SlideShare a Scribd company logo

Alfresco Certificates

Download as PPTX, PDF
Angel Borroy López
Angel Borroy López

This session will provide a guide to Alfresco truststores and keystores. Several live examples will be shown, including the replacement of existing cryptographic stores or certificates. Additionally, a troubleshooting configuration guide for mTLS communication will be provided.

Software
1 of 32
Angel Borroy Search Team Nov 5, 2020 Cryptographic stores in Alfresco Brown Bag
22 Cryptographic Stores in Alfresco In Theory • Electronic Certificates • Chain of Trust • Public and Private CAs • Cryptographic Stores • mTLS Protocol In Practice • When to use mTLS Communication • Cryptographic Tools • Alfresco KeyStores • Alfresco mTLS Configuration • Using Custom Certificates In Panic • Troubleshooting Java KeyStores
33 In Theory
4 $openssl x509 -inAlfresco_Client_Alfresco_CA.pem -text –noout Certificate: Data: Version:3(0x2) SerialNumber:4097(0x1001) SignatureAlgorithm:sha256WithRSAEncryption Issuer:C=GB,ST=UK,L=Maidenhead,O=AlfrescoSoftware Ltd.,OU=Unknown,CN=CustomAlfrescoCA Validity NotBefore:Jun3009:24:082020GMT NotAfter: Jun2809:24:082030GMT Subject:C=GB,ST=UK,O=AlfrescoSoftwareLtd.,OU=Unknown,CN=CustomAlfrescoRepositoryClient SubjectPublicKeyInfo: PublicKeyAlgorithm:rsaEncryption Public-Key:(1024bit) Modulus: 00:a2:89:cf:ff:8d:0b:f6:47:76:fd:66:5b:f5:b6: d8:26:9f:59:b1:3d:58:39:fa:7d:38:5e:0a:61:5e: 5c:dd:e5:50:c2:1c:0d:99:db:26:de:f2:3b:26:47: 5c:d1:8a:f6:e1:a5:04:ec:7c:60:3b:2a:5c:e3:7e: 97:26:59:3a:ed:d7:4a:69:c0:9e:47:5b:a0:03:64: 73:29:35:70:70:e7:1a:a4:b7:5a:c5:a5:08:52:9b: e7:95:72:7e:0d:a4:4d:b6:85:84:e7:c5:4c:7c:fc: 89:93:de:88:f9:c7:9b:52:1f:59:95:04:89:3a:96: b9:e6:a0:e9:e3:d4:08:3a:87 Exponent:65537(0x10001) X509v3extensions: X509v3BasicConstraints: CA:FALSE NetscapeCertType: SSL Server NetscapeComment: OpenSSL GeneratedServerCertificate X509v3SubjectKeyIdentifier: 84:E1:8B:E1:3C:9E:66:20:79:8F:AE:C5:9E:06:50:23:F2:54:A1:72 X509v3AuthorityKeyIdentifier: keyid:2D:AC:E1:41:70:08:36:16:3F:E5:C9:A8:0C:B1:CF:CF:6B:A4:80:BC DirName:/C=GB/ST=UK/L=Maidenhead/O=AlfrescoSoftwareLtd./OU=Unknown/CN=CustomAlfrescoCA serial:94:78:32:24:4E:A5:07:2B X509v3KeyUsage:critical Digital Signature,KeyEncipherment X509v3ExtendedKeyUsage: TLSWebServerAuthentication X509v3SubjectAlternativeName: DNS:localhost SignatureAlgorithm:sha256WithRSAEncryption 12:4d:81:49:ca:e7:00:13:2e:74:1b:2a:de:41:a5:45:79:45: 34:1c:0b:58:30:a8:a0:a4:f2:52:36:ba:6c:e8:9b:7e:4c:15: 87:86:56:a4:e7:38:0d:13:e5:f3:d1:23:5f:f1:28:d8:d7:d6: 6f:a8:c9:21:ec:aa:9f:7d:4e:79:87:14:b7:d5:8f:e8:cc:67: 2e:1b:84:fd:de:ef:ab:c2:49:e4:8f:9e:a4:2e:49:ef:75:79: cd:7b:e2:a9:16:c6:14:94:2a:70:9e:1e:82:d8:d7:c5:54:b5: 30:bb:17:00:e1:86:5f:5c:c7:fe:da:12:35:6f:33:55:ca:11 Electronic Certificates X509 Certificate Issuer Name DN Common Name CN Distinguished Name DN Dates valid Private Key Public Key Key Usage Policies Issuer Signature This should match with Server DNS Name RSA 1024 bits with SHA 256 Keystore Truststore
5 Electronic Certificates: File Format .pem – Base64 encoded DER certificate, password .cer, .crt, .der – Binary DER form, password .p7b, .p7c – Base 64 Ascii file with PKCS#7, just for public certificate(s) or CRL(s) .p12 – PKCS#12, may contain certificate(s) (public) and private keys, binary format (ASN.1), password .pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS) -----BEGINCERTIFICATE----- MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE ... HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1 19vwF3KrjH0SGi8dEgF8iQ== -----ENDCERTIFICATE----- -----BEGINRSAPRIVATE KEY----- MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV ... 19vwF3KrjH0SGi8dEgF8iQ== -----ENDRSAPRIVATE KEY----- -----BEGINPKCS7-----MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE ... HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1 19vwF3KrjH0SGi8dEgF8iQ== -----ENDPKCS7-----
6 Public and Private CAs CA (Certificate Authority) is an entity that issues electronic certificates. Public CA • Trusted Third-Party for general public, mainly oriented to final users • Issued certificates are trusted by default in Operating Systems and Browsers • The information and services we provide on these servers is open in Internet Private CA • Trusted Third-Party for internal users and services • Issued certificates aren’t trusted by default, so you need to configure computers and servers in order to trust them • The information and services we provide on these servers is restricted to Intranet PUBLICPRIVATE
7 Chain of Trust A certificate must be traceable back to the trust root it was signed with. All public certificates in the chain [server, intermediate(s), and root] need to be present in the truststore. • Root Certificate: A root certificate is a digital certificate that belongs to the issuing Certificate Authority. • Intermediate Certificate(s): Intermediate certificates branch of root certificates like branches of trees. They act as middle- men between the protected root certificates and the server certificates issued. • Server Certificate – The server certificate is the one issued to the specific server -----BEGINRSAPRIVATE KEY----- MIICXAIBAAKBgQCiic//jQv2R3b9Zlv1ttgmn1mxPVg5+n04XgphXlzd5VDCHA2Z ... nD6OWE6wMqGqCkzz/QlGPaR4n3E4cnm8YgsCZJRwZ/Q= -----ENDRSA PRIVATEKEY----- -----BEGINCERTIFICATE----- MIID2DCCA0GgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwfzELMAkGA1UEBhMCR0Ix ... nh6C2NfFVLUwuxcA4YZfXMf+2hI1bzNVyhEZCQ== -----ENDCERTIFICATE----- -----BEGINCERTIFICATE----- MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV ... 19vwF3KrjH0SGi8dEgF8iQ== -----ENDCERTIFICATE-----
8 Cryptographic Stores Java KeyStores are used to store key material and associated certificates. • Each key store has an overall password used to protect the entire store, and can optionally have per-entry passwords for each secret- or private-key entry. • Java Key Store (JKS) • The original Sun JKS (Java Key Store) format is a proprietary binary format file that can only store asymmetric private keys and associated X.509 certificates. • JCE Key Store (JCEKS) • Sun later updated the cryptographic capabilities of the JVM with the Java Cryptography Extensions (JCE). With this they also introduced a new proprietary key store format: JCEKS. • PKCS#12 • Apart from these proprietary key stores, Java also supports standard PKCS#12 format >> In Alfresco both “keystore” and “truststore” file types are Java Keystores stored in one of the formats described above (JKS, JCEKS, PKCS12)
9 mTLS Protocol TLS Client Keystore Truststore Public Key Public Key Private Key TLS Server Keystore Truststore Public Key Public Key Private Key Hello message Server Public Key Client Public Key Key Validation Encrypted Data
1010 In Practice
11 When to use mTLS Communication HTTPdefaultINSECUREHTTPprotectedwithpass HTTPS protected with mTLS https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-6-1-is-coming-with-mutual-tls-authentication-by-default/ba-p/287905
12 Cryptographic Tools Issuing certificates • keytool only supports self-signed certificates and a limited set of policies • openssl allows to create an internal CA and to issue certificates signed by this CA with a full set of policies Managing Certificates and Java KeyStores • Command line • keytool provides the ability to create Java Keystores (JKS, JCEKS, PKCS12) including public and private certificates • Window based programs (keytool wrappers) • Portecle • KeyStore Explorer https://docs.oracle.com/en/java/javase/11/tools/keytool.html https://www.openssl.org/docs/ http://portecle.sourceforge.net https://keystore-explorer.org/index.html
13 Alfresco KeyStores: Repository https://github.com/Alfresco/alfresco-ssl-generator By default all the KeyStores are stored in JCEKS format KeyStore and private certificates are protected by password The alias (ssl.repoand so on) are not relevant, different ones can be used keystore • Not related with mTLS configuration, but with encrypting secrets* ssl.keystore • ssl.repo is the private key used to sign HTTP requests • ssl.alfresco.ca is the public key of the CA issuing the certificates ssl.truststore • alfresco.ca is the public key of the CA issuing the certificates • ssl.repo.client is the public key of the certificate used by SOLR as client * https://docs.alfresco.com/6.2/concepts/alf-keystores.html
14 Alfresco KeyStores: SOLR https://github.com/Alfresco/alfresco-ssl-generator By default all the KeyStores are stored in JCEKS format KeyStore and private certificates are protected by password The alias (ssl.repo and so on) are not relevant, different ones can be used ssl-repo-client.keystore • ssl.repo.client is the private key used to sign HTTP requests • alfresco.ca is the public key of the CA issuing the certificates ssl-repo-client.truststore • ssl.alfresco.ca is the public key of the CA issuing the certificates • ssl.repo is the public key of the certificate used by Repository as client • ssl.repo.client is the public key of the certificate used by SOLR as client >> Zeppelin is connecting with the Alfresco Repository, so the KeyStores are the same from SOLR
15 Alfresco KeyStores: Browser https://github.com/Alfresco/alfresco-ssl-generator Connecting to SOLR Admin Web Console (by default available in https://127.0.0.1:8983/solr) requires a client certificate • This certificate needs to be installed in Windows, Mac OS X and Linux. • When using Mozilla Firefox, the certificate needs also to be installed in that browser.
16 Alfresco mTLS https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422 CLASSIC
17 Alfresco mTLSCURRENT
