01-25-2023 04:12 AM
Hi,
I've installed from zip Alfresco Community 7.3 with Alfresco Search Services 2.0 with Mutual TLS following the official documentation (https://docs.alfresco.com/content-services/community/install/zip/tomcat/) but I'm stuck with a problem with certificates.
Solr logging shows the following:
org.alfresco.error.AlfrescoRuntimeException: 00240001 Unable to create SSL context
    at org.alfresco.encryption.ssl.AuthSSLProtocolSocketFactory.getSSLContext(AuthSSLProtocolSocketFactory.java:130)
    at org.alfresco.encryption.ssl.AuthSSLProtocolSocketFactory.createSocket(AuthSSLProtocolSocketFactory.java:165)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
    at org.alfresco.httpclient.AbstractHttpClient.executeMethod(AbstractHttpClient.java:135)
    at org.alfresco.httpclient.AbstractHttpClient.sendRemoteRequest(AbstractHttpClient.java:111)
    at org.alfresco.httpclient.HttpClientFactory$HttpsClient.sendRequest(HttpClientFactory.java:422)
    at org.alfresco.solr.client.SOLRAPIClient.callRepository(SOLRAPIClient.java:1593)
    at org.alfresco.solr.client.SOLRAPIClient.getModelsDiff(SOLRAPIClient.java:1103)
    at org.alfresco.solr.tracker.ModelTracker.trackModelsImpl(ModelTracker.java:313)
    at org.alfresco.solr.tracker.ModelTracker.trackModels(ModelTracker.java:275)
    at org.alfresco.solr.tracker.ModelTracker.ensureFirstModelSync(ModelTracker.java:297)
    at org.alfresco.solr.lifecycle.SolrCoreLoadListener.createModelTracker(SolrCoreLoadListener.java:341)
    at org.alfresco.solr.lifecycle.SolrCoreLoadListener.newSearcher(SolrCoreLoadListener.java:135)
    at org.apache.solr.core.SolrCore.lambda$getSearcher$15(SolrCore.java:2249)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor.lambda$execute$0(ExecutorUtil.java:229)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.alfresco.error.AlfrescoRuntimeException: 00240000 Unable to create key manager
    at org.alfresco.encryption.AlfrescoKeyStoreImpl.createKeyManagers(AlfrescoKeyStoreImpl.java:337)
    at org.alfresco.encryption.ssl.AuthSSLProtocolSocketFactory.createSSLContext(AuthSSLProtocolSocketFactory.java:103)
    at org.alfresco.encryption.ssl.AuthSSLProtocolSocketFactory.getSSLContext(AuthSSLProtocolSocketFactory.java:124)
    ... 23 more
Caused by: java.lang.IllegalArgumentException: password can't be null
    at java.base/com.sun.crypto.provider.KeyProtector.<init>(KeyProtector.java:114)
    at java.base/com.sun.crypto.provider.JceKeyStore.engineGetKey(JceKeyStore.java:129)
    at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
    at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
    at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
    at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
    at org.alfresco.encryption.AlfrescoKeyStoreImpl.createKeyManagers(AlfrescoKeyStoreImpl.java:332)
I'm sure I've created the certificates as it's explained in https://docs.alfresco.com/search-services/latest/config/keys/.
Some more information about my installation.
Here is the content of the configuration files from Alfresco and Solr.
server.xml
<Connector port="8443" protocol="HTTP/1.1"
           connectionTimeout="2000"
           SSLEnabled="true" maxThreads="150" scheme="https"
           keystoreFile="/usr/local/alfresco-community/alf_data/keystore/ssl.keystore"
           keystorePass="mysecretpassword" keystoreType="JCEKS"
           secure="true"
           truststoreFile="/usr/local/alfresco-community/alf_data/keystore/ssl.truststore"
           truststorePass="mysecretpassword" truststoreType="JCEKS"
           clientAuth="want" sslProtocol="TLS">
</Connector>
alfresco-global.properties
############################### ## Common Alfresco Properties # ############################### # # Sample custom content and index data location # dir.root=/usr/local/alfresco-community/alf_data dir.keystore=${dir.root}/keystore # # Sample database connection properties # db.username=alfresco db.password=alfresco # db.poolmax=275 # db.pool.validate.query=SELECT 1 # # PostgreSQL connection (requires postgresql-8.2-504.jdbc3.jar or equivalent) # db.driver=org.postgresql.Driver db.url=jdbc:postgresql://localhost:5432/alfresco # # Index Recovery Mode #------------- # index.recovery.mode=AUTO # # URL Generation Parameters (The ${localname} token is replaced by the local server name) #------------- alfresco.context=alfresco alfresco.host=${localname} alfresco.port=8080 alfresco.protocol=http share.context=share share.host=${localname} share.port=8080 share.protocol=http # localTransform.core-aio.url=http://localhost:8090/ #This property is default true, here it is for information purpose. local.transform.service.enabled=true messaging.broker.url=tcp://localhost:61616 #This property is default true, here it it for information purpose. messaging.subsystem.autoStart=true #If you have setup username and password for AMQ, then set the below properties. 
