Keystores are invalid

kestu
Member II

Keystores are invalid

Hello,

For several days I have been running into a problem installing Alfresco 4.0d on a Linux server (CentOS).

I went through a manual installation. The database connection goes through MySQL and there does not seem to be any problem on that side.
I copy the files from my /var/lib/tomcat5/webapps/alfresco/WEB-INF/classes/alfresco/keystore folder to my /var/lib/alfresco/alf_data/keystore/ folder, but I still get the very same error message at startup: "Keystores are invalid".

Start of the error log:
14:54:02,687 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'sysAdmin' subsystem, ID: [sysAdmin, default]
14:54:02,980 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'sysAdmin' subsystem, ID: [sysAdmin, default] complete
14:54:50,015 WARN  [org.alfresco.util.AbstractTriggerBean] Job ehCacheTracerJob is not active/enabled
14:55:03,333 INFO  [org.springframework.extensions.webscripts.TemplateProcessorRegistry] Registered template processor Repository Template Processor for extension ftl
14:55:03,358 INFO  [org.springframework.extensions.webscripts.ScriptProcessorRegistry] Registered script processor Repository Script Processor for extension js
14:55:49,132 INFO  [org.alfresco.repo.domain.schema.SchemaBootstrap] Schema managed by database dialect org.hibernate.dialect.MySQLInnoDBDialect.
14:55:52,612 INFO  [org.alfresco.repo.domain.schema.SchemaBootstrap] No changes were made to the schema.
14:55:53,274 ERROR [org.springframework.web.context.ContextLoader] Context initialization failed
org.alfresco.error.AlfrescoRuntimeException: 05120000 Keystores are invalid
        at org.alfresco.encryption.EncryptionChecker$1.execute(EncryptionChecker.java:71)
        at org.alfresco.encryption.EncryptionChecker$1.execute(EncryptionChecker.java:61)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:388)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:259)
        at org.alfresco.encryption.EncryptionChecker.onBootstrap(EncryptionChecker.java:60)
        at org.springframework.extensions.surf.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:56)
        at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEventInternal(SafeApplicationEventMulticaster.java:209)
        at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEvent(SafeApplicationEventMulticaster.java:180)
        at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:303)
        at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:911)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:428)
        at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276)
        at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197)
        at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
        at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:63)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3764)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4212)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:634)

Configuration file:

dir.root=/var/lib/alfresco/alf_data
dir.keystore=${dir.root}/keystore

db.username=alfresco
db.password=alfresco

db.schema.update=true

db.driver=org.gjt.mm.mysql.Driver
db.url=jdbc:mysql://localhost/alfresco?useUnicode=yes&characterEncoding=UTF-8

index.recovery.mode=AUTO

alfresco.context=alfresco
alfresco.host=localhost
alfresco.port=8080
alfresco.protocol=http

share.context=share
share.host=localhost
share.port=8080
share.protocol=http

alfresco.rmi.services.host=0.0.0.0

I do not need to enable HTTPS; I do not understand what the keystore is for in my case.

Thanks in advance.
6 Replies
rguinot
Customer

Re: Keystores are invalid

This is about securing the (by default SSL) communication between the repository and the Solr-based index server, which relies on mutual authentication with certificates.
We do not have enough information to know why the keystores are invalid, but in any case it is recommended that you generate your own keys and certificates.
See http://wiki.alfresco.com/wiki/Alfresco_And_SOLR#Generating_New_SSL_Keys

Otherwise, you can use "embedded" Lucene by setting
index.recovery.mode=AUTO
index.subsystem.name=lucene

in alfresco-global.properties.

Or you can disable the communication between the index server and the repository (see the link above), but that is not recommended for security reasons.
bertrandf
Active Member

Re: Keystores are invalid

Hello,

Could you give a few more details about your installation, please?
The keystore concerns Solr, so that communication with the repository is secured.

The Alfresco docs that may help you:
http://docs.alfresco.com/4.0/topic/com.alfresco.enterprise.doc/concepts/solr-webapp-config.html
http://docs.alfresco.com/4.0/topic/com.alfresco.enterprise.doc/tasks/solr-SSL-single.html

[edit] Romain beat me to it :D
sibe
Active Member

Re: Keystores are invalid

Hi Kestu,

In your alfresco-global.properties file you never specify any Solr settings (maybe you did it through the Share admin console). On top of that, could you show us your tomcat-user.xml and server.xml files?

Otherwise, use embedded Lucene as Romain explained.
kestu
Member II

Re: Keystores are invalid

Hello,

Thank you for your answers.

I tried using Lucene, with the same message, then disabling Solr outright by adding the lines:

index.subsystem.name=solr
solr.host=localhost
solr.port=8080
solr.secureComms=none

Without success; still the "Keystores are invalid" error.

I thought it was not taking the configuration file into account, but it fails to connect to the database when I change the credentials, so that must not be it.

Otherwise, I do the operations over SSH, on a Linux server (CentOS). My Java version is 1.6.0, Alfresco is 4.0d, and I use MySQL 5.0.95 for the databases. If I am leaving out information (which I surely am), could you be more specific?

tomcat-user.xml file:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>

server.xml file:
<!-- Example Server Configuration File -->
<!-- Note that component elements are nested corresponding to their
     parent-child relationships with each other -->

<!-- A "Server" is a singleton element that represents the entire JVM,
     which may contain one or more "Service" instances.  The Server
     listens for a shutdown command on the indicated port.

     Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" or "Loggers" at this level.
-->

<Server port="8005" shutdown="SHUTDOWN">

  <!-- Comment these entries out to disable JMX MBeans support used for the
       administration web application -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>

  <!-- Global JNDI resources -->
  <GlobalNamingResources>

    <!-- Test entry for demonstration purposes -->
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>

    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
       description="User database that can be updated and saved"
           factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users.xml" />

  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" (and therefore the web applications visible
       within that Container).  Normally, that Container is an "Engine",
       but this is not required.

       Note:  A "Service" is not itself a "Container", so you may not
       define subcomponents such as "Valves" or "Loggers" at this level.
   -->

  <!-- Define the Tomcat Stand-Alone Service -->
  <Service name="Catalina">

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned.  Each Connector passes requests on to the
         associated "Container" (normally an Engine) for processing.

         By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
         You can also enable an SSL HTTP/1.1 Connector on port 8443 by
         following the instructions below and uncommenting the second Connector
         entry.  SSL support requires the following steps (see the SSL Config
         HOWTO in the Tomcat 5 documentation bundle for more detailed
         instructions):
         * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
           later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
         * Execute:
             %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
             $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA  (Unix)
           with a password value of "changeit" for both the certificate and
           the keystore itself.

         By default, DNS lookups are enabled when a web application calls
         request.getRemoteHost().  This can have an adverse impact on
         performance, so you can disable it by setting the
         "enableLookups" attribute to "false".  When DNS lookups are disabled,
         request.getRemoteHost() will return the String version of the
         IP address of the remote client.
    -->

    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <!-- Note : To disable connection timeouts, set connectionTimeout value
     to 0 -->

   <!-- Note : To use gzip compression you could set the following properties :

            compression="on"
            compressionMinSize="2048"
            noCompressionUserAgents="gozilla, traviata"
            compressableMimeType="text/html,text/xml"
   -->

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009"
               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

    <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
    <!-- See proxy documentation for more information about using this. -->
    <!--
    <Connector port="8082"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" acceptCount="100" connectionTimeout="20000"
               proxyPort="80" disableUploadTimeout="true" />
    -->

    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host). -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">
    -->

    <!-- Define the top level container in our container hierarchy -->
    <Engine name="Catalina" defaultHost="localhost">

      <!-- The request dumper valve dumps useful debugging information about
           the request headers and cookies that were received, and the response
           headers and cookies that were sent, for all requests received by
           this instance of Tomcat.  If you care only about requests to a
           particular virtual host, or a particular application, nest this
           element inside the corresponding <Host> or <Context> entry instead.

           For a similar mechanism that is portable to all Servlet 2.4
           containers, check out the "RequestDumperFilter" Filter in the
           example application (the source for this filter may be found in
           "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters").

           Note that this Valve uses the platform's default character encoding.
           This may cause problems for developers in another encoding, e.g.
           UTF-8.  Use the RequestDumperFilter instead.

           Also note that enabling this Valve will write a ton of stuff to your
           logs.  They are likely to grow quite large.  This extensive log writing
           will definitely slow down your server.

           Request dumping is disabled by default.  Uncomment the following
           element to enable it. -->
      <!--
      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
      -->

      <!-- Because this Realm is here, an instance will be shared globally -->

      <!-- This Realm uses the UserDatabase configured in the global JNDI
           resources under the key "UserDatabase".  Any edits
           that are performed against this UserDatabase are immediately
           available for use by the Realm.  -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <!-- Comment out the old realm but leave here for now in case we
           need to go back quickly -->
      <!--
      <Realm className="org.apache.catalina.realm.MemoryRealm" />
      -->

      <!-- Replace the above Realm with one of the following to get a Realm
           stored in a database and accessed via JDBC -->

      <!--
      <Realm  className="org.apache.catalina.realm.JDBCRealm"
             driverName="org.gjt.mm.mysql.Driver"
          connectionURL="jdbc:mysql://localhost/authority"
         connectionName="test" connectionPassword="test"
              userTable="users" userNameCol="user_name" userCredCol="user_pass"
          userRoleTable="user_roles" roleNameCol="role_name" />
      -->

      <!--
      <Realm  className="org.apache.catalina.realm.JDBCRealm"
             driverName="oracle.jdbc.driver.OracleDriver"
          connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
         connectionName="scott" connectionPassword="tiger"
              userTable="users" userNameCol="user_name" userCredCol="user_pass"
          userRoleTable="user_roles" roleNameCol="role_name" />
      -->

      <!--
      <Realm  className="org.apache.catalina.realm.JDBCRealm"
             driverName="sun.jdbc.odbc.JdbcOdbcDriver"
          connectionURL="jdbc:odbc:CATALINA"
              userTable="users" userNameCol="user_name" userCredCol="user_pass"
          userRoleTable="user_roles" roleNameCol="role_name" />
      -->

      <!-- Define the default virtual host
           Note: XML Schema validation will not work with Xerces 2.2.
       -->
      <Host name="localhost" appBase="webapps"
       unpackWARs="true" autoDeploy="true"
       xmlValidation="false" xmlNamespaceAware="false">

        <!-- Defines a cluster for this node,
             By defining this element, means that every manager will be changed.
             So when running a cluster, only make sure that you have webapps in there
             that need to be clustered and remove the other ones.
             A cluster has the following parameters:

             className = the fully qualified name of the cluster class

             clusterName = a descriptive name for your cluster, can be anything

             mcastAddr = the multicast address, has to be the same for all the nodes

             mcastPort = the multicast port, has to be the same for all the nodes

             mcastBindAddress = bind the multicast socket to a specific address

             mcastTTL = the multicast TTL if you want to limit your broadcast

             mcastSoTimeout = the multicast readtimeout

             mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat

             mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received

             tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes

             tcpListenAddress = the listen address (bind address) for TCP cluster request on this host,
                                in case of multiple ethernet cards.
                                auto means that address becomes
                                InetAddress.getLocalHost().getHostAddress()

             tcpListenPort = the tcp listen port

             tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS
                                  has a wakup bug in java.nio. Set to 0 for no timeout

             printToScreen = true means that managers will also print to std.out

             expireSessionsOnShutdown = true means that

             useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called.
                            false means to replicate the session after each request.
                            false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager)
                            <%
                            HashMap map = (HashMap)session.getAttribute("map");
                            map.put("key","value");
                            %>
             replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'.
                               * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication.
                               * Synchronous means that the thread that executes the request, is also the
                               thread the replicates the data to the other nodes, and will not return until all
                               nodes have received the information.
                               * Asynchronous means that there is a specific 'sender' thread for each cluster node,
                               so the request thread will queue the replication request into a "smart" queue,
                               and then return to the client.
                               The "smart" queue is a queue where when a session is added to the queue, and the same session
                               already exists in the queue from a previous request, that session will be replaced
                               in the queue instead of replicating two requests. This almost never happens, unless there is a
                               large network delay.
        -->
        <!--
            When configuring for clustering, you also add in a valve to catch all the requests
            coming in, at the end of the request, the session may or may not be replicated.
            A session is replicated if and only if all the conditions are met:
            1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND
            2. a session exists (has been created)
            3. the request is not trapped by the "filter" attribute

            The filter attribute is to filter out requests that could not modify the session,
            hence we don't replicate the session after the end of this request.
            The filter is negative, ie, anything you put in the filter, you mean to filter out,
            ie, no replication will be done on requests that match one of the filters.
            The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to.

            filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI
            ending with .gif and .js are intercepted.

            The deployer element can be used to deploy apps cluster wide.
            Currently the deployment only deploys/undeploys to working members in the cluster
            so no WARs are copied upons startup of a broken node.
            The deployer watches a directory (watchDir) for WAR files when watchEnabled="true"
            When a new war file is added the war gets deployed to the local instance,
            and then deployed to the other instances in the cluster.
            When a war file is deleted from the watchDir the war is undeployed locally
            and cluster wide
        -->

        <!--
        <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster"
                 managerClassName="org.apache.catalina.cluster.session.DeltaManager"
                 expireSessionsOnShutdown="false"
                 useDirtyFlag="true"
                 notifyListenersOnReplication="true">

            <Membership
                className="org.apache.catalina.cluster.mcast.McastService"
                mcastAddr="228.0.0.4"
                mcastPort="45564"
                mcastFrequency="500"
                mcastDropTime="3000"/>

            <Receiver
                className="org.apache.catalina.cluster.tcp.ReplicationListener"
                tcpListenAddress="auto"
                tcpListenPort="4001"
                tcpSelectorTimeout="100"
                tcpThreadCount="6"/>

            <Sender
                className="org.apache.catalina.cluster.tcp.ReplicationTransmitter"
                replicationMode="pooled"
                ackTimeout="15000"
                waitForAck="true"/>

            <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve"
                   filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>

            <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer"
                      tempDir="/tmp/war-temp/"
                      deployDir="/tmp/war-deploy/"
                      watchDir="/tmp/war-listen/"
                      watchEnabled="false"/>

            <ClusterListener className="org.apache.catalina.cluster.session.ClusterSessionListener"/>
        </Cluster>
        -->

        <!-- Normally, users must authenticate themselves to each web app
             individually.  Uncomment the following entry if you would like
             a user to be authenticated the first time they encounter a
             resource protected by a security constraint, and then have that
             user identity maintained across *all* web applications contained
             in this virtual host. -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all requests for this virtual host.  By
             default, log files are created in the "logs" directory relative to
             $CATALINA_HOME.  If you wish, you can specify a different
             directory with the "directory" attribute.  Specify either a relative
             (to $CATALINA_HOME) or absolute path to the desired directory.
        -->
        <!--
        <Valve className="org.apache.catalina.valves.AccessLogValve"
                 directory="logs"  prefix="localhost_access_log." suffix=".txt"
                 pattern="common" resolveHosts="false"/>
        -->

        <!-- Access log processes all requests for this virtual host.  By
             default, log files are created in the "logs" directory relative to
             $CATALINA_HOME.  If you wish, you can specify a different
             directory with the "directory" attribute.  Specify either a relative
             (to $CATALINA_HOME) or absolute path to the desired directory.
             This access log implementation is optimized for maximum performance,
             but is hardcoded to support only the "common" and "combined" patterns.
        -->
        <!--
        <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
                 directory="logs"  prefix="localhost_access_log." suffix=".txt"
                 pattern="common" resolveHosts="false"/>
        -->

      </Host>

    </Engine>

  </Service>

</Server>
rguinot
Customer

Re: Keystores are invalid

- you also have to disable SSL on the Solr side (alfresco.secureComms=none) in every solrcore.properties
- on the repository side, there is also a keystore for the encryption keys of the passwords of the external services (Twitter, etc.) that you have declared
- your tomcat-users.xml file does not contain the "users" associated with the certificate DNs at all
- the definition of the SSL connector in your server.xml file is invalid; it does not contain the keystore, truststore, etc. at all
- have you generated your own keys/certificates as suggested?

Reread the documentation.
Otherwise you can switch to embedded Lucene as indicated earlier; reread the previous messages.
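The checklist in the reply above (both ends agreeing on secureComms, an HTTPS connector that actually names a keystore and truststore and asks for a client certificate, and a tomcat-users.xml entry for the certificate DN) can be turned into a pre-flight script run before restarting Tomcat. The script below is an added example and is not code from Alfresco, Tomcat or anyone in this thread. It assumes the property names solr.secureComms and alfresco.secureComms as used in the thread, the Tomcat connector attributes keystoreFile, truststoreFile and clientAuth, and the convention that a certificate-authenticated Tomcat user is named by its certificate DN. The sample files are constructed: one pair mirrors the poster's situation (HTTPS connector still commented out, no DN-named users, secureComms=none set on the repository side only), the other is a corrected pair; the keystore paths, the DN and the passwords in it are placeholders.

```python
"""Pre-flight check for the repository <-> Solr transport settings.

Added example, not Alfresco's or Tomcat's code.  Assumed: the property names
solr.secureComms / alfresco.secureComms from the thread, the Tomcat connector
attributes keystoreFile, truststoreFile and clientAuth, and the convention
that the certificate-authenticated Tomcat user is named by its DN.
"""
import re
import xml.etree.ElementTree as ET


def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#' comments, ${ref} expansion."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    ref = re.compile(r"\$\{([^}]+)\}")  # e.g. dir.keystore=${dir.root}/keystore
    for key, value in list(props.items()):
        props[key] = ref.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return props


def check_transport(global_props, solrcore_props, server_xml, tomcat_users_xml):
    """Return a list of findings; empty means the files agree on a mutual-TLS setup."""
    findings = []
    # Assumed default "https": the thread's first reply says SSL is the default.
    repo_mode = parse_properties(global_props).get("solr.secureComms", "https")
    solr_mode = parse_properties(solrcore_props).get("alfresco.secureComms", "https")
    if repo_mode != solr_mode:  # both ends must agree, or one side rejects the other
        findings.append(f"secureComms mismatch: repository={repo_mode}, solr={solr_mode}")
    if repo_mode == solr_mode == "none":
        findings.append("warning: repository/Solr traffic is unauthenticated plain HTTP")
        return findings

    # TLS in use: the HTTPS connector must carry a keystore and truststore and ask
    # for a client certificate, or mutual authentication cannot take place.
    https = [c for c in ET.fromstring(server_xml).iter("Connector") if c.get("scheme") == "https"]
    if not https:
        findings.append("server.xml: no HTTPS connector defined (or still commented out)")
    for conn in https:
        for attr in ("keystoreFile", "truststoreFile"):
            if not conn.get(attr):
                findings.append(f"server.xml: connector {conn.get('port')} lacks {attr}")
        if conn.get("clientAuth") not in ("want", "true"):
            findings.append(f"server.xml: connector {conn.get('port')} does not request a client certificate")

    # The client certificate's DN must map to a Tomcat user, or the realm rejects it.
    users = ET.fromstring(tomcat_users_xml).iter("user")
    if not any(u.get("username", "").startswith("CN=") for u in users):
        findings.append("tomcat-users.xml: no user named by a certificate DN")
    return findings


# Constructed samples: the poster's situation (HTTPS connector commented out,
# no DN-named users) and a corrected pair.  Paths, DN and passwords are placeholders.
GLOBAL_PROPS = """
dir.root=/var/lib/alfresco/alf_data
dir.keystore=${dir.root}/keystore
index.subsystem.name=solr
solr.host=localhost
solr.port=8080
"""
SOLRCORE_PROPS = "alfresco.secureComms=https\n"
BROKEN_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <!-- <Connector port="8443" scheme="https" secure="true" clientAuth="false"/> -->
</Service></Server>"""
BROKEN_USERS_XML = """<tomcat-users>
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>"""
FIXED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
             sslProtocol="TLS" clientAuth="want"
             keystoreFile="/var/lib/alfresco/alf_data/keystore/ssl.keystore"
             keystorePass="KEYSTORE_PASSWORD_PLACEHOLDER"
             truststoreFile="/var/lib/alfresco/alf_data/keystore/ssl.truststore"
             truststorePass="TRUSTSTORE_PASSWORD_PLACEHOLDER"/>
</Service></Server>"""
FIXED_USERS_XML = """<tomcat-users>
  <role rolename="repoclient"/>
  <user username="CN=Alfresco Repository Client, O=EXAMPLE, C=FR" roles="repoclient" password="null"/>
</tomcat-users>"""

if __name__ == "__main__":
    for label, server, users in (("poster's files", BROKEN_SERVER_XML, BROKEN_USERS_XML),
                                 ("corrected files", FIXED_SERVER_XML, FIXED_USERS_XML)):
        print(label, check_transport(GLOBAL_PROPS, SOLRCORE_PROPS, server, users) or ["ok"])
```

Run against the poster's files the script reports the two structural gaps named in the reply (no live HTTPS connector, no DN-named user); adding solr.secureComms=none on the repository side alone, as the poster did, adds a secureComms mismatch finding instead of removing the others, which is exactly why that change did not help. Only when both sides say none does the script stop checking keystores, and then it flags the plain-HTTP posture so the trade-off is visible.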
kestu
Member II

Re: Keystores are invalid

Hello,

I had to define the server.xml and tomcat-users.xml files correctly for it to work. It works perfectly now.

Thank you for your answers.