cancel
Showing results for 
Search instead for 
Did you mean: 

org.alfresco.error.AlfrescoRuntimeException Unable to create key manager

rgdelacalle
Champ in-the-making
Champ in-the-making

Hi,

I've installed from zip Alfresco Community 7.3 with Alfresco Search Services 2.0 with Mutual TLS following the official documentation (https://docs.alfresco.com/content-services/community/install/zip/tomcat/) but I'm stucked with a problem with certificates.

Solr logging show the following:

org.alfresco.error.AlfrescoRuntimeException: 00240001 Unable to create SSL context
	at org.alfresco.encryption.ssl.AuthSSLProtocolSocketFactory.getSSLContext(AuthSSLProtocolSocketFactory.java:130)
	at org.alfresco.encryption.ssl.AuthSSLProtocolSocketFactory.createSocket(AuthSSLProtocolSocketFactory.java:165)
	at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
	at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
	at org.alfresco.httpclient.AbstractHttpClient.executeMethod(AbstractHttpClient.java:135)
	at org.alfresco.httpclient.AbstractHttpClient.sendRemoteRequest(AbstractHttpClient.java:111)
	at org.alfresco.httpclient.HttpClientFactory$HttpsClient.sendRequest(HttpClientFactory.java:422)
	at org.alfresco.solr.client.SOLRAPIClient.callRepository(SOLRAPIClient.java:1593)
	at org.alfresco.solr.client.SOLRAPIClient.getModelsDiff(SOLRAPIClient.java:1103)
	at org.alfresco.solr.tracker.ModelTracker.trackModelsImpl(ModelTracker.java:313)
	at org.alfresco.solr.tracker.ModelTracker.trackModels(ModelTracker.java:275)
	at org.alfresco.solr.tracker.ModelTracker.ensureFirstModelSync(ModelTracker.java:297)
	at org.alfresco.solr.lifecycle.SolrCoreLoadListener.createModelTracker(SolrCoreLoadListener.java:341)
	at org.alfresco.solr.lifecycle.SolrCoreLoadListener.newSearcher(SolrCoreLoadListener.java:135)
	at org.apache.solr.core.SolrCore.lambda$getSearcher$15(SolrCore.java:2249)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor.lambda$execute$0(ExecutorUtil.java:229)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.alfresco.error.AlfrescoRuntimeException: 00240000 Unable to create key manager
	at org.alfresco.encryption.AlfrescoKeyStoreImpl.createKeyManagers(AlfrescoKeyStoreImpl.java:337)
	at org.alfresco.encryption.ssl.AuthSSLProtocolSocketFactory.createSSLContext(AuthSSLProtocolSocketFactory.java:103)
	at org.alfresco.encryption.ssl.AuthSSLProtocolSocketFactory.getSSLContext(AuthSSLProtocolSocketFactory.java:124)
	... 23 more
Caused by: java.lang.IllegalArgumentException: password can't be null
	at java.base/com.sun.crypto.provider.KeyProtector.<init>(KeyProtector.java:114)
	at java.base/com.sun.crypto.provider.JceKeyStore.engineGetKey(JceKeyStore.java:129)
	at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
	at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
	at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
	at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
	at org.alfresco.encryption.AlfrescoKeyStoreImpl.createKeyManagers(AlfrescoKeyStoreImpl.java:332)

I'm sure I've created the certificates as it's explained in https://docs.alfresco.com/search-services/latest/config/keys/.

Some more information about my installation.

  • $ALF_HOME=/usr/local/alfresco-community
  • $SOLR_HOME=/usr/local/alfresco-search-services
  • Both Solr cores, alfresco and archive, are created.
  • Alfresco keystore. $ALF_HOME/alf_data/keystore
  • Solr keystore. $SOLR_HOME/solrhome/keystore

Here is the content of the configuration files from Alfresco and Solr.