18 Apache HTTP Client in alfresco.war configuration to send HTTPs queries to SOLR Alfresco mTLS: Repository Properties https://github.com/Alfresco/alfresco-community-repo/blob/8.307/repository/src/main/resources/alfresco/repository.properties#L719 #default keystoreslocation dir.keystore=classpath:alfresco/keystore # general encryption parameters(keystore) encryption.keySpec.class=org.alfresco.encryption.DESEDEKeyGenerator encryption.keyAlgorithm=AES encryption.cipherAlgorithm=AES/CBC/PKCS5Padding # secretkey keystore configuration encryption.keystore.location=${dir.keystore}/keystore encryption.keystore.keyMetaData.location=${dir.keystore}/keystore-passwords.properties encryption.keystore.provider= encryption.keystore.type=pkcs12 # ssl.keystore encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore encryption.ssl.keystore.provider= encryption.ssl.keystore.type=JCEKS encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-password.properties # ssl.truststore encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore encryption.ssl.truststore.provider= encryption.ssl.truststore.type=JCEKS encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties # SOLRConfiguration solr.port.ssl=8984 solr.secureComms=https ENCRYPTION PROPERTIES Not related with mTLS Configuration Required even when not using mTLS KEYSTORE Includes Repository private key TRUSTSTORE Includes CA public key and SOLR client public key alfresco-global.properties docker-compose.ymlCLASSIC
19 Tomcat Server configuration to receive HTTPs queries from SOLR Alfresco mTLS: Tomcat Repository Connector $ cat /usr/local/tomcat/conf/server.xml ... <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" connectionTimeout="20000" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS" keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore" keystorePass="kT9X6oe68t" keystoreType="JCEKS" truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t" truststoreType="JCEKS"> </Connector> </Service> </Server> KEYSTORE Includes Repository private key TRUSTSTORE Includes CA public key and SOLR client public key server.xml Dockerfile TOMCAT CONNECTOR TLS Configuration CLASSIC
20 Apache HTTP Client in solr.war configuration to send HTTPs indexing requests to Alfresco Alfresco mTLS: SOLR Properties https://github.com/Alfresco/SearchServices/blob/2.0.0/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties#L44 # ssl.repo.client.keystore alfresco.encryption.ssl.keystore.type=JCEKS alfresco.encryption.ssl.keystore.provider= alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore alfresco.encryption.ssl.keystore.passwordFileLocation=ssl-keystore-passwords.properties # ssl.repo.client.truststore alfresco.encryption.ssl.truststore.type=JCEKS alfresco.encryption.ssl.truststore.provider= alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore alfresco.encryption.ssl.truststore.passwordFileLocation=ssl-truststore-passwords.properties # AlfrescoRepositoryconfiguration alfresco.port.ssl=8443 alfresco.secureComms=https KEYSTORE Includes SOLR private key TRUSTSTORE Includes CA public key, Repository client public key and SOLR client public key solrcore.properties CLASSIC
21 Jetty Server configuration to receive HTTPs queries from Alfresco Alfresco mTLS: Jetty SOLR Server $ cat /opt/alfresco-search-services/solr.in.sh # ssl.repo.client.keystore SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.keystore SOLR_SSL_KEY_STORE_TYPE=JCEKS SOLR_SSL_KEY_STORE_PASSWORD=password # ssl.repo.client.truststore SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.truststore SOLR_SSL_TRUST_STORE_TYPE=JCEKS SOLR_SSL_TRUST_STORE_PASSWORD=password # Jetty mTLS configuration SOLR_SSL_NEED_CLIENT_AUTH=true KEYSTORE Includes SOLR private key TRUSTSTORE Includes CA public key, Repository client public key and SOLR client public key solr.in.sh solr.in.cmdCLASSIC
22 Alfresco mTLS: SOLR Endpoints Apache HTTP Client from alfresco.war is sending signed HTTPs requests to SOLR Jetty server Search Queries https://127.0.0.1:8983/solr/alfresco/afts https://127.0.0.1:8983/solr/alfresco/browse https://127.0.0.1:8983/solr/alfresco/cmis https://127.0.0.1:8983/solr/alfresco/query https://127.0.0.1:8983/solr/alfresco/select SQL Queries https://127.0.0.1:8983/solr/alfresco/sql Admin Actions https://127.0.0.1:8983/solr/admin
23 Alfresco mTLS: Repository Endpoints Apache HTTP Client from solr.war is sending signed HTTPs requests to Alfresco Tomcat server Indexing requests https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets https://127.0.0.1:8443/alfresco/service/api/solr/acls https://127.0.0.1:8443/alfresco/service/api/solr/aclsReaders https://127.0.0.1:8443/alfresco/service/api/solr/metadata https://127.0.0.1:8443/alfresco/service/api/solr/model https://127.0.0.1:8443/alfresco/service/api/solr/modelsdiff https://127.0.0.1:8443/alfresco/service/api/solr/nodes https://127.0.0.1:8443/alfresco/service/api/solr/textContent https://127.0.0.1:8443/alfresco/service/api/solr/transactions
24 Alfresco mTLS: Sharding mTLS Configuration can be applied to SOLR Shards in the same way. • The same KeyStores can be used for every Shard • A new certificate ssl.client.repocan be generated for each Shard • You need to add these new certificates to Alfresco Repository truststore (ssl.truststore) Sample configuration using DB_ID for two shards is available in: https://github.com/aborroy/solr-sharding-docker-compose/tree/master/ssl_db_id
25 DEMO TIME: Using Custom Certificates 1 - Starting with a working mTLS configuration • Docker Compose for Alfresco Repository • ZIP Distribution file for Alfresco Search SOLR 2 - Create new KeyStores with different values 3 - Copy the new KeyStores but preserve encryption resources: keystore and keystore-passwords.properties 4 - Modify configuration in Alfresco Repository, Apache Tomcat, Alfresco Search SOLR and Jetty • Use pkcs12 as KeyStore Type • Use password as password for the KeyStores CLASSIC $ ./run.sh -alfrescoversioncommunity -keysize 4096 -keystoretype PKCS12 -keystorepass password -truststoretypePKCS12 -truststorepasspassword -alfrescoformatclassic https://github.com/Alfresco/alfresco-ssl-generator
2626
27 Common mistakes: Searching If you are experimenting problems when searching from Alfresco, Share or from the REST API: • Review Alfresco Repository configuration > alfresco-global.properties • Review SOLR Jetty configuration > solr.in.sh|solr.in.cmd https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422 solr.port.ssl=8983 solr.secureComms=https dir.keystore=/usr/local/tomcat/alf_data/keystore # ssl.keystore encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore encryption.ssl.keystore.type=JCEKS encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-password.properties # ssl.truststore encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore encryption.ssl.truststore.type=JCEKS encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore SOLR_SSL_TRUST_STORE_PASSWORD=kT9X6oe68t SOLR_SSL_TRUST_STORE_TYPE=JCEKS SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore SOLR_SSL_KEY_STORE_PASSWORD=kT9X6oe68t SOLR_SSL_KEY_STORE_TYPE=JCEKS SOLR_SSL_NEED_CLIENT_AUTH=true
28 Common mistakes: Indexing If you are experimenting problems when indexing from SOLR: • Review Alfresco Tomcat configuration > server.xml • Review SOLR properties configuration > solrcore.properties https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422 <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" connectionTimeout="20000" SSLEnabled="true" maxThreads="150" scheme="https" keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore" keystorePass="kT9X6oe68t" keystoreType="JCEKS" secure="true" truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t" truststoreType="JCEKS" clientAuth="want" sslProtocol="TLS"> </Connector> alfresco.secureComms=https alfresco.port.ssl=8443 alfresco.encryption.ssl.truststore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore alfresco.encryption.ssl.keystore.provider=JCEKS alfresco.encryption.ssl.truststore.type= alfresco.encryption.ssl.keystore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore alfresco.encryption.ssl.truststore.provider=JCEKS alfresco.encryption.ssl.truststore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-truststore-passwords.properties alfresco.encryption.ssl.keystore.type= alfresco.encryption.ssl.keystore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-keystore-passwords.properties
29 Troubleshooting: cURL Testing the configuration with CURL Extract ssl.repo.client certificate from keystores/solr/ssl.repo.client.keystore in PEM format: $ curl -k --cert Custom_Alfresco_Repository_Client_Custom_Alfresco_CA.pem–v "https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets?fromTime=0&toTime=1603454490108&maxResults=2000" In the other way, extract ssl.repo certificate from keystores/alfresco/ssl.keystore in PEM format $ curl -k --cert Custom_Alfresco_Repository_Custom_Alfresco_CA.pem–v "https://127.0.0.1:8983/solr/alfresco/select?indent=on&q=@sys:node-dbid:101&wt=json"
30 Troubleshooting: Debugging Debugging the configuration The best approach to debug SSL Handshake is not using the Log4j categories, but setting this Java parameter for both Solr and Alfresco web apps: -Djavax.net.debug=ssl:handshake "ClientHello": { "clientversion" :"TLSv1.2", "random" : "79 4D93 54 F9 5983 0C 75 58 73 F8 DE3A 3C B695 57 8F 72 A4FE 92 BBD089 50 C3 A011 849C", "session id" : "49 6134 4C 45 80 A069 75 E3 92 C2 7DF6 2E04 70 3F 6C 4DA191 F0 B8CE79 1C 3B 15 0B 11 F5", "cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), ... ]", "compression methods" : "00", "extensions" : [ ] } ) "ServerHello": { "server version" : "TLSv1.2", "random" : "30 8C EEE3 E3 08 6D38 FDBC47 5E 9AC5 4C A5AD14 3E 97 DB3E DAC9 BE61 F9 0F88 F3 25 10", "session id" : "", "cipher suite" : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)", "compression methods" : "00", "extensions" : [ "renegotiation_info (65,281)": { "renegotiated connection": [<no renegotiatedconnection>] }, "ec_point_formats (11)": { "formats": [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2] } ] }
31 Troubleshooting: Resources Alfresco Documentation https://docs.alfresco.com/search-community/tasks/solr-install.html https://docs.alfresco.com/search-community/concepts/solr-troubleshooting.html Alfresco Hub https://hub.alfresco.com/t5/alfresco-content-services-blog/creating-self-signed-ssl-certificates-for-solr/ba-p/288477 https://hub.alfresco.com/t5/alfresco-content-services-blog/using-ssl-with-alfresco-search-services-and-solr-6/ba-p/292687 https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422 https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-6-1-is-coming-with-mutual-tls-authentication-by- default/ba-p/287905 Blog posts https://angelborroy.wordpress.com/2016/06/15/configuring-alfresco-ssl-certificates/
Thank you!

Recommended

From zero to hero Backing up alfresco
From zero to hero Backing up alfrescoFrom zero to hero Backing up alfresco
From zero to hero Backing up alfrescoToni de la Fuente
 
Architectural changes in the repo in 6.1 and beyond
Architectural changes in the repo in 6.1 and beyondArchitectural changes in the repo in 6.1 and beyond
Architectural changes in the repo in 6.1 and beyondStefan Kopf
 
(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in AlfrescoAngel Borroy López
 
Storage and Alfresco
Storage and AlfrescoStorage and Alfresco
Storage and AlfrescoToni de la Fuente
 
Alfresco Backup and Disaster Recovery White Paper
Alfresco Backup and Disaster Recovery White PaperAlfresco Backup and Disaster Recovery White Paper
Alfresco Backup and Disaster Recovery White PaperToni de la Fuente
 
Alfresco tuning part1
Alfresco tuning part1Alfresco tuning part1
Alfresco tuning part1Luis Cabaceira
 
Alfresco tuning part1
Alfresco tuning part1Alfresco tuning part1
Alfresco tuning part1Luis Cabaceira
 
Alfresco Transform Service DevCon 2019
Alfresco Transform Service DevCon 2019Alfresco Transform Service DevCon 2019
Alfresco Transform Service DevCon 2019J V
 

