cancel
Showing results for 
Search instead for 
Did you mean: 
michael_chen_ri
Confirmed Champ
Confirmed Champ

Mutual TLS between ACS and Search Services (Solr6) includes 2 distinctively different communication channels:

  • TLS connection (https) from Alfresco (the client) to Solr6 (the server)
  • TLS connection (https) from Solr6 (the client) to Alfresco (the server)

Therefore, we need these four distinct groups of configurations for the four parties (yes, not two):

1. Alfresco (as a server) listening port number and protocol:

    tomcat/conf/server.xml

	<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
	           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
	    <SSLHostConfig truststoreFile="../alf_data/keystore/ssl.truststore"
	                   truststorePassword="truststore" truststoreType="JCEKS"
	                   certificateVerification="required">
	        <Certificate certificateKeystoreFile="../alf_data/keystore/ssl.keystore"
	                     certificateKeystorePassword="keystore" certificateKeystoreType="JCEKS"
	                     certificateKeyAlias="ssl.repo" type="RSA" />
	    </SSLHostConfig>
	</Connector>

2. Solr (as a server) listening port number and protocol:

    search-services/solr.in.sh

SOLR_PORT=8983
SOLR_SSL_KEY_STORE=../../solrhome/keystore/ssl.repo.client.keystore SOLR_SSL_KEY_STORE_PASSWORD=keystore SOLR_SSL_KEY_STORE_TYPE=JCEKS SOLR_SSL_TRUST_STORE=../../solrhome/keystore/ssl.repo.client.truststore SOLR_SSL_TRUST_STORE_PASSWORD=truststore SOLR_SSL_TRUST_STORE_TYPE=JCEKS SOLR_SSL_NEED_CLIENT_AUTH=true SOLR_SSL_WANT_CLIENT_AUTH=false SOLR_OPTS="$SOLR_OPTS -Dalfresco.secureComms=https"

3. What host name, port number and protocol Alfresco (as a client) uses to connect to Solr:

    tomcat/shared/classes/alfresco-global.properties

index.subsystem.name=solr6
solr.secureComms=https
solr.host=localhost
solr.port.ssl=8983

4. What host name, port number and protocol Solr (as a client) uses to connect to Alfresco:

    search-services/solrhome/alfresco/conf/solrcore.properties
    search-services/solrhome/archive/conf/solrcore.properties

alfresco.secureComms=true
alfresco.host=localhost
alfresco.port.ssl=8443
alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore
alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore
alfresco.encryption.ssl.truststore.passwordFileLocation=ssl-truststore-passwords.properties
alfresco.encryption.ssl.keystore.passwordFileLocation=ssl-keystore-passwords.properties

Keystore and truststore files mentioned in these settings should be pre-created using alfresco-ssl-generator. Follow the README of that tool to copy generate files to the correct place. For examples,

cd ~/ssl-tool
./run.sh -keysize 2048 -alfrescoversion enterprise -alfrescoformat classic
cp -a keystores/alfresco/ssl* /opt/alfresco/alf_data/keystore/
cp -a keystores/solr /opt/alfresco/search-services/solrhome/keystore
for f in alfresco archive; do cp -a keystores/solr/* /opt/alfresco/search-services/solrhome/$f/; done

Here are a list of pull requests aimed to clarify the Alfresco online documentations of Search Services on this topic:

.