SlideShare a Scribd company logo
1 of 34
Download to read offline
April 17, 2024
©2024 Hyland Software, Inc. and its affiliates. All rights reserved. All Hyland product names are registered or unregistered trademarks of Hyland Software, Inc. or its affiliates in the United States and other countries.
TTL #157
Troubleshooting Made Easy:
Deciphering Alfresco’s mTLS
Configuration
Angel Borroy
Developer Evangelist
• Alfresco mTLS
• Cryptographic Best Practices
• Communication Repository <> Search
• Troubleshooting Tools
• Hands on, using EC certificates
Agenda
Alfresco mTLS
Alfresco mTLS
Transform
COMMUNITY
UI
DB
Web Proxy
CA
keystore
Search
Repository
Alfresco mTLS
Messaging
Transform
ENTERPRISE
UI
DB
Web Proxy
CA
keystore
Search*
Repository
* When using Search Enterprise with Elasticsearch or OpenSearch
A Closer Look
Alfresco
Service
TLS Protocol
client
server
TLS Protocol
CA
keystore KEY
keystore TRUST
…
…
Self-Signed
Public Authority
Cryptographic Best Practices
General Guidelines
SSL
TLSv1.0
TLSv1.1
TLSv1.2*
TLSv1.3
JCEKS
JKS
PKCS12
RSA 2048 bits
ECDSA 224 bits
• Server Authentication
• Client Authentication
OpenSSL
alfresco-ssl-generator
Let’s Encrypt
TLS Protocol
TLS Protocol
client
server
TLS Protocol
Use TLSv1.3
• Apache Tomcat, set protocols to TLSv1.3 in Connector.SSLHostConfig
• Jetty, set TLSv1.3 in Java property jdk.tls.client.protocols
• Spring Boot, set TLSv1.3 in SERVER_SSL_ENABLED_PROTOCOLS
Alternatively use TLS 1.2 with ECDHE and AES-GCM
hardcoded
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
When multiple TLS versions are available in the server, the
client will select one
• The default for security handshakes in JDK 17 is TLS 1.3
Keystore Type and Certificates
Use Keystore Type PKCS12
• Avoid using non-standard formats like JKS or JCEKS
Certificates
• Algorithm
• RSA, widely supported across different platforms and libraries
• ECDSA, equivalent security with shorter key length, more
performant and efficient for mTLS
• Minimum key length
• 2048 bits for RSA
• 224 bits for EC
• Usage
• Server Authentication – OID 1.3.6.1.5.5.7.3.1
• Client Authentication – OID 1.3.6.1.5.5.7.3.2
keystore KEY
keystore TRUST
…
…
Certificate Authority
Self-Signed
• Use Alfresco SSL Generator project, which depends on
OpenSSL for certificate generation
• Use alternative software able to issue certificates
according with the previous recommendations
• Later in this session, smallstep will be used
Public Authority
• Use OpenSSL with Let’s Encrypt, set up a cron job to
re-fetch certificates regularly
• Requires active Internet connection to Alfresco containers
• Use a web hosting provider, like AWS
CA
Self-Signed
Public Authority
Comm Repository <> Search
mTLS between Repository and Search
CA
Search
Repository
Use community.sh script from Alfresco SSL Generator
$ ./community.sh
$ tree keystores
keystores
├── alfresco
│ ├── ssl.keystore
│ └── ssl.truststore
├── solr
│ ├── ssl.repo.client.keystore
│ └── ssl.repo.client.truststore
└── client
└── browser.p12
Creating Certificates and Keystores
Solr Admin Web Console
Repository Keystores
$ keytool -v -list -keystore keystores/alfresco/ssl.truststore
Alias name: alfresco.ca
Owner: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US
Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US
Alias name: ssl.repo.client
Owner: CN=Search, OU=Alfresco, O=Hyland, ST=OH, C=US
Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US
$ keytool -v -list -keystore keystores/alfresco/ssl.keystore
Alias name: ssl.repo
Owner: CN=Repository, OU=Alfresco, O=Hyland, ST=OH, C=US
Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US
RSA 2048 bits
• Server Authentication
• Client Authentication
Repository Configuration (server)
Add following Connector to ${TOMCAT_DIR}/conf/server.xml file
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true" scheme="https" secure="true"
defaultSSLHostConfigName="localhost">
<SSLHostConfig hostName="localhost" protocols="TLSv1.3"
certificateVerification="required"
truststoreFile="ssl.truststore"
truststorePassword="truststore" truststoreType="PKCS12">
<Certificate certificateKeystoreFile="ssl.keystore"
certificateKeyAlias="ssl.repo" type="RSA"
certificateKeystorePassword="keystore"
certificateKeystoreType="PKCS12"/>
</SSLHostConfig>
</Connector>
Repository Configuration (client)
Add environment variables containing passwords
-Dssl-keystore.password=keystore
-Dssl-truststore.password=truststore
Set Alfresco Repository Java Properties
solr.host=localhost
solr.port.ssl=8983
solr.secureComms=https
encryption.ssl.keystore.type=PKCS12
encryption.ssl.keystore.location=/usr/local/tomcat/keystore/ssl.keystore
encryption.ssl.truststore.type=PKCS12
encryption.ssl.truststore.location=/usr/local/tomcat/keystore/ssl.truststore
When using the same password
for keystore and keys, no aliases
setting is required
Search Keystores
$ keytool -v -list -keystore keystores/solr/ssl.repo.client.truststore
Alias name: ssl.repo
Owner: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US
Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US
Alias name: alfresco.ca
Owner: CN=Repository, OU=Alfresco, O=Hyland, ST=OH, C=US
Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US
$ keytool -v -list -keystore keystores/solr/ssl.repo.client.keystore
Alias name: ssl.repo.client
Owner: CN=Search, OU=Alfresco, O=Hyland, ST=OH, C=US
Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US