Recommended

From zero to hero Backing up alfresco
From zero to hero Backing up alfrescoFrom zero to hero Backing up alfresco
From zero to hero Backing up alfrescoToni de la Fuente
 
Architectural changes in the repo in 6.1 and beyond
Architectural changes in the repo in 6.1 and beyondArchitectural changes in the repo in 6.1 and beyond
Architectural changes in the repo in 6.1 and beyondStefan Kopf
 
(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in AlfrescoAngel Borroy López
 
Storage and Alfresco
Storage and AlfrescoStorage and Alfresco
Storage and AlfrescoToni de la Fuente
 
Alfresco Backup and Disaster Recovery White Paper
Alfresco Backup and Disaster Recovery White PaperAlfresco Backup and Disaster Recovery White Paper
Alfresco Backup and Disaster Recovery White PaperToni de la Fuente
 
Alfresco tuning part1
Alfresco tuning part1Alfresco tuning part1
Alfresco tuning part1Luis Cabaceira
 
Alfresco tuning part1
Alfresco tuning part1Alfresco tuning part1
Alfresco tuning part1Luis Cabaceira
 
Alfresco Transform Service DevCon 2019
Alfresco Transform Service DevCon 2019Alfresco Transform Service DevCon 2019
Alfresco Transform Service DevCon 2019J V
 
Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0Angel Borroy López
 
Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1Angel Borroy López
 
Moving Gigantic Files Into and Out of the Alfresco Repository
Moving Gigantic Files Into and Out of the Alfresco RepositoryMoving Gigantic Files Into and Out of the Alfresco Repository
Moving Gigantic Files Into and Out of the Alfresco RepositoryJeff Potts
 
Alfresco DevCon 2019 Performance Tools of the Trade
Alfresco DevCon 2019 Performance Tools of the TradeAlfresco DevCon 2019 Performance Tools of the Trade
Alfresco DevCon 2019 Performance Tools of the TradeLuis Colorado
 
Collaborative Editing Tools for Alfresco
Collaborative Editing Tools for AlfrescoCollaborative Editing Tools for Alfresco
Collaborative Editing Tools for AlfrescoAngel Borroy López
 
Alfresco Security Best Practices 2014
Alfresco Security Best Practices 2014Alfresco Security Best Practices 2014
Alfresco Security Best Practices 2014Toni de la Fuente
 
Alfresco Content Modelling and Policy Behaviours
Alfresco Content Modelling and Policy BehavioursAlfresco Content Modelling and Policy Behaviours
Alfresco Content Modelling and Policy BehavioursJ V
 
Alfresco Security Best Practices Guide
Alfresco Security Best Practices GuideAlfresco Security Best Practices Guide
Alfresco Security Best Practices GuideToni de la Fuente
 
Alfresco Share - Recycle Bin Ideas
Alfresco Share - Recycle Bin IdeasAlfresco Share - Recycle Bin Ideas
Alfresco Share - Recycle Bin IdeasAlfrescoUE
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitToni de la Fuente
 
Alfresco DevCon 2019 - Alfresco Identity Services in Action
Alfresco DevCon 2019 - Alfresco Identity Services in ActionAlfresco DevCon 2019 - Alfresco Identity Services in Action
Alfresco DevCon 2019 - Alfresco Identity Services in ActionFrancesco Corti
 
Alfresco devcon 2019: How to track user activities without using the audit fu...
Alfresco devcon 2019: How to track user activities without using the audit fu...Alfresco devcon 2019: How to track user activities without using the audit fu...
Alfresco devcon 2019: How to track user activities without using the audit fu...konok
 
Guide to alfresco monitoring
Guide to alfresco monitoringGuide to alfresco monitoring
Guide to alfresco monitoringMiguel Rodriguez
 
Alfresco 5.2 REST API
Alfresco 5.2 REST APIAlfresco 5.2 REST API
Alfresco 5.2 REST APIJ V
 
Alfresco tuning part2
Alfresco tuning part2Alfresco tuning part2
Alfresco tuning part2Luis Cabaceira
 
CUST-10 Customizing the Upload File(s) dialog in Alfresco Share
CUST-10 Customizing the Upload File(s) dialog in Alfresco ShareCUST-10 Customizing the Upload File(s) dialog in Alfresco Share
CUST-10 Customizing the Upload File(s) dialog in Alfresco ShareAlfresco Software
 
Alfresco node lifecyle, services and zones
Alfresco node lifecyle, services and zonesAlfresco node lifecyle, services and zones
Alfresco node lifecyle, services and zonesSanket Mehta
 
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseHow to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseAngel Borroy López
 
Metadata Extraction and Content Transformation
Metadata Extraction and Content TransformationMetadata Extraction and Content Transformation
Metadata Extraction and Content TransformationAlfresco Software
 
Jose portillo dev con presentation 1138
Jose portillo dev con presentation 1138Jose portillo dev con presentation 1138
Jose portillo dev con presentation 1138Jose Portillo
 
Pulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar clusterPulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar clusterShivji Kumar Jha
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...Andrejs Vorobjovs
 

More Related Content

What's hot

Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0Angel Borroy López
 
Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1Angel Borroy López
 
Moving Gigantic Files Into and Out of the Alfresco Repository
Moving Gigantic Files Into and Out of the Alfresco RepositoryMoving Gigantic Files Into and Out of the Alfresco Repository
Moving Gigantic Files Into and Out of the Alfresco RepositoryJeff Potts
 
Alfresco DevCon 2019 Performance Tools of the Trade
Alfresco DevCon 2019 Performance Tools of the TradeAlfresco DevCon 2019 Performance Tools of the Trade
Alfresco DevCon 2019 Performance Tools of the TradeLuis Colorado
 
Collaborative Editing Tools for Alfresco
Collaborative Editing Tools for AlfrescoCollaborative Editing Tools for Alfresco
Collaborative Editing Tools for AlfrescoAngel Borroy López
 
Alfresco Security Best Practices 2014
Alfresco Security Best Practices 2014Alfresco Security Best Practices 2014
Alfresco Security Best Practices 2014Toni de la Fuente
 
Alfresco Content Modelling and Policy Behaviours
Alfresco Content Modelling and Policy BehavioursAlfresco Content Modelling and Policy Behaviours
Alfresco Content Modelling and Policy BehavioursJ V
 
Alfresco Security Best Practices Guide
Alfresco Security Best Practices GuideAlfresco Security Best Practices Guide
Alfresco Security Best Practices GuideToni de la Fuente
 
Alfresco Share - Recycle Bin Ideas
Alfresco Share - Recycle Bin IdeasAlfresco Share - Recycle Bin Ideas
Alfresco Share - Recycle Bin IdeasAlfrescoUE
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitToni de la Fuente
 
Alfresco DevCon 2019 - Alfresco Identity Services in Action
Alfresco DevCon 2019 - Alfresco Identity Services in ActionAlfresco DevCon 2019 - Alfresco Identity Services in Action
Alfresco DevCon 2019 - Alfresco Identity Services in ActionFrancesco Corti
 
Alfresco devcon 2019: How to track user activities without using the audit fu...
Alfresco devcon 2019: How to track user activities without using the audit fu...Alfresco devcon 2019: How to track user activities without using the audit fu...
Alfresco devcon 2019: How to track user activities without using the audit fu...konok
 
Guide to alfresco monitoring
Guide to alfresco monitoringGuide to alfresco monitoring
Guide to alfresco monitoringMiguel Rodriguez
 
Alfresco 5.2 REST API
Alfresco 5.2 REST APIAlfresco 5.2 REST API
Alfresco 5.2 REST APIJ V
 
