SlideShare a Scribd company logo

Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Configuration

Angel Borroy López
Angel Borroy López

n this session, we'll simplify the complexities of configuring and troubleshooting mutual TLS (mTLS) within Alfresco environments. Attendees will gain practical insights into certificate management, trust validation, and common challenges encountered during configuration. We'll showcase and provide custom tools for troubleshooting during the session. These tools can be used with ZIP, Ansible, Docker and Kubernetes deployments. Event description available in https://hub.alfresco.com/t5/news-announcements/ttl-157-troubleshooting-made-easy-deciphering-alfresco-s-mtls/ba-p/319735/jump-to/first-unread-message

Software
1 of 34
Download to read offline
April 17, 2024 ©2024 Hyland Software, Inc. and its affiliates. All rights reserved. All Hyland product names are registered or unregistered trademarks of Hyland Software, Inc. or its affiliates in the United States and other countries. TTL #157 Troubleshooting Made Easy: Deciphering Alfresco’s mTLS Configuration Angel Borroy Developer Evangelist
• Alfresco mTLS • Cryptographic Best Practices • Communication Repository <> Search • Troubleshooting Tools • Hands on, using EC certificates Agenda
Alfresco mTLS
Alfresco mTLS Transform COMMUNITY UI DB Web Proxy CA keystore Search Repository
Alfresco mTLS Messaging Transform ENTERPRISE UI DB Web Proxy CA keystore Search* Repository * When using Search Enterprise with Elasticsearch or OpenSearch
A Closer Look Alfresco Service TLS Protocol client server TLS Protocol CA keystore KEY keystore TRUST … … Self-Signed Public Authority
Cryptographic Best Practices
General Guidelines SSL TLSv1.0 TLSv1.1 TLSv1.2* TLSv1.3 JCEKS JKS PKCS12 RSA 2048 bits ECDSA 224 bits • Server Authentication • Client Authentication OpenSSL alfresco-ssl-generator Let’s Encrypt
TLS Protocol TLS Protocol client server TLS Protocol Use TLSv1.3 • Apache Tomcat, set protocols to TLSv1.3 in Connector.SSLHostConfig • Jetty, set TLSv1.3 in Java property jdk.tls.client.protocols • Spring Boot, set TLSv1.3 in SERVER_SSL_ENABLED_PROTOCOLS Alternatively use TLS 1.2 with ECDHE and AES-GCM hardcoded • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 When multiple TLS versions are available in the server, the client will select one • The default for security handshakes in JDK 17 is TLS 1.3
Keystore Type and Certificates Use Keystore Type PKCS12 • Avoid using non-standard formats like JKS or JCEKS Certificates • Algorithm • RSA, widely supported across different platforms and libraries • ECDSA, equivalent security with shorter key length, more performant and efficient for mTLS • Minimum key length • 2048 bits for RSA • 224 bits for EC • Usage • Server Authentication – OID 1.3.6.1.5.5.7.3.1 • Client Authentication – OID 1.3.6.1.5.5.7.3.2 keystore KEY keystore TRUST … …
Certificate Authority Self-Signed • Use Alfresco SSL Generator project, which depends on OpenSSL for certificate generation • Use alternative software able to issue certificates according with the previous recommendations • Later in this session, smallstep will be used Public Authority • Use OpenSSL with Let’s Encrypt, set up a cron job to re-fetch certificates regularly • Requires active Internet connection to Alfresco containers • Use a web hosting provider, like AWS CA Self-Signed Public Authority
Comm Repository <> Search
mTLS between Repository and Search CA Search Repository
Use community.sh script from Alfresco SSL Generator $ ./community.sh $ tree keystores keystores ├── alfresco │ ├── ssl.keystore │ └── ssl.truststore ├── solr │ ├── ssl.repo.client.keystore │ └── ssl.repo.client.truststore └── client └── browser.p12 Creating Certificates and Keystores Solr Admin Web Console