server.xml

<Connector port="8443" protocol="HTTP/1.1"
                connectionTimeout="2000"
                SSLEnabled="true" maxThreads="150" scheme="https"
                keystoreFile="/usr/local/alfresco-community/alf_data/keystore/ssl.keystore"
                keystorePass="mysecretpassword" keystoreType="JCEKS" secure="true"
                truststoreFile="/usr/local/alfresco-community/alf_data/keystore/ssl.truststore"
                truststorePass="mysecretpassword" truststoreType="JCEKS"
                clientAuth="want" sslProtocol="TLS">
        </Connector>
alfresco-global.properties
############################### ## Common Alfresco Properties # ############################### # # Sample custom content and index data location # dir.root=/usr/local/alfresco-community/alf_data dir.keystore=${dir.root}/keystore # # Sample database connection properties # db.username=alfresco db.password=alfresco # db.poolmax=275 # db.pool.validate.query=SELECT 1 # # PostgreSQL connection (requires postgresql-8.2-504.jdbc3.jar or equivalent) # db.driver=org.postgresql.Driver db.url=jdbc:postgresql://localhost:5432/alfresco # # Index Recovery Mode #------------- # index.recovery.mode=AUTO # # URL Generation Parameters (The ${localname} token is replaced by the local server name) #------------- alfresco.context=alfresco alfresco.host=${localname} alfresco.port=8080 alfresco.protocol=http share.context=share share.host=${localname} share.port=8080 share.protocol=http # localTransform.core-aio.url=http://localhost:8090/ #This property is default true, here it is for information purpose. local.transform.service.enabled=true messaging.broker.url=tcp://localhost:61616 #This property is default true, here it it for information purpose. messaging.subsystem.autoStart=true #If you have setup username and password for AMQ, then set the below properties. In my case i have kept default admin/admin messaging.broker.username=admin messaging.broker.password=admin # notification.email.siteinvite=false ### License location ### dir.license.external=/usr/local/alfresco-community security.anyDenyDenies=false smart.folders.enabled=false alfresco.jmx.connector.enabled=false solr.host=localhost solr.port=8983 # solr.port.ssl=8983 solr.secureComms=https solr.base.url=/solr index.subsystem.name=solr6 # ssl encryption encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore encryption.ssl.keystore.type=JCEKS encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore encryption.ssl.truststore.type=JCEKS # secret key keystore configuration encryption.keystore.location=${dir.keystore}/keystore encryption.keystore.type=JCEKS
solr.in.sh

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Settings here will override settings in existing env vars or in bin/solr.  The default shipped state
# of this file is completely commented.

# By default the script will use JAVA_HOME to determine which java
# to use, but you can set a specific path for Solr to use without
# affecting other Java applications on your server/workstation.
#SOLR_JAVA_HOME=""

# This controls the number of seconds that the solr script will wait for
# Solr to stop gracefully or Solr to start.  If the graceful stop fails,
# the script will forcibly stop Solr.  If the start fails, the script will
# give up waiting and display the last few lines of the logfile.
#SOLR_STOP_WAIT="180"

# Increase Java Heap as needed to support your indexing / query needs
#SOLR_HEAP="512m"

# Expert: If you want finer control over memory options, specify them directly
# Comment out SOLR_HEAP if you are using this though, that takes precedence
SOLR_JAVA_MEM="-Xms2g -Xmx2g"

# Enable verbose GC logging...
#  * If this is unset, various default options will be selected depending on which JVM version is in use
#  * For Java 8: if this is set, additional params will be added to specify the log file & rotation
#  * For Java 9 or higher: each included opt param that starts with '-Xlog:gc', but does not include an
#    output specifier, will have a 'file' output specifier (as well as formatting & rollover options)
#    appended, using the effective value of the SOLR_LOGS_DIR.
#
#GC_LOG_OPTS='-Xlog:gc*'  # (Java 9+)
#GC_LOG_OPTS="-verbose:gc -XX:+PrintHeapAtGC -XX:+PrintGCDetails \
#  -XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime"

# These GC settings have shown to work well for a number of common Solr workloads
#GC_TUNE="-XX:NewRatio=3 -XX:SurvivorRatio=4    etc.

# Set the ZooKeeper connection string if using an external ZooKeeper ensemble
# e.g. host1:2181,host2:2181/chroot
# Leave empty if not using SolrCloud
#ZK_HOST=""

# Set the ZooKeeper client timeout (for SolrCloud mode)
#ZK_CLIENT_TIMEOUT="15000"

# By default the start script uses "localhost"; override the hostname here
# for production SolrCloud environments to control the hostname exposed to cluster state
#SOLR_HOST="192.168.0.1"

# By default the start script uses UTC; override the timezone if needed
#SOLR_TIMEZONE="UTC"

# Set to true to activate the JMX RMI connector to allow remote JMX client applications
# to monitor the JVM hosting Solr; set to "false" to disable that behavior
# (false is recommended in production environments)
#ENABLE_REMOTE_JMX_OPTS="false"

# The script will use SOLR_PORT+10000 for the RMI_PORT or you can set it here
# RMI_PORT=18983

# Alfresco configuration. This file is automatically included by solr. You can define your custom settings here
SOLR_OPTS="$SOLR_OPTS -Dsolr.jetty.request.header.size=1000000 -Dsolr.jetty.threads.stop.timeout=300000 -Ddisable.configEdit=true"