CUST-10 Customizing the Upload File(s) dialog in Alfresco Share
CUST-10 Customizing the Upload File(s) dialog in Alfresco ShareCUST-10 Customizing the Upload File(s) dialog in Alfresco Share
CUST-10 Customizing the Upload File(s) dialog in Alfresco ShareAlfresco Software
 
Alfresco node lifecyle, services and zones
Alfresco node lifecyle, services and zonesAlfresco node lifecyle, services and zones
Alfresco node lifecyle, services and zonesSanket Mehta
 
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseHow to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseAngel Borroy López
 
Metadata Extraction and Content Transformation
Metadata Extraction and Content TransformationMetadata Extraction and Content Transformation
Metadata Extraction and Content TransformationAlfresco Software
 
Jose portillo dev con presentation 1138
Jose portillo dev con presentation 1138Jose portillo dev con presentation 1138
Jose portillo dev con presentation 1138Jose Portillo
 

What's hot (20)

Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0
 
Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1
 
Moving Gigantic Files Into and Out of the Alfresco Repository
Moving Gigantic Files Into and Out of the Alfresco RepositoryMoving Gigantic Files Into and Out of the Alfresco Repository
Moving Gigantic Files Into and Out of the Alfresco Repository
 
Alfresco DevCon 2019 Performance Tools of the Trade
Alfresco DevCon 2019 Performance Tools of the TradeAlfresco DevCon 2019 Performance Tools of the Trade
Alfresco DevCon 2019 Performance Tools of the Trade
 
Collaborative Editing Tools for Alfresco
Collaborative Editing Tools for AlfrescoCollaborative Editing Tools for Alfresco
Collaborative Editing Tools for Alfresco
 
Alfresco Security Best Practices 2014
Alfresco Security Best Practices 2014Alfresco Security Best Practices 2014
Alfresco Security Best Practices 2014
 
Alfresco Content Modelling and Policy Behaviours
Alfresco Content Modelling and Policy BehavioursAlfresco Content Modelling and Policy Behaviours
Alfresco Content Modelling and Policy Behaviours
 
Alfresco Security Best Practices Guide
Alfresco Security Best Practices GuideAlfresco Security Best Practices Guide
Alfresco Security Best Practices Guide
 
Alfresco Share - Recycle Bin Ideas
Alfresco Share - Recycle Bin IdeasAlfresco Share - Recycle Bin Ideas
Alfresco Share - Recycle Bin Ideas
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
Alfresco DevCon 2019 - Alfresco Identity Services in Action
Alfresco DevCon 2019 - Alfresco Identity Services in ActionAlfresco DevCon 2019 - Alfresco Identity Services in Action
Alfresco DevCon 2019 - Alfresco Identity Services in Action
 
Alfresco devcon 2019: How to track user activities without using the audit fu...
Alfresco devcon 2019: How to track user activities without using the audit fu...Alfresco devcon 2019: How to track user activities without using the audit fu...
Alfresco devcon 2019: How to track user activities without using the audit fu...
 
Guide to alfresco monitoring
Guide to alfresco monitoringGuide to alfresco monitoring
Guide to alfresco monitoring
 
Alfresco 5.2 REST API
Alfresco 5.2 REST APIAlfresco 5.2 REST API
Alfresco 5.2 REST API
 
Alfresco tuning part2
Alfresco tuning part2Alfresco tuning part2
Alfresco tuning part2
 
CUST-10 Customizing the Upload File(s) dialog in Alfresco Share
CUST-10 Customizing the Upload File(s) dialog in Alfresco ShareCUST-10 Customizing the Upload File(s) dialog in Alfresco Share
CUST-10 Customizing the Upload File(s) dialog in Alfresco Share
 
Alfresco node lifecyle, services and zones
Alfresco node lifecyle, services and zonesAlfresco node lifecyle, services and zones
Alfresco node lifecyle, services and zones
 
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseHow to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
 
Metadata Extraction and Content Transformation
Metadata Extraction and Content TransformationMetadata Extraction and Content Transformation
Metadata Extraction and Content Transformation
 
Jose portillo dev con presentation 1138
Jose portillo dev con presentation 1138Jose portillo dev con presentation 1138
Jose portillo dev con presentation 1138
 

Similar to Alfresco Certificates

Pulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar clusterPulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar clusterShivji Kumar Jha
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...Andrejs Vorobjovs
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsSlawomir Jasek
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environmentTaswar Bhatti
 
Types of ssl commands and keytool
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytoolCheapSSLsecurity
 
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...confluent
 
TechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - Trivadis
TechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - TrivadisTechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - Trivadis
TechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - TrivadisTrivadis
 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxssuser865ecd
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsPROIDEA
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017Toni de la Fuente
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArtDataArt
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkpromediakw
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit - wolfSSL
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowWilliam Lee
 

Similar to Alfresco Certificates (20)

Pulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar clusterPulsar Summit Asia - Running a secure pulsar cluster
Pulsar Summit Asia - Running a secure pulsar cluster
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
 
Types of ssl commands and keytool
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytool
 
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
 
TechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - Trivadis
TechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - TrivadisTechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - Trivadis
TechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - Trivadis
 
Java security
Java securityJava security
Java security
 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talk
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT Devices
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit -
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call Flow
 

More from Angel Borroy López

Using Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherUsing Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherAngel Borroy López
 
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Angel Borroy López
 
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1Angel Borroy López
 
Docker Init with Templates for Alfresco
Docker Init with Templates for AlfrescoDocker Init with Templates for Alfresco
Docker Init with Templates for AlfrescoAngel Borroy López
 
Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0Angel Borroy López
 
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud NativeCSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud NativeAngel Borroy López
 
Alfresco Embedded Activiti Engine
Alfresco Embedded Activiti EngineAlfresco Embedded Activiti Engine
Alfresco Embedded Activiti EngineAngel Borroy López
 
Desarrollando una Extensión para Docker
Desarrollando una Extensión para DockerDesarrollando una Extensión para Docker
Desarrollando una Extensión para DockerAngel Borroy López
 
DockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdfDockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdfAngel Borroy López
 
Deploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP PlatformsDeploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP PlatformsAngel Borroy López
 
A Practical Introduction to Apache Solr
A Practical Introduction to Apache SolrA Practical Introduction to Apache Solr
A Practical Introduction to Apache SolrAngel Borroy López
 
Alfresco search services: Now and Then
Alfresco search services: Now and ThenAlfresco search services: Now and Then
Alfresco search services: Now and ThenAngel Borroy López
 
Docker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de ZaragozaDocker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de ZaragozaAngel Borroy López
 
How to Write Alfresco Addons that Last Forever
How to Write Alfresco Addons that Last ForeverHow to Write Alfresco Addons that Last Forever
How to Write Alfresco Addons that Last ForeverAngel Borroy López
 
10 Tips Every New Developer in Alfresco Should Know
10 Tips Every New Developer in Alfresco Should Know10 Tips Every New Developer in Alfresco Should Know
10 Tips Every New Developer in Alfresco Should KnowAngel Borroy López
 

More from Angel Borroy López (20)

Using Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherUsing Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms together
 
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
 
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
 
Docker Init with Templates for Alfresco
Docker Init with Templates for AlfrescoDocker Init with Templates for Alfresco
Docker Init with Templates for Alfresco
 
Before & After Docker Init
Before & After Docker InitBefore & After Docker Init
Before & After Docker Init
 
Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0
 
Using Podman with Alfresco
Using Podman with AlfrescoUsing Podman with Alfresco
Using Podman with Alfresco
 
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud NativeCSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
 
Alfresco Embedded Activiti Engine
Alfresco Embedded Activiti EngineAlfresco Embedded Activiti Engine
Alfresco Embedded Activiti Engine
 