In my case i have kept default admin/admin messaging.broker.username=admin messaging.broker.password=admin # notification.email.siteinvite=false ### License location ### dir.license.external=/usr/local/alfresco-community security.anyDenyDenies=false smart.folders.enabled=false alfresco.jmx.connector.enabled=false solr.host=localhost solr.port=8983 # solr.port.ssl=8983 solr.secureComms=https solr.base.url=/solr index.subsystem.name=solr6 # ssl encryption encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore encryption.ssl.keystore.type=JCEKS encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore encryption.ssl.truststore.type=JCEKS # secret key keystore configuration encryption.keystore.location=${dir.keystore}/keystore encryption.keystore.type=JCEKS
solr.in.sh # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Settings here will override settings in existing env vars or in bin/solr. The default shipped state # of this file is completely commented. # By default the script will use JAVA_HOME to determine which java # to use, but you can set a specific path for Solr to use without # affecting other Java applications on your server/workstation. #SOLR_JAVA_HOME="" # This controls the number of seconds that the solr script will wait for # Solr to stop gracefully or Solr to start. If the graceful stop fails, # the script will forcibly stop Solr. If the start fails, the script will # give up waiting and display the last few lines of the logfile. #SOLR_STOP_WAIT="180" # Increase Java Heap as needed to support your indexing / query needs #SOLR_HEAP="512m" # Expert: If you want finer control over memory options, specify them directly # Comment out SOLR_HEAP if you are using this though, that takes precedence SOLR_JAVA_MEM="-Xms2g -Xmx2g" # Enable verbose GC logging... 
# * If this is unset, various default options will be selected depending on which JVM version is in use # * For Java 8: if this is set, additional params will be added to specify the log file & rotation # * For Java 9 or higher: each included opt param that starts with '-Xlog:gc', but does not include an # output specifier, will have a 'file' output specifier (as well as formatting & rollover options) # appended, using the effective value of the SOLR_LOGS_DIR. # #GC_LOG_OPTS='-Xlog:gc*' # (Java 9+) #GC_LOG_OPTS="-verbose:gc -XX:+PrintHeapAtGC -XX:+PrintGCDetails \ # -XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime" # These GC settings have shown to work well for a number of common Solr workloads #GC_TUNE="-XX:NewRatio=3 -XX:SurvivorRatio=4 etc. # Set the ZooKeeper connection string if using an external ZooKeeper ensemble # e.g. host1:2181,host2:2181/chroot # Leave empty if not using SolrCloud #ZK_HOST="" # Set the ZooKeeper client timeout (for SolrCloud mode) #ZK_CLIENT_TIMEOUT="15000" # By default the start script uses "localhost"; override the hostname here # for production SolrCloud environments to control the hostname exposed to cluster state #SOLR_HOST="192.168.0.1" # By default the start script uses UTC; override the timezone if needed #SOLR_TIMEZONE="UTC" # Set to true to activate the JMX RMI connector to allow remote JMX client applications # to monitor the JVM hosting Solr; set to "false" to disable that behavior # (false is recommended in production environments) #ENABLE_REMOTE_JMX_OPTS="false" # The script will use SOLR_PORT+10000 for the RMI_PORT or you can set it here # RMI_PORT=18983 # Alfresco configuration. This file is automatically included by solr. 
