This session will provide a guide to Alfresco truststores and keystores. Several live examples will be shown, including the replacement of existing cryptographic stores or certificates. Additionally, a troubleshooting configuration guide for mTLS communication will be provided.
This document provides an overview of Storage Foundation and Alfresco solutions. It discusses hardware storage concepts including drive types, interfaces, and RAID. It also covers Alfresco storage-related solutions such as the S3 connector, XAM connector, content store selector, and replication capabilities. Partnership solutions from Xenit, Star Storage, and community solutions are also mentioned. The document concludes with best practices around content store, indexes, logs, and backup/recovery.
This document discusses reindexing large repositories in Alfresco. It covers the Alfresco SOLR architecture, the indexing process, scenarios that require reindexing, alternatives for deployment during reindexing to minimize downtime, monitoring and profiling tools, and future improvements planned for Search Services 2.0 to optimize indexing performance. Benchmark results are presented showing improvements that reduced reindexing time for 1.2 billion documents from 21 days to 10 days.
This document discusses backup and disaster recovery strategies for Alfresco. It recommends scheduling regular backups of the Solr and Lucene indexes, database, and file system. Full backups should be done periodically, with incremental backups in between. Backups can be cold (system offline), warm (some services offline), or hot (live system). Restores involve recovering the indexes, database, files and configuration. Planning includes defining recovery objectives for data loss and downtime.
The document discusses Alfresco security best practices. It covers topics such as hardening the network and operating system, implementing firewall rules, assessing vulnerabilities, and compliance with standards. Best practices for the Alfresco implementation include staying current with patches, enforcing strong permissions, and deleting content when it is removed. The document provides an overview of security considerations for the Alfresco architecture, mobile access, and other deployment aspects.
Alfresco Workshop: Introduction to Records Management Using Alfresco Governan... by Lighton Phiri
This document summarizes an Alfresco national workshop on records management. It introduces Alfresco software and its content, process, and governance services. It discusses records management challenges in Zambia's paper-based system and benefits of Alfresco, including its certified records management features. The workshop covered Alfresco architecture, usage statistics, and demonstrated its workflow capabilities.
Practical information for Alfresco integration with AOS (Sharepoint Protocol), Google Drive, Microsoft 365, ONLYOFFICE and Collabora Online.
Additionally ADW support for ONLYOFFICE is provided by https://github.com/atolcd/adf-onlyoffice-extension#installation
This document summarizes a presentation about Alfresco Search Services 2.0. Key points include:
- Solr was updated to remove the custom content store and leverage more built-in Solr features like replication and backups. This improved performance and reduced disk usage.
- New date fields were added that break dates down into individual components like year, month, day, etc. to enable more granular search queries.
- Asynchronous maintenance actions were introduced to schedule and retry tasks like reindexing, purging, and fixing index issues in the background.
- Security was enhanced with support for mutual TLS and storing passwords in JVM properties instead of plain text files. Performance tracking and indexing controls
This is the session delivered during the Alfresco Developers Conference in Lisbon, January 2018. Learn all what you need to know to perform a proper backup and disaster recovery strategy. From a single server installation with hundreds of documents to a large deployment with multiple nodes, layers, databases and multi-million documents. What is the best way for each case?
The document provides an overview and best practices for tuning an Alfresco installation for performance. It discusses disabling unused services, limiting folder hierarchies and group nesting, monitoring resources, tuning Solr indexes and caches, and using separate servers for specific tasks like indexing. General tips include testing changes thoroughly before deploying, adjusting sizing for increased usage, and following the standard performance methodology.
The document discusses best practices for upgrading to Alfresco 6 from a previous version. It recommends backing up the database and content store from the source Alfresco, identifying any customizations, installing the new Alfresco from scratch, restoring the backups, applying customizations, and patching the database in stages if needed through intermediate "halfway" Alfresco instances. It also covers identifying deprecated features, adapting custom code to be compatible with Alfresco 6, monitoring the new installation, and addressing potential issues.
