A simplified guide to enable ACS Mutual TLS with Search Services


michael_chen_ri

Mutual TLS between ACS and Search Services (Solr6) involves two distinct communication channels:

  • TLS connection (https) from Alfresco (the client) to Solr6 (the server)
  • TLS connection (https) from Solr6 (the client) to Alfresco (the server)

Therefore we need four distinct groups of configuration, one for each of the four parties (yes, four, not two):

1. Alfresco (as a server) listening port number and protocol:

    tomcat/conf/server.xml

	<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
	           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
	    <SSLHostConfig truststoreFile="../alf_data/keystore/ssl.truststore"
	                   truststorePassword="truststore" truststoreType="JCEKS"
	                   certificateVerification="required">
	        <Certificate certificateKeystoreFile="../alf_data/keystore/ssl.keystore"
	                     certificateKeystorePassword="keystore" certificateKeystoreType="JCEKS"
	                     certificateKeyAlias="ssl.repo" type="RSA" />
	    </SSLHostConfig>
	</Connector>


2. Solr (as a server) listening port number and protocol:

    search-services/solr.in.sh

SOLR_PORT=8983
SOLR_SSL_KEY_STORE=../../solrhome/keystore/ssl.repo.client.keystore
SOLR_SSL_KEY_STORE_PASSWORD=keystore
SOLR_SSL_KEY_STORE_TYPE=JCEKS
SOLR_SSL_TRUST_STORE=../../solrhome/keystore/ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE_PASSWORD=truststore
SOLR_SSL_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_NEED_CLIENT_AUTH=true
SOLR_SSL_WANT_CLIENT_AUTH=false
SOLR_OPTS="$SOLR_OPTS -Dalfresco.secureComms=https"


3. What host name, port number and protocol Alfresco (as a client) uses to connect to Solr:

    tomcat/shared/classes/alfresco-global.properties

index.subsystem.name=solr6
solr.secureComms=https
solr.host=localhost
solr.port.ssl=8983


4. What host name, port number and protocol Solr (as a client) uses to connect to Alfresco:

    search-services/solrhome/alfresco/conf/solrcore.properties
    search-services/solrhome/archive/conf/solrcore.properties

alfresco.secureComms=true
alfresco.host=localhost
alfresco.port.ssl=8443
alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore
alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore
alfresco.encryption.ssl.truststore.passwordFileLocation=ssl-truststore-passwords.properties
alfresco.encryption.ssl.keystore.passwordFileLocation=ssl-keystore-passwords.properties


The keystore and truststore files referenced by these settings should be created beforehand with alfresco-ssl-generator. Follow that tool's README to copy the generated files to the correct places. For example:

cd ~/ssl-tool
./run.sh -keysize 2048 -alfrescoversion enterprise -alfrescoformat classic
cp -a keystores/alfresco/ssl* /opt/alfresco/alf_data/keystore/
cp -a keystores/solr /opt/alfresco/search-services/solrhome/keystore
for f in alfresco archive; do cp -a keystores/solr/* /opt/alfresco/search-services/solrhome/$f/; done
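As an added example (not code from the post or from Alfresco's tooling), the following Python check parses constructed copies of the four configuration groups above and cross-checks that each client side points at the matching server side and that both servers require, rather than merely request, a client certificate; parse_props and check_mtls are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the post's four configuration groups (sample data, not read
# from a live install), trimmed to the attributes the checker looks at.
SERVER_XML = """<Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig truststoreFile="../alf_data/keystore/ssl.truststore"
                 truststoreType="JCEKS" certificateVerification="required">
    <Certificate certificateKeystoreFile="../alf_data/keystore/ssl.keystore"
                 certificateKeyAlias="ssl.repo" type="RSA" />
  </SSLHostConfig>
</Connector>"""
SOLR_IN_SH = "SOLR_PORT=8983\nSOLR_SSL_NEED_CLIENT_AUTH=true\nSOLR_SSL_WANT_CLIENT_AUTH=false\n"
GLOBAL_PROPS = "index.subsystem.name=solr6\nsolr.secureComms=https\nsolr.host=localhost\nsolr.port.ssl=8983\n"
SOLRCORE_PROPS = "alfresco.secureComms=true\nalfresco.host=localhost\nalfresco.port.ssl=8443\n"

def parse_props(text):
    """Parse key=value lines; .properties files and solr.in.sh share this shape."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip().strip('"')
    return out

def check_mtls(server_xml, solr_in_sh, global_props, solrcore_props):
    """Return a list of findings; an empty list means the four groups agree."""
    findings = []
    connector = ET.fromstring(server_xml)
    host_cfg = connector.find("SSLHostConfig")
    solr_srv = parse_props(solr_in_sh)       # Solr as server
    alf_cli = parse_props(global_props)      # Alfresco as client of Solr
    solr_cli = parse_props(solrcore_props)   # Solr as client of Alfresco
    # Group 1: Tomcat must terminate TLS and demand (not just accept) a client cert.
    if connector.get("SSLEnabled") != "true" or host_cfg is None:
        findings.append("server.xml: connector is not TLS-enabled")
    elif host_cfg.get("certificateVerification") != "required":
        findings.append("server.xml: certificateVerification must be 'required'")
    # Group 2: Jetty (Solr) must demand a client cert; WANT alone lets anonymous clients in.
    if solr_srv.get("SOLR_SSL_NEED_CLIENT_AUTH") != "true":
        findings.append("solr.in.sh: SOLR_SSL_NEED_CLIENT_AUTH must be true")
    # Group 3: Alfresco's client side must speak https to Solr's listening port.
    if alf_cli.get("solr.secureComms") != "https":
        findings.append("alfresco-global.properties: solr.secureComms must be https")
    if alf_cli.get("solr.port.ssl") != solr_srv.get("SOLR_PORT"):
        findings.append("solr.port.ssl does not match SOLR_PORT")
    # Group 4: Solr's client side must target the Tomcat connector's port.
    if solr_cli.get("alfresco.port.ssl") != connector.get("port"):
        findings.append("alfresco.port.ssl does not match the Tomcat connector port")
    return findings
```

To run it against a real installation, read each file's contents into the four arguments in place of the constructed strings.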

Here is a list of pull requests aimed at clarifying the Alfresco online documentation of Search Services on this topic:
