Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Configuration
0 likes163 views
n this session, we'll simplify the complexities of configuring and troubleshooting mutual TLS (mTLS) within Alfresco environments. Attendees will gain practical insights into certificate management, trust validation, and common challenges encountered during configuration. We'll showcase and provide custom tools for troubleshooting during the session. These tools can be used with ZIP, Ansible, Docker and Kubernetes deployments. Event description available in https://hub.alfresco.com/t5/news-announcements/ttl-157-troubleshooting-made-easy-deciphering-alfresco-s-mtls/ba-p/319735/jump-to/first-unread-message
![Search Configuration (server)
Java Environment Variables
-Dsolr.jetty.truststore.password=truststore
-Dsolr.jetty.keystore.password=keystore
-Djdk.tls.client.protocols=TLSv1.3
OS Environment Variables (or modify solr.in.[sh|cmd] file)
SOLR_SSL_KEY_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.keystore"
SOLR_SSL_KEY_STORE_PASSWORD: "keystore"
SOLR_SSL_KEY_STORE_TYPE: "PKCS12"
SOLR_SSL_TRUST_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.truststore"
SOLR_SSL_TRUST_STORE_PASSWORD: "truststore"
SOLR_SSL_TRUST_STORE_TYPE: "PKCS12"
SOLR_SSL_NEED_CLIENT_AUTH: "true"](https://image.slidesharecdn.com/alfresco-ttl-157-mtls-240417121354-907def3b/85/Alfresco-TTL-157-Troubleshooting-Made-Easy-Deciphering-Alfresco-mTLS-Configuration-20-320.jpg)
More Related Content
What's hot (20)
Similar to Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Configuration (20)
![[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...](https://cdn.slidesharecdn.com/ss_thumbnails/1130svcfrontalbenjguin-140716110342-phpapp01-thumbnail.jpg?width=560&fit=bounds)
More from Angel Borroy López (20)
Recently uploaded (20)
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Configuration
- 2. April 17, 2024 ©2024 Hyland Software, Inc. and its affiliates. All rights reserved. All Hyland product names are registered or unregistered trademarks of Hyland Software, Inc. or its affiliates in the United States and other countries. TTL #157 Troubleshooting Made Easy: Deciphering Alfresco’s mTLS Configuration Angel Borroy Developer Evangelist
- 3. • Alfresco mTLS • Cryptographic Best Practices • Communication Repository <> Search • Troubleshooting Tools • Hands on, using EC certificates Agenda
- 6. Alfresco mTLS Messaging Transform ENTERPRISE UI DB Web Proxy CA keystore Search* Repository * When using Search Enterprise with Elasticsearch or OpenSearch
- 7. A Closer Look Alfresco Service TLS Protocol client server TLS Protocol CA keystore KEY keystore TRUST … … Self-Signed Public Authority
- 9. General Guidelines SSL TLSv1.0 TLSv1.1 TLSv1.2* TLSv1.3 JCEKS JKS PKCS12 RSA 2048 bits ECDSA 224 bits • Server Authentication • Client Authentication OpenSSL alfresco-ssl-generator Let’s Encrypt
- 10. TLS Protocol TLS Protocol client server TLS Protocol Use TLSv1.3 • Apache Tomcat, set protocols to TLSv1.3 in Connector.SSLHostConfig • Jetty, set TLSv1.3 in Java property jdk.tls.client.protocols • Spring Boot, set TLSv1.3 in SERVER_SSL_ENABLED_PROTOCOLS Alternatively use TLS 1.2 with ECDHE and AES-GCM hardcoded • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 When multiple TLS versions are available in the server, the client will select one • The default for security handshakes in JDK 17 is TLS 1.3
- 11. Keystore Type and Certificates Use Keystore Type PKCS12 • Avoid using non-standard formats like JKS or JCEKS Certificates • Algorithm • RSA, widely supported across different platforms and libraries • ECDSA, equivalent security with shorter key length, more performant and efficient for mTLS • Minimum key length • 2048 bits for RSA • 224 bits for EC • Usage • Server Authentication – OID 1.3.6.1.5.5.7.3.1 • Client Authentication – OID 1.3.6.1.5.5.7.3.2 keystore KEY keystore TRUST … …