Moving From Actions & Behaviors to Microservices by Jeff Potts
My DevCon 2019 talk discusses how to make it easier to integrate Alfresco with other systems using an event-based approach. Two real world examples are discussed and demonstrated. The first is about reporting against Alfresco metadata. The second is about enriching metadata by running content through a Natural Language Processing (NLP) model. Both solutions work by listening to generic events generated by Alfresco and placed on an Apache Kafka queue. For the reporting example, the Spring Boot consumer subscribes to Kafka events, then fetches metadata via CMIS and indexes that into Elasticsearch. For the NLP example, a separate Spring Boot consumer subscribes to the same events, but in this case, fetches the content, extracts text using Apache Tika, runs the text through Apache OpenNLP, then writes back extracted entities to Alfresco via CMIS. These are relatively simple examples, but illustrate how a de-coupled, asynchronous, event-based approach can make integrating Alfresco with other systems easier.
The document summarizes Jan Vonka's presentation on Alfresco's exciting new REST APIs. It provides an overview of the REST API architecture and components. It highlights many new features in the Content Services 5.2 and Process Services 1.6 APIs, including new endpoints, operations, and enhanced APIs for sites and people. It demonstrates using the APIs via Postman. It discusses the API documentation and upcoming features like exposing more services and improvements to the REST framework.
Alfresco Workshop: Installing Alfresco Content Services and Alfresco Governan... by Lighton Phiri
The document outlines Lighton Phiri's presentation on installing and configuring Alfresco. It includes steps for installing Alfresco using the setup wizard, testing the installation, and installing Alfresco Governance Services. The presentation also covers exploring the base Alfresco installation, creating sites, and performing basic administration tasks like user management and site configuration.
Infrastructure, use cases and performance considerations for an Enterprise Grade ECM implementation up to 1B documents on AWS (Amazon Web Services EC2 and Aurora) based on the Alfresco (http://www.alfresco.com) Platform, the leading Open Source Enterprise Content Management system.
Alfresco has provided an implementation of CMIS ever since the first draft of the specification was announced. It is the CMIS repository that all others are compared to. In this session, you'll learn how Alfresco maps to the CMIS domain model and explore how CMIS services such as query behave through live examples. You'll see how easy it is to build applications against CMIS including the use of unique Alfresco features such as Aspects.
Moving Gigantic Files Into and Out of the Alfresco Repository by Jeff Potts
This talk is a technical case study showing how Metaversant solved a problem for one of their clients, Noble Research Institute. Researchers at Noble deal with very large files, which are often difficult to move into and out of the Alfresco repository.
In this session, we will look first at the rich metadata that documents in your repository have, how to control the mapping of this on to your content model, and some of the interesting things this can deliver. We'll then move on to the content transformation and rendition services, and see how you can easily and powerfully generate a wide range of media from the content you already have.
Alfresco DevCon 2019 (Edinburgh)
"Transforming the Transformers" for Alfresco Content Services (ACS) 6.1 & beyond
https://community.alfresco.com/community/ecm/blog/2019/02/07/alfresco-transform-service-new-with-acs-61
Alfresco provides various content transformation options across the Digital Business Platform (DBP). In this talk, we will explore the new independently-scalable Alfresco Transform Service. This enables a new option for transforms to be asynchronously off-loaded by Alfresco Content Services (ACS).
https://devcon.alfresco.com/speaker/jan-vonka/
This document provides instructions for installing various Alfresco components, including:
1. PostgreSQL for the database
2. The Alfresco webapp using Tomcat
3. SOLR 6 for search
4. The Alfresco Share webapp also using Tomcat
It details downloading required software, configuring properties files, starting and stopping services, and ensuring the components can communicate over localhost URLs. The overall goal is to set up a full Alfresco ECM installation with database, application server, search, and user interface components locally for testing and development.
Sizing an Alfresco infrastructure has always been an interesting topic with lots of unanswered questions. There is no perfect formula that can accurately define the right sizing for your architecture given your use case. However, we can provide you with valuable guidance on how to size your Alfresco solution by asking the right questions, collecting the right numbers, and making the right assumptions in a very interesting sizing exercise.
