Wednesday, September 19, 2012

How to renew Alfresco Solr SSL certificate

This information applies only to Alfresco (Enterprise) 4.x versions.

There needs to be two-way communication between the Alfresco server and the SOLR server. So that no one else can abuse this communication channel, it is secured by HTTPS encryption and mutual client certificate authentication, which means each side must trust the other's certificate.
There are three important points involved in setting up this mutual trust relationship:
  • Creating a 'keystore directory' and configuring the Alfresco and Solr servers to use it.
  • Generating and installing your own 'secure certificates'.
  • Replacing default certificates and handling 'certificate expiry'.

If you installed Alfresco and SOLR via the Installation Wizard, there is no need to perform step 1, as the directory and associated configuration will already be present. You can proceed straight to step 2.
If you installed SOLR manually, please carefully review steps 1 and 2; otherwise, without configuring your own keystore directory, you may be picking up the expired default keys.

1. Creating a keystore directory and configuring the Alfresco and Solr Servers to use it
The following instructions assume SOLR has already been extracted and configured.
Below, ALFRESCO_TOMCAT_HOME refers to the tomcat directory where Alfresco is installed, and "the Solr tomcat directory" to the tomcat directory where Solr is installed. These may be the same or different directories, depending on whether you have chosen to install Solr on a standalone server or on the same server as Alfresco.
  • Ensure that Alfresco has already been started at least once, i.e. the ALFRESCO_TOMCAT_HOME/webapps/alfresco/WEB-INF directory exists.
  • Create and populate a keystore directory for the Alfresco and SOLR servers. By convention, we will create this in /alf_data/keystore. Please note that at this stage the keystore directory is just a template, containing the standard keys available to everybody. To secure the installation you must carry out the steps to generate new keys, specified in section 2.
    • Linux/Unix (replace ALFRESCO_TOMCAT_HOME with the real path):

          mkdir -p /alf_data/keystore
          cp ALFRESCO_TOMCAT_HOME/webapps/alfresco/WEB-INF/classes/alfresco/keystore/* /alf_data/keystore

    • Windows (replace ALFRESCO_TOMCAT_HOME with the real path):

          mkdir \alf_data\keystore
          copy ALFRESCO_TOMCAT_HOME\webapps\alfresco\WEB-INF\classes\alfresco\keystore\* \alf_data\keystore


  • Configure the Alfresco and SOLR tomcats to use the keystore and truststore for https requests, by editing the specification of the connector on port 8443 in ALFRESCO_TOMCAT_HOME/conf/server.xml and in the Solr tomcat directory's conf/server.xml as follows, remembering to replace /alf_data/keystore with the full path to your keystore directory:

          <Connector port="8443" maxThreads="150" scheme="https" keystoreFile="/alf_data/keystore/ssl.keystore" keystorePass="kT9X6oe68t" keystoreType="JCEKS"
                     secure="true" connectionTimeout="240000" truststoreFile="/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t" truststoreType="JCEKS"
                     clientAuth="false" sslProtocol="TLS" />
  • Configure Alfresco itself to use the keystore and truststore for client requests to SOLR, by specifying dir.keystore in ALFRESCO_TOMCAT_HOME/shared/classes/alfresco-global.properties, remembering to replace /alf_data/keystore with the full path to your keystore directory
          dir.keystore=/alf_data/keystore
  • Configure an identity for the Alfresco server. In ALFRESCO_TOMCAT_HOME/conf/tomcat-users.xml, add the following. Note that you can choose a different username, such as the host name of the Alfresco server, but it must match the REPO_CERT_DNAME you will later specify in the keystore in section 2.
  • Configure an identity for the Solr server. In the Solr tomcat directory's conf/tomcat-users.xml, add the following. Note that you can choose a different username, but it must match the SOLR_CLIENT_CERT_DNAME you will later specify in the keystore in section 2.
  • To complete the installation, it is necessary to secure communications by generating your own keys. See section 2.
2. Generating and installing your own secure certificates
Use these instructions to replace or update the keys used to secure communications between Alfresco and SOLR, using secure keys specific to your Alfresco installation.
NOTE: If applying these instructions to a clustered installation, the steps should be carried out on a single host, and the generated .keystore and .truststore files must then be copied to (and used on) all other hosts in the cluster.
The following instructions assume that solr has been extracted and a keystore directory has already been created, either automatically by the Alfresco installer, or manually by following the instructions in section 1.
  • Obtain the file generate_keystores.sh (for Linux and Solaris) or generate_keystores.bat (for Windows) from the Customer Support website under 'Online Resources > Downloads > Alfresco Enterprise 4.x > '
  • Edit the environment variables at the beginning of the file to match your environment
If you are updating an environment created by the Alfresco installer, you will only need to edit ALFRESCO_HOME to specify the correct installation directory
For manual installations, carefully review ALFRESCO_KEYSTORE_HOME, SOLR_HOME, JAVA_HOME, REPO_CERT_DNAME and SOLR_CLIENT_CERT_DNAME and edit as appropriate.
  • Run the edited script
  • You should see the message 'Certificate update complete' and another message reminding you what dir.keystore should be set to in alfresco-global.properties
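Once the script reports 'Certificate update complete', it is worth confirming that the stores really hold fresh certificates rather than the expired defaults, and the same check can be scheduled so the next expiry is caught before Solr queries start failing. The script below is an added example and is not part of this post or of the Alfresco scripts. It runs the JDK keytool (which the page's generate_keystores scripts also rely on via JAVA_HOME) against a keystore and reports every alias that is already expired or expires within a warning window. The keystore path, store password, alias names and dates in SAMPLE_KEYTOOL_OUTPUT are constructed for the example, and the date layout assumed is the one keytool prints on an English-locale JVM.

```python
import re
import subprocess
import sys
from datetime import datetime

# Constructed sample of `keytool -list -v` output. The aliases, subject names
# and dates are made up for this example; only the line layout matters.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

Alias name: ssl.repo
Creation date: 01-Jul-2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Alfresco Repository, O=Example Ltd, C=GB
Issuer: CN=Alfresco CA, O=Example Ltd, C=GB
Valid from: Sun Jul 01 10:00:00 BST 2012 until: Mon Jul 01 10:00:00 BST 2013

Alias name: ssl.alfresco.ca
Creation date: 01-Jul-2012
Entry type: trustedCertEntry
Owner: CN=Alfresco CA, O=Example Ltd, C=GB
Issuer: CN=Alfresco CA, O=Example Ltd, C=GB
Valid from: Sun Jul 01 10:00:00 BST 2012 until: Tue Jul 01 10:00:00 BST 2014
"""

VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$", re.MULTILINE)


def parse_keytool_date(text):
    """Parse a keytool date such as 'Mon Jul 01 10:00:00 BST 2013'.

    The zone token depends on the JVM locale, so it is dropped and the
    timestamp is treated as naive; a few hours of skew do not matter for an
    expiry warning measured in days.
    """
    parts = text.strip().split()
    if len(parts) == 6:          # weekday month day time zone year
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def certificate_expiries(keytool_output):
    """Map each alias to the 'until' date of the first certificate in its entry."""
    expiries = {}
    # Each entry starts with an 'Alias name:' line; split the listing on those.
    for block in re.split(r"^Alias name: ", keytool_output, flags=re.MULTILINE)[1:]:
        alias, _, body = block.partition("\n")
        match = VALID_RE.search(body)
        if match:
            expiries[alias.strip()] = parse_keytool_date(match.group(2))
    return expiries


def expiring_aliases(expiries, now, warn_days=30):
    """Return [(alias, days_left)] for entries already expired or expiring
    within warn_days, soonest first. days_left is negative once expired."""
    hits = [(alias, (until - now).days) for alias, until in expiries.items()]
    return sorted([h for h in hits if h[1] <= warn_days], key=lambda h: h[1])


def run_keytool(keystore, storepass, storetype="JCEKS", keytool="keytool"):
    """Run the JDK keytool (assumed to be on PATH; otherwise pass
    JAVA_HOME/bin/keytool) and return its verbose listing of the store."""
    cmd = [keytool, "-list", "-v", "-keystore", keystore,
           "-storetype", storetype, "-storepass", storepass]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: check_keystore_expiry.py <keystore file> <store password> [warn days]
    # e.g. /alf_data/keystore/ssl.keystore with the keystorePass from server.xml.
    # With no arguments the constructed sample listing is checked instead.
    if len(sys.argv) < 3:
        listing, label = SAMPLE_KEYTOOL_OUTPUT, "constructed sample"
    else:
        listing, label = run_keytool(sys.argv[1], sys.argv[2]), sys.argv[1]
    warn = int(sys.argv[3]) if len(sys.argv) > 3 else 30
    problems = expiring_aliases(certificate_expiries(listing), datetime.now(), warn)
    for alias, days in problems:
        state = "EXPIRED" if days < 0 else "expires in %d days" % days
        print("%s: %s %s" % (label, alias, state))
    sys.exit(1 if problems else 0)
```

Run it against ssl.keystore, ssl.truststore and each ssl.repo.client.keystore/truststore in turn; a non-zero exit status makes it easy to hook into cron or a monitoring check. Because the 'timestamp check failed' error in section 3 is raised by the validator on either side of the connection, both the repository's and Solr's stores need checking, not just the one that was regenerated.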
3. Replacing default certificates and handling certificate expiry
If you see errors such as the following in the logs, it means that the expiry date set in one or more of your SSL certificates has passed.
21:52:14,109 ERROR [org.quartz.core.ErrorLogger] Job (DEFAULT.search.archiveCoreBackupJobDetail threw an exception. 
org.quartz.SchedulerException: Job threw an unhandled exception. [See nested exception: org.alfresco.error.AlfrescoRuntimeException: 07180158 Bakup for core archive feailed .... ] 
at org.quartz.core.JobRunShell.run(JobRunShell.java:227) 
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563) 
Caused by: org.alfresco.error.AlfrescoRuntimeException: 07180158 Backup for core archive failed .... 
at org.alfresco.repo.search.impl.solr.SolrBackupClient.executeImpl(SolrBackupClient.java:158) 
at org.alfresco.repo.search.impl.solr.SolrBackupClient.execute(SolrBackupClient.java:112) 
at org.alfresco.repo.search.impl.solr.SolrBackupJob.execute(SolrBackupJob.java:58) 
at org.quartz.core.JobRunShell.run(JobRunShell.java:216) 
... 1 more 
Caused by: org.apache.solr.client.solrj.SolrServerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed

It is recommended to generate new secure certificates following the instructions in section 2.
As a temporary measure, you can substitute all your existing .keystore, .truststore and .p12 files with the new Alfresco default files. These can be found in the zip file 'keystores.zip', available in the support website download section alongside the generate keystore scripts.

There are numerous locations for these files in the Alfresco/SOLR install; you must find and replace all of the .keystore, .truststore and .p12 files with the new secure certificates.

An example list of typical (v4.0.2.x) file paths to be updated is below, but please be aware that these files may be located in different relative locations on your system:
/alf_data/keystore/browser.p12
/alf_data/keystore/ssl.truststore
/alf_data/keystore/ssl.keystore
/alf_data/solr/workspace-SpacesStore/conf/ssl.repo.client.truststore
/alf_data/solr/workspace-SpacesStore/conf/ssl.repo.client.keystore
/alf_data/solr/archive-SpacesStore/conf/ssl.repo.client.truststore
/alf_data/solr/archive-SpacesStore/conf/ssl.repo.client.keystore
/alf_data/solr/templates/test/conf/ssl.repo.client.truststore
/alf_data/solr/templates/test/conf/ssl.repo.client.keystore
Use the generate keystore script provided with the Alfresco Enterprise version you are updating.
In the case of version 4.0.2, ideally it is best to update your install to 4.0.2.9; otherwise use the scripts found under the 4.0.2.9 downloads for 4.0.2 secure certificate generation.
The /alf_data/solr/templates directory does not exist in 4.0 and 4.0.1 installs.
Users connecting directly to the SOLR web app will need to replace their browser.p12 file with the new one (http://docs.alfresco.com/4.0/topic/com.alfresco.enterprise.doc/tasks/solr-SSL-connecting.html).
(cluster) If applying these instructions to a clustered installation, the .keystore and .truststore files must be copied to (and used on) all other hosts in the cluster.
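Because the stores live in several places, and the list above may not match a given install, it helps to locate them by walking the install tree and to compare each one by content hash against the replacement file with the same name, so that a store missed on a previous pass stands out and nothing is overwritten without a backup. The script below is an added example, not code from this post or from Alfresco. It assumes a directory containing the replacement files with the same basenames as the ones in the tree (ssl.keystore, ssl.truststore, ssl.repo.client.keystore and so on); the demo tree it builds when run without arguments is constructed data with dummy bytes standing in for real stores.

```python
import hashlib
import os
import shutil
import tempfile

# File types the post says must all be replaced.
KEYSTORE_SUFFIXES = (".keystore", ".truststore", ".p12")


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_keystore_files(root):
    """Walk the install tree and return every .keystore/.truststore/.p12 path, sorted."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        found.extend(os.path.join(dirpath, n) for n in filenames if n.endswith(KEYSTORE_SUFFIXES))
    return sorted(found)


def plan_replacements(root, new_dir):
    """Match each file under root to the same-named file in new_dir by content hash.

    Returns (to_replace, already_current, no_replacement): pairs needing a copy,
    paths already identical to the new file, and paths with no new file to use.
    """
    to_replace, current, missing = [], [], []
    for path in find_keystore_files(root):
        candidate = os.path.join(new_dir, os.path.basename(path))
        if not os.path.isfile(candidate):
            missing.append(path)
        elif sha256_of(candidate) == sha256_of(path):
            current.append(path)
        else:
            to_replace.append((path, candidate))
    return to_replace, current, missing


def apply_replacements(to_replace, backup_suffix=".bak"):
    """Keep a copy of each old file beside it, then overwrite it with the new one.
    The backup suffix must not be a keystore suffix, or the backup would be found again."""
    backups = []
    for path, candidate in to_replace:
        backup = path + backup_suffix
        shutil.copy2(path, backup)
        shutil.copy2(candidate, path)
        backups.append(backup)
    return backups


def basenames(paths):
    return sorted(os.path.basename(p) for p in paths)


def build_demo_tree():
    """Constructed throw-away tree mimicking the 4.0.2.x layout listed above,
    with dummy bytes standing in for real keystores. Returns (root, new_dir)."""
    root = tempfile.mkdtemp(prefix="alf_demo_")
    new_dir = tempfile.mkdtemp(prefix="alf_newkeys_")
    old_files = {
        "alf_data/keystore/ssl.keystore": b"OLD-KEYSTORE",
        "alf_data/keystore/ssl.truststore": b"OLD-TRUSTSTORE",
        "alf_data/keystore/browser.p12": b"OLD-BROWSER-P12",
        "alf_data/solr/workspace-SpacesStore/conf/ssl.repo.client.keystore": b"OLD-CLIENT-KEYSTORE",
        # this core was already updated on an earlier pass
        "alf_data/solr/archive-SpacesStore/conf/ssl.repo.client.keystore": b"NEW-CLIENT-KEYSTORE",
    }
    for rel, data in old_files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(data)
    new_files = {"ssl.keystore": b"NEW-KEYSTORE", "ssl.truststore": b"NEW-TRUSTSTORE",
                 "ssl.repo.client.keystore": b"NEW-CLIENT-KEYSTORE"}
    for name, data in new_files.items():
        with open(os.path.join(new_dir, name), "wb") as handle:
            handle.write(data)
    return root, new_dir


if __name__ == "__main__":
    import sys
    # Usage: replace_keystores.py <install root> <dir with new keystore files> [--apply]
    # Without --apply it only reports; without arguments it runs on the demo tree.
    if len(sys.argv) >= 3:
        root, new_dir, apply = sys.argv[1], sys.argv[2], "--apply" in sys.argv
    else:
        root, new_dir = build_demo_tree()
        apply = True
    to_replace, current, missing = plan_replacements(root, new_dir)
    for path, _ in to_replace:
        print("stale   ", path)
    for path in current:
        print("current ", path)
    for path in missing:
        print("no-new  ", path)
    if apply:
        for backup in apply_replacements(to_replace):
            print("backup  ", backup)
```

Files reported as "no-new" (browser.p12 in the demo) are the ones to handle by hand, since a store with no replacement in the new set is exactly the case in which an expired default silently survives the update. Run the tool in report mode first, then with --apply, and on a cluster run it on every host so the same set of stores ends up everywhere.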