# Anything you add to the SOLR_OPTS variable will be included in the java
# start command line as-is, in ADDITION to other options. If you specify the
# -a option on start script, those options will be appended as well. Examples:
#SOLR_OPTS="$SOLR_OPTS -Dsolr.autoSoftCommit.maxTime=3000"
#SOLR_OPTS="$SOLR_OPTS -Dsolr.autoCommit.maxTime=60000"
#SOLR_OPTS="$SOLR_OPTS -Dsolr.clustering.enabled=true"

# Location where the bin/solr script will save PID files for running instances
# If not set, the script will create PID files in $SOLR_TIP/bin
#SOLR_PID_DIR=

# Path to a directory for Solr to store cores and their data. By default, Solr will use server/solr
# If solr.xml is not stored in ZooKeeper, this directory needs to contain solr.xml
#SOLR_HOME=

# Solr provides a default Log4J configuration properties file in server/resources
# however, you may want to customize the log settings and file appender location
# so you can point the script to use a different log4j.properties file
#LOG4J_PROPS=/var/solr/log4j.properties

# Changes the logging level. Valid values: ALL, TRACE, DEBUG, INFO, WARN, ERROR, FATAL, OFF. Default is INFO
# This is an alternative to changing the rootLogger in log4j.properties
#SOLR_LOG_LEVEL=INFO

# Location where Solr should write logs to. Absolute or relative to solr start dir
SOLR_LOGS_DIR=../../logs
LOG4J_PROPS=$SOLR_LOGS_DIR/log4j.properties

# Enables log rotation, cleanup, and archiving during start. Setting SOLR_LOG_PRESTART_ROTATION=false will skip start
# time rotation of logs, and the archiving of the last GC and console log files. It does not affect Log4j configuration.
# This pre-startup rotation may need to be disabled depending how much you customize the default logging setup.
#SOLR_LOG_PRESTART_ROTATION=true

# Sets the port Solr binds to, default is 8983
SOLR_PORT=8983

# Uncomment to set SSL-related system properties
# Be sure to update the paths to the correct keystore for your environment
#SOLR_SSL_KEY_STORE=/home/shalin/work/oss/shalin-lusolr/solr/server/etc/solr-ssl.keystore.jks
#SOLR_SSL_KEY_STORE_PASSWORD=secret
#SOLR_SSL_KEY_STORE_TYPE=JCEKS
#SOLR_SSL_TRUST_STORE=/home/shalin/work/oss/shalin-lusolr/solr/server/etc/solr-ssl.keystore.jks
#SOLR_SSL_TRUST_STORE_PASSWORD=secret
#SOLR_SSL_TRUST_STORE_TYPE=JCEKS
#SOLR_SSL_NEED_CLIENT_AUTH=false
#SOLR_SSL_WANT_CLIENT_AUTH=false

# Uncomment if you want to override previously defined SSL values for HTTP client
# otherwise keep them commented and the above values will automatically be set for HTTP clients
SOLR_SSL_CLIENT_KEY_STORE=/usr/local/alfresco-search-services/solrhome/keystore/ssl-repo-client.keystore
SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=mysecretpassword
SOLR_SSL_CLIENT_KEY_STORE_TYPE=JCEKS
SOLR_SSL_CLIENT_TRUST_STORE=/usr/local/alfresco-search-services/solrhome/keystore/ssl-repo-client.truststore
SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=mysecretpassword
SOLR_SSL_CLIENT_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_NEED_CLIENT_AUTH=true
SOLR_SSL_WANT_CLIENT_AUTH=false
# SOLR_OPTS="$SOLR_OPTS -Dsolr.allow.unsafe.resourceloading=true -Dsolr.ssl.checkPeerName=false -Dsolr.data.dir.root=$DIST_DIR/data -Dsolr.solr.model.dir=$DIST_DIR/data/alfrescoModels"

# Settings for authentication
# Please configure only one of SOLR_AUTHENTICATION_CLIENT_CONFIGURER or SOLR_AUTH_TYPE parameters
#SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.PreemptiveBasicAuthConfigurer"
#SOLR_AUTH_TYPE="basic"
#SOLR_AUTHENTICATION_OPTS="-Dbasicauth=solr:SolrRocks"

# Settings for ZK ACL
#SOLR_ZK_CREDS_AND_ACLS="-DzkACLProvider=org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider \
#  -DzkCredentialsProvider=org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider \
#  -DzkDigestUsername=admin-user -DzkDigestPassword=CHANGEME-ADMIN-PASSWORD \
#  -DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=CHANGEME-READONLY-PASSWORD"
#SOLR_OPTS="$SOLR_OPTS $SOLR_ZK_CREDS_AND_ACLS"