How many Alfresco servers will you need in your Alfresco cluster? How many CPUs/cores do you need on those servers to handle your estimated user concurrency? How do you estimate the sizing and growth of your storage? How much memory do you need on your Solr servers? How many Solr servers do you need to get the response times you require? What are the golden rules that can drive and maintain the success of an Alfresco project?
Jose portillo dev con presentation 1138 by Jose Portillo
This document discusses best practices for implementing Solr sharding in Alfresco. It defines what sharding is and explains that it involves splitting a single index into multiple parts or shards to improve search performance, distribute indexing load, and scale horizontally. The document outlines different types of sharding, considerations for the number of shards, high availability, backup procedures, and common configuration settings when using Solr sharding in Alfresco.
Pulsar Summit Asia - Running a secure pulsar cluster by Shivji Kumar Jha
This document provides an overview of securing Apache Pulsar. It discusses securing the different cluster components like Zookeeper, Bookkeeper and brokers. It describes how to enable TLS for securing communication between these components. It also covers setting up TLS, keystores and truststores for brokers and clients. The document references Pulsar and Zookeeper documentation for more details on configuring security.
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014 by Jakub Kałużny
When it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything else, impossible to adapt to a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, based on our experience, it very often hides a shameful secret: completely unsecured mechanisms that break all secure coding practices.
This document discusses the application uses of DNSSEC and the Domain Name System Security Extensions protocol. It provides examples of how cryptographic keys can be stored and authenticated using DNSSEC records like SSHFP, TLSA, and OPENPGPKEY. These records allow applications to securely obtain keys from the DNS to enable or strengthen application layer security protocols for services like SSH, TLS, PGP, and email. The document focuses on how the TLSA record and DANE protocol can help address issues with the public certificate authority model by providing name constraints and directly authenticating certificates in the DNS.
Shameful secrets of proprietary network protocols by Slawomir Jasek
There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything else, impossible to adapt to a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, based on our experience, it very often hides a shameful secret: completely unsecured mechanisms that break all secure coding practices.
To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen... by confluent
In this baller talk, we will be addressing the elephant in the room that no one ever wants to look at or talk about: security. We generally never want to talk about configuring security because if we do, we allocate risk of penetration by exposing ourselves to exploitation. However, this leads to a lot of confusion around proper Kafka security best practices and how to appropriately lock down a cluster when you are starting out. In this talk we will demystify the elephant in the room without deconstructing it limb by limb. We will give you a notion of how to configure the following for BOTH clients and servers: * TLS or Kerberos authentication * Encrypting your network traffic via TLS * Performing authorization via access control lists (ACLs) We will also demonstrate the above with a GitHub repo you can try out for yourself. Lastly, we will present a reference implementation of OAuth if that suits your fancy. All in all, you should walk away with a pretty decent understanding of the necessary aspects required for a secure Kafka environment.
TechEvent 2019: How do I actually secure Kafka?; Markus Bente - Trivadis by Trivadis
The document discusses securing Apache Kafka. It covers:
1. Network security, host firewalls, and Linux user concepts can provide general security.
2. Zookeeper security includes SASL authentication between Zookeeper nodes and brokers, and authorization via access control lists (ACLs).
3. Kafka security includes encryption via SSL, SASL authentication like Kerberos or SCRAM, and authorization via ACLs managed in Zookeeper.
4. A demo shows generating certificates, configuring brokers and clients for SSL, and using ACLs to control access between principals.
This document discusses secure connections in Java using SSL/TLS. It provides information on key concepts like keystores, certificates, and truststores. It also demonstrates how to set up a basic client-server application with mutual authentication using self-signed certificates and keytool to generate and manage the certificates. Troubleshooting tips are provided for common exceptions encountered.
The document provides instructions for attending an Oracle Support Advisor Webcast on troubleshooting issues with TCPS configuration and communication on databases, including how to access the recording and ask questions. It lists two options for attending - listening through computer audio or calling in by phone. It also provides the webinar ID and dial-in details needed to join the teleconference.
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols by PROIDEA
There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything else, impossible to adapt to a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, based on our experience, it very often hides a shameful secret: completely unsecured mechanisms that break all secure coding practices.
To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.
