inteligr8/SearchServices
1
0
Fork 0
mirror of https://github.com/Alfresco/SearchServices.git synced 2025-09-10 14:11:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEARCH-1127 enabling SSL on ACS + SS

Browse Source
This commit is contained in:
Paul Brodner
2019-03-15 14:48:00 +00:00
parent d5344306a9
commit 6ce43daa59
12 changed files with 377 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
e2e-test/qa/Makefile
View File

@@ -53,7 +53,7 @@ clean: ## main: kill containers
# just waits for a alfresco and solr to start
wait: ## main: wait for alfresco service && solr to startup
$(helpers)/wait-service-to-start.sh && \
$(helpers)/wait-service-to-start.sh http://localhost:8083/solr
$(helpers)/wait-service-to-start.sh http://localhost:8083/solr
standard: ## main: start with standard docker-compose.yml file
make clean && $(dc) config && $(dc) up -d && make wait

4
e2e-test/qa/search/custom/Makefile
View File

@@ -10,9 +10,9 @@ endif
## ---- CUSTOM
build: ## 1 - build a custom image: $ make SCRIPTS_FOLDER=spellcheck custom-build
build: ## 1 - build a custom image: $ make SCRIPTS_FOLDER=spellcheck build
ifndef SCRIPTS_FOLDER
@echo SCRIPTS_FOLDER not defined "Usage: make SCRIPTS_FOLDER=spellcheck custom-build"
@echo SCRIPTS_FOLDER not defined "Usage: make SCRIPTS_FOLDER=spellcheck build"
exit 1
endif
$(dc-custom) build --force-rm --no-cache --pull --build-arg SCRIPTS_FOLDER=$(SCRIPTS_FOLDER)

11
e2e-test/qa/search/ssl/.env Normal file
View File

@@ -0,0 +1,11 @@
# docker-compose related environments
ALFRESCO_IMAGE=alfresco/alfresco-content-repository
ALFRESCO_TAG=6.1.0-EA3
SHARE_IMAGE=alfresco/alfresco-share
SHARE_TAG=6.0
POSTGRES_IMAGE=postgres
POSTGRES_TAG=10.1
SEARCH_IMAGE=quay.io/alfresco/search-services
SEARCH_TAG=latest
ACTIVEMQ_IMAGE=alfresco/alfresco-activemq
ACTIVEMQ_TAG=5.15.6

23
e2e-test/qa/search/ssl/Makefile Normal file
View File

@@ -0,0 +1,23 @@
include ../../Makefile
include .env
# CURRENT_DIR is the folder where this Makefile is saved
CURRENT_DIR:=$(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
ifeq ($(dc-custom),)
dc-custom:=$(dc) -f ../docker-compose.yml -f docker-compose.ssl.yml
endif
ssl: ## 0 - starts search service with SSL enabled
$(dc-custom) build && \
$(dc-custom) up -d && \
make wait
wait:
$(helpers)/wait-service-to-start.sh
clean:
$(dc-custom) kill && $(dc-custom) rm -fv
logs:
$(dc-custom) logs -f

27
e2e-test/qa/search/ssl/README.md Normal file
View File

@@ -0,0 +1,27 @@
## About
Try to start Alfresco & Search Services with SSL enabled
### How to run it
>this will clean any volumes any docker services that are running
> and starts a new alfresco and search service(s) built with ssl enabled
```shell
$ make clean ssl
```
>There are also configuration on alfresco part - where we use the shared volume of search to take the same keystore data (see [docker-compose.ssl.yml](./docker-compose.ssl.yml) )
> clean everything with `make clean`
### Test it in browser
* open Firefox and import [browser.p12](./browser.p12) certificate (when asked add password: `alfresco`). I think you can also add an exception and pass unsecure connection warning!
| Alfresco | Solr | Share |
| :------------- |:-------------| :-----|
| **SSL:** https://localhost:7070/alfresco | **SSL:** https://localhost:8084/solr | |
| **No-SSL:** http://localhost:8081/alfresco | **No-SSL:** - | **No-SSL:** http://localhost:8082/share/ |
>I've also enabled [spellcheck](./search/scripts/enable-spellcheck.sh) feature, so in Share, try to do a search for "[alfrezco](http://localhost:8082/share/page/dp/ws/faceted-search#searchTerm=alfrezco&scope=repo&sortField=null)"

