The release of the following versions includes Mutual TLS Authentication by Default for Alfresco Repository and SOLR communications:
This blog post describes the changes required to upgrade your installation if you were using SSL or HTTP. Also a review on how the communication between SOLR and Repository works is included, as these concepts help to understand the simplified deployment diagrams with discouraged and recommended configurations.
This section provides a guide to upgrade your installation from different use cases:
If you were using Mutual Authentication TLS protocol for these communications, everything should work as before when using these new releases.
However, from these versions, default keystores and truststores have been removed from distribution ZIP files and Docker Images.
Since these resources are not available out of the box anymore, it's required to create a new set of cryptographic stores before upgrading your server or to perform a backup of your previous stores and a restoring process in the upgraded server. A new tool, named Alfresco SSL Generator, has been developed for this purpose. This tool can be used from Windows, Linux and Mac computers and it produces all the cryptographic stores required to configure the Mutual Authentication TLS protocol.
$ cd ssl-tool
$ ./run.sh
$ tree keystores/
keystores/
├── alfresco
│ ├── keystore
│ ├── keystore-passwords.properties
│ ├── ssl-keystore-passwords.properties
│ ├── ssl-truststore-passwords.properties
│ ├── ssl.keystore
│ └── ssl.truststore
├── client
│ └── browser.p12
└── solr
├── ssl-keystore-passwords.properties
├── ssl-truststore-passwords.properties
├── ssl.repo.client.keystore
└── ssl.repo.client.truststore
Once the new stores have been created, you can copy them to Repository and SOLR configuration folders. Detailed steps for this process are available at:
If you were using the Docker Images, verify that your configuration is using the keystores and truststores from an external volume or extend default Docker Image to copy these cryptographic stores to the configured paths inside the container. A sample Docker Compose configuration is provided at Alfresco/alfresco-ssl-generator
Detailed information on how to use Alfresco Search Services Docker Image is available at Alfresco/SearchServices
If you were using plain HTTP protocol for these communications but you want to use SSL after the upgrade, you must review your configuration to enable this protocol.
Repository
Inside alfresco-global.properties file, check that following values are set.
solr.host=localhost
solr.port.ssl=8984
solr.secureComms=https
Use Alfresco SSL Generator to produce all the cryptographic stores required to configure the Mutual Authentication TLS protocol.
Once the new stores have been created, you can copy them to Repository and SOLR configuration folders. Detailed steps for this process are available at Alfresco Content Services 6.1 > Installing the Alfresco WARS
Also Tomcat configuration for Repository needs to be reviewed, as a new SSL Connector for SOLR must be added. Detailed steps for this configuration are available at Alfresco Content Services 6.1 > Installing the Tomcat application server
SOLR
Inside solrcore.properties file (both "alfresco" and "archive" cores), following value must be set.
alfresco.secureComms=https
Additionally, Jetty server configuration and cryptographic stores paths must be set. Detailed steps for this configuration are available at Alfresco Search Services 1.3 > Installing and configuring Search Services with mutual TLS
If you were using the Docker Images, keystores and truststores must be set from an external volume or they should be copied to the configured paths inside the container. A sample Docker Compose configuration is provided at Alfresco/alfresco-ssl-generator
Detailed information on how to use Alfresco Search Services Docker Image is available at Alfresco/SearchServices
If you were using plain HTTP protocol for these communications, you must verify that you are explicitly using this configuration instead of relying on default values.
Repository
Inside alfresco-global.properties file, following value must be set.
solr.secureComms=none
If you were using the Docker Image, verify that this setting is also set in your service declaration in docker-compose.yml file.
alfresco:
image: alfresco/alfresco-content-repository:6.1.0.5
mem_limit: 1700m
environment:
JAVA_OPTS: "
-Ddb.driver=org.postgresql.Driver
-Ddb.username=alfresco
-Ddb.password=alfresco
-Ddb.url=jdbc:postgresql://postgres:5432/alfresco
-Dsolr.host=solr6
-Dsolr.port=8983
-Dsolr.base.url=/solr
-Dindex.subsystem.name=solr6
-Dsolr.secureComms=none
"
SOLR
Inside solrcore.properties file (both "alfresco" and "archive" cores), following value must be set.
alfresco.secureComms=none
If you are using the Docker Image, a new environment variable named ALFRESCO_SECURE_COMMS is available. This variable accepts "none" for HTTP and "https" for Mutual TLS Authentication, so you should add this line to your service declaration in docker-compose.yml file.