TTL Alfresco Product Security and Best Practices 2017 by Toni de la Fuente
Slide deck used during Tech Talk Live #110 in October 2017. Phil Meadows and I discussed Alfresco product security, and I went through Alfresco CS security best practices.
In this session, we'll simplify the complexities of configuring and troubleshooting mutual TLS (mTLS) within Alfresco environments. Attendees will gain practical insights into certificate management, trust validation, and common challenges encountered during configuration.
We'll showcase and provide custom tools for troubleshooting during the session. These tools can be used with ZIP, Ansible, Docker and Kubernetes deployments.
Event description available in https://hub.alfresco.com/t5/news-announcements/ttl-157-troubleshooting-made-easy-deciphering-alfresco-s-mtls/ba-p/319735/jump-to/first-unread-message
Yaroslav talks more about Mobile Security and his experience doing it on iOS platforms.
You can see his full lecture here: https://www.youtube.com/watch?v=_f7pmwi0yfs
Yaroslav Vorontsov works as a software architect at DataArt. Over the course of his professional career, he has taken part in many projects from different industrial domains and quickly grew from an intern to a tech lead. He has also won two major prizes at two consecutive THacks in Berlin as a member of DataArt teams, participated in local developers' communities, and taught about 100 students in total over 3 years at the university. When he's not working, Yaroslav enjoys playing and watching football, and exploring new countries with his wife.
IT talk is an open community, where anyone interested in technologies can participate. It is a real opportunity for IT professionals, teachers, students and even novice developers to share knowledge, network & discuss technical solutions and even present them at the next IT Talk seminars!
Website: http://dataart.bg/
Facebook: https://www.facebook.com/dataartbulgaria/
YouTube: https://www.youtube.com/channel/UCFYE6-NmhDFhFtx4gGkHXGQ
The document discusses SSL (Secure Sockets Layer) and TLS (Transport Layer Security). It provides an overview of SSL, including its history and evolution. It describes the SSL handshake protocol and components of SSL certificates such as subjects, issuers, and digital signatures. It also discusses SSL attacks like POODLE and Heartbleed and problems with certificate authorities.
This document provides an overview of Secure Sockets Layer (SSL) and Transport Layer Security (TLS). It discusses the evolution of SSL/TLS, the SSL/TLS handshake process, common attacks like man-in-the-middle attacks using tools like SSLStrip, recent attacks on SSL/TLS like BEAST and CRIME, and security guidelines for configuring SSL/TLS on servers.
FIWARE Wednesday Webinars - How to Secure IoT Devices by FIWARE
FIWARE Wednesday Webinar - How to Secure IoT Devices (22nd April 2020)
Corresponding webinar recording: https://youtu.be/_87IZhrYo3U
Live coding session and commentary, demonstrating various techniques and methods for securing the interactions between Devices, IoT Agents and the Context Broker
Chapter: Security
Difficulty: 3
Audience: Any Technical
Presenter: Jason Fox (Senior Technical Evangelist, FIWARE Foundation)
This document provides an overview of securing data in transit using TLS in constrained devices. It begins with introducing the presenters from wolfSSL Inc. and the topics that will be covered, which include an introduction to wolfSSL, an overview of SSL/TLS and cryptography, enabling TLS for a simple HTTP client, emerging ciphers and algorithms, and time for Q&A. It then discusses wolfSSL's history and products. The remainder of the document focuses on explaining SSL/TLS protocols, cipher suites, X.509 certificates, implementing TLS on embedded devices using wolfSSL and the FRDM-K64F board as an example, and emerging ciphers like ChaCha20 and Poly1305.
This document provides an overview of the basic function call flow for OpenSSL to establish a secure TCP connection. It discusses initializing the OpenSSL library, creating an SSL_CTX object, generating randomness, creating an SSL object for a connection, performing the TLS/SSL handshake, and reading and writing data over the encrypted connection. It also provides examples of OpenSSL code for a client application.
Using Generative AI and Content Service Platforms together (Angel Borroy López)
Slides for FOSDEM 2024 session: https://fosdem.org/2024/schedule/event/fosdem-2024-1858-using-generative-ai-and-content-service-platforms-together/
Describes a framework that provides GenAI operations for documents using a REST API. LLMs are stored locally, so no data is sent away.
It also includes a sample integration with a Content Service Platform (Alfresco), to enhance documents and pictures context information.
Session recording is available in https://ftp.fau.de/fosdem/2024/h2213/fosdem-2024-1858-using-generative-ai-and-content-service-platforms-together.av1.webm
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc... (Angel Borroy López)
Practical guide on integrating Alfresco Community with On-Premise Generative AI.
This session outlines the steps to enhance both existing and new content, demonstrating features such as classification, summarization, translation, and prompting; the framework also allows you to include additional features.
Source code is available in https://github.com/aborroy/alfresco-genai
This presentation describes different methods to produce Alfresco Docker Assets for Docker Compose deployment, from the previous methods (based on Python, Yeoman and Docker) to the Docker Init with Templates approach.
The recent launch of the Docker Init command has significantly simplified the process of generating Dockerfiles and Docker Compose templates for containerized applications. This presentation aims to explore the evolution of Docker deployment resources generation process, comparing its approach prior to the Docker Init command release and discussing the way forward. Before the introduction of the Docker Init command, I've been delivering some projects like the "alfresco-docker-installer"[1], which provides custom scripts and configurations to streamline the process of deploying Alfresco in Docker containers. These kinds of projects use tools like Yeoman or raw Python. There are some differences between a Docker Template for a technology (Go, Python, Node or Rust) and a Docker Template for a product (like Alfresco) that may be covered when generating automatic deployment resources. This presentation will delve into the methodologies employed before the Docker Init command:
Custom Dockerfile Extension
Compose Template for a complete product deployment, including a set of services like the database, content repository, search engine, or web application
Configuration Management, including techniques such as environment variable injection, externalized configuration files, and configuration overrides
Following the release of the Docker Init command, this presentation will provide insights into the possibilities and advantages it brings to complex products Docker deployment process. A PoC of a Docker Plugin, including this product-oriented approach for docker init, will be demoed live. >> Note that the Open Source Alfresco product is used only to explain the concepts of building a Docker Compose generator with a real example.
This deck includes a description of the Transform Service available for Alfresco 7.4.0.
Secure configuration sample, relying on mTLS, is also discussed.
How to migrate from Alfresco Search Services to Alfresco Search Enterprise (Angel Borroy López)
Presentation on how to move from the Alfresco Search Services product, based on Apache Solr, to the new Alfresco Search Enterprise integrated with Elasticsearch and Amazon OpenSearch.
This presentation describes how to use Podman to replace Docker in the Alfresco 7.4.0 development process.
The Alfresco platform is built using containerization technology. Alfresco can utilize containerization platforms like Podman, which provide the necessary tools and infrastructure to create, manage, and run containers.
Podman is presented as an alternative to Docker. Both Docker and Podman can be used effectively for Alfresco development, so consider your familiarity with the tools, preferred workflow, ecosystem support, security requirements, and any specific performance considerations to make the best choice for your Alfresco development needs.
CSP: Evolution of open-source services in a Cloud Native world (Angel Borroy López)
Presentation given at Openexpo Europe 2023:
https://openexpoeurope.com/es/session/cuando-hyland-encontro-a-alfresco-evolucion-de-servicios-de-codigo-abierto-en-un-mundo-cloud-native/
It presents an evolutionary view of document management platforms: ECM, CSP and Cloud Native.
It includes relevant information on the Alfresco, Nuxeo and Hyland Experience products.
This presentation describes how to use the BPM Engine included with Alfresco ACS repository.
All the different APIs are covered: Workflow Console UI, REST API and Java API.
Support material for the blog post available in https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-7-3-upgrading-to-transform-core-3-0-0/ba-p/315364
This presentation describes the differences between Alfresco Transform Engine and Alfresco Transform Core 3.0.0.
Deployment, configuration and extension topics for Transform Core are covered.
This document provides resources for learning Docker, including documentation, books, YouTube videos and the Docker community. It explains how to install Docker on Windows, Mac and Linux, and covers tools such as Docker Desktop and Docker Hub. It also describes the subscription plans available for Docker.
Features of Alfresco Search Services.