SOLR_SOLR_HOST=localhost
SOLR_SOLR_PORT=8983
SOLR_SOLR_BASEURL=/solr
SOLR_ALFRESCO_HOST=localhost
SOLR_ALFRESCO_PORT=8080
SOLR_ALFRESCO_BASEURL=/alfresco
Solr core alfresco/conf/solrcore.properties

#Thu Aug 25 10:19:57 UTC 2022
solr.backup=/usr/local/alfresco-search-services/solr6backup
solr.authorityCache.initialSize=64
alfresco.encryption.ssl.truststore.location=keystore/ssl-repo-client.truststore
# alfresco.encryption.ssl.truststore.location=/usr/local/alfresco-search-services/solrhome/keystore/ssl-repo-client.truststore
solr.suggester.minSecsBetweenBuilds=3600
solr.filterCache.size=256
alfresco.batch.count=5000
solr.initial.transaction.range=0-2000
alfresco.cascadeNodeBatchSize=10
alfresco.contentReadBatchSize=100
alfresco.corePoolSize=8
alfresco.metadata.getPathsInNodeBatches=true
data.dir.root=/usr/local/alfresco-search-services/solrhome/
alfresco.encryption.ssl.keystore.type=JCEKS
alfresco.nodeBatchSize=100
alfresco.template=rerank
solr.request.content.compress=false
solr.pathCache.initialSize=128
alfresco.encryption.ssl.truststore.type=JCEKS
alfresco.host=localhost
alfresco.lag=1000
alfresco.maxTotalConnections=200
alfresco.encryption.ssl.keystore.location=keystore/ssl-repo-client.keystore
# alfresco.encryption.ssl.keystore.location=/usr/local/alfresco-search-services/solrhome/keystore/ssl-repo-client.keystore
alfresco.encryption.ssl.truststore.provider=
alfresco.topTermSpanRewriteLimit=1000
alfresco.port.ssl=8443
alfresco.contentStreamLimit=10000000
solr.filterCache.initialSize=128
alfresco.changeSetAclsBatchSize=500
solr.ownerCache.initialSize=64
alfresco.admin.fix.maxScheduledTransactions=500
solr.suggester.enabled=true
alfresco.cron=0/10 * * * * ? *
alfresco.commitInterval=2000
data.dir.store=alfresco
solr.queryResultCache.initialSize=1024
solr.readerCache.autowarmCount=0
alfresco.threadDaemon=true
alfresco.newSearcherInterval=3000
solr.pathCache.size=256
alfresco.recordUnindexedNodes=false
alfresco.doPermissionChecks=true
solr.authorityCache.autowarmCount=4
solr.ownerCache.size=128
alfresco.metadata.skipDescendantDocsForSpecificTypes=false
alfresco.port=8080
alfresco.keepAliveTime=120
solr.documentCache.autowarmCount=512
solr.queryResultCache.size=1024
enable.alfresco.tracking=true
alfresco.workQueueSize=-1
solr.ownerCache.autowarmCount=0
solr.documentCache.size=1024
alfresco.hole.retention=3600000
alfresco.contentUpdateBatchSize=1000
alfresco.encryption.ssl.keystore.provider=
solr.queryResultMaxDocsCached=2048
alfresco.threadPriority=5
alfresco.baseUrl=/alfresco
solr.deniedCache.initialSize=64
solr.pathCache.autowarmCount=32
alfresco.socketTimeout=360000
solr.authorityCache.size=128
solr.readerCache.size=128
solr.filterCache.autowarmCount=32
alfresco.postfilter=true
alfresco.secureComms=https
solr.readerCache.initialSize=64
solr.maxBooleanClauses=10000
alfresco.metadata.ignore.datatype.1=app\:configurations
alfresco.metadata.ignore.datatype.0=cm\:person
alfresco.stores=workspace\://SpacesStore
solr.deniedCache.size=128
alfresco.aclBatchSize=100
solr.queryResultWindowSize=512
alfresco.hole.check.after=300000
alfresco.tracker.maxNodeLockMs=120000
solr.documentCache.initialSize=1024
shard.method=DB_ID
alfresco.metadata.skipDescendantDocsForSpecificAspects=false
alfresco.maxHostConnections=200
solr.deniedCache.autowarmCount=0
alfresco.maximumPoolSize=-1
solr.queryResultCache.autowarmCount=4
alfresco.transactionDocsBatchSize=2000

What can I have missed?

Thanks

1 REPLY 1

khandah
Champ in-the-making
Champ in-the-making

It seems to that nobody at Hyland/Alfresco is willing to solve this kind of problem.

Buy the question is WHY ?