RSA 2048 bits
• Server Authentication
• Client Authentication
Search Configuration (server)
Java Environment Variables
-Dsolr.jetty.truststore.password=truststore
-Dsolr.jetty.keystore.password=keystore
-Djdk.tls.client.protocols=TLSv1.3
OS Environment Variables (or modify solr.in.[sh|cmd] file)
SOLR_SSL_KEY_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.keystore"
SOLR_SSL_KEY_STORE_PASSWORD: "keystore"
SOLR_SSL_KEY_STORE_TYPE: "PKCS12"
SOLR_SSL_TRUST_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.truststore"
SOLR_SSL_TRUST_STORE_PASSWORD: "truststore"
SOLR_SSL_TRUST_STORE_TYPE: "PKCS12"
SOLR_SSL_NEED_CLIENT_AUTH: "true"
Search Configuration (client)
Add environment variables containing passwords
-Dssl-keystore.password=keystore
-Dssl-truststore.password=truststore
Set solrcore.properties Java Properties (in each core or in template)
alfresco.host=localhost
alfresco.port=8443
alfresco.secureComms=https
alfresco.encryption.ssl.keystore.location=/opt/alfresco-search-
services/keystore/ssl.repo.client.keystore
alfresco.encryption.ssl.keystore.type=PKCS12
alfresco.encryption.ssl.truststore.location=/opt/alfresco-search-
services/keystore/ssl.repo.client.truststore
alfresco.encryption.ssl.truststore.type=PKCS12
When using the same password
for keystore and keys, no aliases
setting is required
Sample deployment with Docker Compose
https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/docker
Troubleshooting tools
Available tools
Transform
UI
DB
Web Proxy
Search
Repository
alfresco-http-java-client
solr-http-java-client
mtls-conf-app
https://github.com/aborroy/alfresco-mtls-debugging-kit
Alfresco Repository
Admin Web Console
Deploy as addon
alfresco-http-java-client.jar
crypto-utils.jar
Source code
https://github.com/aborroy/alfresco-mtls-debugging-
kit/tree/main/addons/alfresco-http-java-client
App URL
http://localhost:8080/alfresco/s/admin/admin-search-client
Credentials
ADMINISTRATOR, default admin/admin
Alfresco Search Services
Solr REST API Action
Deploy as plugin
alfresco-http-java-client.jar
solr-http-java-client.jar
config/solr.xml
Source code
https://github.com/aborroy/alfresco-mtls-debugging-
kit/tree/main/addons/solr-http-java-client
App URL
https://localhost:8983/solr/admin/cores?action=HTTP-
CLIENT&coreName=alfresco
Credentials
Client certificate, like browser.p12
Command line
Spring Boot command line application
Run as program
$ java -jar target/mtls-conf-app.jar
ERRORS for ENDPOINT:
Current truststore seems to be wrong. It does not include TRUST certificates provided by the endpoint.
ERRORS DETAIL:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to
requested target
Source code
https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/apps/mtls-conf-app
Hands on, using EC certificates
Lab
Use ECC 256 bits certificates for ECDSA with step-ca
• Around 10% faster than RSA 2048 bits for Alfresco mTLS
• Less bandwidth consumption
• Higher security (as RSA 2048 is equivalent to ECC 224)
Source code: https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/step-ca
# Start step-ca container, default CA will be created in “step” folder
$ docker compose up
# Install step CLI
$ brew install step
# Get CA password
$ cat step/secrets/password
ZuSJLBo6uRtlvzGe0z1i5ReqU2tpncl19RBUIf5V
Lab
# Create a certificate for alfresco, use “keystore” password to protect the key
$ step certificate create alfresco alfresco.crt alfresco.key 
--profile leaf --not-after=8760h --bundle --ca step/certs/root_ca.crt 
--ca-key step/secrets/root_ca_key
# Create a certificate for solr, use “keystore” password to protect the key
$ step certificate create solr solr.crt solr.key 
--profile leaf --not-after=8760h --bundle --ca step/certs/root_ca.crt 
--ca-key step/secrets/root_ca_key
Lab
# Build Keystore and Truststore for alfresco
$ openssl pkcs12 -export -in alfresco.crt -inkey alfresco.key 
-out alfresco.pkcs12 -name alfresco -noiter -nomaciter
$ keytool -import -alias solr -file solr.crt -keystore 
alfresco-truststore.pkcs12 -storetype PKCS12 -storepass truststore
$ keytool -import -alias ca -file step/certs/root_ca.crt -keystore 
alfresco-truststore.pkcs12 -storetype PKCS12 -storepass truststore
# Build Keystore and Truststore for solr
$ openssl pkcs12 -export -in solr.crt -inkey solr.key 
-out solr.pkcs12 -name solr -noiter -nomaciter
$ keytool -import -alias alfresco -file alfresco.crt -keystore 
solr-truststore.pkcs12 -storetype PKCS12 -storepass truststore
$ keytool -import -alias ca -file step/certs/root_ca.crt -keystore 
solr-truststore.pkcs12 -storetype PKCS12 -storepass truststore
Lab
# Get alfresco client certificate to access Solr (or re-use alfresco.pkcs12)
$ openssl pkcs12 -export -out browser.p12 -inkey alfresco.key -in alfresco.crt
# Modify compose.yaml to use the new keystores
Alfresco
• keystore=alfresco.pkcs12
• truststore=alfresco-truststore.pkcs12
• cert-alias=alfresco
• cert-type=EC
Solr
• keystore=solr.pkcs12
• truststore=solr-truststore.pkcs12
Lab
# Bonus verification
$ nmap --script ssl-enum-ciphers -p 8983 localhost
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1)
| TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1)
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1)
$ nmap --script ssl-enum-ciphers -p 8443 localhost
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519)
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
Cryptographic
Best Practices
Thanks!

