
HowTo: Install/Config (3x 2008 R2 x64) LDAP SSO + Passthru + Email + IIS SSL Reverse Proxy + Sharepoint + Network Share + CIFS

Question asked by 102020 on Jan 24, 2013
Latest reply on Apr 8, 2013 by 102020
***  UPDATED 05/27/2015  ***
Greetz!
In this thread, I will be documenting my complete install process, which follows the enterprise version's 'best practice' when deploying Alfresco. By doing so, I'm hoping to simplify the whole process for those admins new to Alfresco, as it can be a little overwhelming at first.

*Note: This is a complete guide at this point, if you want some other option or feature added to this document, please let me know.

At the time of this writing, we are running Alfresco 5.0.d, operating on Windows 2008 R2 64-bit Servers.
As per best practice, I recommend having 3 separate servers at minimum for Alfresco to run smoothly, preferably over iSCSI or Fiber Channel, depending on your user count and workloads.

Firstly, let's describe the 3 servers you should have setup, 2 of which you should already have in your environment.
1) Application server - for the application layer of Alfresco (tomcat, apache, indexing etc happens here)
2) Database server - for the information storage, metadata, etc. We stayed with Postgres, but you optionally can run with MySQL as well (you could run MSSQL as well, but after testing with it, plus version updates on Alfresco, seemed more effort than it was really worth)
3) File server - sounds obvious, this is where all of your raw files will be kept plus versioning

Before jumping into this, I would like to make a reminder that you should either disable your windows firewall or open up the necessary ports for your PostgreSQL and file server shares, as well as any ports needed by Alfresco which you could document during the Alfresco install process. If you need a list of ports used by specific software, reference here: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Let's get started and start configuring the Database server.
Firstly, download the latest version of PostgreSQL from here: http://www.enterprisedb.com/products-services-training/pgdownload#windows
Once you have it downloaded - install it, we kept default ports, but that option is totally up to you.
After install is complete, open up pgAdmin, connect to your server and create a new database. I would recommend creating a new db user for security. The only points to take note of when creating your database are on the 2nd tab titled 'Definition': where it says 'Collation' and 'Character type', you need to select 'English_United States.1252' for both options. Once your database is created, you need to configure your listener so Alfresco can remotely connect. To do this, go to File > Open pg_hba.conf. Once opened, you will want 2 options to be enabled; they should look something like the following (note: || represents a new column)

Type  ||  Database  ||  User  ||  IP-Address    ||  Method  ||  Option
host  ||  all       ||  all   ||  127.0.0.1/32  ||  md5     ||
host  ||  all       ||  all   ||  ::1/128       ||  md5     ||
host  ||  all       ||  all   ||  X.X.X.0/24    ||  trust   ||

In the above diagram, be sure to change the X.X.X.0 to your actual LAN subnet, for example 192.168.1.0/24
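One thing worth checking before you leave pg_hba.conf: the `trust` method lets any host in that subnet connect as any database user with no password at all, so `md5` on the LAN row is the safer choice if your Alfresco server can supply the db password (it can, since the installer asks for it). The following script is an added example, not part of the original post; it parses a pg_hba.conf (a constructed sample mirroring the three rows above, with 192.168.1.0/24 standing in for X.X.X.0/24), flags password-less non-loopback rows, and shows the hardened rewrite.

```python
import ipaddress

# Constructed sample mirroring the three 'host' rows from the guide,
# with 192.168.1.0/24 standing in for X.X.X.0/24.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
host    all       all   127.0.0.1/32    md5
host    all       all   ::1/128         md5
host    all       all   192.168.1.0/24  trust
"""

def parse_pg_hba(text):
    """Return (type, database, user, address, method) tuples.

    'local' rows have no ADDRESS column and get address None.
    Anything after METHOD (auth options) is ignored.
    """
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "local":
            rows.append((parts[0], parts[1], parts[2], None, parts[3]))
        else:
            rows.append((parts[0], parts[1], parts[2], parts[3], parts[4]))
    return rows

def _is_loopback(address):
    """True for 127.0.0.1/32 and ::1/128. Hostnames and keywords such as
    'samenet' cannot be verified offline and are treated as remote."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False

def find_weak_entries(text):
    """(address, method) pairs that let a non-loopback network in with no
    password ('trust') or a cleartext one ('password')."""
    weak = []
    for _type, _db, _user, addr, method in parse_pg_hba(text):
        if addr is None or _is_loopback(addr):
            continue
        if method in ("trust", "password"):
            weak.append((addr, method))
    return weak

def harden(text):
    """Rewrite 'trust' on non-loopback host rows to 'md5' so the Alfresco
    db user must present its password. Comment lines are kept as-is."""
    out = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if (len(parts) >= 5 and parts[0] != "local"
                and parts[4] == "trust" and not _is_loopback(parts[3])):
            parts[4] = "md5"
            raw = "  ".join(parts)
        out.append(raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for addr, method in find_weak_entries(SAMPLE_PG_HBA):
        print(f"weak: {addr} uses {method}")
    print(harden(SAMPLE_PG_HBA))
```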

Once you have completed the above, we can now move onto the file server.

The file server, in all honesty, is probably the easiest part of this whole build. Simply create your folder, right click, select 'Share With' > 'Specific People…'. From there, click on the drop-down and select 'Find People…'. At this point (I would greatly assume you are in a domain), search for your domain admin, probably administrator. Once selected, make sure to give Read/Write access to your domain admin, as Alfresco will need that to write files over the network share.

From here, sit down and pat yourself on the back, you've only got 1 more server to go!

Let's now start working on the actual Alfresco application server itself. I would recommend (especially if you are new), to use the installer packages. Before downloading your Alfresco package, let me point you to the 2 links for downloads:
http://wiki.alfresco.com/wiki/Download_and_Install_Alfresco This is the official community release. I HIGHLY recommend looking at the release notes to see what was fixed, or scouring the forums to see what is BROKEN. As a best practice though, I would always stay 1 subversion below what is listed if you are planning to put this into production; it will save you loads of headaches if something sprouts up that you were not expecting to debug. A perfect example is community release 4.2.c, where many (myself included) have noted that the 'Edit Online' functionality stopped working (and that is a rather important feature for most) - this is why I used to run 4.2.d from the nightly SVN.
If you agree with what I've said here, you can access the previous versions from here: http://wiki.alfresco.com/wiki/Category:Community_Edition
http://dev.alfresco.com/downloads/nightly/dist/ This is the link for the nightly builds, if you happen to be feeling lucky.

*** AS A BEST PRACTICE IF YOU ARE WANTING THIS FOR PRODUCTION, RUN 1 BUILD VERSION DOWN, UNLESS YOU ARE KNOWLEDGED ENOUGH ON DEBUGGING ***

First thing, let's install our own version of Java instead of the built-in version. Over time, I have seen the Alfresco packaged installer fail to install certain things, such as Java, PostgreSQL, etc. Personally I'm at the point where I would rather control these items myself to reduce hassle.
Download and install jdk-7u65 (latest v7): http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html

So you should now have your Alfresco installer package, let's get started by running the install (duh). Once you are into the installation, you will come across a screen giving you the option of 'Easy' or 'Advanced'. You will want to choose 'Advanced' and proceed to the next page. A component selection page will now show, you want to UN-SELECT PostgreSQL and Java. You could also un-select Google Docs Integration if you have no intentions of using it too. On the next page, select your install location, default location should be fine. Next page will give you database configuration, you will be prompted with the following fields/values:


JDBC URL: jdbc:postgresql://localhost/alfresco
JDBC Driver: org.postgresql.Driver
Database name: alfresco
Username:
Password:
Verify:


Firstly, on the JDBC URL, replace the word 'localhost' with either the hostname or FQDN of your database server.
If the database you created back on your database server IS NOT called 'alfresco', rename it to what ever you called it when creating (still on the JDBC URL).
The JDBC Driver can be left alone, unless you decided to use MySQL, but that will not be covered here.
Database name should reflect the database name on the JDBC URL that you just changed (or kept).
Username / Password should be straightforward, enter the credentials you created back on your database server.

Here is an example of what it could look like depending what options you chose:

JDBC URL: jdbc:postgresql://MyDataBaseServer.MyFQDN.com/alfrescoDB
JDBC Driver: org.postgresql.Driver
Database name: alfrescoDB
Username: alfrescoUSR
Password: alfrescoPWD
Verify: alfrescoPWD


We can now proceed to the next screen, which will give you your port numbers. If you are running a firewall on this server, I would recommend writing these down for reference. On this page, you don't really have to change anything, unless you want to run http on port 80, then change 8080 to 80. Same thing if you want to run over https: change 8443 to 443. After you have your ports set up how you would like, keep clicking next until you come to the Admin Password page. This is the admin account to log in to the GUI once we are all set up - so create a password that you will remember. Once set, click next a few times until you get to Service Startup Configuration. You should (if you are going to be putting this into production) select 'Auto - Configure servers to start automatically'. Simply put, when you turn the server on, tomcat will start up and you will have a running Alfresco. Now click next until the install process starts - once it has completed, you will be prompted with 3 check boxes, just UN-SELECT all 3 and click finish as we DO NOT want to actually start Alfresco just yet.

Now let's start working on the configuration, most of which is contained within alfresco-global.properties.
Go ahead and browse to: c:\alfresco\tomcat\shared\classes and open alfresco-global.properties

Let's start off with changing where the files will be stored, as we want them to be saved over the network. But before we start making config changes, go into services. Start > services.msc
Find the service called 'Apache Tomcat alfrescoTomcat' and pull up the properties. Once opened, click on the 'Log On' tab and change the radio option from 'Local System account' to 'This account'. Basically you want to plug in the user that you created the network share with (we assumed administrator before). Once you have the user in there that has read/write on your alfresco network share, be sure to put in the password too (the ******** that's in there will get you nowhere, so make sure you do it!). Once updated, save the change and close out of the services snap-in.

Jump back over to your alfresco-global.properties file and add the following 2 lines under dir.root:

dir.contentstore=\\\\MyFileServer.MyFQDN.com\\MyShareName\\contentstore
dir.contentstore.deleted=\\\\MyFileServer.MyFQDN.com\\MyShareName\\contentstore.deleted

Be sure to update 'MyFileServer.MyFQDN.com' with your actual server information. Be sure to update MyShareName with the folder you shared on your network share too.

Congratulations, you now have a working network share connected to Alfresco!

At this point, we need to start, and then stop Alfresco as we need it to create some initial files before we move on.
In your programs, you will find 'Manager Tool'. Open it up and click 'Start'. Depending on the specs of your system, this could take a few minutes. Usually it will load everything up within 5 minutes. Once it's started, bring up the web gui to make sure you can login. It should be something like: https://MyAlfrescoServer:8443/share
If you can login using admin as username and the initial password you set, you are good. You can then go back to the 'Manager Tool' and turn off Alfresco.

*Note: If you are in a domain, you should add your FQDN to the intranet sites within IE so your SSO can work correctly; it appears that in IE9/10 they have changed the detection method, so this should be done. Adding this resolves the Sharepoint login prompt as well.

Let's now move on to setting up the email system so you can receive invites and notifications (if desired).
Basically, copy and paste the following anywhere in your alfresco-global.properties file:

### E-mail site invitation setting ###
notification.email.siteinvite=true
activities.feed.notifier.enabled=false
mail.host=xxx.xxx.xxx.xxx
mail.port=25
mail.encoding=UTF-8
mail.from.default=no-reply@fqdn.com
mail.from.enabled=false
mail.protocol=smtp
mail.smtp.auth=false
mail.smtp.debug=false
mail.smtp.timeout=30000
mail.smtp.starttls.enable=false
mail.smtps.auth=false
mail.smtps.starttls.enable=false


With the above, you may have to play with some of these settings depending how your email server works. The key lines you want to update are:
mail.host
mail.from.default
mail.username
mail.password
Optionally, you can change activities.feed.notifier.enabled from false to true if you would like; what that option does is send an activity feed to your Alfresco users on what activities have taken place - personally I think it's overkill since there already is a feed once you login to Alfresco.

Next, we will go and setup passthru and ldap at the same time. Anywhere in your alfresco-global.properties file, paste the following:

### Authentication ###
authentication.chain=passthru1:passthru,alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad

ntlm.authentication.sso.enabled=true
alfresco.authentication.allowGuestLogin=true
alfresco.authentication.authenticateCIFS=false
passthru.authentication.useLocalServer=false
passthru.authentication.domain=MyFQDN.com
passthru.authentication.servers=MyADServer.MyFQDN.com\\X.X.X.X
passthru.authentication.guestAccess=true
passthru.authentication.defaultAdministratorUserNames=admin
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true

### LDAP Integration ###
synchronization.authCreatePeopleOnLogin=false
ldap.authentication.active=false
ldap.synchronization.active=true
ldap.authentication.java.naming.provider.url=ldap://MyADServer.MyFQDN.com:389
ldap.synchronization.java.naming.security.principal=administrator@MyFQDN.com
ldap.synchronization.java.naming.security.credentials=MyLittleSecret
ldap.synchronization.groupSearchBase=ou=MyGroups,dc=MyFQDN,dc=com
ldap.synchronization.userSearchBase=ou=MyUsers,dc=MyFQDN,dc=com


You will want to update the following with your own values:
passthru.authentication.domain
passthru.authentication.servers
ldap.authentication.java.naming.provider.url
ldap.synchronization.java.naming.security.principal
ldap.synchronization.java.naming.security.credentials
ldap.synchronization.groupSearchBase
ldap.synchronization.userSearchBase
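The backslashes in this file trip people up: alfresco-global.properties is read with java.util.Properties rules, so `\\\\server\\share` in the file becomes `\\server\share`, and a stray `\` before a letter silently disappears. The script below is an added example, not part of the original post or of Alfresco; it reads a constructed sample built from the dir.contentstore and authentication snippets above using those rules, and then runs the checks a reviewer of this config would want (UNC paths decoded correctly, search bases clean, and the two settings that widen access).

```python
# Constructed sample assembled from the guide's own property snippets.
SAMPLE_PROPS = r"""
### Content store on the network share ###
dir.contentstore=\\\\MyFileServer.MyFQDN.com\\MyShareName\\contentstore
dir.contentstore.deleted=\\\\MyFileServer.MyFQDN.com\\MyShareName\\contentstore.deleted
### Authentication ###
authentication.chain=passthru1:passthru,alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad
passthru.authentication.domain=MyFQDN.com
passthru.authentication.guestAccess=true
ldap.synchronization.java.naming.security.credentials=MyLittleSecret
ldap.synchronization.groupSearchBase=ou\=MyGroups,dc\=MyFQDN,dc=com
ldap.synchronization.userSearchBase=ou\=MyUsers,dc=\MyFQDN,dc=com
"""

_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def unescape(value):
    """java.util.Properties escape rules: '\\\\' -> '\\', '\\=' -> '=',
    and an unknown escape such as '\\M' simply drops the backslash."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(_ESCAPES.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def load_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comment lines, the first
    unescaped '=', ':' or whitespace ends the key, escapes decoded in key and
    value. Line continuations and unicode escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, i = [], 0
        while i < len(line):
            if line[i] == "\\" and i + 1 < len(line):   # keep escape pair intact
                key.append(line[i:i + 2])
                i += 2
                continue
            if line[i] in "=:" or line[i].isspace():
                break
            key.append(line[i])
            i += 1
        rest = line[i:].lstrip()
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip()
        props[unescape("".join(key))] = unescape(rest)
    return props

def audit(props):
    """Findings a reviewer of this alfresco-global.properties would raise."""
    findings = []
    for k in ("dir.contentstore", "dir.contentstore.deleted"):
        v = props.get(k, "")
        if not v.startswith("\\\\"):
            findings.append(f"{k}: expected a UNC path after decoding, got {v!r}")
    for k in ("ldap.synchronization.groupSearchBase",
              "ldap.synchronization.userSearchBase"):
        rdns = props.get(k, "").split(",")
        if not all("=" in r and "\\" not in r for r in rdns):
            findings.append(f"{k}: search base does not decode to a clean DN")
    if props.get("passthru.authentication.guestAccess") == "true":
        findings.append("passthru.authentication.guestAccess=true: failed "
                        "pass-through logins fall back to guest access")
    if props.get("ldap.synchronization.java.naming.security.credentials"):
        findings.append("LDAP sync bind password is stored in cleartext; "
                        "use a low-privilege sync account and restrict file ACLs")
    return findings

if __name__ == "__main__":
    for finding in audit(load_properties(SAMPLE_PROPS)):
        print("-", finding)
```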

Now if you want to enable user quotas, add the following into the same file:

### Quotas ###
system.usages.enabled=true


Next, we need to edit share-config-custom.xml, located: c:\alfresco\tomcat\shared\classes\alfresco\web-extension
Find:

   <!--
   <config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
        
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
        
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SsoUserHeader</userHeader>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>
   -->


And remove the
<!-- and -->

This is a needed step for SSO login to work.


Let's setup CIFS so we can map the alfresco sites 'document libraries' as network drives. First things first, let's go into our alfresco-global.properties file again and add the following:

### CIFS ###
cifs.enabled=true
cifs.serverName=alfrescoA
cifs.hostannounce=true
cifs.domain=
cifs.broadcast=X.X.X.X
cifs.localname=${localname}A
cifs.urlfile.prefix=http://${localname}:8080/alfresco/


The items you want to change here are:
cifs.serverName > enter your server's hostname. !Important, add the letter 'A' after your name; not sure on the reasoning behind it, but it's the only way it works.
cifs.domain > you can leave it blank and it will use the workgroup/domain you are joined to, or you can override it if you wish.
cifs.broadcast > enter your alfresco server IP.

Optionally, you can add the next block of properties, this bit will show/hide the Alfresco generated icons in the CIFS drive.


cifs.pseudoFiles.enabled=false
cifs.pseudoFiles.explorerURL.enabled=false
cifs.pseudoFiles.explorerURL.fileName=__Alfresco.url
cifs.pseudoFiles.shareURL.enabled=false
cifs.pseudoFiles.shareURL.fileName=__Share.url


Save the file, we are done with this section. Now we need to enable NetBIOS over TCP/IP.
Go to Control Panel\Network and Internet\Network and Sharing Center > Change Adapter Settings > Local Area Connection > Properties.
Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties.
On the General tab, select Advanced and then select the WINS tab.
Click Add and then add the IP address of the WINS server in your network and select Enable NetBIOS over TCP/IP.
Click OK > OK > OK.

If you have the firewall turned on, you probably want to set this too:
Open Control Panel\Network and Internet\Network and Sharing Center > Windows Firewall > Advanced Settings.
Select Inbound Rules.
On the right-side of the window, click New Rule.
Follow the instructions on the wizard:
Rule Type > Port, Next.
Rule apply to "TCP", Specific Local Ports > 445, Next,
Action > Block the connection, Next,
Profile > Select ALL network types (Domain, Public, Private)
Name > "Alfresco CIFS (Block 445)", Description the same.
Select Finish.

AND

Open the Control Panel\Network and Internet\Network and Sharing Center > Windows Firewall > Advanced Settings.
Select Inbound Rules.
On the right-side of the window, click New Rule.
Follow the instructions on the wizard:
Rule Type > Port, Next.
Rule apply to "TCP", Specific Local Ports > 137,138,139, Next,
Action > Allow the connection, Next,
Profile > Select ALL network types (Domain, Public, Private)
Name > "Alfresco CIFS (Allow 137,138,139)", Description the same.
Select Finish.

Lastly, you need to configure your XP/7 Clients, follow this:
Go to Control Panel\Network and Internet\Network and Sharing Center > Change Adapter Settings > Local Area Connection > Properties.
Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
On the General tab, select Advanced and then select the WINS tab.
Click Add and then add the IP address of the WINS server in your network and select Enable NetBIOS over TCP/IP.
Click OK > OK > Close.
NOTE: You could set NetBIOS over TCP/IP through DHCP too if you are pushing DHCP from a Windows server too.
Use the net use R: \\{HOSTNAME}A\Alfresco * /USER:admin command to check your connection.
If the WINS server works correctly, you are then connected to Alfresco CIFS successfully.
On your Alfresco server, you need to disable: 'File and Printer Sharing for Microsoft Networks', this will make Windows 7 CIFS work.


Follow these steps to setup an IIS 7.5 Reverse Proxy. A lot of people are using Apache Reverse Proxy, but since we are running in a Windows environment, it logically made more sense to run this method.

Setup reverse proxy to wrap the connection with SSL. On your Alfresco machine, install IIS with default options.
Once installed download and install the following files:
URL Rewrite: http://www.iis.net/expand/URLRewrite
Application Request Routing: http://www.iis.net/expand/ApplicationRequestRouting

Open up IIS Manager, click on your server name, and on the main panel, open Application Request Routing. On the right hand column, click Server Proxy Settings…
Simply click Enable proxy, and then apply on the right.
Return to the same screen as before, and open Server Certificates, import your SSL cert (.pfx file is the easiest way to do that)
Now expand Sites, and select Default Web Site, and open URL Rewrite. On the right column, select Add Rule(s)…
You will get a popup, select Reverse Proxy from the list. Enter your non-ssl alfresco url, such as: hostname.fqdn.com:8080
OK, now on the right column again, select Bindings, add your https binding and the certificate you want to tie to it. I would remove the http binding if you are not using it.
Save, and we are almost done!

Copy ALL of the content from C:\Alfresco-4.2.f\tomcat\webapps\share\WEB-INF\classes\alfresco\share-security-config.xml
*Note: You may want to open it using 'DAMN NFO Viewer', as the formatting is screwed up in this file if you open in notepad.

We need to edit share-config-custom.xml, located: C:\alfresco\tomcat\shared\classes\alfresco\web-extension

Paste the content you copied to the bottom of the share-config-custom.xml file

***You want to change the following 2 values:

<referer></referer>
<origin></origin>


they should look something like the below once you input your info:

<referer>https://hostname.fqdn.com/.*</referer>
<origin>https://hostname.fqdn.com</origin>


Make sure on the referer line you have the /.* at the end. That's all for now, save and close.

Now let's go try it out after starting up your Alfresco instance. Simply go to https://hostname.fqdn.com/share
and you should be all wrapped up in SSL!
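Why the `/.*` matters: Share's CSRF filter treats the `<referer>` and `<origin>` values as regular expressions that must match the whole header value, so a bare `https://hostname.fqdn.com` would reject every legitimate Referer (which always carries a path). The block below is an added illustration of that rule, not Alfresco's own filter code; it applies the two patterns from the guide to a few constructed requests.

```python
import re

# The two values from share-config-custom.xml above. Note that '.' is a regex
# metacharacter, so these patterns are slightly looser than the literal host.
REFERER_PATTERN = r"https://hostname.fqdn.com/.*"
ORIGIN_PATTERN = r"https://hostname.fqdn.com"

def header_allowed(pattern, value):
    """True when the header is absent (the assertion is skipped, as it is in
    Share) or when the whole header value matches the configured pattern."""
    if value is None:
        return True
    return re.fullmatch(pattern, value) is not None

def csrf_request_ok(headers, referer_pattern=REFERER_PATTERN,
                    origin_pattern=ORIGIN_PATTERN):
    """Apply the Referer and Origin assertions to one state-changing request.
    headers: dict with optional 'Referer' and 'Origin' keys."""
    if not header_allowed(referer_pattern, headers.get("Referer")):
        return False
    if not header_allowed(origin_pattern, headers.get("Origin")):
        return False
    return True

# Constructed sample requests.
LEGIT = {"Referer": "https://hostname.fqdn.com/share/page/site/x/documentlibrary",
         "Origin": "https://hostname.fqdn.com"}
CROSS_SITE = {"Referer": "https://evil.example/page",
              "Origin": "https://evil.example"}
PLAIN_HTTP = {"Referer": "http://hostname.fqdn.com/share/page",
              "Origin": "http://hostname.fqdn.com"}
LOOKALIKE = {"Referer": "https://hostname.fqdn.com.evil.example/share/page",
             "Origin": "https://hostname.fqdn.com.evil.example"}

if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("cross-site", CROSS_SITE),
                      ("plain http", PLAIN_HTTP), ("lookalike", LOOKALIKE)]:
        print(f"{name:11s} -> {csrf_request_ok(req)}")
    # Without the trailing /.* even the legitimate request is rejected.
    print("legit without /.* ->", csrf_request_ok(LEGIT, referer_pattern=ORIGIN_PATTERN))
```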


With all that said, you now have a full config and should be ready to go into production.
Hope this helps all those who can be super confused by the wiki.

Additional Fix! If you have users with 1020x768, or even running an older projector, you'll find that the document preview is only 80px tall, which renders it useless. This bug was identified in v4.1.4 and apparently fixed, but on 4.2.d it seems to still be there. To fix, edit c:\alfresco\tomcat\webapps\share\css\tablet.css
Search for:

.web-preview .previewer {
   height: auto !important;
}


Right after the 'height' parameter, add a new line and add:

   min-height: 410px;



Another quick fix if you are embedding flash elements: the sizing on embeds seems quirky as well. To fix this, edit c:\alfresco\tomcat\webapps\share\components\preview\web-preview.css
Search for:

.web-preview .previewer video {
   max-height: 325px;
}


After it, add:

.web-preview .previewer embed {
   min-height: 410px;
}


No need to restart for 1st fix, 2nd fix needs Alfresco restart.


Disable the 'Create Site' function for all but Admins:
edit C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\public-services-security-context.xml
Find:

org.alfresco.service.cmr.site.SiteService.createSite=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_ALLOW


Replace with:

org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ROLE_ADMINISTRATOR


Hide the 'Create Site' button for all but Admin (drop down menu):
edit C:\Alfresco\tomcat\webapps\share\WEB-INF\classes\alfresco\site-webscripts\org\alfresco\modules\header\sites.get.html.ftl
Find:

      <ul class="create-site-menuitem">
         <li>
            <a href="#" onclick="Alfresco.util.ComponentManager.get('${id_js}').showCreateSite(); return false;">${msg("label.create-site")}</a>
         </li>
      </ul>


Add before the UL:

<#if user.isAdmin>


Add after the /UL:

</#if>


Hide the 'Create Site' button for all but Admin (my sites widget):
edit C:\Alfresco\tomcat\webapps\share\WEB-INF\classes\alfresco\site-webscripts\org\alfresco\components\dashlets\my-sites.get.html.ftl
Find:

                  <span class="first-child">
                     <a href="#" id="${id}-createSite-button" class="theme-color-1">
                        <img src="${url.context}/res/components/images/site-16.png" style="vertical-align: text-bottom" />
                        ${msg("link.createSite")}</a>
                  </span>


Add before the SPAN:

<#if user.isAdmin>


Add after the /SPAN:

</#if>






UPGRADE PROCESS
The following is my documentation on upgrading from 4.x.x to 4.x.x.
First things first, if you are using a nightly build, you MUST upgrade to the stable release of said build. So if you are using say nightly build of 4.2.d, you need to upgrade it to 4.2.d stable before upgrading to say 4.2.e.

First thing you want to do is shutdown alfresco and modify your alfresco-global.properties file. Change your indexing system to look like the below:

index.subsystem.name=noindex


The key is to change from solr/lucene to noindex, and comment out the rest for now.

Next, and most important, create a full backup of your alfresco directory and your database to cover yourself in a worst case.
Start up the alfresco system, once it's fully loaded, shut it down. At this point, the older version of alfresco is ready to move.

Go ahead and install your newer build of alfresco. Be sure to install it to a different directory. If you installed to c:\alfresco-4.2.d, then install new version to c:\alfresco-4.2.e. Go through your setup process like usual, but at the last screen, uncheck all the boxes as we DO NOT want to start the new alfresco just yet.

From here, copy your contentstore and contentstore.deleted from the old build to the new build (usually in c:\alfresco\alf_data).

Next you need to create a new Postgresql database. Go ahead and create it like you would have previously, again be sure to name it different from your previous database. If your old db name is alfresco_42d, create new db as alfresco_42e.

Now let's jump into DOS and go to: c:\program files\postgresql\9.3\bin (replace 9.3 with the version you are running; you can always upgrade your db version, but that is not covered in this document).

Run the following command to backup the old database:
pg_dump -U alfresco -Fc alfresco_42d > alfresco42d.pgb

Take note that 'alfresco' is your db username if you followed my original document. alfresco_42d is your database name.

Now run the following command to restore to the new database:
pg_restore -U alfresco -d alfresco_42e alfresco42d.pgb

Again, take note in username and NEW database name.

Just a note: if you have LDAP setup on the old system, you will want to add that into your NEW alfresco-global.properties before starting the system up.

Now let's go and make a change to alfresco-global.properties for the NEW build.
We want to make the same change to indexing we made to the old build:

index.subsystem.name=noindex


Now start your new build up, check your logs to make sure the patches are being applied. Once it's loaded, shut down, and change the indexing back to your original option, in my case:

index.subsystem.name=solr


Start the system back up, and if all went well, you have successfully upgraded. Now it's a matter of re-deploying your custom configs and away you go!