Repository Keystores $ keytool -v -list -keystore keystores/alfresco/ssl.truststore Alias name: alfresco.ca Owner: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Alias name: ssl.repo.client Owner: CN=Search, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US $ keytool -v -list -keystore keystores/alfresco/ssl.keystore Alias name: ssl.repo Owner: CN=Repository, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US RSA 2048 bits • Server Authentication • Client Authentication
Repository Configuration (server) Add following Connector to ${TOMCAT_DIR}/conf/server.xml file <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" defaultSSLHostConfigName="localhost"> <SSLHostConfig hostName="localhost" protocols="TLSv1.3" certificateVerification="required" truststoreFile="ssl.truststore" truststorePassword="truststore" truststoreType="PKCS12"> <Certificate certificateKeystoreFile="ssl.keystore" certificateKeyAlias="ssl.repo" type="RSA" certificateKeystorePassword="keystore" certificateKeystoreType="PKCS12"/> </SSLHostConfig> </Connector>
Repository Configuration (client) Add environment variables containing passwords -Dssl-keystore.password=keystore -Dssl-truststore.password=truststore Set Alfresco Repository Java Properties solr.host=localhost solr.port.ssl=8983 solr.secureComms=https encryption.ssl.keystore.type=PKCS12 encryption.ssl.keystore.location=/usr/local/tomcat/keystore/ssl.keystore encryption.ssl.truststore.type=PKCS12 encryption.ssl.truststore.location=/usr/local/tomcat/keystore/ssl.truststore When using the same password for keystore and keys, no aliases setting is required
Search Keystores $ keytool -v -list -keystore keystores/solr/ssl.repo.client.truststore Alias name: ssl.repo Owner: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Alias name: alfresco.ca Owner: CN=Repository, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US $ keytool -v -list -keystore keystores/solr/ssl.repo.client.keystore Alias name: ssl.repo.client Owner: CN=Search, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US RSA 2048 bits • Server Authentication • Client Authentication
Search Configuration (server) Java Environment Variables -Dsolr.jetty.truststore.password=truststore -Dsolr.jetty.keystore.password=keystore -Djdk.tls.client.protocols=TLSv1.3 OS Environment Variables (or modify solr.in.[sh|cmd] file) SOLR_SSL_KEY_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.keystore" SOLR_SSL_KEY_STORE_PASSWORD: "keystore" SOLR_SSL_KEY_STORE_TYPE: "PKCS12" SOLR_SSL_TRUST_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.truststore" SOLR_SSL_TRUST_STORE_PASSWORD: "truststore" SOLR_SSL_TRUST_STORE_TYPE: "PKCS12" SOLR_SSL_NEED_CLIENT_AUTH: "true"
Search Configuration (client) Add environment variables containing passwords -Dssl-keystore.password=keystore -Dssl-truststore.password=truststore Set solrcore.properties Java Properties (in each core or in template) alfresco.host=localhost alfresco.port=8443 alfresco.secureComms=https alfresco.encryption.ssl.keystore.location=/opt/alfresco-search- services/keystore/ssl.repo.client.keystore alfresco.encryption.ssl.keystore.type=PKCS12 alfresco.encryption.ssl.truststore.location=/opt/alfresco-search- services/keystore/ssl.repo.client.truststore alfresco.encryption.ssl.truststore.type=PKCS12 When using the same password for keystore and keys, no aliases setting is required
Sample deployment with Docker Compose https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/docker
Troubleshooting tools
Available tools Transform UI DB Web Proxy Search Repository alfresco-http-java-client solr-http-java-client mtls-conf-app https://github.com/aborroy/alfresco-mtls-debugging-kit
