To guarantee data integrity and confidentiality in Alfresco, we need to implement authentication and encryption at-rest and in-transit. With micro services proliferation, orchestrating platforms, complex topologies of services and multiple programming languages, there is a demand of new ways to manage service-to-service communication, and in some cases, without the application needing to be aware. In addition to that, compliance requirements around encryption and authentication come to the picture requiring new ways to handle them. This talk will review encryption at-rest solutions for ADBP, and will be also discuss about solutions for encryption and authentication between services. This will be an introduction to service mesh and TLS/mTLS. We will see a demo of ACS running with Istio over EKS along with tools like WaveScope, Kiali, Jaeger, Grafana, Service Graph and Prometheus.
This session will provide a guide to Alfresco truststores and keystores. Several live examples will be shown, including the replacement of existing cryptographic stores or certificates. Additionally, a troubleshooting configuration guide for mTLS communication will be provided.
Moving Gigantic Files Into and Out of the Alfresco RepositoryJeff Potts
This talk is a technical case study showing show Metaversant solved a problem for one of their clients, Noble Research Institute. Researchers at Noble deal with very large files which are often difficult to move into and out of the Alfresco repository.
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseAngel Borroy López
Presentation on how to move from the Alfresco Search Services product based in Apache Solr to the new Alfresco Search Enterprise integrated with Elasticsearch and Amazon Opensearch.
Infrastructure, use cases and performance considerations for
an Enterprise Grade ECM implementation up to 1B documents on AWS (Amazon Web Services EC2 and Aurora) based on the Alfresco (http://www.alfresco.com) Platform, leading Open Source Enterprise Content Management system.
EXPLAIN ANALYZE is a new query profiling tool first released in MySQL 8.0.18. This presentation covers how this new feature works, both on the surface and on the inside, and how you can use it to better understand your queries, to improve them and make them go faster.
This presentation is for everyone who has ever had to understand why a query is executed slower than anticipated, and for everyone who wants to learn more about query plans and query execution in MySQL.
This session will provide a guide to Alfresco truststores and keystores. Several live examples will be shown, including the replacement of existing cryptographic stores or certificates. Additionally, a troubleshooting configuration guide for mTLS communication will be provided.
Moving Gigantic Files Into and Out of the Alfresco RepositoryJeff Potts
This talk is a technical case study showing show Metaversant solved a problem for one of their clients, Noble Research Institute. Researchers at Noble deal with very large files which are often difficult to move into and out of the Alfresco repository.
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseAngel Borroy López
Presentation on how to move from the Alfresco Search Services product based in Apache Solr to the new Alfresco Search Enterprise integrated with Elasticsearch and Amazon Opensearch.
Infrastructure, use cases and performance considerations for
an Enterprise Grade ECM implementation up to 1B documents on AWS (Amazon Web Services EC2 and Aurora) based on the Alfresco (http://www.alfresco.com) Platform, leading Open Source Enterprise Content Management system.
EXPLAIN ANALYZE is a new query profiling tool first released in MySQL 8.0.18. This presentation covers how this new feature works, both on the surface and on the inside, and how you can use it to better understand your queries, to improve them and make them go faster.
This presentation is for everyone who has ever had to understand why a query is executed slower than anticipated, and for everyone who wants to learn more about query plans and query execution in MySQL.
In this session, we will look first at the rich metadata that documents in your repository have, how to control the mapping of this on to your content model, and some of the interesting things this can deliver. We'll then move on to the content transformation and rendition services, and see how you can easily and powerfully generate a wide range of media from the content you already have.
Features of Alfresco Search Services.
Features of Alfresco Search & Insight Engine.