You can define your custom settings here SOLR_OPTS="$SOLR_OPTS -Dsolr.jetty.request.header.size=1000000 -Dsolr.jetty.threads.stop.timeout=300000 -Ddisable.configEdit=true" # Anything you add to the SOLR_OPTS variable will be included in the java # start command line as-is, in ADDITION to other options. If you specify the # -a option on start script, those options will be appended as well. Examples: #SOLR_OPTS="$SOLR_OPTS -Dsolr.autoSoftCommit.maxTime=3000" #SOLR_OPTS="$SOLR_OPTS -Dsolr.autoCommit.maxTime=60000" #SOLR_OPTS="$SOLR_OPTS -Dsolr.clustering.enabled=true" # Location where the bin/solr script will save PID files for running instances # If not set, the script will create PID files in $SOLR_TIP/bin #SOLR_PID_DIR= # Path to a directory for Solr to store cores and their data. By default, Solr will use server/solr # If solr.xml is not stored in ZooKeeper, this directory needs to contain solr.xml #SOLR_HOME= # Solr provides a default Log4J configuration properties file in server/resources # however, you may want to customize the log settings and file appender location # so you can point the script to use a different log4j.properties file #LOG4J_PROPS=/var/solr/log4j.properties # Changes the logging level. Valid values: ALL, TRACE, DEBUG, INFO, WARN, ERROR, FATAL, OFF. Default is INFO # This is an alternative to changing the rootLogger in log4j.properties #SOLR_LOG_LEVEL=INFO # Location where Solr should write logs to. Absolute or relative to solr start dir SOLR_LOGS_DIR=../../logs LOG4J_PROPS=$SOLR_LOGS_DIR/log4j.properties # Enables log rotation, cleanup, and archiving during start. Setting SOLR_LOG_PRESTART_ROTATION=false will skip start # time rotation of logs, and the archiving of the last GC and console log files. It does not affect Log4j configuration. # This pre-startup rotation may need to be disabled depending how much you customize the default logging setup. 
#SOLR_LOG_PRESTART_ROTATION=true # Sets the port Solr binds to, default is 8983 SOLR_PORT=8983 # Uncomment to set SSL-related system properties # Be sure to update the paths to the correct keystore for your environment #SOLR_SSL_KEY_STORE=/home/shalin/work/oss/shalin-lusolr/solr/server/etc/solr-ssl.keystore.jks #SOLR_SSL_KEY_STORE_PASSWORD=secret #SOLR_SSL_KEY_STORE_TYPE=JCEKS #SOLR_SSL_TRUST_STORE=/home/shalin/work/oss/shalin-lusolr/solr/server/etc/solr-ssl.keystore.jks #SOLR_SSL_TRUST_STORE_PASSWORD=secret #SOLR_SSL_TRUST_STORE_TYPE=JCEKS #SOLR_SSL_NEED_CLIENT_AUTH=false #SOLR_SSL_WANT_CLIENT_AUTH=false # Uncomment if you want to override previously defined SSL values for HTTP client # otherwise keep them commented and the above values will automatically be set for HTTP clients SOLR_SSL_CLIENT_KEY_STORE=/usr/local/alfresco-search-services/solrhome/keystore/ssl-repo-client.keystore SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=mysecretpassword SOLR_SSL_CLIENT_KEY_STORE_TYPE=JCEKS SOLR_SSL_CLIENT_TRUST_STORE=/usr/local/alfresco-search-services/solrhome/keystore/ssl-repo-client.truststore SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=mysecretpassword SOLR_SSL_CLIENT_TRUST_STORE_TYPE=JCEKS SOLR_SSL_NEED_CLIENT_AUTH=true SOLR_SSL_WANT_CLIENT_AUTH=false # SOLR_OPTS="$SOLR_OPTS -Dsolr.allow.unsafe.resourceloading=true -Dsolr.ssl.checkPeerName=false -Dsolr.data.dir.root=$DIST_DIR/data -Dsolr.solr.model.dir=$DIST_DIR/data/alfrescoModels" # Settings for authentication # Please configure only one of SOLR_AUTHENTICATION_CLIENT_CONFIGURER or SOLR_AUTH_TYPE parameters #SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.PreemptiveBasicAuthConfigurer" #SOLR_AUTH_TYPE="basic" #SOLR_AUTHENTICATION_OPTS="-Dbasicauth=solr:SolrRocks" # Settings for ZK ACL #SOLR_ZK_CREDS_AND_ACLS="-DzkACLProvider=org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider \ # -DzkCredentialsProvider=org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider \ # 
