Angel Borroy
Search Team
Nov 5, 2020
Cryptographic stores in Alfresco
Brown Bag
Cryptographic Stores in Alfresco
In Theory
• Electronic Certificates
• Chain of Trust
• Public and Private CAs
• Cryptographic Stores
• mTLS Protocol
In Practice
• When to use mTLS Communication
• Cryptographic Tools
• Alfresco KeyStores
• Alfresco mTLS Configuration
• Using Custom Certificates
In Panic
• Troubleshooting
Java KeyStores
In Theory
$ openssl x509 -in Alfresco_Client_Alfresco_CA.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=UK, L=Maidenhead, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco CA
        Validity
            Not Before: Jun 30 09:24:08 2020 GMT
            Not After : Jun 28 09:24:08 2030 GMT
        Subject: C=GB, ST=UK, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco Repository Client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a2:89:cf:ff:8d:0b:f6:47:76:fd:66:5b:f5:b6:
                    d8:26:9f:59:b1:3d:58:39:fa:7d:38:5e:0a:61:5e:
                    5c:dd:e5:50:c2:1c:0d:99:db:26:de:f2:3b:26:47:
                    5c:d1:8a:f6:e1:a5:04:ec:7c:60:3b:2a:5c:e3:7e:
                    97:26:59:3a:ed:d7:4a:69:c0:9e:47:5b:a0:03:64:
                    73:29:35:70:70:e7:1a:a4:b7:5a:c5:a5:08:52:9b:
                    e7:95:72:7e:0d:a4:4d:b6:85:84:e7:c5:4c:7c:fc:
                    89:93:de:88:f9:c7:9b:52:1f:59:95:04:89:3a:96:
                    b9:e6:a0:e9:e3:d4:08:3a:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                84:E1:8B:E1:3C:9E:66:20:79:8F:AE:C5:9E:06:50:23:F2:54:A1:72
            X509v3 Authority Key Identifier:
                keyid:2D:AC:E1:41:70:08:36:16:3F:E5:C9:A8:0C:B1:CF:CF:6B:A4:80:BC
                DirName:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA
                serial:94:78:32:24:4E:A5:07:2B
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
         12:4d:81:49:ca:e7:00:13:2e:74:1b:2a:de:41:a5:45:79:45:
         34:1c:0b:58:30:a8:a0:a4:f2:52:36:ba:6c:e8:9b:7e:4c:15:
         87:86:56:a4:e7:38:0d:13:e5:f3:d1:23:5f:f1:28:d8:d7:d6:
         6f:a8:c9:21:ec:aa:9f:7d:4e:79:87:14:b7:d5:8f:e8:cc:67:
         2e:1b:84:fd:de:ef:ab:c2:49:e4:8f:9e:a4:2e:49:ef:75:79:
         cd:7b:e2:a9:16:c6:14:94:2a:70:9e:1e:82:d8:d7:c5:54:b5:
         30:bb:17:00:e1:86:5f:5c:c7:fe:da:12:35:6f:33:55:ca:11
Electronic Certificates: X509 Certificate (annotations on the output above)
• Issuer Name: DN
• Common Name: CN
• Distinguished Name: DN
• Dates valid
• Private Key / Public Key (Keystore / Truststore)
• Key Usage
• Policies
• Issuer Signature
• DNS name (Subject Alternative Name): this should match the Server DNS Name
• RSA 1024 bits with SHA 256
Electronic Certificates: File Format
• .pem – Base64 encoded DER certificate, password
• .cer, .crt, .der – Binary DER form, password
• .p7b, .p7c – Base64 ASCII file with PKCS#7, just for public certificate(s) or CRL(s)
• .p12 – PKCS#12, may contain certificate(s) (public) and private keys, binary format (ASN.1), password
• .pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)
-----BEGIN CERTIFICATE-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE
...
HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1
19vwF3KrjH0SGi8dEgF8iQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
...
19vwF3KrjH0SGi8dEgF8iQ==
-----END RSA PRIVATE KEY-----
-----BEGIN PKCS7-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE
...
HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1
19vwF3KrjH0SGi8dEgF8iQ==
-----END PKCS7-----
Public and Private CAs
A CA (Certificate Authority) is an entity that issues electronic certificates.
Public CA
• Trusted Third-Party for the general public, mainly oriented to end users
• Issued certificates are trusted by default in Operating Systems and Browsers
• The information and services provided on these servers are open to the Internet
Private CA
• Trusted Third-Party for internal users and services
• Issued certificates aren't trusted by default, so you need to configure computers and servers in order to trust them
• The information and services provided on these servers are restricted to the Intranet
Chain of Trust
A certificate must be traceable back to the trust root it was signed with.
All public certificates in the chain [server, intermediate(s), and root] need to be present in the truststore.
• Root Certificate: A root certificate is a digital certificate that belongs to the issuing Certificate Authority.
• Intermediate Certificate(s): Intermediate certificates branch off root certificates like the branches of a tree. They act as middlemen between the protected root certificates and the server certificates issued.
• Server Certificate: The server certificate is the one issued to the specific server.
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCiic//jQv2R3b9Zlv1ttgmn1mxPVg5+n04XgphXlzd5VDCHA2Z
...
nD6OWE6wMqGqCkzz/QlGPaR4n3E4cnm8YgsCZJRwZ/Q=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIID2DCCA0GgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwfzELMAkGA1UEBhMCR0Ix
...
nh6C2NfFVLUwuxcA4YZfXMf+2hI1bzNVyhEZCQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
...
19vwF3KrjH0SGi8dEgF8iQ==
-----END CERTIFICATE-----
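The PEM containers listed on the file-format slide and the key-plus-certificate bundle above can be split apart and sanity-checked with the Python standard library before anything is imported into a store. This is an added example, not code from the presentation or from Alfresco; the bundle and its minimal DER payloads are constructed, and the truststore rule it enforces (certificates only, each one structurally complete) is the editor's assumption of what to check before importing a chain.

```python
import base64
import re

# Constructed sample bundle (not from any real deployment): every block carries a minimal
# DER payload, SEQUENCE { INTEGER 5 }, so the structural checks below have real bytes to parse.
_FAKE_DER = b"\x30\x03\x02\x01\x05"
_FAKE_B64 = base64.b64encode(_FAKE_DER).decode()
SAMPLE_BUNDLE = f"""-----BEGIN RSA PRIVATE KEY-----
{_FAKE_B64}
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
{_FAKE_B64}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{_FAKE_B64}
-----END CERTIFICATE-----
"""

# PEM armour: a BEGIN line with a label, a base64 body, and an END line with the same label.
_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block in text, in file order.
    Non-base64 characters in a body (such as an elided '...') raise binascii.Error."""
    blocks = []
    for match in _PEM_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def der_is_complete(der):
    """True when the outer DER SEQUENCE header announces exactly the bytes present.
    A body that was cut short when copied fails this check."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: the length fits in one byte
        header, length = 2, first
    else:                                  # long form: the next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length


def audit_truststore_bundle(text):
    """Problems with a PEM bundle destined for a truststore: private keys (which belong only
    in the keystore), non-certificate blocks, and truncated certificate data."""
    problems = []
    for i, (label, der) in enumerate(split_pem(text), 1):
        if "PRIVATE KEY" in label:
            problems.append(f"block {i}: {label} must not be imported into a truststore")
        elif label != "CERTIFICATE":
            problems.append(f"block {i}: unexpected block type {label}")
        if not der_is_complete(der):
            problems.append(f"block {i}: DER length mismatch, data is truncated")
    return problems


if __name__ == "__main__":
    print([label for label, _ in split_pem(SAMPLE_BUNDLE)])
    for problem in audit_truststore_bundle(SAMPLE_BUNDLE):
        print("PROBLEM:", problem)
```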
Cryptographic Stores
Java KeyStores are used to store key material and associated certificates.
• Each key store has an overall password used to protect the entire store, and can optionally have per-entry passwords for each secret- or private-key entry.
• Java Key Store (JKS)
  • The original Sun JKS (Java Key Store) format is a proprietary binary format file that can only store asymmetric private keys and associated X.509 certificates.
• JCE Key Store (JCEKS)
  • Sun later updated the cryptographic capabilities of the JVM with the Java Cryptography Extensions (JCE). With this they also introduced a new proprietary key store format: JCEKS.
• PKCS#12
  • Apart from these proprietary key stores, Java also supports the standard PKCS#12 format.
>> In Alfresco both "keystore" and "truststore" file types are Java Keystores stored in one of the formats described above (JKS, JCEKS, PKCS12)
mTLS Protocol
(Diagram) TLS Client: Keystore (Public Key, Private Key), Truststore (Public Key)
(Diagram) TLS Server: Keystore (Public Key, Private Key), Truststore (Public Key)
Exchange: Hello message -> Server Public Key -> Client Public Key -> Key Validation -> Encrypted Data
In Practice
When to use mTLS Communication
• HTTP (default): INSECURE
• HTTP protected with pass
• HTTPS protected with mTLS
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-6-1-is-coming-with-mutual-tls-authentication-by-default/ba-p/287905
Cryptographic Tools
Issuing certificates
• keytool only supports self-signed certificates and a limited set of policies
• openssl allows creating an internal CA and issuing certificates signed by this CA with a full set of policies
Managing Certificates and Java KeyStores
• Command line
  • keytool provides the ability to create Java Keystores (JKS, JCEKS, PKCS12) including public and private certificates
• Window-based programs (keytool wrappers)
  • Portecle
  • KeyStore Explorer
https://docs.oracle.com/en/java/javase/11/tools/keytool.html
https://www.openssl.org/docs/
http://portecle.sourceforge.net
https://keystore-explorer.org/index.html
Alfresco KeyStores: Repository
https://github.com/Alfresco/alfresco-ssl-generator
By default all the KeyStores are stored in JCEKS format.
KeyStores and private certificates are protected by password.
The aliases (ssl.repo and so on) are not relevant; different ones can be used.
keystore
• Not related with mTLS configuration, but with encrypting secrets*
ssl.keystore
• ssl.repo is the private key used to sign HTTP requests
• ssl.alfresco.ca is the public key of the CA issuing the certificates
ssl.truststore
• alfresco.ca is the public key of the CA issuing the certificates
• ssl.repo.client is the public key of the certificate used by SOLR as client
* https://docs.alfresco.com/6.2/concepts/alf-keystores.html
Alfresco KeyStores: SOLR
https://github.com/Alfresco/alfresco-ssl-generator
By default all the KeyStores are stored in JCEKS format.
KeyStores and private certificates are protected by password.
The aliases (ssl.repo and so on) are not relevant; different ones can be used.
ssl-repo-client.keystore
• ssl.repo.client is the private key used to sign HTTP requests
• alfresco.ca is the public key of the CA issuing the certificates
ssl-repo-client.truststore
• ssl.alfresco.ca is the public key of the CA issuing the certificates
• ssl.repo is the public key of the certificate used by Repository as client
• ssl.repo.client is the public key of the certificate used by SOLR as client
>> Zeppelin connects to the Alfresco Repository, so its KeyStores are the same as the SOLR ones
Alfresco KeyStores: Browser
https://github.com/Alfresco/alfresco-ssl-generator
Connecting to the SOLR Admin Web Console (by default available at https://127.0.0.1:8983/solr) requires a client certificate.
• This certificate needs to be installed in Windows, Mac OS X and Linux.
• When using Mozilla Firefox, the certificate also needs to be installed in that browser.
Alfresco mTLS
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
(Diagram: CLASSIC deployment)
(Diagram: CURRENT deployment)
Alfresco mTLS: Repository Properties
Apache HTTP Client in alfresco.war configuration to send HTTPS queries to SOLR
https://github.com/Alfresco/alfresco-community-repo/blob/8.307/repository/src/main/resources/alfresco/repository.properties#L719
# default keystores location
dir.keystore=classpath:alfresco/keystore
# general encryption parameters (keystore)
encryption.keySpec.class=org.alfresco.encryption.DESEDEKeyGenerator
encryption.keyAlgorithm=AES
encryption.cipherAlgorithm=AES/CBC/PKCS5Padding
# secret key keystore configuration
encryption.keystore.location=${dir.keystore}/keystore
encryption.keystore.keyMetaData.location=${dir.keystore}/keystore-passwords.properties
encryption.keystore.provider=
encryption.keystore.type=pkcs12
# ssl.keystore
encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
encryption.ssl.keystore.provider=
encryption.ssl.keystore.type=JCEKS
encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-password.properties
# ssl.truststore
encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
encryption.ssl.truststore.provider=
encryption.ssl.truststore.type=JCEKS
encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties
# SOLR Configuration
solr.port.ssl=8984
solr.secureComms=https
ENCRYPTION PROPERTIES: not related with mTLS configuration; required even when not using mTLS
KEYSTORE: includes Repository private key
TRUSTSTORE: includes CA public key and SOLR client public key
Files: alfresco-global.properties, docker-compose.yml (CLASSIC)
Alfresco mTLS: Tomcat Repository Connector
Tomcat Server configuration to receive HTTPS queries from SOLR
$ cat /usr/local/tomcat/conf/server.xml
...
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           connectionTimeout="20000" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
           keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore"
           keystorePass="kT9X6oe68t" keystoreType="JCEKS"
           truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore"
           truststorePass="kT9X6oe68t" truststoreType="JCEKS">
</Connector>
</Service>
</Server>
TOMCAT CONNECTOR: TLS configuration
KEYSTORE: includes Repository private key
TRUSTSTORE: includes CA public key and SOLR client public key
Files: server.xml, Dockerfile (CLASSIC)
Alfresco mTLS: SOLR Properties
Apache HTTP Client in solr.war configuration to send HTTPS indexing requests to Alfresco
https://github.com/Alfresco/SearchServices/blob/2.0.0/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties#L44
# ssl.repo.client.keystore
alfresco.encryption.ssl.keystore.type=JCEKS
alfresco.encryption.ssl.keystore.provider=
alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore
alfresco.encryption.ssl.keystore.passwordFileLocation=ssl-keystore-passwords.properties
# ssl.repo.client.truststore
alfresco.encryption.ssl.truststore.type=JCEKS
alfresco.encryption.ssl.truststore.provider=
alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore
alfresco.encryption.ssl.truststore.passwordFileLocation=ssl-truststore-passwords.properties
# Alfresco Repository configuration
alfresco.port.ssl=8443
alfresco.secureComms=https
KEYSTORE: includes SOLR private key
TRUSTSTORE: includes CA public key, Repository client public key and SOLR client public key
Files: solrcore.properties (CLASSIC)
Alfresco mTLS: Jetty SOLR Server
Jetty Server configuration to receive HTTPS queries from Alfresco
$ cat /opt/alfresco-search-services/solr.in.sh
# ssl.repo.client.keystore
SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.keystore
SOLR_SSL_KEY_STORE_TYPE=JCEKS
SOLR_SSL_KEY_STORE_PASSWORD=password
# ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.truststore
SOLR_SSL_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_TRUST_STORE_PASSWORD=password
# Jetty mTLS configuration
SOLR_SSL_NEED_CLIENT_AUTH=true
KEYSTORE: includes SOLR private key
TRUSTSTORE: includes CA public key, Repository client public key and SOLR client public key
Files: solr.in.sh, solr.in.cmd (CLASSIC)
Alfresco mTLS: SOLR Endpoints
Apache HTTP Client from alfresco.war sends HTTPS requests, authenticated with its client certificate, to the SOLR Jetty server
Search Queries
https://127.0.0.1:8983/solr/alfresco/afts
https://127.0.0.1:8983/solr/alfresco/browse
https://127.0.0.1:8983/solr/alfresco/cmis
https://127.0.0.1:8983/solr/alfresco/query
https://127.0.0.1:8983/solr/alfresco/select
SQL Queries
https://127.0.0.1:8983/solr/alfresco/sql
Admin Actions
https://127.0.0.1:8983/solr/admin
Alfresco mTLS: Repository Endpoints
Apache HTTP Client from solr.war sends HTTPS requests, authenticated with its client certificate, to the Alfresco Tomcat server
Indexing requests
https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets
https://127.0.0.1:8443/alfresco/service/api/solr/acls
https://127.0.0.1:8443/alfresco/service/api/solr/aclsReaders
https://127.0.0.1:8443/alfresco/service/api/solr/metadata
https://127.0.0.1:8443/alfresco/service/api/solr/model
https://127.0.0.1:8443/alfresco/service/api/solr/modelsdiff
https://127.0.0.1:8443/alfresco/service/api/solr/nodes
https://127.0.0.1:8443/alfresco/service/api/solr/textContent
https://127.0.0.1:8443/alfresco/service/api/solr/transactions
Alfresco mTLS: Sharding
mTLS Configuration can be applied to SOLR Shards in the same way.
• The same KeyStores can be used for every Shard
• A new certificate ssl.client.repo can be generated for each Shard
• You need to add these new certificates to the Alfresco Repository truststore (ssl.truststore)
Sample configuration using DB_ID for two shards is available in:
https://github.com/aborroy/solr-sharding-docker-compose/tree/master/ssl_db_id
DEMO TIME: Using Custom Certificates
1 - Starting with a working mTLS configuration
• Docker Compose for Alfresco Repository
• ZIP Distribution file for Alfresco Search SOLR
2 - Create new KeyStores with different values
3 - Copy the new KeyStores but preserve encryption resources: keystore and keystore-passwords.properties
4 - Modify configuration in Alfresco Repository, Apache Tomcat, Alfresco Search SOLR and Jetty
• Use pkcs12 as KeyStore Type
• Use password as password for the KeyStores
(CLASSIC)
$ ./run.sh \
    -alfrescoversion community \
    -keysize 4096 \
    -keystoretype PKCS12 -keystorepass password \
    -truststoretype PKCS12 -truststorepass password \
    -alfrescoformat classic
https://github.com/Alfresco/alfresco-ssl-generator
Common mistakes: Searching
If you are experiencing problems when searching from Alfresco, Share or from the REST API:
• Review Alfresco Repository configuration > alfresco-global.properties
• Review SOLR Jetty configuration > solr.in.sh|solr.in.cmd
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
solr.port.ssl=8983
solr.secureComms=https
dir.keystore=/usr/local/tomcat/alf_data/keystore
# ssl.keystore
encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
encryption.ssl.keystore.type=JCEKS
encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-password.properties
# ssl.truststore
encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
encryption.ssl.truststore.type=JCEKS
encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties
SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE_PASSWORD=kT9X6oe68t
SOLR_SSL_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
SOLR_SSL_KEY_STORE_PASSWORD=kT9X6oe68t
SOLR_SSL_KEY_STORE_TYPE=JCEKS
SOLR_SSL_NEED_CLIENT_AUTH=true
Common mistakes: Indexing
If you are experiencing problems when indexing from SOLR:
• Review Alfresco Tomcat configuration > server.xml
• Review SOLR properties configuration > solrcore.properties
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
connectionTimeout="20000"
SSLEnabled="true" maxThreads="150" scheme="https"
keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore"
keystorePass="kT9X6oe68t" keystoreType="JCEKS" secure="true"
truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore"
truststorePass="kT9X6oe68t" truststoreType="JCEKS" clientAuth="want" sslProtocol="TLS">
</Connector>
alfresco.secureComms=https
alfresco.port.ssl=8443
alfresco.encryption.ssl.truststore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
alfresco.encryption.ssl.keystore.provider=JCEKS
alfresco.encryption.ssl.truststore.type=
alfresco.encryption.ssl.keystore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
alfresco.encryption.ssl.truststore.provider=JCEKS
alfresco.encryption.ssl.truststore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-truststore-passwords.properties
alfresco.encryption.ssl.keystore.type=
alfresco.encryption.ssl.keystore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-keystore-passwords.properties
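A checker that reads the four configuration points reviewed on the two common-mistakes slides (alfresco-global.properties, server.xml, solrcore.properties, solr.in.sh) and cross-checks them: secureComms values, the ports each client dials against the port each server listens on, valid store types, the swapped type/provider values shown on the indexing slide, clientAuth and SOLR_SSL_NEED_CLIENT_AUTH. This is an added example in Python, not the presentation's or Alfresco's own tooling; the configuration excerpts are constructed to reproduce the swapped solrcore.properties values, and accepting clientAuth="want" or "true" is the editor's assumption.

```python
import xml.etree.ElementTree as ET

STORE_TYPES = {"JKS", "JCEKS", "PKCS12"}

# Constructed configuration excerpts (not copied from a real deployment). They mirror the
# "Common mistakes" slides: on the solrcore.properties side, type and provider are swapped.
REPO_PROPS = """
solr.port.ssl=8983
solr.secureComms=https
dir.keystore=/usr/local/tomcat/alf_data/keystore
encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
encryption.ssl.keystore.type=JCEKS
encryption.ssl.keystore.provider=
encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
encryption.ssl.truststore.type=JCEKS
encryption.ssl.truststore.provider=
"""
SERVER_XML = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    SSLEnabled="true" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
    keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore" keystoreType="JCEKS"
    truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore" truststoreType="JCEKS"/>"""
SOLRCORE_PROPS = """
alfresco.secureComms=https
alfresco.port.ssl=8443
alfresco.encryption.ssl.keystore.provider=JCEKS
alfresco.encryption.ssl.keystore.type=
alfresco.encryption.ssl.truststore.provider=JCEKS
alfresco.encryption.ssl.truststore.type=
"""
SOLR_IN_SH = """
SOLR_PORT=8983
SOLR_SSL_KEY_STORE_TYPE=JCEKS
SOLR_SSL_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_NEED_CLIENT_AUTH=true
"""


def parse_kv(text):
    """Parse key=value lines (properties files and solr.in.sh); comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                conf[key.strip()] = value.strip().strip('"')
    return conf


def parse_connector(xml_fragment):
    """Return the attributes of the first <Connector> element in a server.xml fragment."""
    root = ET.fromstring(xml_fragment)
    conn = root if root.tag == "Connector" else root.find(".//Connector")
    return dict(conn.attrib)


def check_store(label, stype, provider, problems):
    """Type must be JKS/JCEKS/PKCS12; provider is normally empty and must never hold a store type."""
    if stype.upper() not in STORE_TYPES:
        problems.append(f"{label}.type is '{stype}', expected one of {sorted(STORE_TYPES)}")
    if provider.upper() in STORE_TYPES:
        problems.append(f"{label}.provider is '{provider}', a store type: type/provider swapped?")


def audit_mtls(repo_props, server_xml, solrcore_props, solr_in_sh):
    """Cross-check the four configuration points of the mTLS setup; return a list of problems."""
    repo, core, jetty = parse_kv(repo_props), parse_kv(solrcore_props), parse_kv(solr_in_sh)
    tomcat = parse_connector(server_xml)
    problems = []
    # Repository -> SOLR search queries (HTTP client in alfresco.war)
    if repo.get("solr.secureComms") != "https":
        problems.append("solr.secureComms must be https")
    if "SOLR_PORT" in jetty and repo.get("solr.port.ssl") != jetty["SOLR_PORT"]:
        problems.append(f"solr.port.ssl={repo.get('solr.port.ssl')} but Jetty SOLR_PORT={jetty['SOLR_PORT']}")
    for p in ("encryption.ssl.keystore", "encryption.ssl.truststore"):
        check_store(p, repo.get(p + ".type", ""), repo.get(p + ".provider", ""), problems)
    # Repository Tomcat connector (receives indexing requests from SOLR)
    if tomcat.get("SSLEnabled") != "true":
        problems.append("Tomcat connector must have SSLEnabled=\"true\"")
    if tomcat.get("clientAuth") not in ("want", "true"):
        problems.append("Tomcat connector clientAuth must be 'want' or 'true' to ask for the SOLR client certificate")
    check_store("Tomcat keystore", tomcat.get("keystoreType", ""), "", problems)
    check_store("Tomcat truststore", tomcat.get("truststoreType", ""), "", problems)
    # SOLR -> Repository indexing requests (HTTP client in solr.war)
    if core.get("alfresco.secureComms") != "https":
        problems.append("alfresco.secureComms must be https")
    if core.get("alfresco.port.ssl") != tomcat.get("port"):
        problems.append(f"alfresco.port.ssl={core.get('alfresco.port.ssl')} but Tomcat connector port={tomcat.get('port')}")
    for p in ("alfresco.encryption.ssl.keystore", "alfresco.encryption.ssl.truststore"):
        check_store(p, core.get(p + ".type", ""), core.get(p + ".provider", ""), problems)
    # SOLR Jetty server (receives search queries from the Repository)
    if jetty.get("SOLR_SSL_NEED_CLIENT_AUTH", "").lower() != "true":
        problems.append("SOLR_SSL_NEED_CLIENT_AUTH must be true so Jetty demands the Repository client certificate")
    check_store("SOLR_SSL_KEY_STORE", jetty.get("SOLR_SSL_KEY_STORE_TYPE", ""), "", problems)
    check_store("SOLR_SSL_TRUST_STORE", jetty.get("SOLR_SSL_TRUST_STORE_TYPE", ""), "", problems)
    return problems


if __name__ == "__main__":
    for problem in audit_mtls(REPO_PROPS, SERVER_XML, SOLRCORE_PROPS, SOLR_IN_SH):
        print("PROBLEM:", problem)
```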
Troubleshooting: cURL
Testing the configuration with cURL
Extract the ssl.repo.client certificate from keystores/solr/ssl.repo.client.keystore in PEM format:
$ curl -k --cert Custom_Alfresco_Repository_Client_Custom_Alfresco_CA.pem -v \
  "https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets?fromTime=0&toTime=1603454490108&maxResults=2000"
In the other direction, extract the ssl.repo certificate from keystores/alfresco/ssl.keystore in PEM format:
$ curl -k --cert Custom_Alfresco_Repository_Custom_Alfresco_CA.pem -v \
  "https://127.0.0.1:8983/solr/alfresco/select?indent=on&q=@sys:node-dbid:101&wt=json"
Troubleshooting: Debugging
Debugging the configuration
The best approach to debug SSL Handshake is not using the Log4j categories, but setting this Java parameter for both
Solr and Alfresco web apps:
-Djavax.net.debug=ssl:handshake
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "79 4D 93 54 F9 59 83 0C 75 58 73 F8 DE 3A 3C B6 95 57 8F 72 A4 FE 92 BB D0 89 50 C3 A0 11 84 9C",
  "session id"          : "49 61 34 4C 45 80 A0 69 75 E3 92 C2 7D F6 2E 04 70 3F 6C 4D A1 91 F0 B8 CE 79 1C 3B 15 0B 11 F5",
  "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), ... ]",
  "compression methods" : "00",
  "extensions"          : [ ]
}
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "30 8C EE E3 E3 08 6D 38 FD BC 47 5E 9A C5 4C A5 AD 14 3E 97 DB 3E DA C9 BE 61 F9 0F 88 F3 25 10",
  "session id"          : "",
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
  "compression methods" : "00",
  "extensions"          : [
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
    }
  ]
}
Troubleshooting: Resources
Alfresco Documentation
https://docs.alfresco.com/search-community/tasks/solr-install.html
https://docs.alfresco.com/search-community/concepts/solr-troubleshooting.html
Alfresco Hub
https://hub.alfresco.com/t5/alfresco-content-services-blog/creating-self-signed-ssl-certificates-for-solr/ba-p/288477
https://hub.alfresco.com/t5/alfresco-content-services-blog/using-ssl-with-alfresco-search-services-and-solr-6/ba-p/292687
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-6-1-is-coming-with-mutual-tls-authentication-by-default/ba-p/287905
Blog posts
https://angelborroy.wordpress.com/2016/06/15/configuring-alfresco-ssl-certificates/
Thank you!

TechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - Trivadis
 
Java security
Java securityJava security
Java security
 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talk
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT Devices
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit -
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call Flow
 

More from Angel Borroy López

Transitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearchTransitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearch
Angel Borroy López
 
Alfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 EuropeAlfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Angel Borroy López
 
Using Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherUsing Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms together
Angel Borroy López
 
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Angel Borroy López
 
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
Angel Borroy López
 
Docker Init with Templates for Alfresco
Docker Init with Templates for AlfrescoDocker Init with Templates for Alfresco
Docker Init with Templates for Alfresco
Angel Borroy López
 
Before & After Docker Init
Before & After Docker InitBefore & After Docker Init
Before & After Docker Init
Angel Borroy López
 
Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0
Angel Borroy López
 
Using Podman with Alfresco
Using Podman with AlfrescoUsing Podman with Alfresco
Using Podman with Alfresco
Angel Borroy López
 
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud NativeCSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
Angel Borroy López
 
Alfresco Embedded Activiti Engine
Alfresco Embedded Activiti EngineAlfresco Embedded Activiti Engine
Alfresco Embedded Activiti Engine
Angel Borroy López
 
Alfresco Transform Core 3.0.0
Alfresco Transform Core 3.0.0Alfresco Transform Core 3.0.0
Alfresco Transform Core 3.0.0
Angel Borroy López
 
Desarrollando una Extensión para Docker
Desarrollando una Extensión para DockerDesarrollando una Extensión para Docker
Desarrollando una Extensión para Docker
Angel Borroy López
 
DockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdfDockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdf
Angel Borroy López
 
Deploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP PlatformsDeploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP Platforms
Angel Borroy López
 
Introduction to AWS
Introduction to AWSIntroduction to AWS
Introduction to AWS
Angel Borroy López
 
A Practical Introduction to Apache Solr
A Practical Introduction to Apache SolrA Practical Introduction to Apache Solr
A Practical Introduction to Apache Solr
Angel Borroy López
 
Docker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de ZaragozaDocker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Angel Borroy López
 
How to Write Alfresco Addons that Last Forever
How to Write Alfresco Addons that Last ForeverHow to Write Alfresco Addons that Last Forever
How to Write Alfresco Addons that Last Forever
Angel Borroy López
 
10 Tips Every New Developer in Alfresco Should Know
10 Tips Every New Developer in Alfresco Should Know10 Tips Every New Developer in Alfresco Should Know
10 Tips Every New Developer in Alfresco Should Know
Angel Borroy López
 

More from Angel Borroy López (20)

Transitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearchTransitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearch
 
Alfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 EuropeAlfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 Europe
 
Using Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherUsing Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms together
 
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
 
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
 
Docker Init with Templates for Alfresco
Docker Init with Templates for AlfrescoDocker Init with Templates for Alfresco
Docker Init with Templates for Alfresco
 
Before & After Docker Init
Before & After Docker InitBefore & After Docker Init
Before & After Docker Init
 
Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0
 
Using Podman with Alfresco
Using Podman with AlfrescoUsing Podman with Alfresco
Using Podman with Alfresco
 
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud NativeCSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
 
Alfresco Embedded Activiti Engine
Alfresco Embedded Activiti EngineAlfresco Embedded Activiti Engine
Alfresco Embedded Activiti Engine
 
Alfresco Transform Core 3.0.0
Alfresco Transform Core 3.0.0Alfresco Transform Core 3.0.0
Alfresco Transform Core 3.0.0
 
Desarrollando una Extensión para Docker
Desarrollando una Extensión para DockerDesarrollando una Extensión para Docker
Desarrollando una Extensión para Docker
 
DockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdfDockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdf
 
Deploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP PlatformsDeploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP Platforms
 
Introduction to AWS
Introduction to AWSIntroduction to AWS
Introduction to AWS
 
A Practical Introduction to Apache Solr
A Practical Introduction to Apache SolrA Practical Introduction to Apache Solr
A Practical Introduction to Apache Solr
 
Docker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de ZaragozaDocker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
 
How to Write Alfresco Addons that Last Forever
How to Write Alfresco Addons that Last ForeverHow to Write Alfresco Addons that Last Forever
How to Write Alfresco Addons that Last Forever
 
10 Tips Every New Developer in Alfresco Should Know
10 Tips Every New Developer in Alfresco Should Know10 Tips Every New Developer in Alfresco Should Know
10 Tips Every New Developer in Alfresco Should Know
 

Recently uploaded

GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
Globus
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 
Explore Modern SharePoint Templates for 2024
Explore Modern SharePoint Templates for 2024Explore Modern SharePoint Templates for 2024
Explore Modern SharePoint Templates for 2024
Sharepoint Designs
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
XfilesPro
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
Tier1 app
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 
Why React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdfWhy React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdf
ayushiqss
 

Recently uploaded (20)

GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
Explore Modern SharePoint Templates for 2024
Explore Modern SharePoint Templates for 2024Explore Modern SharePoint Templates for 2024
Explore Modern SharePoint Templates for 2024
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 
Why React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdfWhy React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdf
 

Alfresco Certificates

  • 1. Angel Borroy Search Team Nov 5, 2020 Cryptographic stores in Alfresco Brown Bag
  • 2. 22 Cryptographic Stores in Alfresco In Theory • Electronic Certificates • Chain of Trust • Public and Private CAs • Cryptographic Stores • mTLS Protocol In Practice • When to use mTLS Communication • Cryptographic Tools • Alfresco KeyStores • Alfresco mTLS Configuration • Using Custom Certificates In Panic • Troubleshooting Java KeyStores
  • 4. 4 $openssl x509 -inAlfresco_Client_Alfresco_CA.pem -text –noout Certificate: Data: Version:3(0x2) SerialNumber:4097(0x1001) SignatureAlgorithm:sha256WithRSAEncryption Issuer:C=GB,ST=UK,L=Maidenhead,O=AlfrescoSoftware Ltd.,OU=Unknown,CN=CustomAlfrescoCA Validity NotBefore:Jun3009:24:082020GMT NotAfter: Jun2809:24:082030GMT Subject:C=GB,ST=UK,O=AlfrescoSoftwareLtd.,OU=Unknown,CN=CustomAlfrescoRepositoryClient SubjectPublicKeyInfo: PublicKeyAlgorithm:rsaEncryption Public-Key:(1024bit) Modulus: 00:a2:89:cf:ff:8d:0b:f6:47:76:fd:66:5b:f5:b6: d8:26:9f:59:b1:3d:58:39:fa:7d:38:5e:0a:61:5e: 5c:dd:e5:50:c2:1c:0d:99:db:26:de:f2:3b:26:47: 5c:d1:8a:f6:e1:a5:04:ec:7c:60:3b:2a:5c:e3:7e: 97:26:59:3a:ed:d7:4a:69:c0:9e:47:5b:a0:03:64: 73:29:35:70:70:e7:1a:a4:b7:5a:c5:a5:08:52:9b: e7:95:72:7e:0d:a4:4d:b6:85:84:e7:c5:4c:7c:fc: 89:93:de:88:f9:c7:9b:52:1f:59:95:04:89:3a:96: b9:e6:a0:e9:e3:d4:08:3a:87 Exponent:65537(0x10001) X509v3extensions: X509v3BasicConstraints: CA:FALSE NetscapeCertType: SSL Server NetscapeComment: OpenSSL GeneratedServerCertificate X509v3SubjectKeyIdentifier: 84:E1:8B:E1:3C:9E:66:20:79:8F:AE:C5:9E:06:50:23:F2:54:A1:72 X509v3AuthorityKeyIdentifier: keyid:2D:AC:E1:41:70:08:36:16:3F:E5:C9:A8:0C:B1:CF:CF:6B:A4:80:BC DirName:/C=GB/ST=UK/L=Maidenhead/O=AlfrescoSoftwareLtd./OU=Unknown/CN=CustomAlfrescoCA serial:94:78:32:24:4E:A5:07:2B X509v3KeyUsage:critical Digital Signature,KeyEncipherment X509v3ExtendedKeyUsage: TLSWebServerAuthentication X509v3SubjectAlternativeName: DNS:localhost SignatureAlgorithm:sha256WithRSAEncryption 12:4d:81:49:ca:e7:00:13:2e:74:1b:2a:de:41:a5:45:79:45: 34:1c:0b:58:30:a8:a0:a4:f2:52:36:ba:6c:e8:9b:7e:4c:15: 87:86:56:a4:e7:38:0d:13:e5:f3:d1:23:5f:f1:28:d8:d7:d6: 6f:a8:c9:21:ec:aa:9f:7d:4e:79:87:14:b7:d5:8f:e8:cc:67: 2e:1b:84:fd:de:ef:ab:c2:49:e4:8f:9e:a4:2e:49:ef:75:79: cd:7b:e2:a9:16:c6:14:94:2a:70:9e:1e:82:d8:d7:c5:54:b5: 30:bb:17:00:e1:86:5f:5c:c7:fe:da:12:35:6f:33:55:ca:11 Electronic Certificates X509 Certificate Issuer Name DN Common 
Name CN Distinguished Name DN Dates valid Private Key Public Key Key Usage Policies Issuer Signature This should match with Server DNS Name RSA 1024 bits with SHA 256 Keystore Truststore
  • 5. 5 Electronic Certificates: File Format .pem – Base64 encoded DER certificate, password .cer, .crt, .der – Binary DER form, password .p7b, .p7c – Base 64 Ascii file with PKCS#7, just for public certificate(s) or CRL(s) .p12 – PKCS#12, may contain certificate(s) (public) and private keys, binary format (ASN.1), password .pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS) -----BEGINCERTIFICATE----- MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE ... HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1 19vwF3KrjH0SGi8dEgF8iQ== -----ENDCERTIFICATE----- -----BEGINRSAPRIVATE KEY----- MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV ... 19vwF3KrjH0SGi8dEgF8iQ== -----ENDRSAPRIVATE KEY----- -----BEGINPKCS7-----MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE ... HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1 19vwF3KrjH0SGi8dEgF8iQ== -----ENDPKCS7-----
  • 6. 6 Public and Private CAs CA (Certificate Authority) is an entity that issues electronic certificates. Public CA • Trusted Third-Party for general public, mainly oriented to final users • Issued certificates are trusted by default in Operating Systems and Browsers • The information and services we provide on these servers is open in Internet Private CA • Trusted Third-Party for internal users and services • Issued certificates aren’t trusted by default, so you need to configure computers and servers in order to trust them • The information and services we provide on these servers is restricted to Intranet PUBLICPRIVATE
  • 7. 7 Chain of Trust A certificate must be traceable back to the trust root it was signed with. All public certificates in the chain [server, intermediate(s), and root] need to be present in the truststore. • Root Certificate: A root certificate is a digital certificate that belongs to the issuing Certificate Authority. • Intermediate Certificate(s): Intermediate certificates branch of root certificates like branches of trees. They act as middle- men between the protected root certificates and the server certificates issued. • Server Certificate – The server certificate is the one issued to the specific server -----BEGINRSAPRIVATE KEY----- MIICXAIBAAKBgQCiic//jQv2R3b9Zlv1ttgmn1mxPVg5+n04XgphXlzd5VDCHA2Z ... nD6OWE6wMqGqCkzz/QlGPaR4n3E4cnm8YgsCZJRwZ/Q= -----ENDRSA PRIVATEKEY----- -----BEGINCERTIFICATE----- MIID2DCCA0GgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwfzELMAkGA1UEBhMCR0Ix ... nh6C2NfFVLUwuxcA4YZfXMf+2hI1bzNVyhEZCQ== -----ENDCERTIFICATE----- -----BEGINCERTIFICATE----- MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV ... 19vwF3KrjH0SGi8dEgF8iQ== -----ENDCERTIFICATE-----
  • 8. 8 Cryptographic Stores Java KeyStores are used to store key material and associated certificates. • Each key store has an overall password used to protect the entire store, and can optionally have per-entry passwords for each secret- or private-key entry. • Java Key Store (JKS) • The original Sun JKS (Java Key Store) format is a proprietary binary format file that can only store asymmetric private keys and associated X.509 certificates. • JCE Key Store (JCEKS) • Sun later updated the cryptographic capabilities of the JVM with the Java Cryptography Extensions (JCE). With this they also introduced a new proprietary key store format: JCEKS. • PKCS#12 • Apart from these proprietary key stores, Java also supports standard PKCS#12 format >> In Alfresco both “keystore” and “truststore” file types are Java Keystores stored in one of the formats described above (JKS, JCEKS, PKCS12)
  • 9. 9 mTLS Protocol TLS Client Keystore Truststore Public Key Public Key Private Key TLS Server Keystore Truststore Public Key Public Key Private Key Hello message Server Public Key Client Public Key Key Validation Encrypted Data
  • 11. 11 When to use mTLS Communication HTTPdefaultINSECUREHTTPprotectedwithpass HTTPS protected with mTLS https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-6-1-is-coming-with-mutual-tls-authentication-by-default/ba-p/287905
  • 12. 12 Cryptographic Tools Issuing certificates • keytool only supports self-signed certificates and a limited set of policies • openssl allows to create an internal CA and to issue certificates signed by this CA with a full set of policies Managing Certificates and Java KeyStores • Command line • keytool provides the ability to create Java Keystores (JKS, JCEKS, PKCS12) including public and private certificates • Window based programs (keytool wrappers) • Portecle • KeyStore Explorer https://docs.oracle.com/en/java/javase/11/tools/keytool.html https://www.openssl.org/docs/ http://portecle.sourceforge.net https://keystore-explorer.org/index.html
  • 13. 13 Alfresco KeyStores: Repository https://github.com/Alfresco/alfresco-ssl-generator By default all the KeyStores are stored in JCEKS format KeyStore and private certificates are protected by password The alias (ssl.repoand so on) are not relevant, different ones can be used keystore • Not related with mTLS configuration, but with encrypting secrets* ssl.keystore • ssl.repo is the private key used to sign HTTP requests • ssl.alfresco.ca is the public key of the CA issuing the certificates ssl.truststore • alfresco.ca is the public key of the CA issuing the certificates • ssl.repo.client is the public key of the certificate used by SOLR as client * https://docs.alfresco.com/6.2/concepts/alf-keystores.html
  • 14. 14 Alfresco KeyStores: SOLR https://github.com/Alfresco/alfresco-ssl-generator By default all the KeyStores are stored in JCEKS format KeyStore and private certificates are protected by password The alias (ssl.repo and so on) are not relevant, different ones can be used ssl-repo-client.keystore • ssl.repo.client is the private key used to sign HTTP requests • alfresco.ca is the public key of the CA issuing the certificates ssl-repo-client.truststore • ssl.alfresco.ca is the public key of the CA issuing the certificates • ssl.repo is the public key of the certificate used by Repository as client • ssl.repo.client is the public key of the certificate used by SOLR as client >> Zeppelin is connecting with the Alfresco Repository, so the KeyStores are the same from SOLR
  • 15. 15 Alfresco KeyStores: Browser https://github.com/Alfresco/alfresco-ssl-generator Connecting to SOLR Admin Web Console (by default available in https://127.0.0.1:8983/solr) requires a client certificate • This certificate needs to be installed in Windows, Mac OS X and Linux. • When using Mozilla Firefox, the certificate needs also to be installed in that browser.
  • 18. 18 Apache HTTP Client in alfresco.war configuration to send HTTPs queries to SOLR Alfresco mTLS: Repository Properties https://github.com/Alfresco/alfresco-community-repo/blob/8.307/repository/src/main/resources/alfresco/repository.properties#L719 #default keystoreslocation dir.keystore=classpath:alfresco/keystore # general encryption parameters(keystore) encryption.keySpec.class=org.alfresco.encryption.DESEDEKeyGenerator encryption.keyAlgorithm=AES encryption.cipherAlgorithm=AES/CBC/PKCS5Padding # secretkey keystore configuration encryption.keystore.location=${dir.keystore}/keystore encryption.keystore.keyMetaData.location=${dir.keystore}/keystore-passwords.properties encryption.keystore.provider= encryption.keystore.type=pkcs12 # ssl.keystore encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore encryption.ssl.keystore.provider= encryption.ssl.keystore.type=JCEKS encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-password.properties # ssl.truststore encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore encryption.ssl.truststore.provider= encryption.ssl.truststore.type=JCEKS encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties # SOLRConfiguration solr.port.ssl=8984 solr.secureComms=https ENCRYPTION PROPERTIES Not related with mTLS Configuration Required even when not using mTLS KEYSTORE Includes Repository private key TRUSTSTORE Includes CA public key and SOLR client public key alfresco-global.properties docker-compose.ymlCLASSIC
• 19. 19 Alfresco mTLS: Tomcat Repository Connector
Tomcat Server configuration to receive HTTPS queries from SOLR
$ cat /usr/local/tomcat/conf/server.xml
...
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           connectionTimeout="20000" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS"
           keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore"
           keystorePass="kT9X6oe68t" keystoreType="JCEKS"
           truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore"
           truststorePass="kT9X6oe68t" truststoreType="JCEKS">
</Connector>
</Service>
</Server>
KEYSTORE: includes the Repository private key
TRUSTSTORE: includes the CA public key and the SOLR client public key
server.xml | Dockerfile | TOMCAT CONNECTOR TLS Configuration | CLASSIC
• 20. 20 Alfresco mTLS: SOLR Properties
Apache HTTP Client configuration in solr.war to send HTTPS indexing requests to Alfresco
https://github.com/Alfresco/SearchServices/blob/2.0.0/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties#L44
# ssl.repo.client.keystore
alfresco.encryption.ssl.keystore.type=JCEKS
alfresco.encryption.ssl.keystore.provider=
alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore
alfresco.encryption.ssl.keystore.passwordFileLocation=ssl-keystore-passwords.properties
# ssl.repo.client.truststore
alfresco.encryption.ssl.truststore.type=JCEKS
alfresco.encryption.ssl.truststore.provider=
alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore
alfresco.encryption.ssl.truststore.passwordFileLocation=ssl-truststore-passwords.properties
# Alfresco Repository configuration
alfresco.port.ssl=8443
alfresco.secureComms=https
KEYSTORE: includes the SOLR private key
TRUSTSTORE: includes the CA public key, the Repository client public key and the SOLR client public key
solrcore.properties | CLASSIC
• 21. 21 Alfresco mTLS: Jetty SOLR Server
Jetty Server configuration to receive HTTPS queries from Alfresco
$ cat /opt/alfresco-search-services/solr.in.sh
# ssl.repo.client.keystore
SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.keystore
SOLR_SSL_KEY_STORE_TYPE=JCEKS
SOLR_SSL_KEY_STORE_PASSWORD=password
# ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.truststore
SOLR_SSL_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_TRUST_STORE_PASSWORD=password
# Jetty mTLS configuration
SOLR_SSL_NEED_CLIENT_AUTH=true
KEYSTORE: includes the SOLR private key
TRUSTSTORE: includes the CA public key, the Repository client public key and the SOLR client public key
solr.in.sh | solr.in.cmd | CLASSIC
• 22. 22 Alfresco mTLS: SOLR Endpoints
The Apache HTTP Client from alfresco.war sends signed HTTPS requests to the SOLR Jetty server
Search Queries
https://127.0.0.1:8983/solr/alfresco/afts
https://127.0.0.1:8983/solr/alfresco/browse
https://127.0.0.1:8983/solr/alfresco/cmis
https://127.0.0.1:8983/solr/alfresco/query
https://127.0.0.1:8983/solr/alfresco/select
SQL Queries
https://127.0.0.1:8983/solr/alfresco/sql
Admin Actions
https://127.0.0.1:8983/solr/admin
• 23. 23 Alfresco mTLS: Repository Endpoints
The Apache HTTP Client from solr.war sends signed HTTPS requests to the Alfresco Tomcat server
Indexing requests
https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets
https://127.0.0.1:8443/alfresco/service/api/solr/acls
https://127.0.0.1:8443/alfresco/service/api/solr/aclsReaders
https://127.0.0.1:8443/alfresco/service/api/solr/metadata
https://127.0.0.1:8443/alfresco/service/api/solr/model
https://127.0.0.1:8443/alfresco/service/api/solr/modelsdiff
https://127.0.0.1:8443/alfresco/service/api/solr/nodes
https://127.0.0.1:8443/alfresco/service/api/solr/textContent
https://127.0.0.1:8443/alfresco/service/api/solr/transactions
• 24. 24 Alfresco mTLS: Sharding
The mTLS configuration can be applied to SOLR Shards in the same way.
• The same KeyStores can be used for every Shard
• A new certificate ssl.client.repo can be generated for each Shard
• You need to add these new certificates to the Alfresco Repository truststore (ssl.truststore)
A sample configuration using DB_ID for two shards is available at:
https://github.com/aborroy/solr-sharding-docker-compose/tree/master/ssl_db_id
• 25. 25 DEMO TIME: Using Custom Certificates
1 - Starting with a working mTLS configuration
• Docker Compose for Alfresco Repository
• ZIP distribution file for Alfresco Search SOLR
2 - Create new KeyStores with different values
3 - Copy the new KeyStores but preserve the encryption resources: keystore and keystore-passwords.properties
4 - Modify the configuration in Alfresco Repository, Apache Tomcat, Alfresco Search SOLR and Jetty
• Use pkcs12 as KeyStore type
• Use password as the password for the KeyStores
CLASSIC
$ ./run.sh -alfrescoversion community -keysize 4096 -keystoretype PKCS12 -keystorepass password -truststoretype PKCS12 -truststorepass password -alfrescoformat classic
https://github.com/Alfresco/alfresco-ssl-generator
• 26. 26
• 27. 27 Common mistakes: Searching
If you are experiencing problems when searching from Alfresco, Share or from the REST API:
• Review Alfresco Repository configuration > alfresco-global.properties
• Review SOLR Jetty configuration > solr.in.sh|solr.in.cmd
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
alfresco-global.properties:
solr.port.ssl=8983
solr.secureComms=https
dir.keystore=/usr/local/tomcat/alf_data/keystore
# ssl.keystore
encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
encryption.ssl.keystore.type=JCEKS
encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-password.properties
# ssl.truststore
encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
encryption.ssl.truststore.type=JCEKS
encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties
solr.in.sh:
SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE_PASSWORD=kT9X6oe68t
SOLR_SSL_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
SOLR_SSL_KEY_STORE_PASSWORD=kT9X6oe68t
SOLR_SSL_KEY_STORE_TYPE=JCEKS
SOLR_SSL_NEED_CLIENT_AUTH=true
• 28. 28 Common mistakes: Indexing
If you are experiencing problems when indexing from SOLR:
• Review Alfresco Tomcat configuration > server.xml
• Review SOLR properties configuration > solrcore.properties
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           connectionTimeout="20000" SSLEnabled="true" maxThreads="150" scheme="https"
           keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore"
           keystorePass="kT9X6oe68t" keystoreType="JCEKS" secure="true"
           truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore"
           truststorePass="kT9X6oe68t" truststoreType="JCEKS"
           clientAuth="want" sslProtocol="TLS">
</Connector>
solrcore.properties:
alfresco.secureComms=https
alfresco.port.ssl=8443
alfresco.encryption.ssl.truststore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
alfresco.encryption.ssl.keystore.provider=JCEKS
alfresco.encryption.ssl.truststore.type=
alfresco.encryption.ssl.keystore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
alfresco.encryption.ssl.truststore.provider=JCEKS
alfresco.encryption.ssl.truststore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-truststore-passwords.properties
alfresco.encryption.ssl.keystore.type=
alfresco.encryption.ssl.keystore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-keystore-passwords.properties
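An added consistency check for the two "Common mistakes" slides above (my own example, not part of the deck or of Alfresco): it parses the key=value lines of alfresco-global.properties, solrcore.properties and solr.in.sh and flags the mismatches those slides point at, such as a KeyStore type written into the .provider property, a missing SOLR_SSL_NEED_CLIENT_AUTH, or solr.port.ssl not matching the port Jetty listens on. The Jetty port (8983, the default on the slides), the accepted store types and the sample property lines are assumptions constructed from the slides.

```python
"""Cross-check the mTLS settings of alfresco-global.properties, solrcore.properties and solr.in.sh
for the mismatches the "Common mistakes" slides point at. Added example, not Alfresco code."""
STORE_TYPES = {"JCEKS", "PKCS12", "JKS"}  # *.type values used on the slides, plus JKS (assumption)

def parse_props(text):
    """key=value lines, comments skipped; Java .properties and solr.in.sh share this shape."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_store(props, prefix, label):
    """Flag a missing .location, an unknown .type, or a store type written into .provider."""
    out, typ, provider = [], props.get(prefix + ".type", ""), props.get(prefix + ".provider", "")
    if typ not in STORE_TYPES:
        out.append(f"{label}: {prefix}.type is '{typ}', expected one of {sorted(STORE_TYPES)}")
    if provider in STORE_TYPES:
        out.append(f"{label}: {prefix}.provider is '{provider}', a store type (swapped with .type?)")
    if not props.get(prefix + ".location"):
        out.append(f"{label}: {prefix}.location is not set")
    return out

def check_mtls(repo, solrcore, solr_in, jetty_port="8983"):
    """Return findings (empty list = consistent); jetty_port is the port Jetty listens on (assumed 8983)."""
    out = []
    if repo.get("solr.secureComms") != "https":
        out.append("alfresco-global.properties: solr.secureComms must be https")
    if repo.get("solr.port.ssl") != jetty_port:
        out.append(f"alfresco-global.properties: solr.port.ssl is {repo.get('solr.port.ssl')!r}, Jetty listens on {jetty_port}")
    if solrcore.get("alfresco.secureComms") != "https":
        out.append("solrcore.properties: alfresco.secureComms must be https")
    if solr_in.get("SOLR_SSL_NEED_CLIENT_AUTH") != "true":
        out.append("solr.in.sh: SOLR_SSL_NEED_CLIENT_AUTH must be true, otherwise Jetty never asks for the client certificate")
    for store in ("keystore", "truststore"):
        out += check_store(repo, "encryption.ssl." + store, "alfresco-global.properties")
        out += check_store(solrcore, "alfresco.encryption.ssl." + store, "solrcore.properties")
    return out

# Constructed samples: repository as on slide 27; solrcore with keystore .type/.provider swapped as on slide 28; solr.in.sh missing client auth
REPO = parse_props("solr.port.ssl=8983\nsolr.secureComms=https\n"
                   "encryption.ssl.keystore.location=ssl.keystore\nencryption.ssl.keystore.type=JCEKS\n"
                   "encryption.ssl.truststore.location=ssl.truststore\nencryption.ssl.truststore.type=JCEKS")
SOLRCORE = parse_props("alfresco.secureComms=https\nalfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore\n"
                       "alfresco.encryption.ssl.keystore.provider=JCEKS\nalfresco.encryption.ssl.keystore.type=\n"
                       "alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore\nalfresco.encryption.ssl.truststore.type=JCEKS")
SOLR_IN = parse_props("SOLR_SSL_KEY_STORE_TYPE=JCEKS\n# SOLR_SSL_NEED_CLIENT_AUTH not set")
```

Running check_mtls(REPO, SOLRCORE, SOLR_IN) reports the missing client-auth flag and the swapped keystore .type/.provider pair, and nothing once those are corrected.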
• 29. 29 Troubleshooting: cURL
Testing the configuration with cURL
Extract the ssl.repo.client certificate from keystores/solr/ssl.repo.client.keystore in PEM format:
$ curl -k --cert Custom_Alfresco_Repository_Client_Custom_Alfresco_CA.pem -v "https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets?fromTime=0&toTime=1603454490108&maxResults=2000"
The other way round, extract the ssl.repo certificate from keystores/alfresco/ssl.keystore in PEM format:
$ curl -k --cert Custom_Alfresco_Repository_Custom_Alfresco_CA.pem -v "https://127.0.0.1:8983/solr/alfresco/select?indent=on&q=@sys:node-dbid:101&wt=json"
• 30. 30 Troubleshooting: Debugging
Debugging the configuration
The best approach to debug the SSL handshake is not using the Log4j categories, but setting this Java parameter for both the Solr and the Alfresco web apps:
-Djavax.net.debug=ssl:handshake
"ClientHello": {
  "client version": "TLSv1.2",
  "random": "79 4D 93 54 F9 59 83 0C 75 58 73 F8 DE 3A 3C B6 95 57 8F 72 A4 FE 92 BB D0 89 50 C3 A0 11 84 9C",
  "session id": "49 61 34 4C 45 80 A0 69 75 E3 92 C2 7D F6 2E 04 70 3F 6C 4D A1 91 F0 B8 CE 79 1C 3B 15 0B 11 F5",
  "cipher suites": "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), ... ]",
  "compression methods": "00",
  "extensions": [ ]
}
)
"ServerHello": {
  "server version": "TLSv1.2",
  "random": "30 8C EE E3 E3 08 6D 38 FD BC 47 5E 9A C5 4C A5 AD 14 3E 97 DB 3E DA C9 BE 61 F9 0F 88 F3 25 10",
  "session id": "",
  "cipher suite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
  "compression methods": "00",
  "extensions": [
    "renegotiation_info (65,281)": { "renegotiated connection": [<no renegotiated connection>] },
    "ec_point_formats (11)": { "formats": [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2] }
  ]
}
• 31. 31 Troubleshooting: Resources
Alfresco Documentation
https://docs.alfresco.com/search-community/tasks/solr-install.html
https://docs.alfresco.com/search-community/concepts/solr-troubleshooting.html
Alfresco Hub
https://hub.alfresco.com/t5/alfresco-content-services-blog/creating-self-signed-ssl-certificates-for-solr/ba-p/288477
https://hub.alfresco.com/t5/alfresco-content-services-blog/using-ssl-with-alfresco-search-services-and-solr-6/ba-p/292687
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-6-1-is-coming-with-mutual-tls-authentication-by-default/ba-p/287905
Blog posts
https://angelborroy.wordpress.com/2016/06/15/configuring-alfresco-ssl-certificates/