Future plans for the product
---
DEMO GUIDE
[1] Queries: Share > Node Browser
ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'
SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')
[2] Queries: Share > JS Console
var ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
var searchService = ctxt.getBean('SearchService', org.alfresco.service.cmr.search.SearchService);
var StoreRef = Packages.org.alfresco.service.cmr.repository.StoreRef;
var SearchService = Packages.org.alfresco.service.cmr.search.SearchService;
var ResultSet = Packages.org.alfresco.repo.search.impl.lucene.SolrJSONResultSet;
ResultSet =
searchService.query(
StoreRef.STORE_REF_WORKSPACE_SPACESSTORE,
SearchService.LANGUAGE_FTS_ALFRESCO,
"ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'");
logger.log(ResultSet.getNodeRefs());
---
var ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
var searchService = ctxt.getBean('SearchService', org.alfresco.service.cmr.search.SearchService);
var StoreRef = Packages.org.alfresco.service.cmr.repository.StoreRef;
var SearchService = Packages.org.alfresco.service.cmr.search.SearchService;
var ResultSet = Packages.org.alfresco.repo.search.impl.lucene.SolrJSONResultSet;
ResultSet =
searchService.query(
StoreRef.STORE_REF_WORKSPACE_SPACESSTORE,
SearchService.LANGUAGE_CMIS_ALFRESCO,
"SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')");
logger.log(ResultSet.getNodeRefs());
---
var def =
{
query: "ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'",
language: "fts-alfresco"
};
var results = search.query(def);
logger.log(results);
[3] Queries: api-explorer
{
"query": {
"language": "afts",
"query": "ASPECT:\"cm:titled\" AND cm:title:\"*Sample\" AND TEXT:\"code\""
}
}
---
{
"query": {
"language": "cmis",
"query": "SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')"
}
}
[4] Queries: CMIS Workbench > Groovy Console
rs = session.query("SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')", false)
for (res in rs) {
println(res.getPropertyValueById('cmis:objectId'))
}
[5] Queries: SOLR Web Console > (alfresco) > Query
/afts
ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'
---
/cmis
SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')
---
Log Management
Log Monitoring
Log Analysis
Need for Log Analysis
Problem with Log Analysis
Some of Log Management Tool
What is ELK Stack
ELK Stack Working
Beats
Different Types of Server Logs
Example of Winlog beat, Packetbeat, Apache2 and Nginx Server log analysis
Mimikatz
Malicious File Detection using ELK
Practical Setup
Conclusion
The objective of this article is to describe what to monitor in and around Alfresco in order to have a good understanding of how the applications are performing and to be aware of potential issues.
Alfresco node lifecyle, services and zonesSanket Mehta
This ppt explains you the details about an alfresco node lifecycle (including which alfresco database tables are affected upon node operation-like node creation, deletion). Apart from it, it also explain which particular case-sensitive alfresco service should be used (nodeService vs NodeService, searchService vs SearchService) in order to maintain security in your application. Lastly it covers zones in alfresco (authentication-related zones and application-related zones)
All you need to know about transport layer securityMaarten Smeets
Many people think that using HTTPS to offer your site or service to clients makes you secure from eavesdroppers and people trying to manipulate your network traffic. Think again! In this presentation I'll dive into transport layer security. I'll elaborate on what you can achieve with SSL such as authentication, encryption and integrity and how you can achieve it. I'll talk about the client-server handshake, identity and trust, one-way and two-way SSL, keys and keystores and cipher suite choice. By means of several examples, I'll show what it can mean if you make the wrong choices in on premises and cloud scenario's. This presentation is relevant for anyone involved in securing connections between client and server using TLS and people interested in learning more about the topic of TLS in general.
Certificate pinning in android applicationsArash Ramez
How to do cryptography right in android
Part #4 / How to mitigate MITM attacks in SSL/TLS channels using server certification validation
watch it on youtube:
https://www.youtube.com/playlist?list=PLT2xIm2X7W7gZ0mtoAA8JrfFrvOKr1Qlp
In this session, we will look first at the rich metadata that documents in your repository have, how to control the mapping of this on to your content model, and some of the interesting things this can deliver. We'll then move on to the content transformation and rendition services, and see how you can easily and powerfully generate a wide range of media from the content you already have.
Features of Alfresco Search Services.
Features of Alfresco Search & Insight Engine.