Alfresco Transform Core 3.0.0
Alfresco Transform Core 3.0.0Alfresco Transform Core 3.0.0
Alfresco Transform Core 3.0.0
 
Desarrollando una Extensión para Docker
Desarrollando una Extensión para DockerDesarrollando una Extensión para Docker
Desarrollando una Extensión para Docker
 
DockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdfDockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdf
 
Deploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP PlatformsDeploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP Platforms
 
Introduction to AWS
Introduction to AWSIntroduction to AWS
Introduction to AWS
 
A Practical Introduction to Apache Solr
A Practical Introduction to Apache SolrA Practical Introduction to Apache Solr
A Practical Introduction to Apache Solr
 
Alfresco search services: Now and Then
Alfresco search services: Now and ThenAlfresco search services: Now and Then
Alfresco search services: Now and Then
 
Docker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de ZaragozaDocker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
 
How to Write Alfresco Addons that Last Forever
How to Write Alfresco Addons that Last ForeverHow to Write Alfresco Addons that Last Forever
How to Write Alfresco Addons that Last Forever
 
10 Tips Every New Developer in Alfresco Should Know
10 Tips Every New Developer in Alfresco Should Know10 Tips Every New Developer in Alfresco Should Know
10 Tips Every New Developer in Alfresco Should Know
 
Upgrading to Alfresco 6
Upgrading to Alfresco 6Upgrading to Alfresco 6
Upgrading to Alfresco 6
 

Recently uploaded

Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 

Recently uploaded (20)

Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 

Alfresco Certificates

  • 1. Angel Borroy Search Team Nov 5, 2020 Cryptographic stores in Alfresco Brown Bag
  • 2. 22 Cryptographic Stores in Alfresco In Theory • Electronic Certificates • Chain of Trust • Public and Private CAs • Cryptographic Stores • mTLS Protocol In Practice • When to use mTLS Communication • Cryptographic Tools • Alfresco KeyStores • Alfresco mTLS Configuration • Using Custom Certificates In Panic • Troubleshooting Java KeyStores
  • 4. 4 $openssl x509 -inAlfresco_Client_Alfresco_CA.pem -text –noout Certificate: Data: Version:3(0x2) SerialNumber:4097(0x1001) SignatureAlgorithm:sha256WithRSAEncryption Issuer:C=GB,ST=UK,L=Maidenhead,O=AlfrescoSoftware Ltd.,OU=Unknown,CN=CustomAlfrescoCA Validity NotBefore:Jun3009:24:082020GMT NotAfter: Jun2809:24:082030GMT Subject:C=GB,ST=UK,O=AlfrescoSoftwareLtd.,OU=Unknown,CN=CustomAlfrescoRepositoryClient SubjectPublicKeyInfo: PublicKeyAlgorithm:rsaEncryption Public-Key:(1024bit) Modulus: 00:a2:89:cf:ff:8d:0b:f6:47:76:fd:66:5b:f5:b6: d8:26:9f:59:b1:3d:58:39:fa:7d:38:5e:0a:61:5e: 5c:dd:e5:50:c2:1c:0d:99:db:26:de:f2:3b:26:47: 5c:d1:8a:f6:e1:a5:04:ec:7c:60:3b:2a:5c:e3:7e: 97:26:59:3a:ed:d7:4a:69:c0:9e:47:5b:a0:03:64: 73:29:35:70:70:e7:1a:a4:b7:5a:c5:a5:08:52:9b: e7:95:72:7e:0d:a4:4d:b6:85:84:e7:c5:4c:7c:fc: 89:93:de:88:f9:c7:9b:52:1f:59:95:04:89:3a:96: b9:e6:a0:e9:e3:d4:08:3a:87 Exponent:65537(0x10001) X509v3extensions: X509v3BasicConstraints: CA:FALSE NetscapeCertType: SSL Server NetscapeComment: OpenSSL GeneratedServerCertificate X509v3SubjectKeyIdentifier: 84:E1:8B:E1:3C:9E:66:20:79:8F:AE:C5:9E:06:50:23:F2:54:A1:72 X509v3AuthorityKeyIdentifier: keyid:2D:AC:E1:41:70:08:36:16:3F:E5:C9:A8:0C:B1:CF:CF:6B:A4:80:BC DirName:/C=GB/ST=UK/L=Maidenhead/O=AlfrescoSoftwareLtd./OU=Unknown/CN=CustomAlfrescoCA serial:94:78:32:24:4E:A5:07:2B X509v3KeyUsage:critical Digital Signature,KeyEncipherment X509v3ExtendedKeyUsage: TLSWebServerAuthentication X509v3SubjectAlternativeName: DNS:localhost SignatureAlgorithm:sha256WithRSAEncryption 12:4d:81:49:ca:e7:00:13:2e:74:1b:2a:de:41:a5:45:79:45: 34:1c:0b:58:30:a8:a0:a4:f2:52:36:ba:6c:e8:9b:7e:4c:15: 87:86:56:a4:e7:38:0d:13:e5:f3:d1:23:5f:f1:28:d8:d7:d6: 6f:a8:c9:21:ec:aa:9f:7d:4e:79:87:14:b7:d5:8f:e8:cc:67: 2e:1b:84:fd:de:ef:ab:c2:49:e4:8f:9e:a4:2e:49:ef:75:79: cd:7b:e2:a9:16:c6:14:94:2a:70:9e:1e:82:d8:d7:c5:54:b5: 30:bb:17:00:e1:86:5f:5c:c7:fe:da:12:35:6f:33:55:ca:11 Electronic Certificates X509 Certificate Issuer Name DN Common Name CN Distinguished Name DN Dates valid Private Key Public Key Key Usage Policies Issuer Signature This should match with Server DNS Name RSA 1024 bits with SHA 256 Keystore Truststore
  • 5. 5 Electronic Certificates: File Format .pem – Base64 encoded DER certificate, password .cer, .crt, .der – Binary DER form, password .p7b, .p7c – Base 64 Ascii file with PKCS#7, just for public certificate(s) or CRL(s) .p12 – PKCS#12, may contain certificate(s) (public) and private keys, binary format (ASN.1), password .pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS) -----BEGINCERTIFICATE----- MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE ... HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1 19vwF3KrjH0SGi8dEgF8iQ== -----ENDCERTIFICATE----- -----BEGINRSAPRIVATE KEY----- MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV ... 19vwF3KrjH0SGi8dEgF8iQ== -----ENDRSAPRIVATE KEY----- -----BEGINPKCS7-----MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE ... HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1 19vwF3KrjH0SGi8dEgF8iQ== -----ENDPKCS7-----
  • 6. 6 Public and Private CAs CA (Certificate Authority) is an entity that issues electronic certificates. Public CA • Trusted Third-Party for general public, mainly oriented to final users • Issued certificates are trusted by default in Operating Systems and Browsers • The information and services we provide on these servers is open in Internet Private CA • Trusted Third-Party for internal users and services • Issued certificates aren’t trusted by default, so you need to configure computers and servers in order to trust them • The information and services we provide on these servers is restricted to Intranet PUBLICPRIVATE
  • 7. 7 Chain of Trust A certificate must be traceable back to the trust root it was signed with. All public certificates in the chain [server, intermediate(s), and root] need to be present in the truststore. • Root Certificate: A root certificate is a digital certificate that belongs to the issuing Certificate Authority. • Intermediate Certificate(s): Intermediate certificates branch of root certificates like branches of trees. They act as middle- men between the protected root certificates and the server certificates issued. • Server Certificate – The server certificate is the one issued to the specific server -----BEGINRSAPRIVATE KEY----- MIICXAIBAAKBgQCiic//jQv2R3b9Zlv1ttgmn1mxPVg5+n04XgphXlzd5VDCHA2Z ... nD6OWE6wMqGqCkzz/QlGPaR4n3E4cnm8YgsCZJRwZ/Q= -----ENDRSA PRIVATEKEY----- -----BEGINCERTIFICATE----- MIID2DCCA0GgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwfzELMAkGA1UEBhMCR0Ix ... nh6C2NfFVLUwuxcA4YZfXMf+2hI1bzNVyhEZCQ== -----ENDCERTIFICATE----- -----BEGINCERTIFICATE----- MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV ... 19vwF3KrjH0SGi8dEgF8iQ== -----ENDCERTIFICATE-----
  • 8. 8 Cryptographic Stores Java KeyStores are used to store key material and associated certificates. • Each key store has an overall password used to protect the entire store, and can optionally have per-entry passwords for each secret- or private-key entry. • Java Key Store (JKS) • The original Sun JKS (Java Key Store) format is a proprietary binary format file that can only store asymmetric private keys and associated X.509 certificates. • JCE Key Store (JCEKS) • Sun later updated the cryptographic capabilities of the JVM with the Java Cryptography Extensions (JCE). With this they also introduced a new proprietary key store format: JCEKS. • PKCS#12 • Apart from these proprietary key stores, Java also supports standard PKCS#12 format >> In Alfresco both “keystore” and “truststore” file types are Java Keystores stored in one of the formats described above (JKS, JCEKS, PKCS12)
  • 9. 9 mTLS Protocol TLS Client Keystore Truststore Public Key Public Key Private Key TLS Server Keystore Truststore Public Key Public Key Private Key Hello message Server Public Key Client Public Key Key Validation Encrypted Data
  • 11. 11 When to use mTLS Communication HTTPdefaultINSECUREHTTPprotectedwithpass HTTPS protected with mTLS https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-6-1-is-coming-with-mutual-tls-authentication-by-default/ba-p/287905
  • 12. 12 Cryptographic Tools Issuing certificates • keytool only supports self-signed certificates and a limited set of policies • openssl allows to create an internal CA and to issue certificates signed by this CA with a full set of policies Managing Certificates and Java KeyStores • Command line • keytool provides the ability to create Java Keystores (JKS, JCEKS, PKCS12) including public and private certificates • Window based programs (keytool wrappers) • Portecle • KeyStore Explorer https://docs.oracle.com/en/java/javase/11/tools/keytool.html https://www.openssl.org/docs/ http://portecle.sourceforge.net https://keystore-explorer.org/index.html
  • 13. 13 Alfresco KeyStores: Repository https://github.com/Alfresco/alfresco-ssl-generator By default all the KeyStores are stored in JCEKS format KeyStore and private certificates are protected by password The alias (ssl.repoand so on) are not relevant, different ones can be used keystore • Not related with mTLS configuration, but with encrypting secrets* ssl.keystore • ssl.repo is the private key used to sign HTTP requests • ssl.alfresco.ca is the public key of the CA issuing the certificates ssl.truststore • alfresco.ca is the public key of the CA issuing the certificates • ssl.repo.client is the public key of the certificate used by SOLR as client * https://docs.alfresco.com/6.2/concepts/alf-keystores.html
  • 14. 14 Alfresco KeyStores: SOLR https://github.com/Alfresco/alfresco-ssl-generator By default all the KeyStores are stored in JCEKS format KeyStore and private certificates are protected by password The alias (ssl.repo and so on) are not relevant, different ones can be used ssl-repo-client.keystore • ssl.repo.client is the private key used to sign HTTP requests • alfresco.ca is the public key of the CA issuing the certificates ssl-repo-client.truststore • ssl.alfresco.ca is the public key of the CA issuing the certificates • ssl.repo is the public key of the certificate used by Repository as client • ssl.repo.client is the public key of the certificate used by SOLR as client >> Zeppelin is connecting with the Alfresco Repository, so the KeyStores are the same from SOLR
  • 15. 15 Alfresco KeyStores: Browser https://github.com/Alfresco/alfresco-ssl-generator Connecting to SOLR Admin Web Console (by default available in https://127.0.0.1:8983/solr) requires a client certificate • This certificate needs to be installed in Windows, Mac OS X and Linux. • When using Mozilla Firefox, the certificate needs also to be installed in that browser.
  • 18. 18 Apache HTTP Client in alfresco.war configuration to send HTTPs queries to SOLR Alfresco mTLS: Repository Properties https://github.com/Alfresco/alfresco-community-repo/blob/8.307/repository/src/main/resources/alfresco/repository.properties#L719 #default keystoreslocation dir.keystore=classpath:alfresco/keystore # general encryption parameters(keystore) encryption.keySpec.class=org.alfresco.encryption.DESEDEKeyGenerator encryption.keyAlgorithm=AES encryption.cipherAlgorithm=AES/CBC/PKCS5Padding # secretkey keystore configuration encryption.keystore.location=${dir.keystore}/keystore encryption.keystore.keyMetaData.location=${dir.keystore}/keystore-passwords.properties encryption.keystore.provider= encryption.keystore.type=pkcs12 # ssl.keystore encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore encryption.ssl.keystore.provider= encryption.ssl.keystore.type=JCEKS encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-password.properties # ssl.truststore encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore encryption.ssl.truststore.provider= encryption.ssl.truststore.type=JCEKS encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties # SOLRConfiguration solr.port.ssl=8984 solr.secureComms=https ENCRYPTION PROPERTIES Not related with mTLS Configuration Required even when not using mTLS KEYSTORE Includes Repository private key TRUSTSTORE Includes CA public key and SOLR client public key alfresco-global.properties docker-compose.ymlCLASSIC