- 12. Certificate Authority Self-Signed • Use Alfresco SSL Generator project, which depends on OpenSSL for certificate generation • Use alternative software able to issue certificates according with the previous recommendations • Later in this session, smallstep will be used Public Authority • Use OpenSSL with Let’s Encrypt, set up a cron job to re-fetch certificates regularly • Requires active Internet connection to Alfresco containers • Use a web hosting provider, like AWS CA Self-Signed Public Authority
- 13. Comm Repository <> Search
- 14. mTLS between Repository and Search CA Search Repository
- 15. Use community.sh script from Alfresco SSL Generator $ ./community.sh $ tree keystores keystores ├── alfresco │ ├── ssl.keystore │ └── ssl.truststore ├── solr │ ├── ssl.repo.client.keystore │ └── ssl.repo.client.truststore └── client └── browser.p12 Creating Certificates and Keystores Solr Admin Web Console
- 16. Repository Keystores $ keytool -v -list -keystore keystores/alfresco/ssl.truststore Alias name: alfresco.ca Owner: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Alias name: ssl.repo.client Owner: CN=Search, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US $ keytool -v -list -keystore keystores/alfresco/ssl.keystore Alias name: ssl.repo Owner: CN=Repository, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US RSA 2048 bits • Server Authentication • Client Authentication
- 17. Repository Configuration (server) Add following Connector to ${TOMCAT_DIR}/conf/server.xml file <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" defaultSSLHostConfigName="localhost"> <SSLHostConfig hostName="localhost" protocols="TLSv1.3" certificateVerification="required" truststoreFile="ssl.truststore" truststorePassword="truststore" truststoreType="PKCS12"> <Certificate certificateKeystoreFile="ssl.keystore" certificateKeyAlias="ssl.repo" type="RSA" certificateKeystorePassword="keystore" certificateKeystoreType="PKCS12"/> </SSLHostConfig> </Connector>
- 18. Repository Configuration (client) Add environment variables containing passwords -Dssl-keystore.password=keystore -Dssl-truststore.password=truststore Set Alfresco Repository Java Properties solr.host=localhost solr.port.ssl=8983 solr.secureComms=https encryption.ssl.keystore.type=PKCS12 encryption.ssl.keystore.location=/usr/local/tomcat/keystore/ssl.keystore encryption.ssl.truststore.type=PKCS12 encryption.ssl.truststore.location=/usr/local/tomcat/keystore/ssl.truststore When using the same password for keystore and keys, no aliases setting is required
- 19. Search Keystores $ keytool -v -list -keystore keystores/solr/ssl.repo.client.truststore Alias name: ssl.repo Owner: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Alias name: alfresco.ca Owner: CN=Repository, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US $ keytool -v -list -keystore keystores/solr/ssl.repo.client.keystore Alias name: ssl.repo.client Owner: CN=Search, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US RSA 2048 bits • Server Authentication • Client Authentication
- 20. Search Configuration (server) Java Environment Variables -Dsolr.jetty.truststore.password=truststore -Dsolr.jetty.keystore.password=keystore -Djdk.tls.client.protocols=TLSv1.3 OS Environment Variables (or modify solr.in.[sh|cmd] file) SOLR_SSL_KEY_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.keystore" SOLR_SSL_KEY_STORE_PASSWORD: "keystore" SOLR_SSL_KEY_STORE_TYPE: "PKCS12" SOLR_SSL_TRUST_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.truststore" SOLR_SSL_TRUST_STORE_PASSWORD: "truststore" SOLR_SSL_TRUST_STORE_TYPE: "PKCS12" SOLR_SSL_NEED_CLIENT_AUTH: "true"
- 21. Search Configuration (client) Add environment variables containing passwords -Dssl-keystore.password=keystore -Dssl-truststore.password=truststore Set solrcore.properties Java Properties (in each core or in template) alfresco.host=localhost alfresco.port=8443 alfresco.secureComms=https alfresco.encryption.ssl.keystore.location=/opt/alfresco-search- services/keystore/ssl.repo.client.keystore alfresco.encryption.ssl.keystore.type=PKCS12 alfresco.encryption.ssl.truststore.location=/opt/alfresco-search- services/keystore/ssl.repo.client.truststore alfresco.encryption.ssl.truststore.type=PKCS12 When using the same password for keystore and keys, no aliases setting is required