solr6:
image: alfresco/alfresco-search-services:1.3.0.5
environment:
# Solr needs to know how to register itself with Alfresco
- SOLR_ALFRESCO_HOST=alfresco
- SOLR_ALFRESCO_PORT=8080
# Alfresco needs to know how to call solr
- SOLR_SOLR_HOST=solr6
- SOLR_SOLR_PORT=8983
# Create the default alfresco and archive cores
- SOLR_CREATE_ALFRESCO_DEFAULTS=alfresco,archive
- "SOLR_JAVA_MEM=-Xms2g -Xmx2g"
# HTTP by default
- ALFRESCO_SECURE_COMMS=none
Web Proxy
When using plain HTTP for communications between Repository and SOLR, some REST API services must be protected from external access, as only communications in the internal network are secure. Following snippet is a sample configuration for NGINX, but you can use any other Web Proxy for that.
# Protect access to SOLR APIs
location ~ ^(/.*/service/api/solr/.*)$ {return 403;}
location ~ ^(/.*/s/api/solr/.*)$ {return 403;}
location ~ ^(/.*/wcservice/api/solr/.*)$ {return 403;}
location ~ ^(/.*/wcs/api/solr/.*)$ {return 403;}
location ~ ^(/.*/proxy/alfresco/api/solr/.*)$ {return 403 ;}
location ~ ^(/.*/-default-/proxy/alfresco/api/.*)$ {return 403;}
Additional information for this task is available at Adding a reverse proxy in front of Alfresco Content Services.
We have included also this configuration as default for Docker Compose reference templates:
acs-deployment/docker-compose.yml at master · Alfresco/acs-deployment · GitHub
Using alfresco/alfresco-acs-nginx:3.0.1 Docker Image for NGINX configuration.
acs-community-deployment/docker-compose.yml at master · Alfresco/acs-community-deployment · GitHub
Using alfresco/acs-community-ngnix:1.0.0 Docker Image for NGINX configuration.
These are the main changes you'll find, but detailed information is provided below on why we did this change.
In this section communication between Alfresco Repository and SOLR is revisited, in order to provide the right background to understand the discouraged and recommended deployment configurations.
The communication between Alfresco Repository and SOLR happens in both ways:
Despite Alfresco can be deployed in many different ways, a simplified scenario can be described in the following diagrams.
Three alternatives are analysed:
When using HTTP, SOLR REST API is exposed without authentication requirements. This means that SOLR can perform tracking operations with Repository but also any external application can use SOLR REST API to get information from repository (metadata, permission, models and content) without authentication.
The access to the SOLR Web Console is also exposed, at it's available by default at http://localhost:8983/solr without authentication.
In this scenario, Repository information is exposed, so you must avoid using this configuration.
When using HTTP behind a Web Proxy (like NGINX), SOLR REST API is exposed without authentication requirements internally. This means that SOLR can perform tracking operations with Repository using internal HTTP port 8080, but the external access to this API is protected by the Web Proxy. Any external application trying to access to SOLR REST API without authentication, using the external HTTP port 80, will be blocked by the rules described before at "If you were using HTTP > Web Proxy" section.
This approach is the one provided for Docker Compose and Helm Charts by default, as they are using a pre-configured Web Proxy to expose internal services.
The access to the SOLR Web Console, available by default at http://localhost:8983/solr, can be also exposed by the Web Proxy to be served at http://localhost/solr including a simple credential protection or any other mechanism to avoid public access.
NGINX sample configuration is provided below.
# SOLR Web Console
location /solr/ {
proxy_pass http://solr6:8983/;
# Basic authentication
auth_basic "Solr web console";
auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
}
In this scenario, Repository information is safely protected, so this configuration is recommended.
When using Mutual Authentication TLS, SOLR REST API is exposed in SSL with clientAuth requirement. This means that SOLR can perform tracking operations with Repository using internal HTTPs port 8443 and signing the requests with the SOLR server certificate configured in solrcore.properties. Any external application trying to access to SOLR REST API using the HTTP port 8080, will be blocked by the Repository Web Filter. If the application uses the HTTPs port 8443, a clientAuth will be required and it will fail as the accepted server certificate is privately protected in SOLR server.
The access to the SOLR Web Console, available by default at https://localhost:8983/solr, is also protected by Mutual Authentication TLS. A client certificate, named browser.p12, is provided by the Alfresco SSL Generator in order to grant the access to this server.
In this scenario, Repository information is safely protected, so this configuration is recommended.