Future plans for the product
---
DEMO GUIDE
[1] Queries: Share > Node Browser
ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'
SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')
[2] Queries: Share > JS Console
var ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
var searchService = ctxt.getBean('SearchService', org.alfresco.service.cmr.search.SearchService);
var StoreRef = Packages.org.alfresco.service.cmr.repository.StoreRef;
var SearchService = Packages.org.alfresco.service.cmr.search.SearchService;
var ResultSet = Packages.org.alfresco.repo.search.impl.lucene.SolrJSONResultSet;
ResultSet =
searchService.query(
StoreRef.STORE_REF_WORKSPACE_SPACESSTORE,
SearchService.LANGUAGE_FTS_ALFRESCO,
"ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'");
logger.log(ResultSet.getNodeRefs());
---
var ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
var searchService = ctxt.getBean('SearchService', org.alfresco.service.cmr.search.SearchService);
var StoreRef = Packages.org.alfresco.service.cmr.repository.StoreRef;
var SearchService = Packages.org.alfresco.service.cmr.search.SearchService;
var ResultSet = Packages.org.alfresco.repo.search.impl.lucene.SolrJSONResultSet;
ResultSet =
searchService.query(
StoreRef.STORE_REF_WORKSPACE_SPACESSTORE,
SearchService.LANGUAGE_CMIS_ALFRESCO,
"SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')");
logger.log(ResultSet.getNodeRefs());
---
var def =
{
query: "ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'",
language: "fts-alfresco"
};
var results = search.query(def);
logger.log(results);
[3] Queries: api-explorer
{
"query": {
"language": "afts",
"query": "ASPECT:\"cm:titled\" AND cm:title:\"*Sample\" AND TEXT:\"code\""
}
}
---
{
"query": {
"language": "cmis",
"query": "SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')"
}
}
[4] Queries: CMIS Workbench > Groovy Console
rs = session.query("SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')", false)
for (res in rs) {
println(res.getPropertyValueById('cmis:objectId'))
}
[5] Queries: SOLR Web Console > (alfresco) > Query
/afts
ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'
---
/cmis
SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')
---
Log Management
Log Monitoring
Log Analysis
Need for Log Analysis
Problem with Log Analysis
Some of Log Management Tool
What is ELK Stack
ELK Stack Working
Beats
Different Types of Server Logs
Example of Winlog beat, Packetbeat, Apache2 and Nginx Server log analysis
Mimikatz
Malicious File Detection using ELK
Practical Setup
Conclusion
The objective of this article is to describe what to monitor in and around Alfresco in order to have a good understanding of how the applications are performing and to be aware of potential issues.
Alfresco node lifecyle, services and zonesSanket Mehta
This ppt explains you the details about an alfresco node lifecycle (including which alfresco database tables are affected upon node operation-like node creation, deletion). Apart from it, it also explain which particular case-sensitive alfresco service should be used (nodeService vs NodeService, searchService vs SearchService) in order to maintain security in your application. Lastly it covers zones in alfresco (authentication-related zones and application-related zones)
All you need to know about transport layer securityMaarten Smeets
Many people think that using HTTPS to offer your site or service to clients makes you secure from eavesdroppers and people trying to manipulate your network traffic. Think again! In this presentation I'll dive into transport layer security. I'll elaborate on what you can achieve with SSL such as authentication, encryption and integrity and how you can achieve it. I'll talk about the client-server handshake, identity and trust, one-way and two-way SSL, keys and keystores and cipher suite choice. By means of several examples, I'll show what it can mean if you make the wrong choices in on premises and cloud scenario's. This presentation is relevant for anyone involved in securing connections between client and server using TLS and people interested in learning more about the topic of TLS in general.
Certificate pinning in android applicationsArash Ramez
How to do cryptography right in android
Part #4 / How to mitigate MITM attacks in SSL/TLS channels using server certification validation
watch it on youtube:
https://www.youtube.com/playlist?list=PLT2xIm2X7W7gZ0mtoAA8JrfFrvOKr1Qlp
Deploying Next Generation Firewalling with ASA - CXCisco Canada
This presentation will explain the technology and capabilities behind Cisco’s new context aware firewall: Cisco ASA–CX. We will introduce a new approach to firewall policy creation based on contextual attributes such as: user identity, device type and application usage.
Sensitive data is vulnerable when it is stored insecurely and transmitted over open networks. The PCI Security Council takes a hard line on protecting cardholder data and describes specific methods to comply with its standards.
Attend this webinar to better understand methods that make data theft more difficult for attackers and render stolen data unusable.
Topics covered include:
• Properly protecting stored cardholder data - encryption, hashing, masking and truncation
• Securing data during transmission - using strong cipher suites, valid certificates, and strong TLS security
• How to identify and mitigate missing encryption
This presentation is a tutorial intro to DANE (DNS Authentication of Named Entities). It describes the root problem, a possible solution using DANE, and briefly shows how you can starting using DANE and TLSA records yourself.