- 22. Sample deployment with Docker Compose https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/docker
- 25. Alfresco Repository Admin Web Console Deploy as addon alfresco-http-java-client.jar crypto-utils.jar Source code https://github.com/aborroy/alfresco-mtls-debugging- kit/tree/main/addons/alfresco-http-java-client App URL http://localhost:8080/alfresco/s/admin/admin-search-client Credentials ADMINISTRATOR, default admin/admin
- 26. Alfresco Search Services Solr REST API Action Deploy as plugin alfresco-http-java-client.jar solr-http-java-client.jar config/solr.xml Source code https://github.com/aborroy/alfresco-mtls-debugging- kit/tree/main/addons/solr-http-java-client App URL https://localhost:8983/solr/admin/cores?action=HTTP- CLIENT&coreName=alfresco Credentials Client certificate, like browser.p12
- 27. Command line Spring Boot command line application Run as program $ java -jar target/mtls-conf-app.jar ERRORS for ENDPOINT: Current truststore seems to be wrong. It does not include TRUST certificates provided by the endpoint. ERRORS DETAIL: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Source code https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/apps/mtls-conf-app
- 28. Hands on, using EC certificates
- 29. Lab Use ECC 256 bits certificates for ECDSA with step-ca • Around 10% faster than RSA 2048 bits for Alfresco mTLS • Less bandwidth consumption • Higher security (as RSA 2048 is equivalent to ECC 224) Source code: https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/step-ca # Start step-ca container, default CA will be created in “step” folder $ docker compose up # Install step CLI $ brew install step # Get CA password $ cat step/secrets/password ZuSJLBo6uRtlvzGe0z1i5ReqU2tpncl19RBUIf5V
- 30. Lab # Create a certificate for alfresco, use “keystore” password to protect the key $ step certificate create alfresco alfresco.crt alfresco.key --profile leaf --not-after=8760h --bundle --ca step/certs/root_ca.crt --ca-key step/secrets/root_ca_key # Create a certificate for solr, use “keystore” password to protect the key $ step certificate create solr solr.crt solr.key --profile leaf --not-after=8760h --bundle --ca step/certs/root_ca.crt --ca-key step/secrets/root_ca_key
- 31. Lab # Build Keystore and Truststore for alfresco $ openssl pkcs12 -export -in alfresco.crt -inkey alfresco.key -out alfresco.pkcs12 -name alfresco -noiter -nomaciter $ keytool -import -alias solr -file solr.crt -keystore alfresco-truststore.pkcs12 -storetype PKCS12 -storepass truststore $ keytool -import -alias ca -file step/certs/root_ca.crt -keystore alfresco-truststore.pkcs12 -storetype PKCS12 -storepass truststore # Build Keystore and Truststore for solr $ openssl pkcs12 -export -in solr.crt -inkey solr.key -out solr.pkcs12 -name solr -noiter -nomaciter $ keytool -import -alias alfresco -file alfresco.crt -keystore solr-truststore.pkcs12 -storetype PKCS12 -storepass truststore $ keytool -import -alias ca -file step/certs/root_ca.crt -keystore solr-truststore.pkcs12 -storetype PKCS12 -storepass truststore
- 32. Lab # Get alfresco client certificate to access Solr (or re-use alfresco.pkcs12) $ openssl pkcs12 -export -out browser.p12 -inkey alfresco.key -in alfresco.crt # Modify compose.yaml to use the new keystores Alfresco • keystore=alfresco.pkcs12 • truststore=alfresco-truststore.pkcs12 • cert-alias=alfresco • cert-type=EC Solr • keystore=solr.pkcs12 • truststore=solr-truststore.pkcs12
- 33. Lab # Bonus verification $ nmap --script ssl-enum-ciphers -p 8983 localhost | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) | TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) $ nmap --script ssl-enum-ciphers -p 8443 localhost | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) Cryptographic Best Practices
- 34. Thanks!