-DzkDigestUsername=admin-user -DzkDigestPassword=CHANGEME-ADMIN-PASSWORD \ # -DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=CHANGEME-READONLY-PASSWORD" #SOLR_OPTS="$SOLR_OPTS $SOLR_ZK_CREDS_AND_ACLS" SOLR_SOLR_HOST=localhost SOLR_SOLR_PORT=8983 SOLR_SOLR_BASEURL=/solr SOLR_ALFRESCO_HOST=localhost SOLR_ALFRESCO_PORT=8080 SOLR_ALFRESCO_BASEURL=/alfresco
Solr core alfresco/conf/solrcore.properties
#Thu Aug 25 10:19:57 UTC 2022
solr.backup=/usr/local/alfresco-search-services/solr6backup
solr.authorityCache.initialSize=64
alfresco.encryption.ssl.truststore.location=keystore/ssl-repo-client.truststore
# alfresco.encryption.ssl.truststore.location=/usr/local/alfresco-search-services/solrhome/keystore/ssl-repo-client.truststore
solr.suggester.minSecsBetweenBuilds=3600
solr.filterCache.size=256
alfresco.batch.count=5000
solr.initial.transaction.range=0-2000
alfresco.cascadeNodeBatchSize=10
alfresco.contentReadBatchSize=100
alfresco.corePoolSize=8
alfresco.metadata.getPathsInNodeBatches=true
data.dir.root=/usr/local/alfresco-search-services/solrhome/
alfresco.encryption.ssl.keystore.type=JCEKS
alfresco.nodeBatchSize=100
alfresco.template=rerank
solr.request.content.compress=false
solr.pathCache.initialSize=128
alfresco.encryption.ssl.truststore.type=JCEKS
alfresco.host=localhost
alfresco.lag=1000
alfresco.maxTotalConnections=200
alfresco.encryption.ssl.keystore.location=keystore/ssl-repo-client.keystore
# alfresco.encryption.ssl.keystore.location=/usr/local/alfresco-search-services/solrhome/keystore/ssl-repo-client.keystore
alfresco.encryption.ssl.truststore.provider=
alfresco.topTermSpanRewriteLimit=1000
alfresco.port.ssl=8443
alfresco.contentStreamLimit=10000000
solr.filterCache.initialSize=128
alfresco.changeSetAclsBatchSize=500
solr.ownerCache.initialSize=64
alfresco.admin.fix.maxScheduledTransactions=500
solr.suggester.enabled=true
alfresco.cron=0/10 * * * * ? *
alfresco.commitInterval=2000
data.dir.store=alfresco
solr.queryResultCache.initialSize=1024
solr.readerCache.autowarmCount=0
alfresco.threadDaemon=true
alfresco.newSearcherInterval=3000
solr.pathCache.size=256
alfresco.recordUnindexedNodes=false
alfresco.doPermissionChecks=true
solr.authorityCache.autowarmCount=4
solr.ownerCache.size=128
alfresco.metadata.skipDescendantDocsForSpecificTypes=false
alfresco.port=8080
alfresco.keepAliveTime=120
solr.documentCache.autowarmCount=512
solr.queryResultCache.size=1024
enable.alfresco.tracking=true
alfresco.workQueueSize=-1
solr.ownerCache.autowarmCount=0
solr.documentCache.size=1024
alfresco.hole.retention=3600000
alfresco.contentUpdateBatchSize=1000
alfresco.encryption.ssl.keystore.provider=
solr.queryResultMaxDocsCached=2048
alfresco.threadPriority=5
alfresco.baseUrl=/alfresco
solr.deniedCache.initialSize=64
solr.pathCache.autowarmCount=32
alfresco.socketTimeout=360000
solr.authorityCache.size=128
solr.readerCache.size=128
solr.filterCache.autowarmCount=32
alfresco.postfilter=true
alfresco.secureComms=https
solr.readerCache.initialSize=64
solr.maxBooleanClauses=10000
alfresco.metadata.ignore.datatype.1=app\:configurations
alfresco.metadata.ignore.datatype.0=cm\:person
alfresco.stores=workspace\://SpacesStore
solr.deniedCache.size=128
alfresco.aclBatchSize=100
solr.queryResultWindowSize=512
alfresco.hole.check.after=300000
alfresco.tracker.maxNodeLockMs=120000
solr.documentCache.initialSize=1024
shard.method=DB_ID
alfresco.metadata.skipDescendantDocsForSpecificAspects=false
alfresco.maxHostConnections=200
solr.deniedCache.autowarmCount=0
alfresco.maximumPoolSize=-1
solr.queryResultCache.autowarmCount=4
alfresco.transactionDocsBatchSize=2000
What can I have missed?
Thanks
07-04-2024 03:22 PM
It seems that nobody at Hyland/Alfresco is willing to solve this kind of problem.
But the question is WHY?