Slides of the Webinar "SSL, impact and optimisation"
INTRODUCTION
What is SSL?
The purpose of SSL
History of SSL / TLS
Overview of a TLS connection
PART 1
What is the role of an SSL certificate?
Levels of validation
Options for certificates: SAN and Wildcard
The certificate ordering process
Certificate chain
SSL algorithms: encryption & authentication
Examples
PART 2
TLS and IPV4 exhaustion
HAProxy and SNI
TLS impacts
SSL offloading
SEO
Security of the SSL protocol
TLS/SSL - Study of Secured CommunicationsNitin Ramesh
TLS/SSL - The mechanism enabling to have secured communications between 2 points over network is more important than ever. Here we deep dive into the basics and its relevance in today's world.
Prowler: Cloud Security Assessment, Auditing, Hardening, Compliance and Forensics Readiness Tool
Prowler helps to assess, audit and harden your AWS account configuration and resources. It also helps to check your configuration with CIS recommendations, and check if your cloud infrastructure is GDPR compliance or if you are ready for a proper forensic investigation. It is a command line tool that provides direct and clear information about configuration status related to security of a given AWS account, it performs more than 80 checks.
This is the session delivered during the Alfresco Developers Conference in Lisbon, January 2018. Learn all what you need to know to perform a proper backup and disaster recovery strategy. From a single server installation with hundreds of documents to a large deployment with multiple nodes, layers, databases and multi-million documents. What is the best way for each case?
TTL Alfresco Product Security and Best Practices 2017Toni de la Fuente
Slide deck used during Tech Talk Live #110 in October 2017. Phil Meadows and myself discussed about Alfresco products security and I went through Alfresco CS security best practices.
Security in IaaS, attacks, hardening, incident response, forensics and all about its automation. Despite I will talk about general concept related to AWS, Azure and GCP, I will show specific demos and threats in AWS and I will go in detail with some caveats and hazards in AWS.
Alfresco Backup and Recovery Tool: a real world backup solution for AlfrescoToni de la Fuente
Presentation used in the Alfresco Summit 2014 (both Barcelona and Boston).
If you want to see the demo visit: https://www.youtube.com/watch?v=i0K2Y_6JH0A
White Paper and presentation video can be found here: http://summit.alfresco.com/boston/sessions/alfresco-backup-and-recovery-tool-real-world-backup-solution
Presentación en español utilizada en el webinar sobre la nueva versión del módulo Alfresco Records Management 2.0. Para ver el video puede visitar http://www.alfresco.com/es y http://blyx.com
Cuanta más información almacenamos en Alfresco, más necesidades de protegerla tenemos. En este webinar haremos un repaso sobre los consejos de seguridad más importantes a tener en cuenta en Alfresco, tanto a nivel de aplicación como a nivel de servidor, red e intrusiones.
SOLR es el nuevo motor de indexación que incorpora Alfresco en su versión 4.0, no obstante, se puede seguir usando Lucene. En este webinar de una hora de duración, junto a Baratz (Partner Gold de Alfresco), vamos a aprender qué es SOLR, cómo funciona y cómo está soportado, como configurarlo y migrar de Lucene a Solr, qué efectos tiene en el repositorio y que mejoras nos aporta.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
3. Agenda • Requirements
• Encryption Foundations
• Encryption At-Rest
– Native on premises
– Third party on premises
– Cloud
• Encryption In-Transit
– TLS and mTLS
– Service to Service
– Service Mesh
5. Learn. Connect. Collaborate.
Requirements:
• Organization policies
and compliance
• Industry or
government
regulations
• Protect privacy
• Minimizes
unauthorized access
to data
CIA triad:
Information
Security
Integrity
Availability
Confidentiality
Authenticity
Accountability
Non-repudiation
7. Learn. Connect. Collaborate.
Foundations
• Encryption keeps confidentiality and a key un-encrypt: AES
(symmetric), Blowfish (symmetric), RSA (asymmetric)
• Hashing checks integrity of data by creating a hash or digest
with one-way function (signatures): SHA, MD5, MD4, etc.
• Encoding is for maintaining data usability and can be reversed
by employing the same algorithm that encoded the content:
ASCII, Unicode, URL Encoding, Base64
• Obfuscation is used to prevent people from understanding the
meaning of something, like source code
8. Learn. Connect. Collaborate.
Symmetric key encryption
Alice wants to send an encrypted
message to Boriss:
Key
(1234)
Plaintext
Ciphertext
A B C D E F G H I J K
99rwV+HMzEX4ux1O9t0TwQ==
Algorithm
Blowfish, AES,
DES, TripleDES,
etc.