Alfresco Repository Admin Web Console Deploy as addon alfresco-http-java-client.jar crypto-utils.jar Source code https://github.com/aborroy/alfresco-mtls-debugging- kit/tree/main/addons/alfresco-http-java-client App URL http://localhost:8080/alfresco/s/admin/admin-search-client Credentials ADMINISTRATOR, default admin/admin
Alfresco Search Services Solr REST API Action Deploy as plugin alfresco-http-java-client.jar solr-http-java-client.jar config/solr.xml Source code https://github.com/aborroy/alfresco-mtls-debugging- kit/tree/main/addons/solr-http-java-client App URL https://localhost:8983/solr/admin/cores?action=HTTP- CLIENT&coreName=alfresco Credentials Client certificate, like browser.p12
Command line Spring Boot command line application Run as program $ java -jar target/mtls-conf-app.jar ERRORS for ENDPOINT: Current truststore seems to be wrong. It does not include TRUST certificates provided by the endpoint. ERRORS DETAIL: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Source code https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/apps/mtls-conf-app
Hands on, using EC certificates
Lab Use ECC 256 bits certificates for ECDSA with step-ca • Around 10% faster than RSA 2048 bits for Alfresco mTLS • Less bandwidth consumption • Higher security (as RSA 2048 is equivalent to ECC 224) Source code: https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/step-ca # Start step-ca container, default CA will be created in “step” folder $ docker compose up # Install step CLI $ brew install step # Get CA password $ cat step/secrets/password ZuSJLBo6uRtlvzGe0z1i5ReqU2tpncl19RBUIf5V
Lab # Create a certificate for alfresco, use “keystore” password to protect the key $ step certificate create alfresco alfresco.crt alfresco.key --profile leaf --not-after=8760h --bundle --ca step/certs/root_ca.crt --ca-key step/secrets/root_ca_key # Create a certificate for solr, use “keystore” password to protect the key $ step certificate create solr solr.crt solr.key --profile leaf --not-after=8760h --bundle --ca step/certs/root_ca.crt --ca-key step/secrets/root_ca_key
Lab # Build Keystore and Truststore for alfresco $ openssl pkcs12 -export -in alfresco.crt -inkey alfresco.key -out alfresco.pkcs12 -name alfresco -noiter -nomaciter $ keytool -import -alias solr -file solr.crt -keystore alfresco-truststore.pkcs12 -storetype PKCS12 -storepass truststore $ keytool -import -alias ca -file step/certs/root_ca.crt -keystore alfresco-truststore.pkcs12 -storetype PKCS12 -storepass truststore # Build Keystore and Truststore for solr $ openssl pkcs12 -export -in solr.crt -inkey solr.key -out solr.pkcs12 -name solr -noiter -nomaciter $ keytool -import -alias alfresco -file alfresco.crt -keystore solr-truststore.pkcs12 -storetype PKCS12 -storepass truststore $ keytool -import -alias ca -file step/certs/root_ca.crt -keystore solr-truststore.pkcs12 -storetype PKCS12 -storepass truststore
Lab # Get alfresco client certificate to access Solr (or re-use alfresco.pkcs12) $ openssl pkcs12 -export -out browser.p12 -inkey alfresco.key -in alfresco.crt # Modify compose.yaml to use the new keystores Alfresco • keystore=alfresco.pkcs12 • truststore=alfresco-truststore.pkcs12 • cert-alias=alfresco • cert-type=EC Solr • keystore=solr.pkcs12 • truststore=solr-truststore.pkcs12
Lab # Bonus verification $ nmap --script ssl-enum-ciphers -p 8983 localhost | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) | TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) $ nmap --script ssl-enum-ciphers -p 8443 localhost | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) Cryptographic Best Practices
Thanks!

