Alfresco HTTPS setup

18.04.2012.

Alfresco installations often hold many confidential documents that are sometimes accessed over untrusted networks. This blog entry describes how to configure Alfresco to use HTTPS in the scenario where no Apache, external SSL accelerator or load balancer is used for that purpose.

In this setup, Alfresco is installed with non-root user permissions, and it listens on ports 8080 and 8443. No Apache installation is used, in order to demonstrate how to provide the same functionality using just iptables and Tomcat. iptables is configured to forbid direct access to the Alfresco ports (8080 and 8443) from the network, and to redirect port 80 traffic to port 8080 and port 443 traffic to port 8443, which is where our secured Alfresco is listening. Note that for high-traffic sites it is recommended to use an SSL offloading mechanism (for example, by configuring Apache SSL on the same node).

If you don't have a certificate, or you are installing Alfresco in an intranet, a self-signed certificate will be sufficient. Create a new JKS keystore containing a single self-signed certificate (e.g. in /home/alfresco/.keystore); the keystore password you choose here must match the keystorePass used in the Tomcat connector below:
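
The iptables rule set that the paragraph above describes, as an added example that is not part of the original post. It assumes the network-facing interface is eth0 and an iptables whose conntrack match supports --ctorigdstport (needed to tell redirected connections apart from direct ones, because REDIRECT rewrites the destination port before the INPUT chain sees the packet):

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules for the Alfresco
# HTTPS setup. Assumptions: public interface is eth0, iptables >= 1.4 with the
# conntrack match (--ctorigdstport), and the rules are appended to an INPUT
# chain that does not already ACCEPT everything. Run as root with "apply";
# without arguments the script only prints the rules for review.
set -eu

PUBLIC_IF="${PUBLIC_IF:-eth0}"   # assumption: adjust to the real interface

# Emit the rule set so it can be reviewed (or tested) without root privileges.
alfresco_rules() {
    cat <<EOF
# Port redirection: 80 -> 8080 (plain HTTP connector), 443 -> 8443 (SSL connector).
iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 443 -j REDIRECT --to-ports 8443
# Loopback stays open so Share can reach https://localhost:8443/alfresco.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept only connections whose original destination port was 80 or 443 ...
iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctorigdstport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8443 -m conntrack --ctorigdstport 443 -j ACCEPT
# ... and refuse direct access to the Tomcat ports from the network.
iptables -A INPUT -p tcp -m multiport --dports 8080,8443 -j REJECT --reject-with tcp-reset
EOF
}

# Number of iptables commands the set would run; used as a sanity check.
rule_count() {
    alfresco_rules | grep -c '^iptables '
}

if [ "${1:-}" = "apply" ]; then
    # Needs root. Rules are not persistent across reboots; see iptables-save.
    alfresco_rules | sh -e
fi
```

Local processes on the server are unaffected by the redirect, which is why Share and the sysAdmin parameters later in the post point at port 8443 directly rather than 443.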

su - alfresco
$ALFRESCO_HOME/java/bin/keytool -genkeypair -alias alfresco -keyalg RSA -validity 365

The procedure is different when importing an existing certificate signed by your own CA, please read the Tomcat documentation.

Now we have to configure Tomcat. Edit $ALFRESCO_HOME/tomcat/conf/server.xml, modify the port 8080 connector so that it redirects to port 443 (which iptables forwards to 8443), and add the port 8443 connector:

<Connector port="8080" URIEncoding="UTF-8" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

Edit $ALFRESCO_HOME/tomcat/conf/web.xml and insert the following inside <web-app> to force HTTPS to all web resources:

<security-constraint>
        <web-resource-collection>
                <web-resource-name>Entire Application</web-resource-name>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
</security-constraint>

In addition, Alfresco Share has to be configured to use HTTPS. This is especially useful if (for performance reasons) Share needs to run on a different node than the Alfresco repository. Edit the Alfresco Share config $ALFRESCO_HOME/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml and modify repository-url and the alfresco endpoint to reflect the HTTPS protocol and port:

<repository-url>https://localhost:8443/alfresco</repository-url>

...

<endpoint>
        <id>alfresco</id>
        <name>Alfresco - user access</name>
        <description>Access to Alfresco Repository WebScripts that require user authentication</description>
        <connector-id>alfrescoCookie</connector-id>
        <endpoint-url>https://localhost:8443/alfresco/wcs</endpoint-url>
        <identity>user</identity>
        <external-auth>true</external-auth>
</endpoint>

Now we can export the self-signed certificate and import it into the Java trust store. This allows Java (and therefore Alfresco Share) to connect successfully to the Alfresco context over HTTPS, since the self-signed certificate is not trusted by default. Export the certificate from the keystore:

$ALFRESCO_HOME/java/bin/keytool -exportcert -alias alfresco -keypass changeit -storepass changeit -keystore /home/alfresco/.keystore -file server.cert

Delete the certificate if it already exists in the Java Trusted Store:

$ALFRESCO_HOME/java/bin/keytool -delete -alias alfresco -storepass changeit -keystore $ALFRESCO_HOME/java/jre/lib/security/cacerts

Finally, import the certificate into the Java trust store:

$ALFRESCO_HOME/java/bin/keytool -import -alias alfresco -file server.cert -keypass changeit -storepass changeit -keystore $ALFRESCO_HOME/java/jre/lib/security/cacerts

Set up web.application.context.url and the sysAdmin subsystem parameters in alfresco-global.properties:

web.application.context.url=https://127.0.0.1:8443/alfresco

alfresco.context=alfresco
alfresco.host=${localname}
alfresco.port=8443
alfresco.protocol=https

share.context=share
share.host=${localname}
share.port=8443
share.protocol=https

That should be all that is necessary for a complete HTTPS-enabled Alfresco installation.