They both use
the same key to
encrypt and
decryptThis process is usually FAST
9. Learn. Connect. Collaborate.
Asymmetric key encryption: public and private keys
Alice wants to send an encrypted
message to Boriss:
Alice uses Boriss’
Public Key
(1234)
Plaintext
Ciphertext
A B C D E F G H I J K
99rwV+HMzEX4ux1O9t0TwQ==
Algorithm
RSA, ElGamal,
etc.
Boriss uses his Private
Key to decrypt
(5678)
Alice only
needs to know
Bob’s public
keyThis process is usually SLOW
11. Learn. Connect. Collaborate.
Tools and Common File Formats
• Many tools like OpenSSL, keytool, cfssl, mkcert, minica
• Encoding:
– DER: binary cert encoded with DER .cer or .crt files
– PEM: ASCII (base64 encoded) cert .cer or .crt or .pem files
“----BEGIN CERTIFICATE----” “----END CERTIFICATE----”
• File extension:
– .crt: Unix/Linux convention for a DER or Base64 PEM
– .cer: MS convention for a DER or Base64 PEM
– .key: public or private key PKCS#8. DER or PEM
13. Learn. Connect. Collaborate.
What is encryption at-rest?
Protect stored data from unauthorized access
using encryption at block, file, directory, file
system or full disk level with keys
14. Learn. Connect. Collaborate.
Where do we store information today?
• Alfresco CS Content Store
• Alfresco CS Database
• Alfresco CS Indexes
• Alfresco CS Shared File Store (new Transformation Service)
• Alfresco PS Database
• Alfresco Identity Database (Keycloak)
• Alfresco mobile Apps
DBs
DBs
DBs
File
System
Network
Storage
15. Learn. Connect. Collaborate.
How can we encrypt stored data?
• Natively → Encryption add-on for Alfresco Content Store (application
side encryption)
Repo Storage
doc doc doc doc
Encrypted content
store feature
added
DB
Indexes /
Transformations
• Uses Java Cryptography Extension
(supports HW encryption)
• Each content element encrypted with
individual symmetric key (AES 128 bit
default). Symmetric keys are stored in
alf_content_url_encryption table
• Content keys then encrypted with
asymmetric master key-pair (RSA)
16. Learn. Connect. Collaborate.
How can we encrypt stored data?
• Third parties → for Alfresco Content Store and everything else
Repo Storage
doc doc doc doc
Encrypted content
store feature
added
DB
Indexes /
Transformations
• File system level tools
• AWS EBS or S3 Server Side
Encryption, RDS volume
encryption
• MSSQL or Oracle TDE
19. Learn. Connect. Collaborate.
Intro
• What is encryption in-transit?
• TLS and mTLS
• SSL Offloading
• Our Research and POCs:
– Service to Service
– Service Mesh
20. Learn. Connect. Collaborate.
What is encryption in-transit?
Protect moving data from unauthorized
access using encryption on the wire with
protocols like TLS or IPsec and keys
21. Learn. Connect. Collaborate.
TLS and mTLS
• SSL/TLS History:
– 1995: SSL v2 (deprecated in 2011)
– 1996: SSL v3 (deprecated in 2015)
– 1999: TLS 1.0 (deprecation 2020) *
– 2006: TLS 1.1 (deprecation 2020) *
– 2008: TLS 1.2 *
– 2018: TLS 1.3
* Vulnerable depending on browser or cipher
used (POODLE, FREAK RC4 attacks and
others)
• TLS: are cryptographic protocols
that provide communications
security over a computer network.
It uses symmetric cryptography
to encrypt data transmitted and
public-key cryptography for
authentication. Authentication
usually is from the server side only
(using X.509 certs).
• mTLS: mutual authentication using
X.509 cert, commonly used
between servers, applications or
services.
22. Learn. Connect. Collaborate.
SSL Offloading
Repo Storage
doc doc doc doc
DBs
File System
Indexes /
Transformations
Service A
Service B
Service C
Service D
Service E Service F
HTTP over
TLS
LB
Plain HTTP
23. Learn. Connect. Collaborate.
How does TLS and mTLS look like together?