  • 19. 19 Tomcat Server configuration to receive HTTPs queries from SOLR Alfresco mTLS: Tomcat Repository Connector $ cat /usr/local/tomcat/conf/server.xml ... <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" connectionTimeout="20000" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS" keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore" keystorePass="kT9X6oe68t" keystoreType="JCEKS" truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t" truststoreType="JCEKS"> </Connector> </Service> </Server> KEYSTORE Includes Repository private key TRUSTSTORE Includes CA public key and SOLR client public key server.xml Dockerfile TOMCAT CONNECTOR TLS Configuration CLASSIC
  • 20. 20 Apache HTTP Client in solr.war configuration to send HTTPs indexing requests to Alfresco Alfresco mTLS: SOLR Properties https://github.com/Alfresco/SearchServices/blob/2.0.0/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties#L44 # ssl.repo.client.keystore alfresco.encryption.ssl.keystore.type=JCEKS alfresco.encryption.ssl.keystore.provider= alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore alfresco.encryption.ssl.keystore.passwordFileLocation=ssl-keystore-passwords.properties # ssl.repo.client.truststore alfresco.encryption.ssl.truststore.type=JCEKS alfresco.encryption.ssl.truststore.provider= alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore alfresco.encryption.ssl.truststore.passwordFileLocation=ssl-truststore-passwords.properties # AlfrescoRepositoryconfiguration alfresco.port.ssl=8443 alfresco.secureComms=https KEYSTORE Includes SOLR private key TRUSTSTORE Includes CA public key, Repository client public key and SOLR client public key solrcore.properties CLASSIC
  • 21. 21 Jetty Server configuration to receive HTTPs queries from Alfresco Alfresco mTLS: Jetty SOLR Server $ cat /opt/alfresco-search-services/solr.in.sh # ssl.repo.client.keystore SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.keystore SOLR_SSL_KEY_STORE_TYPE=JCEKS SOLR_SSL_KEY_STORE_PASSWORD=password # ssl.repo.client.truststore SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.truststore SOLR_SSL_TRUST_STORE_TYPE=JCEKS SOLR_SSL_TRUST_STORE_PASSWORD=password # Jetty mTLS configuration SOLR_SSL_NEED_CLIENT_AUTH=true KEYSTORE Includes SOLR private key TRUSTSTORE Includes CA public key, Repository client public key and SOLR client public key solr.in.sh solr.in.cmdCLASSIC
  • 22. 22 Alfresco mTLS: SOLR Endpoints Apache HTTP Client from alfresco.war is sending signed HTTPs requests to SOLR Jetty server Search Queries https://127.0.0.1:8983/solr/alfresco/afts https://127.0.0.1:8983/solr/alfresco/browse https://127.0.0.1:8983/solr/alfresco/cmis https://127.0.0.1:8983/solr/alfresco/query https://127.0.0.1:8983/solr/alfresco/select SQL Queries https://127.0.0.1:8983/solr/alfresco/sql Admin Actions https://127.0.0.1:8983/solr/admin
  • 23. 23 Alfresco mTLS: Repository Endpoints Apache HTTP Client from solr.war is sending signed HTTPs requests to Alfresco Tomcat server Indexing requests https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets https://127.0.0.1:8443/alfresco/service/api/solr/acls https://127.0.0.1:8443/alfresco/service/api/solr/aclsReaders https://127.0.0.1:8443/alfresco/service/api/solr/metadata https://127.0.0.1:8443/alfresco/service/api/solr/model https://127.0.0.1:8443/alfresco/service/api/solr/modelsdiff https://127.0.0.1:8443/alfresco/service/api/solr/nodes https://127.0.0.1:8443/alfresco/service/api/solr/textContent https://127.0.0.1:8443/alfresco/service/api/solr/transactions
  • 24. 24 Alfresco mTLS: Sharding mTLS Configuration can be applied to SOLR Shards in the same way. • The same KeyStores can be used for every Shard • A new certificate ssl.client.repocan be generated for each Shard • You need to add these new certificates to Alfresco Repository truststore (ssl.truststore) Sample configuration using DB_ID for two shards is available in: https://github.com/aborroy/solr-sharding-docker-compose/tree/master/ssl_db_id
  • 25. 25 DEMO TIME: Using Custom Certificates 1 - Starting with a working mTLS configuration • Docker Compose for Alfresco Repository • ZIP Distribution file for Alfresco Search SOLR 2 - Create new KeyStores with different values 3 - Copy the new KeyStores but preserve encryption resources: keystore and keystore-passwords.properties 4 - Modify configuration in Alfresco Repository, Apache Tomcat, Alfresco Search SOLR and Jetty • Use pkcs12 as KeyStore Type • Use password as password for the KeyStores CLASSIC $ ./run.sh -alfrescoversioncommunity -keysize 4096 -keystoretype PKCS12 -keystorepass password -truststoretypePKCS12 -truststorepasspassword -alfrescoformatclassic https://github.com/Alfresco/alfresco-ssl-generator
  • 26. 2626
  • 27. 27 Common mistakes: Searching If you are experimenting problems when searching from Alfresco, Share or from the REST API: • Review Alfresco Repository configuration > alfresco-global.properties • Review SOLR Jetty configuration > solr.in.sh|solr.in.cmd https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422 solr.port.ssl=8983 solr.secureComms=https dir.keystore=/usr/local/tomcat/alf_data/keystore # ssl.keystore encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore encryption.ssl.keystore.type=JCEKS encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-password.properties # ssl.truststore encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore encryption.ssl.truststore.type=JCEKS encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore SOLR_SSL_TRUST_STORE_PASSWORD=kT9X6oe68t SOLR_SSL_TRUST_STORE_TYPE=JCEKS SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore SOLR_SSL_KEY_STORE_PASSWORD=kT9X6oe68t SOLR_SSL_KEY_STORE_TYPE=JCEKS SOLR_SSL_NEED_CLIENT_AUTH=true
  • 28. 28 Common mistakes: Indexing If you are experimenting problems when indexing from SOLR: • Review Alfresco Tomcat configuration > server.xml • Review SOLR properties configuration > solrcore.properties https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422 <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" connectionTimeout="20000" SSLEnabled="true" maxThreads="150" scheme="https" keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore" keystorePass="kT9X6oe68t" keystoreType="JCEKS" secure="true" truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t" truststoreType="JCEKS" clientAuth="want" sslProtocol="TLS"> </Connector> alfresco.secureComms=https alfresco.port.ssl=8443 alfresco.encryption.ssl.truststore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore alfresco.encryption.ssl.keystore.provider=JCEKS alfresco.encryption.ssl.truststore.type= alfresco.encryption.ssl.keystore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore alfresco.encryption.ssl.truststore.provider=JCEKS alfresco.encryption.ssl.truststore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-truststore-passwords.properties alfresco.encryption.ssl.keystore.type= alfresco.encryption.ssl.keystore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-keystore-passwords.properties
  • 29. 29 Troubleshooting: cURL Testing the configuration with CURL Extract ssl.repo.client certificate from keystores/solr/ssl.repo.client.keystore in PEM format: $ curl -k --cert Custom_Alfresco_Repository_Client_Custom_Alfresco_CA.pem–v "https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets?fromTime=0&toTime=1603454490108&maxResults=2000" In the other way, extract ssl.repo certificate from keystores/alfresco/ssl.keystore in PEM format $ curl -k --cert Custom_Alfresco_Repository_Custom_Alfresco_CA.pem–v "https://127.0.0.1:8983/solr/alfresco/select?indent=on&q=@sys:node-dbid:101&wt=json"
  • 30. 30 Troubleshooting: Debugging Debugging the configuration The best approach to debug SSL Handshake is not using the Log4j categories, but setting this Java parameter for both Solr and Alfresco web apps: -Djavax.net.debug=ssl:handshake "ClientHello": { "clientversion" :"TLSv1.2", "random" : "79 4D93 54 F9 5983 0C 75 58 73 F8 DE3A 3C B695 57 8F 72 A4FE 92 BBD089 50 C3 A011 849C", "session id" : "49 6134 4C 45 80 A069 75 E3 92 C2 7DF6 2E04 70 3F 6C 4DA191 F0 B8CE79 1C 3B 15 0B 11 F5", "cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), ... ]", "compression methods" : "00", "extensions" : [ ] } ) "ServerHello": { "server version" : "TLSv1.2", "random" : "30 8C EEE3 E3 08 6D38 FDBC47 5E 9AC5 4C A5AD14 3E 97 DB3E DAC9 BE61 F9 0F88 F3 25 10", "session id" : "", "cipher suite" : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)", "compression methods" : "00", "extensions" : [ "renegotiation_info (65,281)": { "renegotiated connection": [<no renegotiatedconnection>] }, "ec_point_formats (11)": { "formats": [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2] } ] }
  • 31. 31 Troubleshooting: Resources Alfresco Documentation https://docs.alfresco.com/search-community/tasks/solr-install.html https://docs.alfresco.com/search-community/concepts/solr-troubleshooting.html Alfresco Hub https://hub.alfresco.com/t5/alfresco-content-services-blog/creating-self-signed-ssl-certificates-for-solr/ba-p/288477 https://hub.alfresco.com/t5/alfresco-content-services-blog/using-ssl-with-alfresco-search-services-and-solr-6/ba-p/292687 https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422 https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-6-1-is-coming-with-mutual-tls-authentication-by- default/ba-p/287905 Blog posts https://angelborroy.wordpress.com/2016/06/15/configuring-alfresco-ssl-certificates/