02-07-2023 12:20 PM
Hello
I am trying to install Alfresco (latest version) and of course the search services.
For Alfresco, for an unknown reason I could make it work, mostly. Except for the connection with the search services. But I have the same problem in both components (Repo and Search) so if I can understand one, I might have a clue to understand the other.
The problem is that they complain: "password can't be null".
So I will try first with the search services, because it is a standalone application, easier to start and stop hundreds of times.
In spite of cleverly inconsistent documentation, I could, I believe, set up the search services. I created the keystores with the tool downloaded from https://github.com/Alfresco/alfresco-ssl-generator, provided the information of the keystores (location, password, type) in the numerous places it was required. Before that there were other errors such as unsafe location of the keystore resource (although I put it where I was told to do), but now Solr starts, except for the "password can't be null" error.
For instance, I ran the cool command, found somewhere in the documentation:
./solr/bin/solr start -a "-Dcreate.alfresco.defaults=alfresco,archive -Dsolr.ssl.checkPeerName=false -Dsolr.allow.unsafe.resourceloading=true -Dssl-keystore.password=PASSWORD-KS -Dssl-keystore.aliases=ssl-alfresco-ca,ssl-repo-client -Dssl-keystore.ssl-alfresco-ca.password=PASSWORD-KS -Dssl-keystore.ssl-repo-client.password=PASSWORD-KS -Dssl-truststore.password=PASSWORD-TRS -Dssl-truststore.aliases=ssl-alfresco-ca,ssl-repo,ssl-repo-client -Dssl-truststore.ssl-alfresco-ca.password=PASSWORD-TRS -Dssl-truststore.ssl-repo.password=PASSWORD-TRS -Dssl-truststore.ssl-repo-client.password=PASSWORD-TRS" -f
where PASSWORD-KS is the password for the keystore, and PASSWORD-TRS is the password for the truststore.
At this point I have an error:
javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
Java is Java 11, because I tried with 16 and it doesn't work because half a dozen start parameters are unknown.
If I start solr with "solr start", I get the null password error.
So now I will try to get the source of my version and try to find what exactly I should do in order to give the password or make it work.
I had downloaded the version 2.0.5.
I go to the source repo (https://github.com/Alfresco/SearchServices/tree/2.0.0), no 2.0.5 version. There are tags for 2.0.0, 2.0.1, 2.0.2, 2.0.3, and pre-releases of 2.1.0.
Ok, let's go back to the beginning, download it again and check what is the latest version or an older one.
I go to the Alfresco download page for community edition. There I have "7.3 Community install". Ok.
Down the page I can find: 3. Non-containerized manual deployment. So far so good. I was there already.
And: Alfresco Search Services 2.0.3.zip. Hum? 2.0.3?
But the link is: https://download.alfresco.com/cloudfront/release/community/SearchServices/2.0.5/alfresco-search-serv.... And the README file says it's 2.0.5. That's why I believed I installed the version 2.0.5.
Then where is the source for this version?
So to resume
Thank you.
02-16-2023 09:48 AM
Maybe the keystores created by ssl-tool are bad?
I simply used:
./run.sh -keystorepass ks+xxxxxxx -truststorepass trs+xxxxxxx -encmetadatapass enc+xxxxxxx -encstorepass enc+xxxxxxx
and then copied respectively the keystore and truststore found in alfresco and solr to their location.
For solr, I have to put a copy of them under each core, else in another location Solr complains.
The contents of the stores are:
keystore:
Type de fichier de clés : JCEKS
Fournisseur de fichier de clés : SunJCE
Votre fichier de clés d'accès contient 2 entrées
ssl.alfresco.ca, 10 févr. 2023, trustedCertEntry,
Empreinte du certificat (SHA-256) : 73:58:B4:16:64:C5:69:F6:5A:5C:35:FA:B1:49:66:06:10:43:9F:6D:50:B9:B0:DA:0B:EA:8F:21:30:BB:24:87
ssl.repo.client, 10 févr. 2023, PrivateKeyEntry,
Empreinte du certificat (SHA-256) : 38:F6:BA:0C:0E:28:7F:B1:D3:A1:68:1C:46:37:56:54:CA:B0:35:87:2C:8E:54:62:DE:C3:E8:7D:45:59:B0:41

truststore:
Type de fichier de clés : JCEKS
Fournisseur de fichier de clés : SunJCE
Votre fichier de clés d'accès contient 3 entrées
alfresco.ca, 10 févr. 2023, trustedCertEntry,
Empreinte du certificat (SHA-256) : 73:58:B4:16:64:C5:69:F6:5A:5C:35:FA:B1:49:66:06:10:43:9F:6D:50:B9:B0:DA:0B:EA:8F:21:30:BB:24:87
ssl.repo, 10 févr. 2023, trustedCertEntry,
Empreinte du certificat (SHA-256) : C0:3C:23:2F:36:45:02:AD:F4:B4:8F:12:63:44:6E:7F:04:B2:59:DA:C3:20:A0:40:AD:EE:7D:6D:55:2A:77:A1
ssl.repo.client, 10 févr. 2023, trustedCertEntry,
Empreinte du certificat (SHA-256) : 38:F6:BA:0C:0E:28:7F:B1:D3:A1:68:1C:46:37:56:54:CA:B0:35:87:2C:8E:54:62:DE:C3:E8:7D:45:59:B0:41
02-17-2023 04:27 AM
Another part of the configuration that is involved, Tomcat connector for Solr requests:
<Connector port="8454" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" keystoreFile="/opt/Alfresco/alf_data_7/keystore/ssl.keystore" keystorePass="ks+xxxxxxxx" keystoreType="JCEKS" secure="true" connectionTimeout="240000" truststoreFile="/opt/Alfresco/alf_data_7/keystore/ssl.truststore" truststorePass="trs+xxxxxxxx" truststoreType="JCEKS" clientAuth="false" sslProtocol="TLS" />
Note that the port is 8454, firstly because on 8443/8444 there is an older Tomcat running an old Alfresco 5.0, that works perfectly, secondly because the main SSL port (usually 8443, here 8453) is used for human access with an official domain certificate, so there is a 2nd connector on port 8454 for Solr and its certificates. I don't even understand why all the documentation insists on serving Solr on port 8443, how can it work in a real setup where this port is the standard Tomcat port to serve the users' browsers?
02-17-2023 08:25 AM
I am still adding information in the hope that someone knowing Alfresco 7 will figure out what to do.
As said before, 2 SSL connectors are defined in server.xml, one referencing a keystore with an official certificate, and one with the certificate purposely created to interact with the search services.
They are on different ports and the search services are correctly configured to use the right port.
8453 = connection from a browser, official certificate in its own keystore
8454 = connection from the search services, certificates and keys in the keystore created by ssl-tool and shared with the search services.
This setup works perfectly with Alfresco 5.
If I remove the first connector and keep only the one on port 8454, the error 403 no longer appears in the search services log and it seems that Alfresco answers correctly with the change lists.
What should I do to both give access to the search services, and let the users access Alfresco on port 8453?
02-20-2023 03:53 AM
Did you try setting the expected port in the solrcore.properties file?
alfresco.port.ssl=8454
02-21-2023 08:46 AM
Hello
Yes, I did. Else it would not work at all when I remove the other connector (for browser access). BTW Solr creates this file in the core directory, which helps with setting keys, although in messy order; the 1st thing I did was to order the properties file alphabetically to find the keys in my text editor and avoid duplicates.
So it appears that I set
clientAuth="false"
in the Connector tag (see message with the Connector data) which is the culprit here.
The advised value in one of your documentations was "want". I guess that among all tries and errors and various posts I put false at some time, my bad. It is very consistent with the fact that Tomcat didn't provide the certificate data to Alfresco. However I found that if I set clientAuth="required" (as per Tomcat 9 documentation), it looks like it works too. Maybe.
Now Solr is indexing, I checked with the admin tool that it does and that I can find my documents from there.
However Alfresco doesn't find anything, and the transform service doesn't work either (hence text indexing doesn't work) although I tried to follow the 20-page tutorial you quoted, but that's another story, I first have to investigate by myself.
Thank you for the help!
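An added example (not part of the original posts and not Alfresco or Tomcat code): a small check that parses a Tomcat server.xml and flags SSL connectors that configure a truststore but leave clientAuth="false", the combination identified above. The sample server.xml is constructed, with placeholder paths and passwords; only the ports and attribute names follow the thread, and the verdict labels are made up for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread: 8453 serves browsers, 8454 serves
# the search services. Paths and passwords are placeholders.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8453" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" keystoreFile="/path/to/official.keystore"
             keystorePass="PLACEHOLDER" clientAuth="false" sslProtocol="TLS" />
  <Connector port="8454" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" keystoreFile="/path/to/ssl.keystore"
             keystorePass="PLACEHOLDER" keystoreType="JCEKS"
             truststoreFile="/path/to/ssl.truststore"
             truststorePass="PLACEHOLDER" truststoreType="JCEKS"
             clientAuth="false" sslProtocol="TLS" />
</Service></Server>"""


def audit_connectors(server_xml):
    """Return a (port, verdict) pair for every SSL-enabled Connector."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # clientAuth defaults to "false" when absent; the thread reports that
        # "want" and "required" both let the search services through.
        client_auth = conn.get("clientAuth", "false").lower()
        has_truststore = conn.get("truststoreFile") is not None
        if client_auth != "false":
            verdict = "client-cert-requested"
        elif has_truststore:
            # A truststore is configured but never consulted: Tomcat does not
            # ask for the caller's certificate, so the webapp sees none.
            verdict = "truststore-unused"
        else:
            verdict = "server-auth-only"
        results.append((conn.get("port"), verdict))
    return results


if __name__ == "__main__":
    for port, verdict in audit_connectors(SAMPLE_SERVER_XML):
        print(port, verdict)
```
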
02-21-2023 09:41 AM
You can always try Docker Compose for reference configuration:
https://github.com/alfresco/alfresco-docker-installer
https://github.com/aborroy/alfresco-installer
Even though you are not deploying in Docker and so on... just to read the expected configuration from a running environment.
02-22-2023 09:45 AM
Thank you for the advice, so I went there and browsed the project and found the installation script where they set up the solr SSL port and saw how it's done. Yet another parameter that was set correctly in my configuration during the 1st pass and then messed up when nothing was working...
Also I fixed the problem with transform services, which was a small mistake in alfresco-global.properties. I don't know if all transforms work, but at least I get thumbnails of PDF or Office files and full text search works.
Thank you very much for your help.
02-22-2023 09:49 AM
Great you have it working!
Thanks for completing the thread with the feedback.