Repo Storage
doc doc doc doc
DBs
File System
Indexes /
Transformations
Service A
Service B
Service C
Service D
Service E Service FJDBC over
TLS
HTTP over
TLS
HTTP over
TLS with
mutual
Authenticati
on = mTLS
LB
HTTP over
TLS
24. Learn. Connect. Collaborate.
mTLS: Java Implementation High Level Overview
Service A
Service C
Service B
-Service A is client of Service
B and server for Service C
-Service B is client for Service
C and server for Service A
-Service C is client for Service
A and server for Service B
Client Server
keystore
truststore
keystore
truststore
1. Service connection requested
2. Provides server certificate
3. Client
verifies
server cert
authenticity
using CA
cert
4. Provides client certificate
5. Server
Verifies
client cert
authenticity
using CA
cert
6. They agree and share a
symmetric session key for
encryption and decryption and
communication starts
Server
Certific
ate
Server
Private
Key
CA
Certific
ate
CA
Certific
ate
Client
Certific
ate
Client
Private
Key
25. Disclaimer
• The information contained in these presentations is intended to inform the
developer community based on a working prototype and should not be relied
upon in making purchasing decisions.
• The content is for informational purposes only and may not be incorporated into
any contract.
• The information presented is not a commitment, promise, or legal obligation to
deliver any material, code or functionality.
• Any references to the development, release, and timing of any features or
functionality described for these products remains at Alfresco's sole discretion
• Product capabilities, timeframes and features are subject to change and should
not be viewed as Alfresco commitments.
26. Learn. Connect. Collaborate.
Our Research
Service to Service Service Mesh
Remember:
We want to see what is the best way to implement encryption and authentication between services!
Tested with Alfresco CS 6.1, our Helm charts and EKS in AWS.
32. Learn. Connect. Collaborate.
Service-to-Service Encryption in-transit and
Authentication POC
• mTLS configuration per service/microservice
• Automated with customized Helm chart and
services
• Repo and Solr communication was already
mTLS
• Limitations:
– Repository service can’t do mTLS with
transformation services: handshake fails
– SSL certificate CN must match with
domain name of internal services
(requires usage of a CA)
– mTLS between ELB and ingress
– Automating certificate generation via
Helm chart
Kudos to Abdul Mohammed!
33. Learn. Connect. Collaborate.
Service Mesh Intro
• Challenges managing microservice architecture or service-oriented architecture
– Multiple services, different IP, different hosts
– Routing and discovery challenges
– Network security challenges
– Compatibility
– Multi-level network awareness
• Patterns:
– Sidecar
– Ambassador
– Adapter or Node Agent
• Known open source options:
– Istio (Google, IBM and Lyft) - mTLS stable
– Linkerd (Buoyant.io) - mTLS experimental
– Consul (Hashicorp) - mTLS through Consul Connect
– App Mesh (AWS) preview - no mTLS support
34. Learn. Connect. Collaborate.
Istio Requirements and Features
• Requirements:
– For us: end-to-end encryption and authentication
– Discovery, load balancing, failure recovery, metrics, monitoring, A/B testing, canary
releases, rate limiting and access control.
• Istio Features:
– Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic.
– Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault
injection.
– A pluggable policy layer and configuration API supporting access controls, rate limits and
quotas.
– Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress
and egress.
– Secure service-to-service communication in a cluster with strong identity-based
authentication and authorization.
35. Learn. Connect. Collaborate.
Istio Architecture
● Data Plane
● Control Plane
● Components:
● Envoy: proxy per
{micro}service
● Mixer: policies,
telemetry and plugins
● Pilot: service discovery
● Citadel: manages certs
for authorization and
authentication
● Galley: istio API
● Others: ingress and
egress gateways,
injector, etc.
https://istio.io/docs/concepts/security/architecture.svg
40. Learn. Connect. Collaborate.
References and
Recommended
Lectures
• Liz Rice: GopherCon 2018: The Go Programmer's Guide to Secure
Connections https://www.youtube.com/watch?v=kxKLYDLzuHA
• Hanno: CCC 2018: The Rocky Road to TLS 1.3 and better Internet
Encryption https://media.ccc.de/v/35c3-9607-
the_rocky_road_to_tls_1_3_and_better_internet_encryption