More Related Content

Similar to Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Configuration

GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
Jan Löffler
 

Similar to Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Configuration (20)

[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
 
Alfresco for Salesforce
Alfresco for SalesforceAlfresco for Salesforce
Alfresco for Salesforce
 
Alfresco Certificates
Alfresco Certificates Alfresco Certificates
Alfresco Certificates
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure
 
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseHow to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
 
Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017
 
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
 
Azure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
Azure Bootcamp 2016 - Docker Orchestration on Azure with RancherAzure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
Azure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
 
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
 
Terraform - Taming Modern Clouds
Terraform  - Taming Modern CloudsTerraform  - Taming Modern Clouds
Terraform - Taming Modern Clouds
 
Intro To Alfresco Part 1
Intro To Alfresco Part 1Intro To Alfresco Part 1
Intro To Alfresco Part 1
 
Usint Charles Proxy to understand REST
Usint Charles Proxy to understand RESTUsint Charles Proxy to understand REST
Usint Charles Proxy to understand REST
 
OpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanOpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - Milan
 
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
 
Better Operations into the Cloud
Better Operations  into the CloudBetter Operations  into the Cloud
Better Operations into the Cloud
 
Rhel5
Rhel5Rhel5
Rhel5
 
Jfrog artifactory as private docker registry
Jfrog artifactory as private docker registryJfrog artifactory as private docker registry
Jfrog artifactory as private docker registry
 
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
 

More from Angel Borroy López

Before & After Docker Init
Before & After Docker InitBefore & After Docker Init
Before & After Docker Init
Angel Borroy López
 

More from Angel Borroy López (20)

Transitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearchTransitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearch
 
Alfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 EuropeAlfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 Europe
 
Using Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherUsing Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms together
 
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
 
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
 
Docker Init with Templates for Alfresco
Docker Init with Templates for AlfrescoDocker Init with Templates for Alfresco
Docker Init with Templates for Alfresco
 
Before & After Docker Init
Before & After Docker InitBefore & After Docker Init
Before & After Docker Init
 
Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0
 
Using Podman with Alfresco
Using Podman with AlfrescoUsing Podman with Alfresco
Using Podman with Alfresco
 
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud NativeCSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
 
Alfresco Embedded Activiti Engine
Alfresco Embedded Activiti EngineAlfresco Embedded Activiti Engine
Alfresco Embedded Activiti Engine
 
Alfresco Transform Core 3.0.0
Alfresco Transform Core 3.0.0Alfresco Transform Core 3.0.0
Alfresco Transform Core 3.0.0
 
Collaborative Editing Tools for Alfresco
Collaborative Editing Tools for AlfrescoCollaborative Editing Tools for Alfresco
Collaborative Editing Tools for Alfresco
 
Desarrollando una Extensión para Docker
Desarrollando una Extensión para DockerDesarrollando una Extensión para Docker
Desarrollando una Extensión para Docker
 
DockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdfDockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdf
 
Deploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP PlatformsDeploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP Platforms
 
Introduction to AWS
Introduction to AWSIntroduction to AWS
Introduction to AWS
 
Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0
 
(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco
 
A Practical Introduction to Apache Solr
A Practical Introduction to Apache SolrA Practical Introduction to Apache Solr
A Practical Introduction to Apache Solr
 

Recently uploaded

Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Lisi Hocke
 

Recently uploaded (20)

Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...
WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...
WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AI
 
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
WSO2CON2024 - Why Should You Consider Ballerina for Your Next IntegrationWSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
BusinessGPT - Security and Governance for Generative AI
BusinessGPT  - Security and Governance for Generative AIBusinessGPT  - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AI
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
WSO2CON 2024 - Building a Digital Government in Uganda
WSO2CON 2024 - Building a Digital Government in UgandaWSO2CON 2024 - Building a Digital Government in Uganda
WSO2CON 2024 - Building a Digital Government in Uganda
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public AdministrationWSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
 
WSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration ToolingWSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration Tooling
 

Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Configuration

  • 1.
  • 2. April 17, 2024 ©2024 Hyland Software, Inc. and its affiliates. All rights reserved. All Hyland product names are registered or unregistered trademarks of Hyland Software, Inc. or its affiliates in the United States and other countries. TTL #157 Troubleshooting Made Easy: Deciphering Alfresco’s mTLS Configuration Angel Borroy Developer Evangelist
  • 3. • Alfresco mTLS • Cryptographic Best Practices • Communication Repository <> Search • Troubleshooting Tools • Hands on, using EC certificates Agenda
  • 6. Alfresco mTLS Messaging Transform ENTERPRISE UI DB Web Proxy CA keystore Search* Repository * When using Search Enterprise with Elasticsearch or OpenSearch
  • 7. A Closer Look Alfresco Service TLS Protocol client server TLS Protocol CA keystore KEY keystore TRUST … … Self-Signed Public Authority
  • 9. General Guidelines SSL TLSv1.0 TLSv1.1 TLSv1.2* TLSv1.3 JCEKS JKS PKCS12 RSA 2048 bits ECDSA 224 bits • Server Authentication • Client Authentication OpenSSL alfresco-ssl-generator Let’s Encrypt
  • 10. TLS Protocol TLS Protocol client server TLS Protocol Use TLSv1.3 • Apache Tomcat, set protocols to TLSv1.3 in Connector.SSLHostConfig • Jetty, set TLSv1.3 in Java property jdk.tls.client.protocols • Spring Boot, set TLSv1.3 in SERVER_SSL_ENABLED_PROTOCOLS Alternatively use TLS 1.2 with ECDHE and AES-GCM hardcoded • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 When multiple TLS versions are available in the server, the client will select one • The default for security handshakes in JDK 17 is TLS 1.3
  • 11. Keystore Type and Certificates Use Keystore Type PKCS12 • Avoid using non-standard formats like JKS or JCEKS Certificates • Algorithm • RSA, widely supported across different platforms and libraries • ECDSA, equivalent security with shorter key length, more performant and efficient for mTLS • Minimum key length • 2048 bits for RSA • 224 bits for EC • Usage • Server Authentication – OID 1.3.6.1.5.5.7.3.1 • Client Authentication – OID 1.3.6.1.5.5.7.3.2 keystore KEY keystore TRUST … …
  • 12. Certificate Authority Self-Signed • Use Alfresco SSL Generator project, which depends on OpenSSL for certificate generation • Use alternative software able to issue certificates according with the previous recommendations • Later in this session, smallstep will be used Public Authority • Use OpenSSL with Let’s Encrypt, set up a cron job to re-fetch certificates regularly • Requires active Internet connection to Alfresco containers • Use a web hosting provider, like AWS CA Self-Signed Public Authority
  • 14. mTLS between Repository and Search CA Search Repository
  • 15. Use community.sh script from Alfresco SSL Generator $ ./community.sh $ tree keystores keystores ├── alfresco │ ├── ssl.keystore │ └── ssl.truststore ├── solr │ ├── ssl.repo.client.keystore │ └── ssl.repo.client.truststore └── client └── browser.p12 Creating Certificates and Keystores Solr Admin Web Console
  • 16. Repository Keystores $ keytool -v -list -keystore keystores/alfresco/ssl.truststore Alias name: alfresco.ca Owner: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Alias name: ssl.repo.client Owner: CN=Search, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US $ keytool -v -list -keystore keystores/alfresco/ssl.keystore Alias name: ssl.repo Owner: CN=Repository, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US RSA 2048 bits • Server Authentication • Client Authentication
  • 17. Repository Configuration (server) Add following Connector to ${TOMCAT_DIR}/conf/server.xml file <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" defaultSSLHostConfigName="localhost"> <SSLHostConfig hostName="localhost" protocols="TLSv1.3" certificateVerification="required" truststoreFile="ssl.truststore" truststorePassword="truststore" truststoreType="PKCS12"> <Certificate certificateKeystoreFile="ssl.keystore" certificateKeyAlias="ssl.repo" type="RSA" certificateKeystorePassword="keystore" certificateKeystoreType="PKCS12"/> </SSLHostConfig> </Connector>
  • 18. Repository Configuration (client) Add environment variables containing passwords -Dssl-keystore.password=keystore -Dssl-truststore.password=truststore Set Alfresco Repository Java Properties solr.host=localhost solr.port.ssl=8983 solr.secureComms=https encryption.ssl.keystore.type=PKCS12 encryption.ssl.keystore.location=/usr/local/tomcat/keystore/ssl.keystore encryption.ssl.truststore.type=PKCS12 encryption.ssl.truststore.location=/usr/local/tomcat/keystore/ssl.truststore When using the same password for keystore and keys, no aliases setting is required
  • 19. Search Keystores $ keytool -v -list -keystore keystores/solr/ssl.repo.client.truststore Alias name: ssl.repo Owner: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Alias name: alfresco.ca Owner: CN=Repository, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US $ keytool -v -list -keystore keystores/solr/ssl.repo.client.keystore Alias name: ssl.repo.client Owner: CN=Search, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US RSA 2048 bits • Server Authentication • Client Authentication