Recommended

OCI Oracle Functions Deployment
OCI Oracle Functions Deployment OCI Oracle Functions Deployment
OCI Oracle Functions Deployment Toni Epple
 
Intro to Alfresco for Developers
Intro to Alfresco for DevelopersIntro to Alfresco for Developers
Intro to Alfresco for DevelopersJeff Potts
 
Bee con2016 presentation_20160125004_installing
Bee con2016 presentation_20160125004_installingBee con2016 presentation_20160125004_installing
Bee con2016 presentation_20160125004_installingAngel Borroy López
 
Stups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSStups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSJan Löffler
 
Building Content-Rich Java Apps in the Cloud with the Alfresco API
Building Content-Rich Java Apps in the Cloud with the Alfresco APIBuilding Content-Rich Java Apps in the Cloud with the Alfresco API
Building Content-Rich Java Apps in the Cloud with the Alfresco APIJeff Potts
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
How to debug IoT Agents
How to debug IoT AgentsHow to debug IoT Agents
How to debug IoT AgentsFernando Lopez Aguilar
 
How to create a multi tenancy for an interactive data analysis
How to create a multi tenancy for an interactive data analysisHow to create a multi tenancy for an interactive data analysis
How to create a multi tenancy for an interactive data analysisTiago Simões
 

Recommended

OCI Oracle Functions Deployment
OCI Oracle Functions Deployment OCI Oracle Functions Deployment
OCI Oracle Functions Deployment Toni Epple
 
Intro to Alfresco for Developers
Intro to Alfresco for DevelopersIntro to Alfresco for Developers
Intro to Alfresco for DevelopersJeff Potts
 
Bee con2016 presentation_20160125004_installing
Bee con2016 presentation_20160125004_installingBee con2016 presentation_20160125004_installing
Bee con2016 presentation_20160125004_installingAngel Borroy López
 
Stups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSStups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSJan Löffler
 
Building Content-Rich Java Apps in the Cloud with the Alfresco API
Building Content-Rich Java Apps in the Cloud with the Alfresco APIBuilding Content-Rich Java Apps in the Cloud with the Alfresco API
Building Content-Rich Java Apps in the Cloud with the Alfresco APIJeff Potts
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
How to debug IoT Agents
How to debug IoT AgentsHow to debug IoT Agents
How to debug IoT AgentsFernando Lopez Aguilar
 
How to create a multi tenancy for an interactive data analysis
How to create a multi tenancy for an interactive data analysisHow to create a multi tenancy for an interactive data analysis
How to create a multi tenancy for an interactive data analysisTiago Simões
 
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...Microsoft Technet France
 
Alfresco for Salesforce
Alfresco for SalesforceAlfresco for Salesforce
Alfresco for SalesforceJared Ottley
 
Alfresco Certificates
Alfresco Certificates Alfresco Certificates
Alfresco Certificates Angel Borroy López
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New InfrastructureAmazon Web Services
 
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseHow to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseAngel Borroy López
 
Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Ben Hall
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017Toni de la Fuente
 
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...Jan Löffler
 
Azure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
Azure Bootcamp 2016 - Docker Orchestration on Azure with RancherAzure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
Azure Bootcamp 2016 - Docker Orchestration on Azure with RancherKarim Vaes
 
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...Amazon Web Services
 
Terraform - Taming Modern Clouds
Terraform - Taming Modern CloudsTerraform - Taming Modern Clouds
Terraform - Taming Modern CloudsNic Jackson
 
Intro To Alfresco Part 1
Intro To Alfresco Part 1Intro To Alfresco Part 1
Intro To Alfresco Part 1Jeff Potts
 
Usint Charles Proxy to understand REST
Usint Charles Proxy to understand RESTUsint Charles Proxy to understand REST
Usint Charles Proxy to understand RESTAnatoliy Odukha
 
OpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanOpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanAlex Ellis
 
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...Ivanti
 
Better Operations into the Cloud
Better Operations into the CloudBetter Operations into the Cloud
Better Operations into the CloudFabio Ferrari
 
Rhel5
Rhel5Rhel5
Rhel5Yash Gulati
 
Jfrog artifactory as private docker registry
Jfrog artifactory as private docker registryJfrog artifactory as private docker registry
Jfrog artifactory as private docker registryVipin Mandale
 
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Docker, Inc.
 
Using Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherUsing Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherAngel Borroy López
 
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Angel Borroy López
 

More Related Content

Similar to Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Configuration

[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...Microsoft Technet France
 
Alfresco for Salesforce
Alfresco for SalesforceAlfresco for Salesforce
Alfresco for SalesforceJared Ottley
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New InfrastructureAmazon Web Services
 
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseHow to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseAngel Borroy López
 
Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Ben Hall
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017Toni de la Fuente
 
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...Jan Löffler
 
Azure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
Azure Bootcamp 2016 - Docker Orchestration on Azure with RancherAzure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
Azure Bootcamp 2016 - Docker Orchestration on Azure with RancherKarim Vaes
 
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...Amazon Web Services
 
Terraform - Taming Modern Clouds
Terraform - Taming Modern CloudsTerraform - Taming Modern Clouds
Terraform - Taming Modern CloudsNic Jackson
 
Intro To Alfresco Part 1
Intro To Alfresco Part 1Intro To Alfresco Part 1
Intro To Alfresco Part 1Jeff Potts
 
Usint Charles Proxy to understand REST
Usint Charles Proxy to understand RESTUsint Charles Proxy to understand REST
Usint Charles Proxy to understand RESTAnatoliy Odukha
 
OpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanOpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanAlex Ellis
 
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...Ivanti
 
Better Operations into the Cloud
Better Operations into the CloudBetter Operations into the Cloud
Better Operations into the CloudFabio Ferrari
 
Jfrog artifactory as private docker registry
Jfrog artifactory as private docker registryJfrog artifactory as private docker registry
Jfrog artifactory as private docker registryVipin Mandale
 
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Docker, Inc.
 

Similar to Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Configuration (20)

[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
 
Alfresco for Salesforce
Alfresco for SalesforceAlfresco for Salesforce
Alfresco for Salesforce
 
Alfresco Certificates
Alfresco Certificates Alfresco Certificates
Alfresco Certificates
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure
 
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseHow to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
 
Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017
 
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
 
Azure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
Azure Bootcamp 2016 - Docker Orchestration on Azure with RancherAzure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
Azure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
 
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
 
Terraform - Taming Modern Clouds
Terraform - Taming Modern CloudsTerraform - Taming Modern Clouds
Terraform - Taming Modern Clouds
 
Intro To Alfresco Part 1
Intro To Alfresco Part 1Intro To Alfresco Part 1
Intro To Alfresco Part 1
 
Usint Charles Proxy to understand REST
Usint Charles Proxy to understand RESTUsint Charles Proxy to understand REST
Usint Charles Proxy to understand REST
 
OpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanOpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - Milan
 
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
 
Better Operations into the Cloud
Better Operations into the CloudBetter Operations into the Cloud
Better Operations into the Cloud
 
Rhel5
Rhel5Rhel5
Rhel5
 
Jfrog artifactory as private docker registry
Jfrog artifactory as private docker registryJfrog artifactory as private docker registry
Jfrog artifactory as private docker registry
 
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
 

More from Angel Borroy López

Using Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherUsing Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherAngel Borroy López
 
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Angel Borroy López
 
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1Angel Borroy López
 
Docker Init with Templates for Alfresco
Docker Init with Templates for AlfrescoDocker Init with Templates for Alfresco
Docker Init with Templates for AlfrescoAngel Borroy López
 
Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0Angel Borroy López
 
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud NativeCSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud NativeAngel Borroy López
 
Alfresco Embedded Activiti Engine
Alfresco Embedded Activiti EngineAlfresco Embedded Activiti Engine
Alfresco Embedded Activiti EngineAngel Borroy López
 
Collaborative Editing Tools for Alfresco
Collaborative Editing Tools for AlfrescoCollaborative Editing Tools for Alfresco
Collaborative Editing Tools for AlfrescoAngel Borroy López
 
Desarrollando una Extensión para Docker
Desarrollando una Extensión para DockerDesarrollando una Extensión para Docker
Desarrollando una Extensión para DockerAngel Borroy López
 
DockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdfDockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdfAngel Borroy López
 
Deploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP PlatformsDeploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP PlatformsAngel Borroy López
 
Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0Angel Borroy López
 
(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in AlfrescoAngel Borroy López
 
A Practical Introduction to Apache Solr
A Practical Introduction to Apache SolrA Practical Introduction to Apache Solr
A Practical Introduction to Apache SolrAngel Borroy López
 
Alfresco search services: Now and Then
Alfresco search services: Now and ThenAlfresco search services: Now and Then
Alfresco search services: Now and ThenAngel Borroy López
 
Docker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de ZaragozaDocker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de ZaragozaAngel Borroy López
 

More from Angel Borroy López (20)

Using Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherUsing Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms together
 
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
 
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
 
Docker Init with Templates for Alfresco
Docker Init with Templates for AlfrescoDocker Init with Templates for Alfresco
Docker Init with Templates for Alfresco
 
Before & After Docker Init
Before & After Docker InitBefore & After Docker Init
Before & After Docker Init
 
Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0
 
Using Podman with Alfresco
Using Podman with AlfrescoUsing Podman with Alfresco
Using Podman with Alfresco
 
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud NativeCSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
 
Alfresco Embedded Activiti Engine
Alfresco Embedded Activiti EngineAlfresco Embedded Activiti Engine
Alfresco Embedded Activiti Engine
 
Alfresco Transform Core 3.0.0
Alfresco Transform Core 3.0.0Alfresco Transform Core 3.0.0
Alfresco Transform Core 3.0.0
 
Collaborative Editing Tools for Alfresco
Collaborative Editing Tools for AlfrescoCollaborative Editing Tools for Alfresco
Collaborative Editing Tools for Alfresco
 
Desarrollando una Extensión para Docker
Desarrollando una Extensión para DockerDesarrollando una Extensión para Docker
Desarrollando una Extensión para Docker
 
DockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdfDockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdf
 
Deploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP PlatformsDeploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP Platforms
 
Introduction to AWS
Introduction to AWSIntroduction to AWS
Introduction to AWS
 
Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0
 
(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco
 
A Practical Introduction to Apache Solr
A Practical Introduction to Apache SolrA Practical Introduction to Apache Solr
A Practical Introduction to Apache Solr
 
Alfresco search services: Now and Then
Alfresco search services: Now and ThenAlfresco search services: Now and Then
Alfresco search services: Now and Then
 
Docker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de ZaragozaDocker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
 

Recently uploaded

cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningVitsRangannavar
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?Watsoo Telematics
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 

Recently uploaded (20)

cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 

Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Configuration

  • 1.
  • 2. April 17, 2024 ©2024 Hyland Software, Inc. and its affiliates. All rights reserved. All Hyland product names are registered or unregistered trademarks of Hyland Software, Inc. or its affiliates in the United States and other countries. TTL #157 Troubleshooting Made Easy: Deciphering Alfresco’s mTLS Configuration Angel Borroy Developer Evangelist
  • 3. • Alfresco mTLS • Cryptographic Best Practices • Communication Repository <> Search • Troubleshooting Tools • Hands on, using EC certificates Agenda
  • 6. Alfresco mTLS Messaging Transform ENTERPRISE UI DB Web Proxy CA keystore Search* Repository * When using Search Enterprise with Elasticsearch or OpenSearch
  • 7. A Closer Look Alfresco Service TLS Protocol client server TLS Protocol CA keystore KEY keystore TRUST … … Self-Signed Public Authority
  • 9. General Guidelines SSL TLSv1.0 TLSv1.1 TLSv1.2* TLSv1.3 JCEKS JKS PKCS12 RSA 2048 bits ECDSA 224 bits • Server Authentication • Client Authentication OpenSSL alfresco-ssl-generator Let’s Encrypt
  • 10. TLS Protocol TLS Protocol client server TLS Protocol Use TLSv1.3 • Apache Tomcat, set protocols to TLSv1.3 in Connector.SSLHostConfig • Jetty, set TLSv1.3 in Java property jdk.tls.client.protocols • Spring Boot, set TLSv1.3 in SERVER_SSL_ENABLED_PROTOCOLS Alternatively use TLS 1.2 with ECDHE and AES-GCM hardcoded • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 When multiple TLS versions are available in the server, the client will select one • The default for security handshakes in JDK 17 is TLS 1.3
  • 11. Keystore Type and Certificates Use Keystore Type PKCS12 • Avoid using non-standard formats like JKS or JCEKS Certificates • Algorithm • RSA, widely supported across different platforms and libraries • ECDSA, equivalent security with shorter key length, more performant and efficient for mTLS • Minimum key length • 2048 bits for RSA • 224 bits for EC • Usage • Server Authentication – OID 1.3.6.1.5.5.7.3.1 • Client Authentication – OID 1.3.6.1.5.5.7.3.2 keystore KEY keystore TRUST … …
  • 12. Certificate Authority Self-Signed • Use Alfresco SSL Generator project, which depends on OpenSSL for certificate generation • Use alternative software able to issue certificates according with the previous recommendations • Later in this session, smallstep will be used Public Authority • Use OpenSSL with Let’s Encrypt, set up a cron job to re-fetch certificates regularly • Requires active Internet connection to Alfresco containers • Use a web hosting provider, like AWS CA Self-Signed Public Authority
  • 14. mTLS between Repository and Search CA Search Repository
  • 15. Use community.sh script from Alfresco SSL Generator $ ./community.sh $ tree keystores keystores ├── alfresco │ ├── ssl.keystore │ └── ssl.truststore ├── solr │ ├── ssl.repo.client.keystore │ └── ssl.repo.client.truststore └── client └── browser.p12 Creating Certificates and Keystores Solr Admin Web Console
  • 16. Repository Keystores $ keytool -v -list -keystore keystores/alfresco/ssl.truststore Alias name: alfresco.ca Owner: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Alias name: ssl.repo.client Owner: CN=Search, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US $ keytool -v -list -keystore keystores/alfresco/ssl.keystore Alias name: ssl.repo Owner: CN=Repository, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US RSA 2048 bits • Server Authentication • Client Authentication
  • 17. Repository Configuration (server) Add following Connector to ${TOMCAT_DIR}/conf/server.xml file <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" defaultSSLHostConfigName="localhost"> <SSLHostConfig hostName="localhost" protocols="TLSv1.3" certificateVerification="required" truststoreFile="ssl.truststore" truststorePassword="truststore" truststoreType="PKCS12"> <Certificate certificateKeystoreFile="ssl.keystore" certificateKeyAlias="ssl.repo" type="RSA" certificateKeystorePassword="keystore" certificateKeystoreType="PKCS12"/> </SSLHostConfig> </Connector>
  • 18. Repository Configuration (client) Add environment variables containing passwords -Dssl-keystore.password=keystore -Dssl-truststore.password=truststore Set Alfresco Repository Java Properties solr.host=localhost solr.port.ssl=8983 solr.secureComms=https encryption.ssl.keystore.type=PKCS12 encryption.ssl.keystore.location=/usr/local/tomcat/keystore/ssl.keystore encryption.ssl.truststore.type=PKCS12 encryption.ssl.truststore.location=/usr/local/tomcat/keystore/ssl.truststore When using the same password for keystore and keys, no aliases setting is required
  • 19. Search Keystores $ keytool -v -list -keystore keystores/solr/ssl.repo.client.truststore Alias name: ssl.repo Owner: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Alias name: alfresco.ca Owner: CN=Repository, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US $ keytool -v -list -keystore keystores/solr/ssl.repo.client.keystore Alias name: ssl.repo.client Owner: CN=Search, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US RSA 2048 bits • Server Authentication • Client Authentication