188
e2e-test/qa/search/ssl/alfresco/6.1-server.xml Normal file
View File

@@ -0,0 +1,188 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
Server=" "
connectionTimeout="20000"
redirectPort="8443" />
<!--base on:
http://docs.alfresco.com/6.1/tasks/configure-ssl-test.html
http://docs.alfresco.com/community/concepts/configure-ssl-intro.html
-->
<Connector port="7070"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
maxThreads="150"
SSLEnabled="true">
<SSLHostConfig certificateVerification="required"
truststoreFile="/keystore/ssl.repo.client.truststore"
truststorePassword="kT9X6oe68t"
truststoreType="JCEKS" >
<Certificate certificateKeystoreFile="/keystore/ssl.repo.client.keystore"
certificateKeystorePassword="kT9X6oe68t"
certificateKeystoreType="JCEKS" />
</SSLHostConfig>
</Connector>
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation. The default
SSLImplementation will depend on the presence of the APR/native
library and the useOpenSSL attribute of the
AprLifecycleListener.
Either JSSE or OpenSSL style configuration may be used regardless of
the SSLImplementation selected. JSSE style configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
This connector uses the APR/native implementation which always uses
OpenSSL for TLS.
Either JSSE or OpenSSL style configuration may be used. OpenSSL style
configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
</Engine>
</Service>
</Server>

5
e2e-test/qa/search/ssl/alfresco/Dockerfile Normal file
View File

@@ -0,0 +1,5 @@
ARG ALFRESCO_TAG=6.1.0-EA3
FROM quay.io/alfresco/alfresco-content-repository:$ALFRESCO_TAG
LABEL creator="Paul Brodner" maintainer="Alfresco Search Services Team"
COPY 6.1-server.xml /usr/local/tomcat/conf/server.xml

BIN
e2e-test/qa/search/ssl/browser.p12 Normal file
View File

Binary file not shown.

64
e2e-test/qa/search/ssl/docker-compose.ssl.yml Normal file
View File

@@ -0,0 +1,64 @@
version: '3'
services:
alfresco:
image: alfresco-content-repository-ssl:${ALFRESCO_TAG}
build:
context: ./ssl/alfresco
environment:
JAVA_OPTS : "
-Ddb.driver=org.postgresql.Driver
-Ddb.username=alfresco
-Ddb.password=alfresco
-Ddb.url=jdbc:postgresql://postgres:5432/alfresco
-Dsolr.host=search
-Dsolr.port=8443
-Dsolr.port.ssl=8443
-Dalfresco.protocol=https
-Dalfresco.port.ssl=7070
-Dsolr.secureComms=https
-Dalfresco.secureComms=https
-Dalfresco.encryption.ssl.keystore.type=JCEKS
-Dalfresco.encryption.ssl.keystore.provider=
-Dalfresco.encryption.ssl.keystore.location=/keystore/ssl.repo.client.keystore
-Dalfresco.encryption.ssl.keystore.passwordFileLocation=/keystore/ssl-keystore-passwords.properties
-Dalfresco.encryption.ssl.truststore.type=JCEKS
-Dalfresco.encryption.ssl.truststore.provider=
-Dalfresco.encryption.ssl.truststore.location=/keystore/ssl.repo.client.truststore
-Dalfresco.encryption.ssl.truststore.passwordFileLocation=/keystore/ssl-truststore-passwords.properties
-Dsolr.base.url=/solr
-Dindex.subsystem.name=solr6
-Dalfresco.restApi.basicAuthScheme=true
-Ddeployment.method=DOCKER_COMPOSE
-Dcsrf.filter.enabled=false
-Dmessaging.broker.url=\"failover:(nio://activemq:61616)?timeout=3000&jms.useCompression=true\"
"
ports:
- "7203:7203" #JMX connect via service:jmx:rmi:///jndi/rmi://localhost:7203/jmxrmi
- "5005:5005" #Java debugging
- "8081:8080" #Browser port for Alfresco
- "7070:7070" #SSL Browser port for Alfresco
volumes:
- shared-volume:/keystore
search:
image: search-services-ssl:${SEARCH_TAG}
build:
context: ./ssl/search
environment:
SOLR_SSL_KEY_STORE: /opt/alfresco-search-services/solrhome/templates/rerank/conf/ssl.repo.client.keystore
SOLR_SSL_KEY_STORE_PASSWORD: kT9X6oe68t
SOLR_SSL_KEY_STORE_TYPE: JCEKS
SOLR_SSL_TRUST_STORE: /opt/alfresco-search-services/solrhome/templates/rerank/conf/ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE_PASSWORD: kT9X6oe68t
SOLR_SSL_TRUST_STORE_TYPE: JCEKS
SOLR_SSL_NEED_CLIENT_AUTH: "true"
SOLR_SSL_WANT_CLIENT_AUTH: "false"
SOLR_PORT: 8443
ports:
- 8083:8983 #Browser port
- 8084:8443 #SSL Port
volumes:
- shared-volume:/opt/alfresco-search-services/solrhome/templates/rerank/conf
volumes:
shared-volume:

15
e2e-test/qa/search/ssl/search/Dockerfile Normal file
View File

@@ -0,0 +1,15 @@
ARG SEARCH_TAG=latest
FROM quay.io/alfresco/search-services:$SEARCH_TAG
LABEL creator="Paul Brodner" maintainer="Alfresco Search Services Team"
USER root
RUN echo " &" >> $DIST_DIR/solr/bin/search_config_setup.sh && \
echo "bash -c \"find $DIST_DIR/scripts/ -maxdepth 1 -type f -executable -name '*.sh' -exec {} \\;\"" >> $DIST_DIR/solr/bin/search_config_setup.sh && \
echo "bash -c \"tail -f $DIST_DIR/logs/solr.log\"" >> $DIST_DIR/solr/bin/search_config_setup.sh
USER solr
COPY scripts/* ${DIST_DIR}/scripts/
# we need this, because we tail on it in the search_config_setup.sh (see above)
RUN touch ./logs/solr.log

19
e2e-test/qa/search/ssl/search/scripts/enable-spellcheck.sh Executable file
View File

@@ -0,0 +1,19 @@
#!/usr/bin/env bash
set -ex
echo "Enabling SpellCheck"
cat <<EOF >> /opt/alfresco-search-services/solrhome/conf/shared.properties
# Enabling SpellCheck
# configuration:
# * http://docs.alfresco.com/6.0/concepts/solr-shared-properties.html
# * https://docs.alfresco.com/5.2/tasks/solr6-install-withoutSSL.html
# test it: http://docs.alfresco.com/6.0/concepts/search-api-spellcheck.html
# Suggestable Properties
alfresco.suggestable.property.0={http://www.alfresco.org/model/content/1.0}name
alfresco.suggestable.property.1={http://www.alfresco.org/model/content/1.0}title
alfresco.suggestable.property.2={http://www.alfresco.org/model/content/1.0}description
alfresco.suggestable.property.3={http://www.alfresco.org/model/content/1.0}content
EOF

22
e2e-test/qa/search/ssl/search/scripts/update-solrcore.properties.sh Executable file
View File

@@ -0,0 +1,22 @@
set -ex
# author: paul brodner
#
# it seems 'archive' and 'alfresco' cores are using the rerank templates (/opt/alfresco-search-services/solrhome/templates/rerank/) by default
# When solr starts and 'archive' and 'alfresco' cores are created
# data from /opt/alfresco-search-services/solrhome/templates/rerank/ is applied
echo "Enabling SSL"
cat <<EOF >> /opt/alfresco-search-services/solrhome/templates/rerank/conf/solrcore.properties
alfresco.port=7070
alfresco.protocol=https
alfresco.port.ssl=7070
alfresco.secureComms=https
solr.port=8443
solr.port.ssl=8443
solr.secureComms=https
solr.solrConnectTimeout=5000
enable.alfresco.tracking=true
EOF