  • 20. Search Configuration (server) Java Environment Variables -Dsolr.jetty.truststore.password=truststore -Dsolr.jetty.keystore.password=keystore -Djdk.tls.client.protocols=TLSv1.3 OS Environment Variables (or modify solr.in.[sh|cmd] file) SOLR_SSL_KEY_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.keystore" SOLR_SSL_KEY_STORE_PASSWORD: "keystore" SOLR_SSL_KEY_STORE_TYPE: "PKCS12" SOLR_SSL_TRUST_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.truststore" SOLR_SSL_TRUST_STORE_PASSWORD: "truststore" SOLR_SSL_TRUST_STORE_TYPE: "PKCS12" SOLR_SSL_NEED_CLIENT_AUTH: "true"
  • 21. Search Configuration (client) Add environment variables containing passwords -Dssl-keystore.password=keystore -Dssl-truststore.password=truststore Set solrcore.properties Java Properties (in each core or in template) alfresco.host=localhost alfresco.port=8443 alfresco.secureComms=https alfresco.encryption.ssl.keystore.location=/opt/alfresco-search- services/keystore/ssl.repo.client.keystore alfresco.encryption.ssl.keystore.type=PKCS12 alfresco.encryption.ssl.truststore.location=/opt/alfresco-search- services/keystore/ssl.repo.client.truststore alfresco.encryption.ssl.truststore.type=PKCS12 When using the same password for keystore and keys, no aliases setting is required
  • 22. Sample deployment with Docker Compose https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/docker
  • 25. Alfresco Repository Admin Web Console Deploy as addon alfresco-http-java-client.jar crypto-utils.jar Source code https://github.com/aborroy/alfresco-mtls-debugging- kit/tree/main/addons/alfresco-http-java-client App URL http://localhost:8080/alfresco/s/admin/admin-search-client Credentials ADMINISTRATOR, default admin/admin
  • 26. Alfresco Search Services Solr REST API Action Deploy as plugin alfresco-http-java-client.jar solr-http-java-client.jar config/solr.xml Source code https://github.com/aborroy/alfresco-mtls-debugging- kit/tree/main/addons/solr-http-java-client App URL https://localhost:8983/solr/admin/cores?action=HTTP- CLIENT&coreName=alfresco Credentials Client certificate, like browser.p12
  • 27. Command line Spring Boot command line application Run as program $ java -jar target/mtls-conf-app.jar ERRORS for ENDPOINT: Current truststore seems to be wrong. It does not include TRUST certificates provided by the endpoint. ERRORS DETAIL: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Source code https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/apps/mtls-conf-app
  • 28. Hands on, using EC certificates
  • 29. Lab Use ECC 256 bits certificates for ECDSA with step-ca • Around 10% faster than RSA 2048 bits for Alfresco mTLS • Less bandwidth consumption • Higher security (as RSA 2048 is equivalent to ECC 224) Source code: https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/step-ca # Start step-ca container, default CA will be created in “step” folder $ docker compose up # Install step CLI $ brew install step # Get CA password $ cat step/secrets/password ZuSJLBo6uRtlvzGe0z1i5ReqU2tpncl19RBUIf5V
  • 30. Lab # Create a certificate for alfresco, use “keystore” password to protect the key $ step certificate create alfresco alfresco.crt alfresco.key --profile leaf --not-after=8760h --bundle --ca step/certs/root_ca.crt --ca-key step/secrets/root_ca_key # Create a certificate for solr, use “keystore” password to protect the key $ step certificate create solr solr.crt solr.key --profile leaf --not-after=8760h --bundle --ca step/certs/root_ca.crt --ca-key step/secrets/root_ca_key
  • 31. Lab # Build Keystore and Truststore for alfresco $ openssl pkcs12 -export -in alfresco.crt -inkey alfresco.key -out alfresco.pkcs12 -name alfresco -noiter -nomaciter $ keytool -import -alias solr -file solr.crt -keystore alfresco-truststore.pkcs12 -storetype PKCS12 -storepass truststore $ keytool -import -alias ca -file step/certs/root_ca.crt -keystore alfresco-truststore.pkcs12 -storetype PKCS12 -storepass truststore # Build Keystore and Truststore for solr $ openssl pkcs12 -export -in solr.crt -inkey solr.key -out solr.pkcs12 -name solr -noiter -nomaciter $ keytool -import -alias alfresco -file alfresco.crt -keystore solr-truststore.pkcs12 -storetype PKCS12 -storepass truststore $ keytool -import -alias ca -file step/certs/root_ca.crt -keystore solr-truststore.pkcs12 -storetype PKCS12 -storepass truststore
  • 32. Lab # Get alfresco client certificate to access Solr (or re-use alfresco.pkcs12) $ openssl pkcs12 -export -out browser.p12 -inkey alfresco.key -in alfresco.crt # Modify compose.yaml to use the new keystores Alfresco • keystore=alfresco.pkcs12 • truststore=alfresco-truststore.pkcs12 • cert-alias=alfresco • cert-type=EC Solr • keystore=solr.pkcs12 • truststore=solr-truststore.pkcs12
  • 33. Lab # Bonus verification $ nmap --script ssl-enum-ciphers -p 8983 localhost | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) | TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) $ nmap --script ssl-enum-ciphers -p 8443 localhost | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) Cryptographic Best Practices