  • 20. Search Configuration (server) Java Environment Variables -Dsolr.jetty.truststore.password=truststore -Dsolr.jetty.keystore.password=keystore -Djdk.tls.client.protocols=TLSv1.3 OS Environment Variables (or modify solr.in.[sh|cmd] file) SOLR_SSL_KEY_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.keystore" SOLR_SSL_KEY_STORE_PASSWORD: "keystore" SOLR_SSL_KEY_STORE_TYPE: "PKCS12" SOLR_SSL_TRUST_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.truststore" SOLR_SSL_TRUST_STORE_PASSWORD: "truststore" SOLR_SSL_TRUST_STORE_TYPE: "PKCS12" SOLR_SSL_NEED_CLIENT_AUTH: "true"
  • 21. Search Configuration (client) Add environment variables containing passwords -Dssl-keystore.password=keystore -Dssl-truststore.password=truststore Set solrcore.properties Java Properties (in each core or in template) alfresco.host=localhost alfresco.port=8443 alfresco.secureComms=https alfresco.encryption.ssl.keystore.location=/opt/alfresco-search- services/keystore/ssl.repo.client.keystore alfresco.encryption.ssl.keystore.type=PKCS12 alfresco.encryption.ssl.truststore.location=/opt/alfresco-search- services/keystore/ssl.repo.client.truststore alfresco.encryption.ssl.truststore.type=PKCS12 When using the same password for keystore and keys, no aliases setting is required
  • 22. Sample deployment with Docker Compose https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/docker
  • 25. Alfresco Repository Admin Web Console Deploy as addon alfresco-http-java-client.jar crypto-utils.jar Source code https://github.com/aborroy/alfresco-mtls-debugging- kit/tree/main/addons/alfresco-http-java-client App URL http://localhost:8080/alfresco/s/admin/admin-search-client Credentials ADMINISTRATOR, default admin/admin
  • 26. Alfresco Search Services Solr REST API Action Deploy as plugin alfresco-http-java-client.jar solr-http-java-client.jar config/solr.xml Source code https://github.com/aborroy/alfresco-mtls-debugging- kit/tree/main/addons/solr-http-java-client App URL https://localhost:8983/solr/admin/cores?action=HTTP- CLIENT&coreName=alfresco Credentials Client certificate, like browser.p12
  • 27. Command line Spring Boot command line application Run as program $ java -jar target/mtls-conf-app.jar ERRORS for ENDPOINT: Current truststore seems to be wrong. It does not include TRUST certificates provided by the endpoint. ERRORS DETAIL: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Source code https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/apps/mtls-conf-app
  • 28. Hands on, using EC certificates
  • 29. Lab Use ECC 256 bits certificates for ECDSA with step-ca • Around 10% faster than RSA 2048 bits for Alfresco mTLS • Less bandwidth consumption • Higher security (as RSA 2048 is equivalent to ECC 224) Source code: https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/step-ca # Start step-ca container, default CA will be created in “step” folder $ docker compose up # Install step CLI $ brew install step # Get CA password $ cat step/secrets/password ZuSJLBo6uRtlvzGe0z1i5ReqU2tpncl19RBUIf5V
  • 30. Lab # Create a certificate for alfresco, use “keystore” password to protect the key $ step certificate create alfresco alfresco.crt alfresco.key --profile leaf --not-after=8760h --bundle --ca step/certs/root_ca.crt --ca-key step/secrets/root_ca_key # Create a certificate for solr, use “keystore” password to protect the key $ step certificate create solr solr.crt solr.key --profile leaf --not-after=8760h --bundle --ca step/certs/root_ca.crt --ca-key step/secrets/root_ca_key
  • 31. Lab # Build Keystore and Truststore for alfresco $ openssl pkcs12 -export -in alfresco.crt -inkey alfresco.key -out alfresco.pkcs12 -name alfresco -noiter -nomaciter $ keytool -import -alias solr -file solr.crt -keystore alfresco-truststore.pkcs12 -storetype PKCS12 -storepass truststore $ keytool -import -alias ca -file step/certs/root_ca.crt -keystore alfresco-truststore.pkcs12 -storetype PKCS12 -storepass truststore # Build Keystore and Truststore for solr $ openssl pkcs12 -export -in solr.crt -inkey solr.key -out solr.pkcs12 -name solr -noiter -nomaciter $ keytool -import -alias alfresco -file alfresco.crt -keystore solr-truststore.pkcs12 -storetype PKCS12 -storepass truststore $ keytool -import -alias ca -file step/certs/root_ca.crt -keystore solr-truststore.pkcs12 -storetype PKCS12 -storepass truststore
  • 32. Lab # Get alfresco client certificate to access Solr (or re-use alfresco.pkcs12) $ openssl pkcs12 -export -out browser.p12 -inkey alfresco.key -in alfresco.crt # Modify compose.yaml to use the new keystores Alfresco • keystore=alfresco.pkcs12 • truststore=alfresco-truststore.pkcs12 • cert-alias=alfresco • cert-type=EC Solr • keystore=solr.pkcs12 • truststore=solr-truststore.pkcs12
  • 33. Lab # Bonus verification $ nmap --script ssl-enum-ciphers -p 8983 localhost | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) | TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) $ nmap --script ssl-enum-ciphers -p 8443 localhost | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) Cryptographic Best Practices