Mutual TLS between ACS and Search Services (Solr 6) involves two distinct communication channels: Alfresco calling Solr, and Solr calling Alfresco. Each side is the server on one channel and the client on the other, so the two channels involve four roles.
Therefore, we need these four distinct groups of configuration for the four parties (yes, four, not two):
1. Alfresco (as a server) listening port number and protocol:
tomcat/conf/server.xml
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
        <SSLHostConfig truststoreFile="../alf_data/keystore/ssl.truststore"
                       truststorePassword="truststore" truststoreType="JCEKS"
                       certificateVerification="required">
            <Certificate certificateKeystoreFile="../alf_data/keystore/ssl.keystore"
                         certificateKeystorePassword="keystore" certificateKeystoreType="JCEKS"
                         certificateKeyAlias="ssl.repo" type="RSA" />
        </SSLHostConfig>
    </Connector>
2. Solr (as a server) listening port number and protocol:
search-services/solr.in.sh
    SOLR_PORT=8983
    SOLR_SSL_KEY_STORE=../../solrhome/keystore/ssl.repo.client.keystore
    SOLR_SSL_KEY_STORE_PASSWORD=keystore
    SOLR_SSL_KEY_STORE_TYPE=JCEKS
    SOLR_SSL_TRUST_STORE=../../solrhome/keystore/ssl.repo.client.truststore
    SOLR_SSL_TRUST_STORE_PASSWORD=truststore
    SOLR_SSL_TRUST_STORE_TYPE=JCEKS
    SOLR_SSL_NEED_CLIENT_AUTH=true
    SOLR_SSL_WANT_CLIENT_AUTH=false
    SOLR_OPTS="$SOLR_OPTS -Dalfresco.secureComms=https"
3. What host name, port number and protocol Alfresco (as a client) uses to connect to Solr:
tomcat/shared/classes/alfresco-global.properties
    index.subsystem.name=solr6
    solr.secureComms=https
    solr.host=localhost
    solr.port.ssl=8983
4. What host name, port number and protocol Solr (as a client) uses to connect to Alfresco:
search-services/solrhome/alfresco/conf/solrcore.properties
search-services/solrhome/archive/conf/solrcore.properties
    alfresco.secureComms=true
    alfresco.host=localhost
    alfresco.port.ssl=8443
    alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore
    alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore
    alfresco.encryption.ssl.truststore.passwordFileLocation=ssl-truststore-passwords.properties
    alfresco.encryption.ssl.keystore.passwordFileLocation=ssl-keystore-passwords.properties
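The most common reason a mutual-TLS setup between the repository and Solr fails is that the four groups above disagree with each other: the port Alfresco dials is not the port Solr listens on, or one side requires a client certificate while the other never sends one. The following checker is an added example (not part of the original article and not Alfresco's own tooling) that parses the four fragments and verifies that each channel agrees on port, protocol and client-certificate requirement. The fragments are embedded as constructed sample input; the Solr-side sample uses alfresco.secureComms=https, which is an assumption, and the function names and finding messages are this example's own.

```python
"""Cross-check the four mutual-TLS configuration groups between ACS and Solr 6.

Added example: parses the Tomcat connector, solr.in.sh, alfresco-global.properties
and solrcore.properties and reports where the two channels disagree.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample input mirroring the four groups described in the article.
SERVER_XML = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig truststoreFile="../alf_data/keystore/ssl.truststore"
      truststorePassword="truststore" truststoreType="JCEKS"
      certificateVerification="required">
    <Certificate certificateKeystoreFile="../alf_data/keystore/ssl.keystore"
        certificateKeystorePassword="keystore" certificateKeystoreType="JCEKS"
        certificateKeyAlias="ssl.repo" type="RSA" />
  </SSLHostConfig>
</Connector>"""

SOLR_IN_SH = """SOLR_PORT=8983
SOLR_SSL_KEY_STORE=../../solrhome/keystore/ssl.repo.client.keystore
SOLR_SSL_NEED_CLIENT_AUTH=true
SOLR_SSL_WANT_CLIENT_AUTH=false
SOLR_OPTS="$SOLR_OPTS -Dalfresco.secureComms=https"
"""

ALFRESCO_GLOBAL = """index.subsystem.name=solr6
solr.secureComms=https
solr.host=localhost
solr.port.ssl=8983
"""

# Assumption: the Solr-side property is set to https in this constructed sample.
SOLRCORE = """alfresco.secureComms=https
alfresco.host=localhost
alfresco.port.ssl=8443
"""


def parse_properties(text):
    """Parse key=value lines (properties files and solr.in.sh share this shape)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().strip('"')
    return props


def parse_connector(xml_text):
    """Extract the TLS-relevant attributes from a Tomcat <Connector> element."""
    conn = ET.fromstring(xml_text)
    host_cfg = conn.find("SSLHostConfig")
    return {
        "port": int(conn.get("port")),
        "ssl_enabled": conn.get("SSLEnabled") == "true",
        "client_auth": host_cfg.get("certificateVerification"),
    }


def check_mtls(server_xml, solr_in_sh, alfresco_global, solrcore):
    """Return a list of findings; an empty list means the four groups agree."""
    findings = []
    tomcat = parse_connector(server_xml)
    solr_server = parse_properties(solr_in_sh)
    repo_client = parse_properties(alfresco_global)
    solr_client = parse_properties(solrcore)

    # Channel A: Alfresco (client) -> Solr (server).
    if repo_client.get("solr.secureComms") != "https":
        findings.append("solr.secureComms is not https")
    if repo_client.get("solr.port.ssl") != solr_server.get("SOLR_PORT"):
        findings.append("solr.port.ssl does not match SOLR_PORT")
    if solr_server.get("SOLR_SSL_NEED_CLIENT_AUTH") != "true":
        findings.append("Solr does not require a client certificate")

    # Channel B: Solr (client) -> Alfresco (server).
    if not tomcat["ssl_enabled"]:
        findings.append("Tomcat connector is not SSLEnabled")
    if tomcat["client_auth"] != "required":
        findings.append("Tomcat does not require a client certificate")
    if solr_client.get("alfresco.port.ssl") != str(tomcat["port"]):
        findings.append("alfresco.port.ssl does not match the Tomcat connector port")
    if solr_client.get("alfresco.secureComms") != "https":
        findings.append("solrcore alfresco.secureComms is not https")
    # The -D override passed through SOLR_OPTS must agree as well.
    match = re.search(r"-Dalfresco\.secureComms=(\S+)", solr_server.get("SOLR_OPTS", ""))
    if match and match.group(1) != "https":
        findings.append("SOLR_OPTS overrides alfresco.secureComms with a non-https value")
    return findings


if __name__ == "__main__":
    for finding in check_mtls(SERVER_XML, SOLR_IN_SH, ALFRESCO_GLOBAL, SOLRCORE) or ["OK"]:
        print(finding)
```

To check a live installation, read the four real files into the four arguments; the server.xml argument is the single Connector element, not the whole file. A non-empty result points at the channel and the setting that disagree, which is faster than reading handshake failures out of the Tomcat and Solr logs.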
The keystore and truststore files referenced in these settings should be created beforehand with alfresco-ssl-generator. Follow that tool's README to copy the generated files to the correct places. For example:
    cd ~/ssl-tool
    ./run.sh -keysize 2048 -alfrescoversion enterprise -alfrescoformat classic
    cp -a keystores/alfresco/ssl* /opt/alfresco/alf_data/keystore/
    cp -a keystores/solr /opt/alfresco/search-services/solrhome/keystore
    for f in alfresco archive; do cp -a keystores/solr/* /opt/alfresco/search-services/solrhome/$f/; done
Here is a list of pull requests aimed at clarifying the Alfresco online documentation of Search Services on this topic: