This session will provide a guide to Alfresco truststores and keystores. Several live examples will be shown, including the replacement of existing cryptographic stores or certificates. Additionally, a troubleshooting configuration guide for mTLS communication will be provided.
Practical information for Alfresco integration with AOS (Sharepoint Protocol), Google Drive, Microsoft 365, ONLYOFFICE and Collabora Online.
Additionally ADW support for ONLYOFFICE is provided by https://github.com/atolcd/adf-onlyoffice-extension#installation
This is the session delivered during the Alfresco Developers Conference in Lisbon, January 2018. Learn all you need to know to perform a proper backup and disaster recovery strategy. From a single server installation with hundreds of documents to a large deployment with multiple nodes, layers, databases and multi-million documents. What is the best way for each case?
How to migrate from Alfresco Search Services to Alfresco Search Enterprise - Angel Borroy López
Presentation on how to move from the Alfresco Search Services product based in Apache Solr to the new Alfresco Search Enterprise integrated with Elasticsearch and Amazon Opensearch.
Alfresco DevCon 2019 (Edinburgh)
"Transforming the Transformers" for Alfresco Content Services (ACS) 6.1 & beyond
https://community.alfresco.com/community/ecm/blog/2019/02/07/alfresco-transform-service-new-with-acs-61
Alfresco provides various content transformation options across the Digital Business Platform (DBP). In this talk, we will explore the new independently-scalable Alfresco Transform Service. This enables a new option for transforms to be asynchronously off-loaded by Alfresco Content Services (ACS).
https://devcon.alfresco.com/speaker/jan-vonka/
Alfresco DevCon 2019: Encryption at-rest and in-transit - Toni de la Fuente
To guarantee data integrity and confidentiality in Alfresco, we need to implement authentication and encryption at-rest and in-transit. With the proliferation of microservices, orchestration platforms, complex service topologies and multiple programming languages, there is a demand for new ways to manage service-to-service communication, in some cases without the application needing to be aware of it. In addition, compliance requirements around encryption and authentication come into the picture, requiring new ways to handle them. This talk will review encryption at-rest solutions for ADBP, and will also discuss solutions for encryption and authentication between services. This will be an introduction to service mesh and TLS/mTLS. We will see a demo of ACS running with Istio over EKS along with tools like WaveScope, Kiali, Jaeger, Grafana, Service Graph and Prometheus.
In this session, we will look first at the rich metadata that documents in your repository have, how to control the mapping of this on to your content model, and some of the interesting things this can deliver. We'll then move on to the content transformation and rendition services, and see how you can easily and powerfully generate a wide range of media from the content you already have.
Features of Alfresco Search Services.
Features of Alfresco Search & Insight Engine.
Future plans for the product
---
DEMO GUIDE
[1] Queries: Share > Node Browser
ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'
SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')
[2] Queries: Share > JS Console
var ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
var searchService = ctxt.getBean('SearchService', org.alfresco.service.cmr.search.SearchService);
var StoreRef = Packages.org.alfresco.service.cmr.repository.StoreRef;
var SearchService = Packages.org.alfresco.service.cmr.search.SearchService;
var ResultSet = Packages.org.alfresco.repo.search.impl.lucene.SolrJSONResultSet;
ResultSet =
searchService.query(
StoreRef.STORE_REF_WORKSPACE_SPACESSTORE,
SearchService.LANGUAGE_FTS_ALFRESCO,
"ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'");
logger.log(ResultSet.getNodeRefs());
---
var ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
var searchService = ctxt.getBean('SearchService', org.alfresco.service.cmr.search.SearchService);
var StoreRef = Packages.org.alfresco.service.cmr.repository.StoreRef;
var SearchService = Packages.org.alfresco.service.cmr.search.SearchService;
var ResultSet = Packages.org.alfresco.repo.search.impl.lucene.SolrJSONResultSet;
ResultSet =
searchService.query(
StoreRef.STORE_REF_WORKSPACE_SPACESSTORE,
SearchService.LANGUAGE_CMIS_ALFRESCO,
"SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')");
logger.log(ResultSet.getNodeRefs());
---
var def =
{
query: "ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'",
language: "fts-alfresco"
};
var results = search.query(def);
logger.log(results);
[3] Queries: api-explorer
{
"query": {
"language": "afts",
"query": "ASPECT:\"cm:titled\" AND cm:title:\"*Sample\" AND TEXT:\"code\""
}
}
---
{
"query": {
"language": "cmis",
"query": "SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')"
}
}
[4] Queries: CMIS Workbench > Groovy Console
rs = session.query("SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')", false)
for (res in rs) {
println(res.getPropertyValueById('cmis:objectId'))
}
[5] Queries: SOLR Web Console > (alfresco) > Query
/afts
ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'
---
/cmis
SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')
---
In this session, we'll discuss architectural, design and tuning best practices for building rock solid and scalable Alfresco Solutions. We'll cover the typical use cases for highly scalable Alfresco solutions, like massive injection and high concurrency, also introducing 3.3 and 3.4 Transfer / Replication services for building complex high availability enterprise architectures.
Alfresco DevCon 2019 Performance Tools of the Trade - Luis Colorado
Discover tips and tools that will help you to keep your Alfresco environment in shape. Most of the best tools are free or Open Source, and this presentation will guide you through the steps to improve the performance of your system.
Alfresco node lifecycle, services and zones - Sanket Mehta
This presentation explains the details of an Alfresco node lifecycle (including which Alfresco database tables are affected by node operations such as node creation and deletion). It also explains which case-sensitive Alfresco service should be used (nodeService vs NodeService, searchService vs SearchService) in order to maintain security in your application. Lastly, it covers zones in Alfresco (authentication-related zones and application-related zones).
Alfresco 5.2 Introduces New Public REST APIs
For an update, please see: https://www.slideshare.net/jvonka/exciting-new-alfresco-apis
https://www.meetup.com/Alfresco-Meetups/events/236987848/
An overview of the new and enhanced APIs will be discussed and some of the key endpoints demonstrated via Postman so that by the time you leave you should have enough knowledge to create a simple client or integration.
These APIs will also be the foundation for new clients developed for the Alfresco Digital Business Platform.
We'll have a sneak peek at what's coming next and leave plenty of time for questions, feedback and open discussion.
Alfresco Content Modelling and Policy Behaviours - J V
Alfresco DevCon 2010 (Paris and New York)
This session starts by giving an overview of components of an Alfresco content model. We then examine the various forms of call-backs and hook-points available to the developer and give some examples of how these can be used to enforce custom business logic and model consistency.
The objective of this article is to describe what to monitor in and around Alfresco in order to have a good understanding of how the applications are performing and to be aware of potential issues.
Alfresco Web Scripts have become an important part of any Alfresco developer's tool kit and in this session we will take a deep dive into how Web Scripts can be used to provide public APIs for Alfresco extensions. After briefly reviewing the anatomy of a Web Script and discussing Alfresco's approach to Service development, we will work through an example that extends Alfresco with a simple service and creates a REST API using Web Scripts.
Infrastructure, use cases and performance considerations for an Enterprise Grade ECM implementation up to 1B documents on AWS (Amazon Web Services EC2 and Aurora) based on the Alfresco (http://www.alfresco.com) Platform, leading Open Source Enterprise Content Management system.
Sizing an alfresco infrastructure has always been an interesting topic with lots of unrevealed questions. There is no perfect formula that can accurately define what is the perfect sizing for your architecture considering your use case. However, we can provide you with valuable guidance on how to size your Alfresco solution, by asking the right questions, collecting the right numbers, and taking the right assumptions on a very interesting sizing exercise.
How many alfresco servers will you need on your alfresco cluster? How many CPUs/cores do you need on those servers to handle your estimated user concurrency? How do you estimate the sizing and growth of your storage? How much memory do you need on your Solr servers? How many Solr servers do you need to get the response times you require? What are the golden rules that can drive and maintain the success of an Alfresco project?
Pulsar Summit Asia - Running a secure pulsar cluster - Shivji Kumar Jha
A Pulsar instance consists of one or more Pulsar clusters. Clusters, in turn, consist of a broker cluster, a bookkeeper cluster and a zookeeper cluster. While this provides a modular and flexible design, there are a lot of bytes flowing over the network. In an application that is paranoid about security, that is a lot of connections, both intra-cluster and inter-cluster, to secure. At Nutanix we have deployed Pulsar in a secure environment and run it through a lot of security audits for infrastructure certifications.
In this talk, we will go over how we set up authentication and authorization on all the network communications to make our Pulsar deployment secure.
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli... - Andrejs Vorobjovs
"Experience in implementing SSL between Oracle DB and Oracle Clients" - presentation will explain how to configure and implement SSL between Oracle DB/Client
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014 - Jakub Kałużny
When it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
Shameful secrets of proprietary network protocols - Slawomir Jasek
There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen... - confluent
In this baller talk, we will be addressing the elephant in the room that no one ever wants to look at or talk about: security. We generally never want to talk about configuring security because if we do, we allocate risk of penetration by exposing ourselves to exploitation. However, this leads to a lot of confusion around proper Kafka security best practices and how to appropriately lock down a cluster when you are starting out. In this talk we will demystify the elephant in the room without deconstructing it limb by limb. We will give you a notion of how to configure the following for BOTH clients and servers:
* TLS or Kerberos Authentication
* Encrypt your network traffic via TLS
* Perform authorization via access control lists (ACLs)
We will also demonstrate the above with a GitHub repo you can try out for yourself. Lastly, we will present a reference implementation of oauth if that suits your fancy. All in all you should walk away with a pretty decent understanding of the necessary aspects required for a secure Kafka environment.
A pragmatic approach to using public / private certificates in keystores in Java.
Presentation starts with a technical, but simplified explanation of security, certificates and keystores. Then it introduces best practices regarding use and maintenance of these resources.
Afterwards practical howtos (eg. making certificates, keystores, ..) and a demo-application, using 2-way SSL are shown. The presentation ends with some tips and tricks regarding troubleshooting.
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols - PROIDEA
There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.
TTL Alfresco Product Security and Best Practices 2017 - Toni de la Fuente
Slide deck used during Tech Talk Live #110 in October 2017. Phil Meadows and I discussed Alfresco product security, and I went through Alfresco CS security best practices.
In this session, we'll simplify the complexities of configuring and troubleshooting mutual TLS (mTLS) within Alfresco environments. Attendees will gain practical insights into certificate management, trust validation, and common challenges encountered during configuration.
We'll showcase and provide custom tools for troubleshooting during the session. These tools can be used with ZIP, Ansible, Docker and Kubernetes deployments.
Event description available in https://hub.alfresco.com/t5/news-announcements/ttl-157-troubleshooting-made-easy-deciphering-alfresco-s-mtls/ba-p/319735/jump-to/first-unread-message
Yaroslav talks more about Mobile Security and his experience doing it on iOS platforms.
You can see his full lecture here: https://www.youtube.com/watch?v=_f7pmwi0yfs
Yaroslav Vorontsov works as a software architect at DataArt. Over the course of his professional career, he has taken part in many projects from different industrial domains, managed to grow from an intern to a tech lead quickly. He has also won two major prizes at two consecutive THacks in Berlin as a member of DataArt teams, participated in local developers’ communities and taught about 100 students in total for 3 years at the university. When he's not working, Yaroslav enjoys playing and watching football, and exploring new countries with his wife.
IT talk is an open community, where anyone interested in technologies can participate. It is a real opportunity for IT professionals, teachers, students and even novice developers to share knowledge, network & discuss technical solutions and even present them at the next IT Talk seminars!
Website: http://dataart.bg/
Facebook: https://www.facebook.com/dataartbulgaria/
YouTube: https://www.youtube.com/channel/UCFYE6-NmhDFhFtx4gGkHXGQ
FIWARE Wednesday Webinars - How to Secure IoT Devices - FIWARE
FIWARE Wednesday Webinar - How to Secure IoT Devices (22nd April 2020)
Corresponding webinar recording: https://youtu.be/_87IZhrYo3U
Live coding session and commentary, demonstrating various techniques and methods for securing the interactions between Devices, IoT Agents and the Context Broker
Chapter: Security
Difficulty: 3
Audience: Any Technical
Presenter: Jason Fox (Senior Technical Evangelist, FIWARE Foundation)
Using Generative AI and Content Service Platforms together - Angel Borroy López
Slides for FOSDEM 2024 session: https://fosdem.org/2024/schedule/event/fosdem-2024-1858-using-generative-ai-and-content-service-platforms-together/
Describes a framework that provides GenAI operations for documents using a REST API. LLMs are stored locally, so no data is sent away.
It also includes a sample integration with a Content Service Platform (Alfresco), to enhance documents and pictures context information.
Session recording is available in https://ftp.fau.de/fosdem/2024/h2213/fosdem-2024-1858-using-generative-ai-and-content-service-platforms-together.av1.webm
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc... - Angel Borroy López
Practical guide on integrating Alfresco Community with On-Premise Generative AI.
This session outlines the steps to enhance both existing and new content, demonstrating features such as classification, summarization, translation, and prompting. But this framework allows you to include additional features.
Source code is available in https://github.com/aborroy/alfresco-genai
This presentation describes different methods to produce Alfresco Docker Assets for Docker Compose deployment.
From the previous methods (based in Python, Yeoman and Docker) to the Docker Init with Templates approach.
The recent launch of the Docker Init command has significantly simplified the process of generating Dockerfiles and Docker Compose templates for containerized applications. This presentation aims to explore the evolution of Docker deployment resources generation process, comparing its approach prior to the Docker Init command release and discussing the way forward. Before the introduction of the Docker Init command, I've been delivering some projects like the "alfresco-docker-installer"[1], which provides custom scripts and configurations to streamline the process of deploying Alfresco in Docker containers. These kinds of projects use tools like Yeoman or raw Python. There are some differences between a Docker Template for a technology (Go, Python, Node or Rust) and a Docker Template for a product (like Alfresco) that may be covered when generating automatic deployment resources. This presentation will delve into the methodologies employed before the Docker Init command:
Custom Dockerfile Extension
Compose Template for a complete product deployment, including a set of services like the database, content repository, search engine, or web application
Configuration Management, including techniques such as environment variable injection, externalized configuration files, and configuration overrides
Following the release of the Docker Init command, this presentation will provide insights into the possibilities and advantages it brings to complex products Docker deployment process. A PoC of a Docker Plugin, including this product-oriented approach for docker init, will be demoed live. >> Note that the Open Source Alfresco product is used only to explain the concepts of building a Docker Compose generator with a real example.
This deck includes a description of the Transform Service available for Alfresco 7.4.0.
Secure configuration sample, relying on mTLS, is also discussed.
This presentation describes how to use Podman to replace Docker in the Alfresco 7.4.0 development process.
Alfresco platform is built using containerization technology. Alfresco can utilize containerization platforms like Podman, which provide the necessary tools and infrastructure to create, manage, and run containers.
Podman is presented as an alternative to Docker. Both Docker and Podman can be used effectively for Alfresco development. So consider your familiarity with the tools, preferred workflow, ecosystem support, security requirements, and any specific performance considerations to make the best choice for your Alfresco development needs.
CSP: Evolution of open source services in a Cloud Native world - Angel Borroy López
Presentation given at Openexpo Europe 2023:
https://openexpoeurope.com/es/session/cuando-hyland-encontro-a-alfresco-evolucion-de-servicios-de-codigo-abierto-en-un-mundo-cloud-native/
Presents an evolutionary view of document management platforms: ECM, CSP and Cloud Native.
Includes relevant information on the Alfresco, Nuxeo and Hyland Experience products.
This presentation describes how to use the BPM Engine included with Alfresco ACS repository.
All the different APIs are covered: Workflow Console UI, REST API and Java API.
Support material for the blog post available in https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-7-3-upgrading-to-transform-core-3-0-0/ba-p/315364
This presentation describes the differences between Alfresco Transform Engine and Alfresco Transform Core 3.0.0.
Deployment, configuration and extension topics for Transform Core are covered.
DockerCon EU 2022 Slides: "Docker Onboarding"
Sesión en español para presentar los recursos disponibles para comenzar con Docker.
La sesión está disponible en la página del evento de Docker:
https://docker.events.cube365.net/dockercon/2022/communityroom/WH6PqrceCvsn7P2W7
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
Modern design is crucial in today's digital environment, and this is especially true for SharePoint intranets. The design of these digital hubs is critical to user engagement and productivity enhancement. They are the cornerstone of internal collaboration and interaction within enterprises.
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
How to Position Your Globus Data Portal for Success Ten Good PracticesGlobus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?XfilesPro
Worried about document security while sharing them in Salesforce? Fret no more! Here are the top-notch security standards XfilesPro upholds to ensure strong security for your Salesforce documents while sharing with internal or external people.
To learn more, read the blog: https://www.xfilespro.com/how-does-xfilespro-make-document-sharing-secure-and-seamless-in-salesforce/
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...informapgpstrackings
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us : https://informapuae.com/field-staff-tracking/
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTier1 app
Even though at surface level ‘java.lang.OutOfMemoryError’ appears as one single error; underlyingly there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.
Understanding Globus Data Transfers with NetSageGlobus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
Why React Native as a Strategic Advantage for Startup Innovation.pdfayushiqss
Do you know that React Native is being increasingly adopted by startups as well as big companies in the mobile app development industry? Big names like Facebook, Instagram, and Pinterest have already integrated this robust open-source framework.
In fact, according to a report by Statista, the number of React Native developers has been steadily increasing over the years, reaching an estimated 1.9 million by the end of 2024. This means that the demand for this framework in the job market has been growing making it a valuable skill.
But what makes React Native so popular for mobile application development? It offers excellent cross-platform capabilities among other benefits. This way, with React Native, developers can write code once and run it on both iOS and Android devices thus saving time and resources leading to shorter development cycles hence faster time-to-market for your app.
Let’s take the example of a startup, which wanted to release their app on both iOS and Android at once. Through the use of React Native they managed to create an app and bring it into the market within a very short period. This helped them gain an advantage over their competitors because they had access to a large user base who were able to generate revenue quickly for them.
2. 22
Cryptographic Stores in Alfresco
In Theory
• Electronic Certificates
• Chain of Trust
• Public and Private CAs
• Cryptographic Stores
• mTLS Protocol
In Practice
• When to use mTLS Communication
• Cryptographic Tools
• Alfresco KeyStores
• Alfresco mTLS Configuration
• Using Custom Certificates
In Panic
• Troubleshooting
Java KeyStores
4. 4
$ openssl x509 -in Alfresco_Client_Alfresco_CA.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=UK, L=Maidenhead, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco CA
Validity
Not Before: Jun 30 09:24:08 2020 GMT
Not After : Jun 28 09:24:08 2030 GMT
Subject: C=GB, ST=UK, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco Repository Client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:a2:89:cf:ff:8d:0b:f6:47:76:fd:66:5b:f5:b6:
d8:26:9f:59:b1:3d:58:39:fa:7d:38:5e:0a:61:5e:
5c:dd:e5:50:c2:1c:0d:99:db:26:de:f2:3b:26:47:
5c:d1:8a:f6:e1:a5:04:ec:7c:60:3b:2a:5c:e3:7e:
97:26:59:3a:ed:d7:4a:69:c0:9e:47:5b:a0:03:64:
73:29:35:70:70:e7:1a:a4:b7:5a:c5:a5:08:52:9b:
e7:95:72:7e:0d:a4:4d:b6:85:84:e7:c5:4c:7c:fc:
89:93:de:88:f9:c7:9b:52:1f:59:95:04:89:3a:96:
b9:e6:a0:e9:e3:d4:08:3a:87
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
84:E1:8B:E1:3C:9E:66:20:79:8F:AE:C5:9E:06:50:23:F2:54:A1:72
X509v3 Authority Key Identifier:
keyid:2D:AC:E1:41:70:08:36:16:3F:E5:C9:A8:0C:B1:CF:CF:6B:A4:80:BC
DirName:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA
serial:94:78:32:24:4E:A5:07:2B
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:localhost
Signature Algorithm: sha256WithRSAEncryption
12:4d:81:49:ca:e7:00:13:2e:74:1b:2a:de:41:a5:45:79:45:
34:1c:0b:58:30:a8:a0:a4:f2:52:36:ba:6c:e8:9b:7e:4c:15:
87:86:56:a4:e7:38:0d:13:e5:f3:d1:23:5f:f1:28:d8:d7:d6:
6f:a8:c9:21:ec:aa:9f:7d:4e:79:87:14:b7:d5:8f:e8:cc:67:
2e:1b:84:fd:de:ef:ab:c2:49:e4:8f:9e:a4:2e:49:ef:75:79:
cd:7b:e2:a9:16:c6:14:94:2a:70:9e:1e:82:d8:d7:c5:54:b5:
30:bb:17:00:e1:86:5f:5c:c7:fe:da:12:35:6f:33:55:ca:11
Electronic Certificates: X509 Certificate
Callouts on the certificate output:
• Issuer Name (DN)
• Common Name (CN)
• Distinguished Name (DN)
• Dates valid
• Private Key / Public Key
• Key Usage
• Policies
• Issuer Signature
• This should match with Server DNS Name
• RSA 1024 bits with SHA 256
• Keystore / Truststore
5. 5
Electronic Certificates: File Format
.pem – Base64 encoded DER certificate, password
.cer, .crt, .der – Binary DER form, password
.p7b, .p7c – Base64 ASCII file with PKCS#7, just for public certificate(s) or CRL(s)
.p12 – PKCS#12, may contain certificate(s) (public) and private keys, binary format (ASN.1), password
.pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)
-----BEGIN CERTIFICATE-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE
...
HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1
19vwF3KrjH0SGi8dEgF8iQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
...
19vwF3KrjH0SGi8dEgF8iQ==
-----END RSA PRIVATE KEY-----
-----BEGIN PKCS7-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE
...
HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1
19vwF3KrjH0SGi8dEgF8iQ==
-----END PKCS7-----
6. 6
Public and Private CAs
A CA (Certificate Authority) is an entity that issues electronic certificates.
Public CA
• Trusted third party for the general public, mainly oriented to end users
• Issued certificates are trusted by default in operating systems and browsers
• The information and services provided on these servers are open to the Internet
Private CA
• Trusted third party for internal users and services
• Issued certificates aren’t trusted by default, so you need to configure computers and servers to trust them
• The information and services provided on these servers are restricted to the intranet
7. 7
Chain of Trust
A certificate must be traceable back to the trust root it was signed with.
All public certificates in the chain [server, intermediate(s), and root] need to be present in the truststore.
• Root Certificate: A root certificate is a digital certificate that belongs to the issuing Certificate Authority.
• Intermediate Certificate(s): Intermediate certificates branch off root certificates like the branches of a tree. They act as middlemen between the protected root certificates and the server certificates issued.
• Server Certificate: The server certificate is the one issued to the specific server.
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCiic//jQv2R3b9Zlv1ttgmn1mxPVg5+n04XgphXlzd5VDCHA2Z
...
nD6OWE6wMqGqCkzz/QlGPaR4n3E4cnm8YgsCZJRwZ/Q=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIID2DCCA0GgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwfzELMAkGA1UEBhMCR0Ix
...
nh6C2NfFVLUwuxcA4YZfXMf+2hI1bzNVyhEZCQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
...
19vwF3KrjH0SGi8dEgF8iQ==
-----END CERTIFICATE-----
8. 8
Cryptographic Stores
Java KeyStores are used to store key material and associated certificates.
• Each key store has an overall password used to protect the entire store, and can optionally have per-entry passwords for each secret- or private-key entry.
• Java Key Store (JKS)
  • The original Sun JKS (Java Key Store) format is a proprietary binary format file that can only store asymmetric private keys and associated X.509 certificates.
• JCE Key Store (JCEKS)
  • Sun later updated the cryptographic capabilities of the JVM with the Java Cryptography Extensions (JCE). With this they also introduced a new proprietary key store format: JCEKS.
• PKCS#12
  • Apart from these proprietary key stores, Java also supports the standard PKCS#12 format
>> In Alfresco both “keystore” and “truststore” file types are Java Keystores stored in one of the formats described above (JKS, JCEKS, PKCS12)
9. 9
mTLS Protocol
[Diagram: a TLS Client and a TLS Server, each holding a Keystore and a Truststore (labels: Public Key, Public Key, Private Key). Messages exchanged: Hello message, Server Public Key, Client Public Key, Key Validation, Encrypted Data.]
11. 11
When to use mTLS Communication
• HTTP default INSECURE
• HTTP protected with pass
• HTTPS protected with mTLS
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-6-1-is-coming-with-mutual-tls-authentication-by-default/ba-p/287905
12. 12
Cryptographic Tools
Issuing certificates
• keytool only supports self-signed certificates and a limited set of policies
• openssl allows you to create an internal CA and to issue certificates signed by this CA with a full set of policies
Managing Certificates and Java KeyStores
• Command line
  • keytool provides the ability to create Java Keystores (JKS, JCEKS, PKCS12) including public and private certificates
• Window-based programs (keytool wrappers)
  • Portecle
  • KeyStore Explorer
https://docs.oracle.com/en/java/javase/11/tools/keytool.html
https://www.openssl.org/docs/
http://portecle.sourceforge.net
https://keystore-explorer.org/index.html
13. 13
Alfresco KeyStores: Repository
https://github.com/Alfresco/alfresco-ssl-generator
By default all the KeyStores are stored in JCEKS format
KeyStore and private certificates are protected by password
The aliases (ssl.repo and so on) are not relevant; different ones can be used
keystore
• Not related to mTLS configuration, but to encrypting secrets*
ssl.keystore
• ssl.repo is the private key used to sign HTTP requests
• ssl.alfresco.ca is the public key of the CA issuing the certificates
ssl.truststore
• alfresco.ca is the public key of the CA issuing the certificates
• ssl.repo.client is the public key of the certificate used by SOLR as client
* https://docs.alfresco.com/6.2/concepts/alf-keystores.html
14. 14
Alfresco KeyStores: SOLR
https://github.com/Alfresco/alfresco-ssl-generator
By default all the KeyStores are stored in JCEKS format
KeyStore and private certificates are protected by password
The aliases (ssl.repo and so on) are not relevant; different ones can be used
ssl-repo-client.keystore
• ssl.repo.client is the private key used to sign HTTP requests
• alfresco.ca is the public key of the CA issuing the certificates
ssl-repo-client.truststore
• ssl.alfresco.ca is the public key of the CA issuing the certificates
• ssl.repo is the public key of the certificate used by Repository as client
• ssl.repo.client is the public key of the certificate used by SOLR as client
>> Zeppelin connects to the Alfresco Repository, so its KeyStores are the same as the SOLR ones
18. 18
Apache HTTP Client in alfresco.war configuration to send HTTPs queries to SOLR
Alfresco mTLS: Repository Properties
https://github.com/Alfresco/alfresco-community-repo/blob/8.307/repository/src/main/resources/alfresco/repository.properties#L719
# default keystores location
dir.keystore=classpath:alfresco/keystore
# general encryption parameters(keystore)
encryption.keySpec.class=org.alfresco.encryption.DESEDEKeyGenerator
encryption.keyAlgorithm=AES
encryption.cipherAlgorithm=AES/CBC/PKCS5Padding
# secret key keystore configuration
encryption.keystore.location=${dir.keystore}/keystore
encryption.keystore.keyMetaData.location=${dir.keystore}/keystore-passwords.properties
encryption.keystore.provider=
encryption.keystore.type=pkcs12
# ssl.keystore
encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
encryption.ssl.keystore.provider=
encryption.ssl.keystore.type=JCEKS
encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-password.properties
# ssl.truststore
encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
encryption.ssl.truststore.provider=
encryption.ssl.truststore.type=JCEKS
encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties
# SOLR Configuration
solr.port.ssl=8984
solr.secureComms=https
ENCRYPTION PROPERTIES: Not related to mTLS configuration. Required even when not using mTLS.
KEYSTORE: Includes Repository private key
TRUSTSTORE: Includes CA public key and SOLR client public key
Files: alfresco-global.properties, docker-compose.yml
CLASSIC
19. 19
Tomcat Server configuration to receive HTTPs queries from SOLR
Alfresco mTLS: Tomcat Repository Connector
$ cat /usr/local/tomcat/conf/server.xml
...
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
connectionTimeout="20000" maxThreads="150"
SSLEnabled="true" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore"
keystorePass="kT9X6oe68t" keystoreType="JCEKS"
truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore"
truststorePass="kT9X6oe68t" truststoreType="JCEKS">
</Connector>
</Service>
</Server>
TOMCAT CONNECTOR: TLS Configuration
KEYSTORE: Includes Repository private key
TRUSTSTORE: Includes CA public key and SOLR client public key
Files: server.xml, Dockerfile
CLASSIC
20. 20
Apache HTTP Client in solr.war configuration to send HTTPs indexing requests to Alfresco
Alfresco mTLS: SOLR Properties
https://github.com/Alfresco/SearchServices/blob/2.0.0/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties#L44
# ssl.repo.client.keystore
alfresco.encryption.ssl.keystore.type=JCEKS
alfresco.encryption.ssl.keystore.provider=
alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore
alfresco.encryption.ssl.keystore.passwordFileLocation=ssl-keystore-passwords.properties
# ssl.repo.client.truststore
alfresco.encryption.ssl.truststore.type=JCEKS
alfresco.encryption.ssl.truststore.provider=
alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore
alfresco.encryption.ssl.truststore.passwordFileLocation=ssl-truststore-passwords.properties
# Alfresco Repository configuration
alfresco.port.ssl=8443
alfresco.secureComms=https
KEYSTORE: Includes SOLR private key
TRUSTSTORE: Includes CA public key, Repository client public key and SOLR client public key
File: solrcore.properties
CLASSIC
21. 21
Jetty Server configuration to receive HTTPs queries from Alfresco
Alfresco mTLS: Jetty SOLR Server
$ cat /opt/alfresco-search-services/solr.in.sh
# ssl.repo.client.keystore
SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.keystore
SOLR_SSL_KEY_STORE_TYPE=JCEKS
SOLR_SSL_KEY_STORE_PASSWORD=password
# ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.truststore
SOLR_SSL_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_TRUST_STORE_PASSWORD=password
# Jetty mTLS configuration
SOLR_SSL_NEED_CLIENT_AUTH=true
KEYSTORE: Includes SOLR private key
TRUSTSTORE: Includes CA public key, Repository client public key and SOLR client public key
Files: solr.in.sh, solr.in.cmd
CLASSIC
22. 22
Alfresco mTLS: SOLR Endpoints
Apache HTTP Client from alfresco.war is sending signed HTTPs requests to SOLR Jetty server
Search Queries
https://127.0.0.1:8983/solr/alfresco/afts
https://127.0.0.1:8983/solr/alfresco/browse
https://127.0.0.1:8983/solr/alfresco/cmis
https://127.0.0.1:8983/solr/alfresco/query
https://127.0.0.1:8983/solr/alfresco/select
SQL Queries
https://127.0.0.1:8983/solr/alfresco/sql
Admin Actions
https://127.0.0.1:8983/solr/admin
23. 23
Alfresco mTLS: Repository Endpoints
Apache HTTP Client from solr.war is sending signed HTTPs requests to Alfresco Tomcat server
Indexing requests
https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets
https://127.0.0.1:8443/alfresco/service/api/solr/acls
https://127.0.0.1:8443/alfresco/service/api/solr/aclsReaders
https://127.0.0.1:8443/alfresco/service/api/solr/metadata
https://127.0.0.1:8443/alfresco/service/api/solr/model
https://127.0.0.1:8443/alfresco/service/api/solr/modelsdiff
https://127.0.0.1:8443/alfresco/service/api/solr/nodes
https://127.0.0.1:8443/alfresco/service/api/solr/textContent
https://127.0.0.1:8443/alfresco/service/api/solr/transactions
24. 24
Alfresco mTLS: Sharding
mTLS Configuration can be applied to SOLR Shards in the same way.
• The same KeyStores can be used for every Shard
• A new certificate ssl.client.repo can be generated for each Shard
• You need to add these new certificates to Alfresco Repository truststore (ssl.truststore)
Sample configuration using DB_ID for two shards is available in:
https://github.com/aborroy/solr-sharding-docker-compose/tree/master/ssl_db_id
25. 25
DEMO TIME: Using Custom Certificates
1 - Starting with a working mTLS configuration
• Docker Compose for Alfresco Repository
• ZIP Distribution file for Alfresco Search SOLR
2 - Create new KeyStores with different values
3 - Copy the new KeyStores but preserve encryption resources: keystore and keystore-passwords.properties
4 - Modify configuration in Alfresco Repository, Apache Tomcat, Alfresco Search SOLR and Jetty
• Use pkcs12 as KeyStore Type
• Use password as password for the KeyStores
CLASSIC
$ ./run.sh \
  -alfrescoversion community \
  -keysize 4096 \
  -keystoretype PKCS12 -keystorepass password \
  -truststoretype PKCS12 -truststorepass password \
  -alfrescoformat classic
https://github.com/Alfresco/alfresco-ssl-generator
27. 27
Common mistakes: Searching
If you are experiencing problems when searching from Alfresco, Share or the REST API:
• Review Alfresco Repository configuration > alfresco-global.properties
• Review SOLR Jetty configuration > solr.in.sh|solr.in.cmd
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
solr.port.ssl=8983
solr.secureComms=https
dir.keystore=/usr/local/tomcat/alf_data/keystore
# ssl.keystore
encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
encryption.ssl.keystore.type=JCEKS
encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-password.properties
# ssl.truststore
encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
encryption.ssl.truststore.type=JCEKS
encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties
SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE_PASSWORD=kT9X6oe68t
SOLR_SSL_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
SOLR_SSL_KEY_STORE_PASSWORD=kT9X6oe68t
SOLR_SSL_KEY_STORE_TYPE=JCEKS
SOLR_SSL_NEED_CLIENT_AUTH=true
28. 28
Common mistakes: Indexing
If you are experiencing problems when indexing from SOLR:
• Review Alfresco Tomcat configuration > server.xml
• Review SOLR properties configuration > solrcore.properties
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
connectionTimeout="20000"
SSLEnabled="true" maxThreads="150" scheme="https"
keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore"
keystorePass="kT9X6oe68t" keystoreType="JCEKS" secure="true"
truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore"
truststorePass="kT9X6oe68t" truststoreType="JCEKS" clientAuth="want" sslProtocol="TLS">
</Connector>
alfresco.secureComms=https
alfresco.port.ssl=8443
alfresco.encryption.ssl.truststore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
alfresco.encryption.ssl.keystore.provider=JCEKS
alfresco.encryption.ssl.truststore.type=
alfresco.encryption.ssl.keystore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
alfresco.encryption.ssl.truststore.provider=JCEKS
alfresco.encryption.ssl.truststore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-truststore-passwords.properties
alfresco.encryption.ssl.keystore.type=
alfresco.encryption.ssl.keystore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-keystore-passwords.properties
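The two "Common mistakes" slides ask you to review four files in pairs; the sketch below automates that comparison. It is an added example, not code from the deck or from Alfresco: the function names are hypothetical, the file contents are constructed, and it assumes (as on the slides) that on each side the HTTP client and the server connector point at the same store files.

```python
"""Cross-check the four files the 'Common mistakes' slides tell you to review.
All file contents below are constructed samples, not taken from a real system."""
import os.path
import re
import xml.etree.ElementTree as ET

def parse_kv(text):
    """Parse key=value lines (.properties or solr.in.sh), skipping comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip().strip('"')
    return out

def expand(props, value):
    """Resolve ${name} references such as ${dir.keystore}."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)

def https_connector(server_xml):
    """Attributes of the first SSL-enabled <Connector> in server.xml."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() == "true":
            return dict(conn.attrib)
    return {}

def check_pair(side, store, client_path, client_type, server_path, server_type):
    """Compare one store as configured for the HTTP client and for the server.
    Files are compared by basename because a location may be relative (assumption)."""
    findings = []
    if os.path.basename(client_path) != os.path.basename(server_path):
        findings.append(f"{side}: {store} file differs: {client_path!r} vs {server_path!r}")
    if client_type.upper() != server_type.upper():
        findings.append(f"{side}: {store} type differs: {client_type!r} vs {server_type!r}")
    return findings

def lint(global_props, server_xml, solrcore_props, solr_in_sh):
    """Return human-readable inconsistencies; an empty list means consistent."""
    repo, conn = parse_kv(global_props), https_connector(server_xml)
    core, jetty = parse_kv(solrcore_props), parse_kv(solr_in_sh)
    findings = []
    for store, env in (("keystore", "KEY_STORE"), ("truststore", "TRUST_STORE")):
        findings += check_pair(
            "repository", store,
            expand(repo, repo.get(f"encryption.ssl.{store}.location", "")),
            repo.get(f"encryption.ssl.{store}.type", ""),
            conn.get(f"{store}File", ""), conn.get(f"{store}Type", ""))
        findings += check_pair(
            "solr", store,
            core.get(f"alfresco.encryption.ssl.{store}.location", ""),
            core.get(f"alfresco.encryption.ssl.{store}.type", ""),
            jetty.get(f"SOLR_SSL_{env}", ""), jetty.get(f"SOLR_SSL_{env}_TYPE", ""))
    if repo.get("solr.secureComms") != "https":
        findings.append("repository: solr.secureComms is not https")
    if core.get("alfresco.secureComms") != "https":
        findings.append("solr: alfresco.secureComms is not https")
    if conn.get("clientAuth") not in ("want", "true"):
        findings.append("repository: Tomcat connector does not ask for a client certificate")
    if jetty.get("SOLR_SSL_NEED_CLIENT_AUTH") != "true":
        findings.append("solr: SOLR_SSL_NEED_CLIENT_AUTH is not true")
    if core.get("alfresco.port.ssl") != conn.get("port"):
        findings.append("solr: alfresco.port.ssl does not match the Tomcat HTTPS port")
    return findings

# Constructed samples: stores regenerated as PKCS12, but two files were not updated.
GLOBAL_PROPS = """
dir.keystore=/usr/local/tomcat/alf_data/keystore
encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
encryption.ssl.keystore.type=PKCS12
encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
encryption.ssl.truststore.type=PKCS12
solr.secureComms=https
"""
SERVER_XML = """<Server><Service>
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
  keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore" keystoreType="JCEKS"
  truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore" truststoreType="PKCS12"/>
</Service></Server>"""
SOLRCORE_PROPS = """
alfresco.secureComms=https
alfresco.port.ssl=8443
alfresco.encryption.ssl.keystore.type=PKCS12
alfresco.encryption.ssl.keystore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
alfresco.encryption.ssl.truststore.type=PKCS12
alfresco.encryption.ssl.truststore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
"""
SOLR_IN_SH = """
SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.keystore
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_NEED_CLIENT_AUTH=true
"""

if __name__ == "__main__":
    for finding in lint(GLOBAL_PROPS, SERVER_XML, SOLRCORE_PROPS, SOLR_IN_SH):
        print(finding)
```

Passwords are deliberately not compared, since the properties files only reference separate password files.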
29. 29
Troubleshooting: cURL
Testing the configuration with cURL
Extract the ssl.repo.client certificate from keystores/solr/ssl.repo.client.keystore in PEM format:
$ curl -k --cert Custom_Alfresco_Repository_Client_Custom_Alfresco_CA.pem -v \
  "https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets?fromTime=0&toTime=1603454490108&maxResults=2000"
In the other direction, extract the ssl.repo certificate from keystores/alfresco/ssl.keystore in PEM format:
$ curl -k --cert Custom_Alfresco_Repository_Custom_Alfresco_CA.pem -v \
  "https://127.0.0.1:8983/solr/alfresco/select?indent=on&q=@sys:node-dbid:101&wt=json"