From da06269f3eb2e0f31cebdf6dfeb7aa12e6aba7a4 Mon Sep 17 00:00:00 2001 
From: Angel Borroy Date: Thu, 6 Jun 2019 15:32:40 +0200 Subject: [PATCH 01/13] Deployment of Alfresco and SearchServices/InsightEngine works out of the box with secure comms enabled. Remove existing default certificates. --- .../noRerank/conf/solrcore.properties | 18 +++++++++--------- .../conf/ssl-keystore-passwords.properties | 7 ------- .../conf/ssl-truststore-passwords.properties | 5 ----- .../noRerank/conf/ssl.repo.client.keystore | Bin 2766 -> 0 bytes .../noRerank/conf/ssl.repo.client.truststore | Bin 740 -> 0 bytes .../templates/rerank/conf/solrcore.properties | 18 +++++++++--------- .../conf/ssl-keystore-passwords.properties | 7 ------- .../conf/ssl-truststore-passwords.properties | 5 ----- .../rerank/conf/ssl.repo.client.keystore | Bin 2766 -> 0 bytes .../rerank/conf/ssl.repo.client.truststore | Bin 740 -> 0 bytes 10 files changed, 18 insertions(+), 42 deletions(-) delete mode 100644 search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/ssl-keystore-passwords.properties delete mode 100644 search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/ssl-truststore-passwords.properties delete mode 100644 search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/ssl.repo.client.keystore delete mode 100644 search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/ssl.repo.client.truststore delete mode 100644 search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/ssl-keystore-passwords.properties delete mode 100644 search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/ssl-truststore-passwords.properties delete mode 100644 search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/ssl.repo.client.keystore delete mode 100644 search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/ssl.repo.client.truststore 
diff --git a/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/solrcore.properties b/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/solrcore.properties
index 9fec43c0e..053a4f153 100644
--- a/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/solrcore.properties
+++ b/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/solrcore.properties
@@ -33,17 +33,17 @@ alfresco.recordUnindexedNodes=false
 
 # encryption
 # none, https
-alfresco.secureComms=none
+alfresco.secureComms=https
 
 # ssl
-alfresco.encryption.ssl.keystore.type=JCEKS
-alfresco.encryption.ssl.keystore.provider=
-alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore
-alfresco.encryption.ssl.keystore.passwordFileLocation=ssl-keystore-passwords.properties
-alfresco.encryption.ssl.truststore.type=JCEKS
-alfresco.encryption.ssl.truststore.provider=
-alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore
-alfresco.encryption.ssl.truststore.passwordFileLocation=ssl-truststore-passwords.properties
+#alfresco.encryption.ssl.keystore.type=
+#alfresco.encryption.ssl.keystore.provider=
+#alfresco.encryption.ssl.keystore.location=
+#alfresco.encryption.ssl.keystore.passwordFileLocation=
+#alfresco.encryption.ssl.truststore.type=
+#alfresco.encryption.ssl.truststore.provider=
+#alfresco.encryption.ssl.truststore.location=
+#alfresco.encryption.ssl.truststore.passwordFileLocation=
 
 # Default Tracker
 alfresco.cron=0/10 * * * * ? *
diff --git a/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/ssl-keystore-passwords.properties b/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/ssl-keystore-passwords.properties
deleted file mode 100644
index 5fc6a0f7e..000000000
--- a/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/ssl-keystore-passwords.properties
+++ /dev/null
@@ -1,7 +0,0 @@
-aliases=ssl.alfresco.ca,ssl.repo.client
-# The ssl keystore password
-keystore.password=kT9X6oe68t
-# The password protecting the ssl repository key
-ssl.repo.client.password=kT9X6oe68t
-# The password protecting the ssl Alfresco CA key
-ssl.alfresco.ca.password=kT9X6oe68t
\ No newline at end of file
diff --git a/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/ssl-truststore-passwords.properties b/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/ssl-truststore-passwords.properties
deleted file mode 100644
index ffbc7229e..000000000
--- a/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/ssl-truststore-passwords.properties
+++ /dev/null
@@ -1,5 +0,0 @@
-aliases=alfresco.ca
-# The ssl truststore password
-keystore.password=kT9X6oe68t
-# The password protecting the ssl Alfresco CA strust certificate
-alfresco.ca.password=kT9X6oe68t
\ No newline at end of file
diff --git a/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/ssl.repo.client.keystore b/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/ssl.repo.client.keystore deleted file mode 100644 index a2faa8cc8c74c09773c6e719043e5b93092473a9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2766 zcmX?i?%X*B1_mZL=1$B>D@rX+&euy$WME*l6r5!r$iNz*XKG*xRJOpNiD?cHvo2s} zVq{|CWN5mQ{4Gb#=DGnd8>d#AN85K^Mn+av27@$1ZUas>=1>+kVJ3Gc7>9$0Db(9g z*gy~@!_LFyo0yrBnwOE9m|`ezAPW-Y;t_L%IzS;fKdq!Zu_#r+rzAzsP{cq8q=1=+ z8?M0F(Lh0**U-qo!qC9b%+TD}Buawc$Pg%CZfFh_pqon?=Oc#!BP#=QV=se2V<%H% zBf~3=qLPDb@-}DKE}6Q0`<_@K$0PT@iutD@Am&vYIh!LPnpxDA@=jU>8`-J&pt;i7dfW1w}GqJ?dB?mSr0Oe z8x=&$?Ohn3ojm-}-7=lSsqydQh1Kcrix!`pn4nsDor#%|fpKwwfgd=KW%*ddSVWkm z=G$AiSvTydWfQ5t&C%2PO7y0IJTQo5m02VV#2T|tP}GXs6P zXhZA)IlcPz9sY}Ajd-sresmEy`S{JX8}|-P6Ysp%x!vM&7+df0DQ2!oP2VS3?hMe~ zsS#^`Sdg)KVf2fa|N1v*HI}|f+;n->ZcqDpuXHVLHEXfRh;NpUpQ#(XD*b)=<9|ig zyLwCNe-*v`6Qb>w%l>-hAHxQvO8vnxEHs)g>#>;4_DUY(t9kdn#4hzw z)xP-7XV1aYLZ3QjEfMrC7Z+4t)xMvDb<(_`;zgBPswKlxs`kzm|e4?L+lgwS9hFwbya_3;}Xux*P|C4e_Cg;r0z*^pvIQPiHlCI z{Plo&L#JM`(m~@LqTM>PF0WZzp!H;?!2afc_l}-Z+*T2LLM(Ep_xU-TQf{{WY&vUY zZNqmwQ&n5+_rX22g6sP0Rp-{oeD$nRDto?p?b!qTt?a)e-&H-IzIMOPHy4p97h^w% zRQBbs_B6gUWm?oU!H9_u?f)@WnmybeID7UIaoGv}6Mmh&H78MuRqfk#qb~yLCl0<& z%-Wx-YHY4^#?j}6UiW=DAA7gOb1L37IP!dxZAyKeUK(?KW^`BgW`Q+iPM_LSm2MuFLvwUt1csRL^J8lU-z3wYT%gM1?sU zSIyP&VRgHjx=t)Ecjmn@c4j`d>UqIKKdlu951f8E zZR4u*Ia2r5%M89KAx-(Z+} z$ExCVnra4Pk}ms_**8v0$35~tXW!Yk$Z_L_bSuHwHCHUReGCg!d1v&=vAUo@=hXay zYGo!iAy@P;?JM&$970x%e~Mc>6muzUsyL+^qIz#H&b`m z2G2F*;!2yu62|kZM0L-C`LhMSXB8{(3- z#jI9JPwrcmrLkM@kZqII&pV51{y(|tEwD+q;P-6CZ66nkJPp(?;6LTv!z5E+=fRR< zvL$A&WK^1ai9_mAk<1&S&XMy%P3tBFJc=<>vCQf9J<+l{qJ~nLh_38@5MJ}Tix!vv@2ZgOUHvejZ@e4 zW^%t~tF&QsYN~qw+t<7Ozm(dYhuTx-bZLnFJa4)yaPG6u5z9r6DeZ0GDt5cMiec7+ zOyfoc(Qk>`un2ACnqMTR$gafW@KPo9AMxF4rEzA7BLnP 
zW~ur17H-xJdurK4>Th%Ow7wF(X&?^_Vp(Mt2?MbP>xE#jTdwhzSYf{tqNtQbU zba!gR+8-8VY+e}s;^n{o4O)$*ZxT0MUbWlPe%>oxi(AcFEHdJo<>P1S2CqtgU;g-C zk@c?LlKNjoZ~ug7yXCUKUirtcL8(%I@=EPg^NmqYmiV1K=Gt;}*You^q!`z3T3IBT G?Fj(wruG#8 diff --git a/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties b/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties index 909700ff6..0d89813e5 100644 --- a/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties +++ b/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties @@ -33,17 +33,17 @@ alfresco.recordUnindexedNodes=false # encryption # none, https -alfresco.secureComms=none +alfresco.secureComms=https # ssl -alfresco.encryption.ssl.keystore.type=JCEKS -alfresco.encryption.ssl.keystore.provider= -alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore -alfresco.encryption.ssl.keystore.passwordFileLocation=ssl-keystore-passwords.properties -alfresco.encryption.ssl.truststore.type=JCEKS -alfresco.encryption.ssl.truststore.provider= -alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore -alfresco.encryption.ssl.truststore.passwordFileLocation=ssl-truststore-passwords.properties +#alfresco.encryption.ssl.keystore.type= +#alfresco.encryption.ssl.keystore.provider= +#alfresco.encryption.ssl.keystore.location= +#alfresco.encryption.ssl.keystore.passwordFileLocation= +#alfresco.encryption.ssl.truststore.type= +#alfresco.encryption.ssl.truststore.provider= +#alfresco.encryption.ssl.truststore.location= +#alfresco.encryption.ssl.truststore.passwordFileLocation= # Default Tracker alfresco.cron=0/10 * * * * ? * 
diff --git a/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/ssl-keystore-passwords.properties b/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/ssl-keystore-passwords.properties
deleted file mode 100644
index 5fc6a0f7e..000000000
--- a/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/ssl-keystore-passwords.properties
+++ /dev/null
@@ -1,7 +0,0 @@
-aliases=ssl.alfresco.ca,ssl.repo.client
-# The ssl keystore password
-keystore.password=kT9X6oe68t
-# The password protecting the ssl repository key
-ssl.repo.client.password=kT9X6oe68t
-# The password protecting the ssl Alfresco CA key
-ssl.alfresco.ca.password=kT9X6oe68t
\ No newline at end of file
diff --git a/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/ssl-truststore-passwords.properties b/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/ssl-truststore-passwords.properties
deleted file mode 100644
index ffbc7229e..000000000
--- a/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/ssl-truststore-passwords.properties
+++ /dev/null
@@ -1,5 +0,0 @@
-aliases=alfresco.ca
-# The ssl truststore password
-keystore.password=kT9X6oe68t
-# The password protecting the ssl Alfresco CA strust certificate
-alfresco.ca.password=kT9X6oe68t
\ No newline at end of file
diff --git a/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/ssl.repo.client.keystore b/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/ssl.repo.client.keystore deleted file mode 100644 index a2faa8cc8c74c09773c6e719043e5b93092473a9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2766 zcmX?i?%X*B1_mZL=1$B>D@rX+&euy$WME*l6r5!r$iNz*XKG*xRJOpNiD?cHvo2s} zVq{|CWN5mQ{4Gb#=DGnd8>d#AN85K^Mn+av27@$1ZUas>=1>+kVJ3Gc7>9$0Db(9g z*gy~@!_LFyo0yrBnwOE9m|`ezAPW-Y;t_L%IzS;fKdq!Zu_#r+rzAzsP{cq8q=1=+ z8?M0F(Lh0**U-qo!qC9b%+TD}Buawc$Pg%CZfFh_pqon?=Oc#!BP#=QV=se2V<%H% zBf~3=qLPDb@-}DKE}6Q0`<_@K$0PT@iutD@Am&vYIh!LPnpxDA@=jU>8`-J&pt;i7dfW1w}GqJ?dB?mSr0Oe z8x=&$?Ohn3ojm-}-7=lSsqydQh1Kcrix!`pn4nsDor#%|fpKwwfgd=KW%*ddSVWkm z=G$AiSvTydWfQ5t&C%2PO7y0IJTQo5m02VV#2T|tP}GXs6P zXhZA)IlcPz9sY}Ajd-sresmEy`S{JX8}|-P6Ysp%x!vM&7+df0DQ2!oP2VS3?hMe~ zsS#^`Sdg)KVf2fa|N1v*HI}|f+;n->ZcqDpuXHVLHEXfRh;NpUpQ#(XD*b)=<9|ig zyLwCNe-*v`6Qb>w%l>-hAHxQvO8vnxEHs)g>#>;4_DUY(t9kdn#4hzw z)xP-7XV1aYLZ3QjEfMrC7Z+4t)xMvDb<(_`;zgBPswKlxs`kzm|e4?L+lgwS9hFwbya_3;}Xux*P|C4e_Cg;r0z*^pvIQPiHlCI z{Plo&L#JM`(m~@LqTM>PF0WZzp!H;?!2afc_l}-Z+*T2LLM(Ep_xU-TQf{{WY&vUY zZNqmwQ&n5+_rX22g6sP0Rp-{oeD$nRDto?p?b!qTt?a)e-&H-IzIMOPHy4p97h^w% zRQBbs_B6gUWm?oU!H9_u?f)@WnmybeID7UIaoGv}6Mmh&H78MuRqfk#qb~yLCl0<& z%-Wx-YHY4^#?j}6UiW=DAA7gOb1L37IP!dxZAyKeUK(?KW^`BgW`Q+iPM_LSm2MuFLvwUt1csRL^J8lU-z3wYT%gM1?sU zSIyP&VRgHjx=t)Ecjmn@c4j`d>UqIKKdlu951f8E zZR4u*Ia2r5%M89KAx-(Z+} z$ExCVnra4Pk}ms_**8v0$35~tXW!Yk$Z_L_bSuHwHCHUReGCg!d1v&=vAUo@=hXay zYGo!iAy@P;?JM&$970x%e~Mc>6muzUsyL+^qIz#H&b`m z2G2F*;!2yu62|kZM0L-C`LhMSXB8{(3- z#jI9JPwrcmrLkM@kZqII&pV51{y(|tEwD+q;P-6CZ66nkJPp(?;6LTv!z5E+=fRR< zvL$A&WK^1ai9_mAk<1&S&XMy%P3tBFJc=<>vCQf9J<+l{qJ~nLh_38@5MJ}Tix!vv@2ZgOUHvejZ@e4 zW^%t~tF&QsYN~qw+t<7Ozm(dYhuTx-bZLnFJa4)yaPG6u5z9r6DeZ0GDt5cMiec7+ zOyfoc(Qk>`un2ACnqMTR$gafW@KPo9AMxF4rEzA7BLnP zW~ur17H-xJdurK4>Th%Ow7wF(X&?^_Vp(Mt2?MbP>xE#jTdwhzSYf{tqNtQbU 
zba!gR+8-8VY+e}s;^n{o4O)$*ZxT0MUbWlPe%>oxi(AcFEHdJo<>P1S2CqtgU;g-C zk@c?LlKNjoZ~ug7yXCUKUirtcL8(%I@=EPg^NmqYmiV1K=Gt;}*You^q!`z3T3IBT G?Fj(wruG#8 From 8e30f4906c47263181efe2a778defaa21b715d9e Mon Sep 17 00:00:00 2001 From: Angel Borroy Date: Fri, 7 Jun 2019 11:22:37 +0200 Subject: [PATCH 02/13] Restoring default properties to provide a distribution according to documentation (https://docs.alfresco.com/search-enterprise/tasks/solr-install.html) --- .../noRerank/conf/solrcore.properties | 19 ++++++++++--------- .../templates/rerank/conf/solrcore.properties | 19 ++++++++++--------- 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/solrcore.properties b/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/solrcore.properties index 053a4f153..e91ba7ee8 100644 --- a/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/solrcore.properties +++ b/search-services/alfresco-search/src/main/resources/solr/instance/templates/noRerank/conf/solrcore.properties 
@@ -35,15 +35,16 @@ alfresco.recordUnindexedNodes=false
 # none, https
 alfresco.secureComms=https
 
-# ssl
-#alfresco.encryption.ssl.keystore.type=
-#alfresco.encryption.ssl.keystore.provider=
-#alfresco.encryption.ssl.keystore.location=
-#alfresco.encryption.ssl.keystore.passwordFileLocation=
-#alfresco.encryption.ssl.truststore.type=
-#alfresco.encryption.ssl.truststore.provider=
-#alfresco.encryption.ssl.truststore.location=
-#alfresco.encryption.ssl.truststore.passwordFileLocation=
+# ssl, default values
+# keystore and trustore files are not provided by default
+alfresco.encryption.ssl.keystore.type=JCEKS
+alfresco.encryption.ssl.keystore.provider=
+alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore
+alfresco.encryption.ssl.keystore.passwordFileLocation=ssl-keystore-passwords.properties
+alfresco.encryption.ssl.truststore.type=JCEKS
+alfresco.encryption.ssl.truststore.provider=
+alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore
+alfresco.encryption.ssl.truststore.passwordFileLocation=ssl-truststore-passwords.properties
 
 # Default Tracker
 alfresco.cron=0/10 * * * * ? *
diff --git a/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties b/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties
index 0d89813e5..06f089370 100644
--- a/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties
+++ b/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties
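Review bot: The new comment `# keystore and trustore files are not provided by default` misspells truststore and does not tell the operator what has to be supplied, which matters now that `alfresco.secureComms=https` is the shipped default and the four files named by the `location` and `passwordFileLocation` keys no longer exist in the template after the previous patch. A core started from this template will presumably not be able to open its keystore until those files are put in place. Suggest `# keystore and truststore files are not provided by default: generate them with the Alfresco SSL tool and copy ssl.repo.client.keystore, ssl.repo.client.truststore, ssl-keystore-passwords.properties and ssl-truststore-passwords.properties into this conf folder before starting`. The rerank template hunk that follows carries the same comment and needs the same fix.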
@@ -35,15 +35,16 @@ alfresco.recordUnindexedNodes=false
 # none, https
 alfresco.secureComms=https
 
-# ssl
-#alfresco.encryption.ssl.keystore.type=
-#alfresco.encryption.ssl.keystore.provider=
-#alfresco.encryption.ssl.keystore.location=
-#alfresco.encryption.ssl.keystore.passwordFileLocation=
-#alfresco.encryption.ssl.truststore.type=
-#alfresco.encryption.ssl.truststore.provider=
-#alfresco.encryption.ssl.truststore.location=
-#alfresco.encryption.ssl.truststore.passwordFileLocation=
+# ssl, default values
+# keystore and trustore files are not provided by default
+alfresco.encryption.ssl.keystore.type=JCEKS
+alfresco.encryption.ssl.keystore.provider=
+alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore
+alfresco.encryption.ssl.keystore.passwordFileLocation=ssl-keystore-passwords.properties
+alfresco.encryption.ssl.truststore.type=JCEKS
+alfresco.encryption.ssl.truststore.provider=
+alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore
+alfresco.encryption.ssl.truststore.passwordFileLocation=ssl-truststore-passwords.properties
 
 # Default Tracker
 alfresco.cron=0/10 * * * * ? *
From b48d65e98d725f0bcc42ea03ab14f61f4c7f1ef6 Mon Sep 17 00:00:00 2001 From: Angel Borroy Date: Fri, 7 Jun 2019 13:12:50 +0200 Subject: [PATCH 03/13] Skip loading SSL Settings from properties when "alfresco.secureComms" is set to "none" --- .../solr/core/CoreDescriptorDecorator.java | 34 ++++- .../solr/client/SOLRAPIClientFactory.java | 119 +++++++++++++----- 2 files changed, 117 insertions(+), 36 deletions(-)
diff --git a/search-services/alfresco-search/src/main/java/org/apache/solr/core/CoreDescriptorDecorator.java b/search-services/alfresco-search/src/main/java/org/apache/solr/core/CoreDescriptorDecorator.java
index 22ae4c9a1..848381ca1 100644
--- a/search-services/alfresco-search/src/main/java/org/apache/solr/core/CoreDescriptorDecorator.java
+++ b/search-services/alfresco-search/src/main/java/org/apache/solr/core/CoreDescriptorDecorator.java
@@ -18,12 +18,14 @@
 */
 package org.apache.solr.core;
 
-import com.google.common.collect.ImmutableList;
+import java.util.List;
+import java.util.Properties;
+
 import org.alfresco.solr.config.ConfigUtil;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-import java.util.Properties;
+import com.google.common.collect.ImmutableList;
 
 /**
 * This class was created solely for the purpose of exposing the coreProperties of the CoreDescriptor.
@@ -32,13 +34,16 @@ import java.util.Properties;
 * The Substitutable Properties are defined in the substitutableProperties list.
 * @author Ahmed Owian
 * @author Gethin James
+ * @author aborroy
 */
 public class CoreDescriptorDecorator
 {
 private static Log log = LogFactory.getLog(CoreDescriptorDecorator.class);
 private final Properties properties = new Properties();
+
+ private static String SECURE_COMMS_PROPERTY = "alfresco.secureComms";
 
- public static ImmutableList substitutableProperties =
+ public static ImmutableList substitutablePropertiesSecure =
 ImmutableList.of(
 "alfresco.host",
 "alfresco.port",
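Review bot: `private static String SECURE_COMMS_PROPERTY = "alfresco.secureComms";` is a mutable static holding a configuration key; declare it `private static final String SECURE_COMMS_PROPERTY = "alfresco.secureComms";` so it cannot be reassigned. Renaming the public field `substitutableProperties` to `substitutablePropertiesSecure` is a source-incompatible change for any code outside this class that reads it, and the Javadoc sentence `The Substitutable Properties are defined in the substitutableProperties list.` in the same hunk still names the old field; it should describe both the secure and the none lists. The raw `ImmutableList` could be parameterised as `ImmutableList<String>` so the `forEach(prop -> ...)` in the constructor works on typed values.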
@@ -54,18 +59,37 @@ public class CoreDescriptorDecorator
 "alfresco.encryption.ssl.keystore.provider",
 "alfresco.encryption.ssl.truststore.type");
 
+ public static ImmutableList substitutablePropertiesNone =
+ ImmutableList.of(
+ "alfresco.host",
+ "alfresco.port",
+ "alfresco.baseUrl",
+ "alfresco.secureComms");
+
 public CoreDescriptorDecorator(CoreDescriptor descriptor)
 {
 properties.putAll(descriptor.coreProperties);
+
+ List coreProperties;
+ String comms = ConfigUtil.locateProperty(SECURE_COMMS_PROPERTY, "none");
+ if (comms.equals("https"))
+ {
+ coreProperties = substitutablePropertiesSecure;
+ }
+ else
+ {
+ coreProperties = substitutablePropertiesNone;
+ }
+
 try
 {
- substitutableProperties.forEach(prop ->
+ coreProperties.forEach(prop ->
 properties.put(prop, ConfigUtil.locateProperty(prop,properties.getProperty(prop)))
 );
 }
 catch(Exception e)
 {
- log.warn("Unable to locate alfresco host|port|baseUrl|ssl properties");
+ log.warn("Unable to locate alfresco host|port|baseUrl|ssl properties", e);
 }
 }
 
diff --git a/search-services/alfresco-solrclient-lib/src/main/java/org/alfresco/solr/client/SOLRAPIClientFactory.java b/search-services/alfresco-solrclient-lib/src/main/java/org/alfresco/solr/client/SOLRAPIClientFactory.java
index b2a8efac2..0fbf5df7a 100644
--- a/search-services/alfresco-solrclient-lib/src/main/java/org/alfresco/solr/client/SOLRAPIClientFactory.java
+++ b/search-services/alfresco-solrclient-lib/src/main/java/org/alfresco/solr/client/SOLRAPIClientFactory.java
@@ -38,6 +38,7 @@ import org.alfresco.httpclient.HttpClientFactory;
 import org.alfresco.httpclient.HttpClientFactory.SecureCommsType;
 import org.alfresco.repo.dictionary.NamespaceDAO;
 import org.alfresco.service.cmr.dictionary.DictionaryService;
+import org.apache.commons.httpclient.params.DefaultHttpParams;
 
 /**
 * This factory encapsulates the creation of a SOLRAPIClient and the management of that resource.
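Review bot: `ConfigUtil.locateProperty(SECURE_COMMS_PROPERTY, "none")` falls back to a hard-coded `"none"` rather than to the value the core itself carries in `properties`, unlike every other key in the same constructor which uses `properties.getProperty(prop)` as its fallback; judging by the JNDI/environment lookups visible in the ConfigUtil hunk later in this series, a core whose solrcore.properties says `alfresco.secureComms=https` (the new shipped default) is therefore treated as `none` here unless the same key is also set externally, and the `alfresco.encryption.ssl.*` keys silently lose their JNDI/system/environment overrides. Use the core value as the fallback and a null-safe comparison: `String comms = ConfigUtil.locateProperty(SECURE_COMMS_PROPERTY, properties.getProperty(SECURE_COMMS_PROPERTY, "none"));` followed by `if ("https".equals(comms))`. A short comment above the branch, such as `// ssl.* keys are only substituted when secure comms is https; the none list keeps host/port/baseUrl/secureComms overridable`, would make the two lists' purpose clear to the next reader.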
@@ -53,10 +54,6 @@ public class SOLRAPIClientFactory
 
 // encryption related parameters
 private String secureCommsType; // "none", "https"
- private String keyStoreType;
- private String keyStoreProvider;
- private String passwordFileLocation;
- private String keyStoreLocation;
 
 // ssl
 private String sslKeyStoreType;
@@ -151,24 +148,25 @@ public class SOLRAPIClientFactory
 if (client == null)
 {
 baseUrl = props.getProperty("alfresco.baseUrl", "/alfresco");
- keyStoreType = props.getProperty("alfresco.encryption.keystore.type", "JCEKS");
- keyStoreProvider = props.getProperty("alfresco.encryption.keystore.provider");
- passwordFileLocation = props.getProperty("alfresco.encryption.keystore.passwordFileLocation");
- keyStoreLocation = props.getProperty("alfresco.encryption.keystore.location");
- sslKeyStoreType = props.getProperty("alfresco.encryption.ssl.keystore.type", "JCEKS");
- sslKeyStoreProvider = props.getProperty("alfresco.encryption.ssl.keystore.provider", "");
- sslKeyStoreLocation = props.getProperty("alfresco.encryption.ssl.keystore.location",
- "ssl.repo.client.keystore");
- sslKeyStorePasswordFileLocation = props.getProperty(
- "alfresco.encryption.ssl.keystore.passwordFileLocation", "ssl-keystore-passwords.properties");
- sslTrustStoreType = props.getProperty("alfresco.encryption.ssl.truststore.type", "JCEKS");
- sslTrustStoreProvider = props.getProperty("alfresco.encryption.ssl.truststore.provider", "");
- sslTrustStoreLocation = props.getProperty("alfresco.encryption.ssl.truststore.location",
- "ssl.repo.client.truststore");
- sslTrustStorePasswordFileLocation = props.getProperty(
- "alfresco.encryption.ssl.truststore.passwordFileLocation",
- "ssl-truststore-passwords.properties");
+ // Load SSL settings only when using HTTPs protocol
 secureCommsType = props.getProperty("alfresco.secureComms", "none");
+ if (secureCommsType.equals("https"))
+ {
+ sslKeyStoreType = getProperty(props, "alfresco.encryption.ssl.keystore.type", "JCEKS");
+ sslKeyStoreProvider = getProperty(props, "alfresco.encryption.ssl.keystore.provider", "");
+ sslKeyStoreLocation = getProperty(props, "alfresco.encryption.ssl.keystore.location",
+ "ssl.repo.client.keystore");
+ sslKeyStorePasswordFileLocation = getProperty(props,
+ "alfresco.encryption.ssl.keystore.passwordFileLocation",
+ "ssl-keystore-passwords.properties");
+ sslTrustStoreType = getProperty(props, "alfresco.encryption.ssl.truststore.type", "JCEKS");
+ sslTrustStoreProvider = getProperty(props, "alfresco.encryption.ssl.truststore.provider", "");
+ sslTrustStoreLocation = getProperty(props, "alfresco.encryption.ssl.truststore.location",
+ "ssl.repo.client.truststore");
+ sslTrustStorePasswordFileLocation = getProperty(props,
+ "alfresco.encryption.ssl.truststore.passwordFileLocation",
+ "ssl-truststore-passwords.properties");
+ }
 maxTotalConnections = Integer.parseInt(props.getProperty("alfresco.maxTotalConnections", "40"));
 maxHostConnections = Integer.parseInt(props.getProperty("alfresco.maxHostConnections", "40"));
 socketTimeout = Integer.parseInt(props.getProperty("alfresco.socketTimeout", "60000"));
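Review bot: `secureCommsType` is still read with `props.getProperty("alfresco.secureComms", "none")` while every `alfresco.encryption.ssl.*` key now goes through the new `getProperty` helper, which consults `System.getProperties()` before the core properties; so a `-Dalfresco.secureComms=https` override would be ignored here while its companion keystore overrides are honoured, and the keystore block would be skipped entirely (unless CoreDescriptorDecorator has already substituted the value into `props` upstream, which is not visible in this hunk). Give the mode the same precedence: `secureCommsType = getProperty(props, "alfresco.secureComms", "none");`. The check `secureCommsType.equals("https")` is also case-sensitive, so `HTTPS` or a value with trailing whitespace bypasses the SSL settings and, through `getRepoClient`, ends up on plain HTTP; trimming and lower-casing once at assignment would avoid that. The enclosing method continues outside the hunk.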
@@ -182,20 +180,79 @@ public class SOLRAPIClientFactory protected AlfrescoHttpClient getRepoClient(KeyResourceLoader keyResourceLoader) { - // TODO i18n - KeyStoreParameters keyStoreParameters = new KeyStoreParameters("SSL Key Store", sslKeyStoreType, - sslKeyStoreProvider, sslKeyStorePasswordFileLocation, sslKeyStoreLocation); - KeyStoreParameters trustStoreParameters = new KeyStoreParameters("SSL Trust Store", sslTrustStoreType, - sslTrustStoreProvider, sslTrustStorePasswordFileLocation, sslTrustStoreLocation); - SSLEncryptionParameters sslEncryptionParameters = new SSLEncryptionParameters(keyStoreParameters, - trustStoreParameters); - - HttpClientFactory httpClientFactory = new HttpClientFactory(SecureCommsType.getType(secureCommsType), + HttpClientFactory httpClientFactory = null; + + if (secureCommsType.equals("https")) + { + KeyStoreParameters keyStoreParameters = new KeyStoreParameters("SSL Key Store", sslKeyStoreType, + sslKeyStoreProvider, sslKeyStorePasswordFileLocation, sslKeyStoreLocation); + KeyStoreParameters trustStoreParameters = new KeyStoreParameters("SSL Trust Store", sslTrustStoreType, + sslTrustStoreProvider, sslTrustStorePasswordFileLocation, sslTrustStoreLocation); + SSLEncryptionParameters sslEncryptionParameters = new SSLEncryptionParameters(keyStoreParameters, + trustStoreParameters); + httpClientFactory = new HttpClientFactory(SecureCommsType.getType(secureCommsType), sslEncryptionParameters, keyResourceLoader, null, null, alfrescoHost, alfrescoPort, alfrescoPortSSL, maxTotalConnections, maxHostConnections, socketTimeout); - // TODO need to make port configurable depending on secure comms, or just make redirects work + } + else + { + httpClientFactory = new PlainHttpClientFactory(alfrescoHost, alfrescoPort, maxTotalConnections, maxHostConnections); + } + AlfrescoHttpClient repoClient = httpClientFactory.getRepoClient(alfrescoHost, alfrescoPortSSL); repoClient.setBaseUrl(baseUrl); return repoClient; + } + + /** + * Return property value 
from system (passed as -D argument). + * If the system property does not exists, return local value from solrcore.properties + * If the local property does not exists, return default value + * + * @param props Local properties file (solrcore.properties) + * @param key The property key + * @return The value + */ + private String getProperty(Properties props, String key, String defaultValue) + { + String value = System.getProperties().getProperty(key); + if (value == null) + { + value = props.getProperty(key); + } + if (value == null) + { + value = defaultValue; + } + return value; + } + + /** + * Local class to avoid loading sslEntryptionParameters for plain http connections. + * + * @author aborroy + * + */ + class PlainHttpClientFactory extends HttpClientFactory + { + public PlainHttpClientFactory(String host, int port, int maxTotalConnections, int maxHostConnections) + { + setSecureCommsType("none"); + setHost(host); + setPort(port); + setMaxTotalConnections(maxTotalConnections); + setMaxHostConnections(maxHostConnections); + init(); + } + + @Override + public void init() + { + DefaultHttpParams.setHttpParamsFactory(new NonBlockingHttpParamsFactory()); + } + + } + } + From f0969693ce0fccf6a3e5d01d1214b69f4d8c9145 Mon Sep 17 00:00:00 2001 From: Angel Borroy Date: Fri, 7 Jun 2019 13:14:00 +0200 Subject: [PATCH 04/13] Allow passing Java environment variables with mixed uppercase and lowercase keys, like "alfresco.encryption.ssl.truststore.passwordFileLocation" and "alfresco.encryption.ssl.keystore.passwordFileLocation" --- .../src/main/java/org/alfresco/solr/config/ConfigUtil.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/search-services/alfresco-search/src/main/java/org/alfresco/solr/config/ConfigUtil.java b/search-services/alfresco-search/src/main/java/org/alfresco/solr/config/ConfigUtil.java index 663f5b5c3..a02fd159a 100644 --- a/search-services/alfresco-search/src/main/java/org/alfresco/solr/config/ConfigUtil.java 
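Review bot: The `else` branch of `getRepoClient` builds a `PlainHttpClientFactory` for every value of `secureCommsType` other than the exact string `https`, so a misspelt or unexpected mode (`HTTPS`, `ssl`, `"https "`) silently downgrades repository traffic to plain HTTP instead of failing; restrict the fallback to the documented value with `else if ("none".equals(secureCommsType))` around the existing assignment and add a final `else { throw new IllegalArgumentException("Unsupported alfresco.secureComms value: " + secureCommsType); }`. `PlainHttpClientFactory` is a non-static inner class whose constructor calls the overridable `init()`, and the override does not call `super.init()`, so whatever the parent `init()` sets up is skipped; a comment such as `// overrides init() to skip SSL parameter loading; the parent's other setup is intentionally not performed` would record whether that is deliberate. The `getProperty` Javadoc omits `@param defaultValue The value returned when neither a system nor a local property is set`. Both `getRepoClient` and the new members are entirely within the hunk.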
+++ b/search-services/alfresco-search/src/main/java/org/alfresco/solr/config/ConfigUtil.java @@ -52,7 +52,7 @@ public class ConfigUtil { { String propertyValue = null; - String propertyKey = propertyName.toLowerCase(); + String propertyKey = propertyName; String jndiKey = convertPropertyNameToJNDIPath(propertyKey); String envVar = convertPropertyNameToEnvironmentParam(propertyKey); From 888aca6bc9d0fa436b2a30a0652e737cab5141ab Mon Sep 17 00:00:00 2001 From: Angel Borroy Date: Fri, 7 Jun 2019 13:14:45 +0200 Subject: [PATCH 05/13] Describing how to start SOLR from Distribution ZIP using Mutual Auth TLS (SSL) and Plain HTTP. --- search-services/README.md | 149 ++++++++++++++++++++++++++++++++++---- 1 file changed, 134 insertions(+), 15 deletions(-) diff --git a/search-services/README.md b/search-services/README.md index f5caddb21..be8bbdd29 100644 --- a/search-services/README.md +++ b/search-services/README.md 
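Review bot: Dropping `toLowerCase()` makes `locateProperty` match property names case-sensitively, which the mixed-case `passwordFileLocation` keys in the commit message need, but it is a behaviour change for any existing deployment that registered JNDI entries or system properties under the lower-cased key, and nothing in the hunk documents it; add a comment above the assignment such as `// property names are matched case-sensitively (e.g. alfresco.encryption.ssl.keystore.passwordFileLocation); JNDI and system keys must use the exact case`. Whether environment variables are affected depends on what `convertPropertyNameToEnvironmentParam` does with case, which is not visible here, so a unit test for one mixed-case key through each lookup path is worth adding. The enclosing method starts and ends outside the hunk.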
@@ -7,49 +7,168 @@ Alfresco Search Services using Alfresco and Apache Solr Git: ```bash -git clone https://github.com/Alfresco/SearchServices.git +$ git clone https://github.com/Alfresco/SearchServices.git ``` ### Use Maven -Build project: + +Build the project: ```bash -mvn clean install +$ mvn clean install -DskipTests=true ``` -All the resources needed for the docker image will be available under packaging/target/docker-resources/ +All the resources required to run Alfresco Search Services will be available under `packaging/target` folder. ### Start Alfresco Search Services from source -To run Alfresco Search Services locally first build the zip file using: + +To run Alfresco Search Services locally, building the ZIP distribution file is required. ```bash -mvn clean install +$ mvn clean install -DskipTests=true ``` -Extract the zip file and launch Alfresco Search Services using: +After the project is successfully built, ZIP can be extracted. ```bash -cd packaging/target -unzip alfresco-search-services-*.zip -cd alfresco-search-services/solr -./bin/solr start -Dcreate.alfresco.defaults=alfresco,archive +$ cd packaging/target +$ unzip alfresco-search-services-*.zip +$ cd alfresco-search-services ``` -If you also start an ACS instance then index will be populated. By default Alfresco Search Services runs on port 8983, but this can be set by supplying e.g. `-p 8083` to the "solr start" command. +From Alfresco *Search Services 1.3.0.3*, distribution ZIP is released with Mutual Auth TLS (SSL) by default. So before starting the service, generating secure keys for SSL communication is required. You can find detailed information for this step at [Alfresco documentation](https://docs.alfresco.com/search-enterprise/tasks/generate-keys-ssl.html). + +The `keystores` folder generated by the SSL Tool contains the keystores and truststores for SSL configuration. In the following steps, it's assumed that SSL Tool has been executed from `/tmp` or `C:\tmp` folder. 
+ +```bash +$ tree /tmp/keystores/ +keystores/ +├── alfresco +│   ├── keystore +│   ├── keystore-passwords.properties +│   ├── ssl-keystore-passwords.properties +│   ├── ssl-truststore-passwords.properties +│   ├── ssl.keystore +│   └── ssl.truststore +├── client +│   └── browser.p12 +├── solr +│   ├── ssl-keystore-passwords.properties +│   ├── ssl-truststore-passwords.properties +│   ├── ssl.repo.client.keystore +│   └── ssl.repo.client.truststore +└── zeppelin + ├── ssl.repo.client.keystore + └── ssl.repo.client.truststore +``` + +SOLR SSL configuration files are available in `/tmp/keystores/solr` folder. + +These files must be copied to `rerank` configuration folder. + +``` +$ cp /tmp/keystores/solr/* solrhome/templates/rerank/conf +``` + + +If you are running from a *Linux* or *Mac OS X* machine, add following lines to `solr.in.sh` file. + +``` +SOLR_SSL_KEY_STORE=/tmp/keystores/solr/ssl.repo.client.keystore +SOLR_SSL_KEY_STORE_PASSWORD=keystore +SOLR_SSL_KEY_STORE_TYPE=JCEKS +SOLR_SSL_TRUST_STORE=/tmp/keystores/solr/ssl.repo.client.truststore +SOLR_SSL_TRUST_STORE_PASSWORD=truststore +SOLR_SSL_TRUST_STORE_TYPE=JCEKS +SOLR_SSL_NEED_CLIENT_AUTH=true +SOLR_SSL_WANT_CLIENT_AUTH=false +``` + +If you are running from a *Windows* machine, add following lines to `solr.in.cmd` file. 
+ +``` +set SOLR_SSL_KEY_STORE=C:\tmp\keystores\solr\ssl.repo.client.keystore +SOLR_SSL_KEY_STORE_PASSWORD=keystore +SOLR_SSL_KEY_STORE_TYPE=JCEKS +SOLR_SSL_TRUST_STORE=C:\tmp\keystores\solr\ssl.repo.client.truststore +SOLR_SSL_TRUST_STORE_PASSWORD=truststore +SOLR_SSL_TRUST_STORE_TYPE=JCEKS +SOLR_SSL_NEED_CLIENT_AUTH=true +SOLR_SSL_WANT_CLIENT_AUTH=false +``` + +Once this settings are ready, start SOLR service from command line: + +``` +$ ./solr/bin/solr start "-Dcreate.alfresco.defaults=alfresco,archive \ +-Dsolr.ssl.checkPeerName=false \ +-Dsolr.allow.unsafe.resourceloading=true" -f +``` + +SOLR will create Alfresco cores (`alfresco` and `archive`) when starting, and configuration from `rerank` template will be copied to each core and if you also started an ACS instance running in [https://localhost:8443/alfresco](https://localhost:8443/alfresco) then the index will be populated. + +SOLR Web Console will be available at: + +[https://localhost:8983/solr](https://localhost:8983/solr) + +**Note** Client certificate `browser.p12`, generated by the SSL Tool, is required to be installed in your browser in order to access to this Web Console. + +By default Alfresco Search Services runs on port 8983, but this can be set by supplying e.g. `-p 8083` to the "solr start" command. 
To set up remote debugging (on port 5005) start Alfresco Search Services with the following command and then connect using your IDE: ```bash -./bin/solr start -a "-Dcreate.alfresco.defaults=alfresco,archive -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=5005" +$ ./solr/bin/solr start -a "-Dcreate.alfresco.defaults=alfresco,archive \ +-Dsolr.ssl.checkPeerName=false \ +-Dsolr.allow.unsafe.resourceloading=true \ +-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=5005" -f ``` To stop Alfresco Search Services: ```bash -./bin/solr stop +$ ./solr/bin/solr stop ``` -### Docker +**Using Plain HTTP** + +If you want to use Plain HTTP for SOLR instead of Mutual Auth TLS (SSL), use following steps. + +```bash +$ mvn clean install -DskipTests=true +``` + +After the project is successfully built, ZIP can be extracted. + +```bash +$ cd packaging/target +$ unzip alfresco-search-services-*.zip +$ cd alfresco-search-services +``` + +Change default Alfresco Communication protocol to `none`. + +```bash +$ sed -i 's/alfresco.secureComms=https/alfresco.secureComms=none/' solrhome/templates/rerank/conf/solrcore.properties +``` + +*Note* Above line is written in GNU sed, you can use `gsed` from Mac OS X or just edit the file with a Text Editor. + +Start SOLR service from command line: + +``` +$ ./solr/bin/solr start "-Dcreate.alfresco.defaults=alfresco,archive" -f +``` + +SOLR will create Alfresco cores (`alfresco` and `archive`) when starting, and configuration from `rerank` template will be copied to each core and if you also started an ACS instance running in [http://localhost:8080/alfresco](http://localhost:8080/alfresco) then the index will be populated. + +SOLR Web Console will be available at: + +[http://localhost:8983/solr](http://localhost:8983/solr) + + +### Use Alfresco Search Services Docker Image + To build the docker image: ```bash From 3d0b5f868a27f504583aa7d8c4ed7cf05beacd99 Mon Sep 17 00:00:00 2001 
From: Angel Borroy Date: Fri, 7 Jun 2019 13:27:58 +0200 Subject: [PATCH 06/13] Describing how to start SOLR from Distribution ZIP using Mutual Auth TLS (SSL) and Plain HTTP. --- search-services/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/search-services/README.md b/search-services/README.md index be8bbdd29..20635a0ae 100644 --- a/search-services/README.md +++ b/search-services/README.md @@ -105,7 +105,9 @@ $ ./solr/bin/solr start "-Dcreate.alfresco.defaults=alfresco,archive \ -Dsolr.allow.unsafe.resourceloading=true" -f ``` -SOLR will create Alfresco cores (`alfresco` and `archive`) when starting, and configuration from `rerank` template will be copied to each core and if you also started an ACS instance running in [https://localhost:8443/alfresco](https://localhost:8443/alfresco) then the index will be populated. +SOLR will create Alfresco cores (`alfresco` and `archive`) when starting, and configuration from `rerank` template will be copied to each core. + +If you also started an ACS instance running in [https://localhost:8443/alfresco](https://localhost:8443/alfresco) with the keystores provided by the SSL Tool (`keystores/alfresco` folder), then the index will be populated. SOLR Web Console will be available at: From 007e5a2669e5571fe8fd2b97b4f2c336e312e2c8 Mon Sep 17 00:00:00 2001 From: Angel Borroy Date: Fri, 7 Jun 2019 13:51:15 +0200 Subject: [PATCH 07/13] This change should not apply to containers and it should remain secure comms as none. --- .../packaging/src/docker/search_config_setup.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/search-services/packaging/src/docker/search_config_setup.sh b/search-services/packaging/src/docker/search_config_setup.sh index 9697b7bc5..8c5843f43 100644 --- a/search-services/packaging/src/docker/search_config_setup.sh +++ b/search-services/packaging/src/docker/search_config_setup.sh 
@@ -18,4 +18,18 @@ if [[ ! -z "$SOLR_JAVA_MEM" ]]; then sed -i -e "s/.*SOLR_JAVA_MEM=.*/SOLR_JAVA_MEM=\"$SOLR_JAVA_MEM\"/g" $SOLR_IN_FILE fi +# By default Docker Image is using plain HTTP for communications with Repository +# TLS Mutual Auth can be enabled by setting ALFRESCO_SECURE_COMMS to any value different from 'none' ('https' is recommended) +if [[ -z "$ALFRESCO_SECURE_COMMS" || "none" == "$ALFRESCO_SECURE_COMMS" ]]; then + sed -i 's/alfresco.secureComms=https/alfresco.secureComms=none/' ${PWD}/solrhome/templates/rerank/conf/solrcore.properties + sed -i 's/alfresco.secureComms=https/alfresco.secureComms=none/' ${PWD}/solrhome/templates/noRerank/conf/solrcore.properties + # Apply also the setting to existing SOLR cores property files when existing + if [[ -f ${PWD}/solrhome/alfresco/conf/solrcore.properties ]]; then + sed -i 's/alfresco.secureComms=https/alfresco.secureComms=none/' ${PWD}/solrhome/alfresco/conf/solrcore.properties + fi + if [[ -f ${PWD}/solrhome/archive/conf/solrcore.properties ]]; then + sed -i 's/alfresco.secureComms=https/alfresco.secureComms=none/' ${PWD}/solrhome/archive/conf/solrcore.properties + fi +fi + bash -c "$@" \ No newline at end of file From 946c8edb85f93eb1b4c98cd3c561b864b9fe02d4 Mon Sep 17 00:00:00 2001 From: Angel Borroy Date: Fri, 7 Jun 2019 13:51:45 +0200 Subject: [PATCH 08/13] Describing how to start SOLR from the Docker Image using Mutual Auth TLS (SSL) and Plain HTTP. --- search-services/README.md | 58 +++++++++++++++++-- .../packaging/src/docker/Dockerfile | 2 + 2 files changed, 54 insertions(+), 6 deletions(-) diff --git a/search-services/README.md b/search-services/README.md index 20635a0ae..60e8b37ef 100644 --- a/search-services/README.md +++ b/search-services/README.md 
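Review bot: The plain-HTTP downgrade in the new `if` is taken when `ALFRESCO_SECURE_COMMS` is unset, not only when it is explicitly `none`, so any deployment that simply omits the variable silently loses mutual TLS between Solr and the repository; the fail-safe form is an explicit opt-out, `if [[ "none" == "$ALFRESCO_SECURE_COMMS" ]]; then`, with the comment adjusted to say TLS is the default. The branch also leaves no trace of which mode was applied, so a cleartext link is only noticed if someone inspects `solrcore.properties`; an `echo "alfresco.secureComms=none: plain HTTP to the repository (no mutual TLS)"` inside the branch would surface the choice in the container log. Note that the `sed` patterns match only the literal `alfresco.secureComms=https`, so a template or core file that already carries another value is left as is without any warning.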
@@ -171,31 +171,77 @@ SOLR Web Console will be available at: ### Use Alfresco Search Services Docker Image -To build the docker image: +Once the project has been built, the Docker image can be also built: ```bash -cd packaging/target/docker-resources/ -docker build -t searchservices:develop . +$ cd packaging/target/docker-resources/ +$ docker build -t searchservices:develop . ``` +*Search Services* Docker image is configured with **Plain HTTP** by default. + + To run the docker image: ```bash -docker run -p 8983:8983 searchservices:develop +$ docker run -p 8983:8983 -e SOLR_CREATE_ALFRESCO_DEFAULTS=alfresco,archive searchservices:develop ``` +SOLR Web Console will be available at: + +[http://localhost:8983/solr](http://localhost:8983/solr) + + +**Additional configuration** + To pass an environment variable: ```bash -docker run -e SOLR_JAVA_MEM=“-Xms4g -Xmx4g” -p 8983:8983 searchservices:develop +$ docker run -e SOLR_JAVA_MEM=“-Xms4g -Xmx4g” -p 8983:8983 searchservices:develop ``` To pass several environment variables (e.g. SOLR\_ALFRESCO\_HOST, SOLR\_ALFRESCO\_PORT, SOLR\_SOLR\_HOST, SOLR\_SOLR\_PORT, SOLR\_CREATE\_ALFRESCO\_DEFAULTS, SOLR\_HEAP, etc.): ```bash -docker run -e SOLR_ALFRESCO_HOST=localhost -e SOLR_ALFRESCO_PORT=8080 -p 8983:8983 searchservices:develop +$ docker run -e SOLR_ALFRESCO_HOST=localhost -e SOLR_ALFRESCO_PORT=8080 -p 8983:8983 searchservices:develop ``` + +**Using Mutual Auth TLS (SSL)** + +This Docker image is exposing as VOLUME the folder `/opt/alfresco-search-services/keystores`, that can be used to mount `keystores` folder from host. + +Additionally, SOLR Jetty server must be configured to start in SSL Mode using `SOLR\_SSL\_*` environment variables. + +Following command will start Search Services with SSL using keystores located at `/tmp/keystores/solr/tmp/keystores/solr`. Note that the internal folders are relative to `/opt/alfresco-search-services/keystores`, as this is the Docker container folder exposed to hold the keystores. 
+ +```bash +$ docker run -p 8983:8983 \ +-v /tmp/keystores/solr:/opt/alfresco-search-services/keystores \ +-e ALFRESCO_SECURE_COMMS=https \ +-e SOLR_CREATE_ALFRESCO_DEFAULTS=alfresco,archive \ +-e SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystores/ssl.repo.client.keystore \ +-e SOLR_SSL_KEY_STORE_PASSWORD=keystore \ +-e SOLR_SSL_KEY_STORE_TYPE=JCEKS \ +-e SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystores/ssl.repo.client.truststore \ +-e SOLR_SSL_TRUST_STORE_PASSWORD=truststore \ +-e SOLR_SSL_TRUST_STORE_TYPE=JCEKS \ +-e SOLR_SSL_NEED_CLIENT_AUTH=true \ +-e SOLR_OPTS="-Dsolr.ssl.checkPeerName=false \ +-Dsolr.allow.unsafe.resourceloading=true \ +-Dalfresco.encryption.ssl.keystore.type=JCEKS +-Dalfresco.encryption.ssl.keystore.location=/opt/alfresco-search-services/keystores/ssl.repo.client.keystore +-Dalfresco.encryption.ssl.keystore.passwordFileLocation=/opt/alfresco-search-services/keystores/ssl-keystore-passwords.properties +-Dalfresco.encryption.ssl.truststore.type=JCEKS +-Dalfresco.encryption.ssl.truststore.location=/opt/alfresco-search-services/keystores/ssl.repo.client.truststore +-Dalfresco.encryption.ssl.truststore.passwordFileLocation=/opt/alfresco-search-services/keystores/ssl-truststore-passwords.properties +" \ +searchservices:develop +``` + + +### Use Alfresco Search Services Docker Image with Docker Compose + docker-compose files can be used to start up Search Services with Alfresco and Share. There are two docker-composes files available. Depending on the version you want to start either change to 5.x or 6.x. E.g. ```bash diff --git a/search-services/packaging/src/docker/Dockerfile b/search-services/packaging/src/docker/Dockerfile index bf2f001f1..230214ca9 100644 --- a/search-services/packaging/src/docker/Dockerfile +++ b/search-services/packaging/src/docker/Dockerfile 
@@ -42,6 +42,8 @@ WORKDIR $DIST_DIR VOLUME $DIST_DIR/data VOLUME $DIST_DIR/solrhome +# Expose a folder to mount keystores in the host (required for Mutual TLS Auth) +VOLUME $DIST_DIR/keystores EXPOSE 8983 USER ${USERNAME} From c41002a88c11941496cbecb2ab1d41630b90f235 Mon Sep 17 00:00:00 2001 From: Angel Borroy Date: Fri, 7 Jun 2019 14:09:49 +0200 Subject: [PATCH 09/13] Describing how to use SOLR from as a service in Docker Compose using Mutual Auth TLS (SSL) and Plain HTTP. --- search-services/README.md | 93 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 92 insertions(+), 1 deletion(-) diff --git a/search-services/README.md b/search-services/README.md index 60e8b37ef..44894395e 100644 --- a/search-services/README.md +++ b/search-services/README.md @@ -211,7 +211,9 @@ $ docker run -e SOLR_ALFRESCO_HOST=localhost -e SOLR_ALFRESCO_PORT=8080 -p 8983: This Docker image is exposing as VOLUME the folder `/opt/alfresco-search-services/keystores`, that can be used to mount `keystores` folder from host. -Additionally, SOLR Jetty server must be configured to start in SSL Mode using `SOLR\_SSL\_*` environment variables. +When an environment variable `ALFRESCO_SECURE_COMMS=https` is passed to the Docker container, SOLR will be started using SSL mode. + +Additionally, SOLR Jetty server must be configured to start in SSL Mode using `SOLR_SSL_*` environment variables and Search Services must be configured by using Java environment variables starting with `alfresco.encryption.ssl.*` Following command will start Search Services with SSL using keystores located at `/tmp/keystores/solr/tmp/keystores/solr`. Note that the internal folders are relative to `/opt/alfresco-search-services/keystores`, as this is the Docker container folder exposed to hold the keystores. 
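Review bot: `VOLUME $DIST_DIR/keystores` is declared before `USER ${USERNAME}` and nothing in the hunk creates the directory, so unless it is created earlier in the Dockerfile (outside this hunk) the mount point is created as root while the process runs as `${USERNAME}`, and a bind mount from the host keeps the host's uid and file modes, which is where the README's `-v /tmp/keystores/solr:/opt/alfresco-search-services/keystores` example would fail with a permission error on the keystore or on the `ssl-*-passwords.properties` files. Suggest adding `RUN mkdir -p $DIST_DIR/keystores && chown ${USERNAME} $DIST_DIR/keystores` immediately before the `VOLUME` line (adapt to how the user and group are created earlier in the file). The comment on the `VOLUME` line should also state the operational requirement: the mounted keystore, truststore and the two password properties files contain the private key and its password and must be readable only by that user (mode 0600 on the host), since the README tells users to mount them from a world-readable `/tmp` path.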
@@ -239,9 +241,97 @@ $ docker run -p 8983:8983 \ searchservices:develop ``` +SOLR Web Console will be available at: + +[https://localhost:8983/solr](https://localhost:8983/solr) + + +**Public Docker repository** + +This Docker Image is available at Alfresco Docker Hub: + +[https://hub.docker.com/r/alfresco/alfresco-search-services](https://hub.docker.com/r/alfresco/alfresco-search-services) + +To use the public image instead of the local one (`searchservices:develop`) just use `alfresco/alfresco-search-services:1.3.x.x` labels. + ### Use Alfresco Search Services Docker Image with Docker Compose +Sample configuration in a Docker Compose file using **Plain HTTP** protocol to communicate with Alfresco Repository. + +``` +solr6: + image: searchservices:develop + mem_limit: 2500m + environment: + # Solr needs to know how to register itself with Alfresco + SOLR_ALFRESCO_HOST: "alfresco" + SOLR_ALFRESCO_PORT: "8080" + # Alfresco needs to know how to call solr + SOLR_SOLR_HOST: "solr6" + SOLR_SOLR_PORT: "8983" + # SSL settings + #Create the default alfresco and archive cores + SOLR_CREATE_ALFRESCO_DEFAULTS: "alfresco,archive" + SOLR_JAVA_MEM: "-Xms2g -Xmx2g" + ports: + - 8083:8983 #Browser port +``` + +SOLR Web Console will be available at: + +[http://localhost:8983/solr](http://localhost:8983/solr) + + +Sample configuration in a Docker Compose file using **Mutual Auth TLS (SSL)** protocol to communicate with Alfresco Repository. 
+ +``` +solr6: + image: searchservices:develop + mem_limit: 2500m + environment: + # Solr needs to know how to register itself with Alfresco + SOLR_ALFRESCO_HOST: "alfresco" + SOLR_ALFRESCO_PORT: "8443" + # Alfresco needs to know how to call solr + SOLR_SOLR_HOST: "solr6" + SOLR_SOLR_PORT: "8983" + # SSL settings + ALFRESCO_SECURE_COMMS: "https" + SOLR_SSL_TRUST_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.truststore" + SOLR_SSL_TRUST_STORE_PASSWORD: "truststore" + SOLR_SSL_TRUST_STORE_TYPE: "JCEKS" + SOLR_SSL_KEY_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.keystore" + SOLR_SSL_KEY_STORE_PASSWORD: "keystore" + SOLR_SSL_KEY_STORE_TYPE: "JCEKS" + SOLR_SSL_NEED_CLIENT_AUTH: "true" + #Create the default alfresco and archive cores + SOLR_CREATE_ALFRESCO_DEFAULTS: "alfresco,archive" + SOLR_JAVA_MEM: "-Xms2g -Xmx2g" + SOLR_OPTS: " + -Dsolr.ssl.checkPeerName=false + -Dsolr.allow.unsafe.resourceloading=true + -Dalfresco.encryption.ssl.keystore.type=JCEKS + -Dalfresco.encryption.ssl.keystore.location=/opt/alfresco-search-services/keystores/ssl.repo.client.keystore + -Dalfresco.encryption.ssl.keystore.passwordFileLocation=/opt/alfresco-search-services/keystores/ssl-keystore-passwords.properties + -Dalfresco.encryption.ssl.truststore.type=JCEKS + -Dalfresco.encryption.ssl.truststore.location=/opt/alfresco-search-services/keystores/ssl.repo.client.truststore + -Dalfresco.encryption.ssl.truststore.passwordFileLocation=/opt/alfresco-search-services/keystores/ssl-truststore-passwords.properties + " + ports: + - 8083:8983 #Browser port + volumes: + - ./keystores/solr:/opt/alfresco-search-services/keystores +``` + +SOLR Web Console will be available at: + +[https://localhost:8983/solr](https://localhost:8983/solr) + + + +**Samples for development use only** + docker-compose files can be used to start up Search Services with Alfresco and Share. There are two docker-composes files available. 
Depending on the version you want to start either change to 5.x or 6.x. E.g. ```bash @@ -260,6 +350,7 @@ If you start version 5.x instead you can also access the API Explorer: * API Explorer: http://localhost:8084/api-explorer ### License + Copyright (C) 2005 - 2017 Alfresco Software Limited This file is part of the Alfresco software. From a102d9fde3ebbc97030f24acbe82455f8459c37e Mon Sep 17 00:00:00 2001 From: Angel Borroy Date: Mon, 10 Jun 2019 14:52:52 +0200 Subject: [PATCH 10/13] Update README.md for ZIP Distribution SS and IE. --- .../packaging/src/main/resources/README.MD | 22 +++++-------------- 1 file changed, 5 insertions(+), 17 deletions(-) diff --git a/search-services/packaging/src/main/resources/README.MD b/search-services/packaging/src/main/resources/README.MD index 011c6e2c6..a49795840 100644 --- a/search-services/packaging/src/main/resources/README.MD +++ b/search-services/packaging/src/main/resources/README.MD 
@@ -1,28 +1,16 @@ ## Alfresco Search Services + Alfresco Search Services ${project.version} using Apache Solr ${solr.version} -## Solr 6 -Solr 6 is now available as a drop in replacement for Solr 4 with Alfresco 5.2. +Find out more about Solr 6 and how to be installed at: -Solr 6 brings with it a number of new features: +* Community users: https://docs.alfresco.com/search-community/concepts/search-home.html - - SHARDING by DATE, PROPERTY & DBID - - FINGERPRINTS to find similar documents - - Indexing Multiple Document Versions - - Full SSL support with sharding +* Enterprise users: https://docs.alfresco.com/search-enterprise/concepts/search-home.html -Find out more about Solr 6 and how it differs here: http://docs.alfresco.com/5.2/concepts/solr6-home.html - -### Install & Run -**Please read the [Installation Documentation](http://docs.alfresco.com/5.2/concepts/solr6-install-config.html).** - -To run, unzip then -``` -solr/bin/solr start -``` ### License -Copyright (C) 2005 - 2017 Alfresco Software Limited +Copyright (C) 2005 - 2019 Alfresco Software Limited This file is part of the Alfresco software. If the software was purchased under a paid Alfresco license, the terms of From 812653ed209e00afec945982a92bc65960d914c0 Mon Sep 17 00:00:00 2001 From: Angel Borroy Date: Wed, 12 Jun 2019 16:22:40 +0200 Subject: [PATCH 11/13] Search Services Docker Image is released with Mutual Auth TLS by default. --- search-services/README.md | 55 ++++++++++--------- .../src/docker/search_config_setup.sh | 6 +- 2 files changed, 32 insertions(+), 29 deletions(-) diff --git a/search-services/README.md b/search-services/README.md index 44894395e..d3df27e54 100644 --- a/search-services/README.md +++ b/search-services/README.md 
@@ -36,9 +36,9 @@ $ unzip alfresco-search-services-*.zip $ cd alfresco-search-services ``` -From Alfresco *Search Services 1.3.0.3*, distribution ZIP is released with Mutual Auth TLS (SSL) by default. So before starting the service, generating secure keys for SSL communication is required. You can find detailed information for this step at [Alfresco documentation](https://docs.alfresco.com/search-enterprise/tasks/generate-keys-ssl.html). +From Alfresco *Search Services 1.3.0.3*, distribution ZIP is released with Mutual Authentication TLS (SSL) by default. So before starting the service, generating secure keys for SSL communication is required. You can find detailed information for this step at [Alfresco documentation](https://docs.alfresco.com/search-enterprise/tasks/generate-keys-ssl.html). -The `keystores` folder generated by the SSL Tool contains the keystores and truststores for SSL configuration. In the following steps, it's assumed that SSL Tool has been executed from `/tmp` or `C:\tmp` folder. +The `keystores` folder generated by the SSL Tool contains the keystores and truststores for SSL configuration. In the following steps, it's assumed that SSL Tool has been executed from `/tmp` or `C:\tmp` folder. ```bash $ tree /tmp/keystores/ @@ -62,7 +62,7 @@ keystores/ └── ssl.repo.client.truststore ``` -SOLR SSL configuration files are available in `/tmp/keystores/solr` folder. +SOLR SSL configuration files are available in `/tmp/keystores/solr` folder. These files must be copied to `rerank` configuration folder. 
@@ -178,49 +178,35 @@ $ cd packaging/target/docker-resources/ $ docker build -t searchservices:develop . ``` -*Search Services* Docker image is configured with **Plain HTTP** by default. +*Search Services* Docker image is configured with with **Mutual Authentication TLS (SSL)** by default. +**Configuration** -To run the docker image: +To pass an environment variable, it can be used the "-e" argument: ```bash -$ docker run -p 8983:8983 -e SOLR_CREATE_ALFRESCO_DEFAULTS=alfresco,archive searchservices:develop +$ docker run -e SOLR_JAVA_MEM="-Xms4g -Xmx4g" -p 8983:8983 searchservices:develop ``` -SOLR Web Console will be available at: - -[http://localhost:8983/solr](http://localhost:8983/solr) - - -**Additional configuration** - -To pass an environment variable: - -```bash -$ docker run -e SOLR_JAVA_MEM=“-Xms4g -Xmx4g” -p 8983:8983 searchservices:develop -``` - -To pass several environment variables (e.g. SOLR\_ALFRESCO\_HOST, SOLR\_ALFRESCO\_PORT, SOLR\_SOLR\_HOST, SOLR\_SOLR\_PORT, SOLR\_CREATE\_ALFRESCO\_DEFAULTS, SOLR\_HEAP, etc.): +To pass several environment variables (e.g. SOLR\_ALFRESCO\_HOST, SOLR\_ALFRESCO\_PORT, SOLR\_SOLR\_HOST, SOLR\_SOLR\_PORT, SOLR\_CREATE\_ALFRESCO\_DEFAULTS, SOLR\_HEAP, etc.), just include the "-e" argument as times as required: ```bash $ docker run -e SOLR_ALFRESCO_HOST=localhost -e SOLR_ALFRESCO_PORT=8080 -p 8983:8983 searchservices:develop ``` - **Using Mutual Auth TLS (SSL)** This Docker image is exposing as VOLUME the folder `/opt/alfresco-search-services/keystores`, that can be used to mount `keystores` folder from host. -When an environment variable `ALFRESCO_SECURE_COMMS=https` is passed to the Docker container, SOLR will be started using SSL mode. +By default Docker image is using SSL, but an environment variable `ALFRESCO_SECURE_COMMS=https` can be also passed to the Docker container to declare explicitly the SSL mode. 
-Additionally, SOLR Jetty server must be configured to start in SSL Mode using `SOLR_SSL_*` environment variables and Search Services must be configured by using Java environment variables starting with `alfresco.encryption.ssl.*` +Additionally, SOLR Jetty server must be configured to start in SSL Mode using `SOLR_SSL_*` environment variables and Search Services must be configured by using Java environment variables starting with `alfresco.encryption.ssl.*` Following command will start Search Services with SSL using keystores located at `/tmp/keystores/solr/tmp/keystores/solr`. Note that the internal folders are relative to `/opt/alfresco-search-services/keystores`, as this is the Docker container folder exposed to hold the keystores. ```bash $ docker run -p 8983:8983 \ -v /tmp/keystores/solr:/opt/alfresco-search-services/keystores \ --e ALFRESCO_SECURE_COMMS=https \ -e SOLR_CREATE_ALFRESCO_DEFAULTS=alfresco,archive \ -e SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystores/ssl.repo.client.keystore \ -e SOLR_SSL_KEY_STORE_PASSWORD=keystore \ @@ -245,6 +231,22 @@ SOLR Web Console will be available at: [https://localhost:8983/solr](https://localhost:8983/solr) +*Note* You must install the `browser.p12` certificate in your browser in order to access to this URL. + +**Using Plain HTTP** + +By default Docker image is using SSL, so it's required to add an environment variable `ALFRESCO_SECURE_COMMS=none` to use SOLR in plain HTTP mode. + +To run the docker image: + +```bash +$ docker run -p 8983:8983 -e ALFRESCO_SECURE_COMMS=none -e SOLR_CREATE_ALFRESCO_DEFAULTS=alfresco,archive searchservices:develop +``` + +SOLR Web Console will be available at: + +[http://localhost:8983/solr](http://localhost:8983/solr) + **Public Docker repository** 
@@ -270,7 +272,8 @@ solr6: # Alfresco needs to know how to call solr SOLR_SOLR_HOST: "solr6" SOLR_SOLR_PORT: "8983" - # SSL settings + # HTTP settings + ALFRESCO_SECURE_COMMS: "none" #Create the default alfresco and archive cores SOLR_CREATE_ALFRESCO_DEFAULTS: "alfresco,archive" SOLR_JAVA_MEM: "-Xms2g -Xmx2g" @@ -344,7 +347,7 @@ This will start up Alfresco, Postgres, Share and SearchServices. You can access * Alfresco: http://localhost:8081/alfresco * Share: http://localhost:8082/share * Solr: http://localhost:8083/solr - + If you start version 5.x instead you can also access the API Explorer: * API Explorer: http://localhost:8084/api-explorer diff --git a/search-services/packaging/src/docker/search_config_setup.sh b/search-services/packaging/src/docker/search_config_setup.sh index 8c5843f43..8a108e5c4 100644 --- a/search-services/packaging/src/docker/search_config_setup.sh +++ b/search-services/packaging/src/docker/search_config_setup.sh @@ -18,9 +18,9 @@ if [[ ! -z "$SOLR_JAVA_MEM" ]]; then sed -i -e "s/.*SOLR_JAVA_MEM=.*/SOLR_JAVA_MEM=\"$SOLR_JAVA_MEM\"/g" $SOLR_IN_FILE fi -# By default Docker Image is using plain HTTP for communications with Repository -# TLS Mutual Auth can be enabled by setting ALFRESCO_SECURE_COMMS to any value different from 'none' ('https' is recommended) -if [[ -z "$ALFRESCO_SECURE_COMMS" || "none" == "$ALFRESCO_SECURE_COMMS" ]]; then +# By default Docker Image is using TLS Mutual Authentication (SSL) for communications with Repository +# Plain HTTP can be enabled by setting ALFRESCO_SECURE_COMMS to 'none' +if [[ "none" == "$ALFRESCO_SECURE_COMMS" ]]; then sed -i 's/alfresco.secureComms=https/alfresco.secureComms=none/' ${PWD}/solrhome/templates/rerank/conf/solrcore.properties sed -i 's/alfresco.secureComms=https/alfresco.secureComms=none/' ${PWD}/solrhome/templates/noRerank/conf/solrcore.properties # Apply also the setting to existing SOLR cores property files when existing 
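Review bot: The substitution only runs in one direction (`https` to `none`), so a core created while `ALFRESCO_SECURE_COMMS=none` keeps `alfresco.secureComms=none` in `solrhome/alfresco/conf/solrcore.properties` and `solrhome/archive/conf/solrcore.properties` even after the operator drops the variable to get the TLS default that the new comment promises, and the re-enable is silently ignored on every later start. Since the script already knows both template paths and both existing-core paths (the existing-core checks continue after the hunk), an `else` branch rewriting `none` back to `https` on the same files closes that gap, and an `echo` of the effective mode in each branch makes the container log show what was applied. The `if` block this hunk opens is closed outside the hunk.

```shell
if [[ "none" == "$ALFRESCO_SECURE_COMMS" ]]; then
    # … unchanged: https -> none substitutions for templates and existing cores …
else
    echo "alfresco.secureComms=https: mutual TLS to the repository"
    sed -i 's/alfresco.secureComms=none/alfresco.secureComms=https/' ${PWD}/solrhome/templates/rerank/conf/solrcore.properties
    sed -i 's/alfresco.secureComms=none/alfresco.secureComms=https/' ${PWD}/solrhome/templates/noRerank/conf/solrcore.properties
    # Re-apply to existing cores so a previous plain-HTTP start does not persist
    for core in alfresco archive; do
        if [[ -f ${PWD}/solrhome/${core}/conf/solrcore.properties ]]; then
            sed -i 's/alfresco.secureComms=none/alfresco.secureComms=https/' ${PWD}/solrhome/${core}/conf/solrcore.properties
        fi
    done
# … unchanged: closing fi …
```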
From e0f4b787a8feee22e179210357dc7d989452e850 Mon Sep 17 00:00:00 2001 From: Angel Borroy Date: Thu, 13 Jun 2019 16:39:58 +0200 Subject: [PATCH 12/13] Zeppelin is provided in plain HTTP, but detailed instructions are provided for configuration with SSL. --- search-services/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/search-services/README.md b/search-services/README.md index d3df27e54..a8c7bbf85 100644 --- a/search-services/README.md +++ b/search-services/README.md @@ -202,7 +202,7 @@ By default Docker image is using SSL, but an environment variable `ALFRESCO_SECU Additionally, SOLR Jetty server must be configured to start in SSL Mode using `SOLR_SSL_*` environment variables and Search Services must be configured by using Java environment variables starting with `alfresco.encryption.ssl.*` -Following command will start Search Services with SSL using keystores located at `/tmp/keystores/solr/tmp/keystores/solr`. Note that the internal folders are relative to `/opt/alfresco-search-services/keystores`, as this is the Docker container folder exposed to hold the keystores. +Following command will start Search Services with SSL using keystores located at `/tmp/keystores/solr`. Note that the internal folders are relative to `/opt/alfresco-search-services/keystores`, as this is the Docker container folder exposed to hold the keystores. ```bash $ docker run -p 8983:8983 \ From 879c138006fa4569a34514ac8d53f2c008084f19 Mon Sep 17 00:00:00 2001 From: Angel Borroy Date: Mon, 17 Jun 2019 10:24:54 +0200 Subject: [PATCH 13/13] Use Plain HTTP by default for SOLR to communicate with Alfresco Repository. --- search-services/packaging/src/docker/6.x/docker-compose.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/search-services/packaging/src/docker/6.x/docker-compose.yml b/search-services/packaging/src/docker/6.x/docker-compose.yml index a200a0136..73c0243db 100644 --- a/search-services/packaging/src/docker/6.x/docker-compose.yml 
+++ b/search-services/packaging/src/docker/6.x/docker-compose.yml
@@ -45,6 +45,8 @@ services:
 - SOLR_SOLR_PORT=8983
 #Create the default alfresco and archive cores
 - SOLR_CREATE_ALFRESCO_DEFAULTS=alfresco,archive
+ #HTTP by default
+ - ALFRESCO_SECURE_COMMS=none
 ports:
 - 8083:8983 #Browser port
 activemq:
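Review bot: `ALFRESCO_SECURE_COMMS=none` switches off mutual TLS between Solr and the repository, and the comment `#HTTP by default` says neither that this compose file is the development-only sample the README describes nor what is being given up, so a reader who copies this service block into a real deployment gets cleartext Solr/repository traffic without a warning. Suggest replacing the comment with `# Plain HTTP between Solr and the repository: development sample only. For anything reachable by others keep the image default (mutual TLS) and supply the SOLR_SSL_* / alfresco.encryption.ssl.* settings described in the README.` Without a client-certificate check, `8083:8983` also publishes the Solr web console on every host interface; for this sample, binding to loopback with `- 127.0.0.1:8083:8983` limits exposure to the developer's machine.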