Features of Alfresco Search & Insight Engine.
Future plans for the product
---
DEMO GUIDE
[1] Queries: Share > Node Browser
ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'
SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')
[2] Queries: Share > JS Console
var ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
var searchService = ctxt.getBean('SearchService', Packages.org.alfresco.service.cmr.search.SearchService);
var StoreRef = Packages.org.alfresco.service.cmr.repository.StoreRef;
var SearchService = Packages.org.alfresco.service.cmr.search.SearchService;
// AFTS query through the SearchService bean; query() returns a ResultSet
var resultSet = searchService.query(
    StoreRef.STORE_REF_WORKSPACE_SPACESSTORE,
    SearchService.LANGUAGE_FTS_ALFRESCO,
    "ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'");
logger.log(resultSet.getNodeRefs());
---
var ctxt = Packages.org.springframework.web.context.ContextLoader.getCurrentWebApplicationContext();
var searchService = ctxt.getBean('SearchService', Packages.org.alfresco.service.cmr.search.SearchService);
var StoreRef = Packages.org.alfresco.service.cmr.repository.StoreRef;
var SearchService = Packages.org.alfresco.service.cmr.search.SearchService;
// Same search expressed in CMIS QL
var resultSet = searchService.query(
    StoreRef.STORE_REF_WORKSPACE_SPACESSTORE,
    SearchService.LANGUAGE_CMIS_ALFRESCO,
    "SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')");
logger.log(resultSet.getNodeRefs());
---
// Same AFTS query through the JavaScript API "search" root object
var def =
{
    query: "ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'",
    language: "fts-alfresco"
};
var results = search.query(def);
logger.log(results);
[3] Queries: api-explorer
{
  "query": {
    "language": "afts",
    "query": "ASPECT:\"cm:titled\" AND cm:title:\"*Sample\" AND TEXT:\"code\""
  }
}
---
{
  "query": {
    "language": "cmis",
    "query": "SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')"
  }
}
[4] Queries: CMIS Workbench > Groovy Console
rs = session.query("SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')", false)
for (res in rs) {
    println(res.getPropertyValueById('cmis:objectId'))
}
[5] Queries: SOLR Web Console > (alfresco) > Query
/afts
ASPECT:'cm:titled' AND cm:title:'*Sample*' AND TEXT:'code'
---
/cmis
SELECT * FROM cm:titled WHERE cm:title like '%Sample%' AND CONTAINS('code')
---
Docker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza (Angel Borroy López)
This document provides an introduction to Docker presented at a Docker Zaragoza Meetup. It discusses Docker Engine, images and containers, Docker architecture, creating images with Dockerfiles, sharing images with Docker registries like Docker Hub, and hands-on exercises using Docker Classroom and Play with Docker. The presentation introduces key Docker concepts and components to help attendees discover Docker and get started using it.
Cryptographic Stores in Alfresco
In Theory
• Electronic Certificates
• Chain of Trust
• Public and Private CAs
• Cryptographic Stores
• mTLS Protocol
In Practice
• When to use mTLS Communication
• Cryptographic Tools
• Alfresco KeyStores
• Alfresco mTLS Configuration
• Using Custom Certificates
In Panic
• Troubleshooting
Java KeyStores
$ openssl x509 -in Alfresco_Client_Alfresco_CA.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=UK, L=Maidenhead, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco CA
        Validity
            Not Before: Jun 30 09:24:08 2020 GMT
            Not After : Jun 28 09:24:08 2030 GMT
        Subject: C=GB, ST=UK, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco Repository Client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a2:89:cf:ff:8d:0b:f6:47:76:fd:66:5b:f5:b6:
                    d8:26:9f:59:b1:3d:58:39:fa:7d:38:5e:0a:61:5e:
                    5c:dd:e5:50:c2:1c:0d:99:db:26:de:f2:3b:26:47:
                    5c:d1:8a:f6:e1:a5:04:ec:7c:60:3b:2a:5c:e3:7e:
                    97:26:59:3a:ed:d7:4a:69:c0:9e:47:5b:a0:03:64:
                    73:29:35:70:70:e7:1a:a4:b7:5a:c5:a5:08:52:9b:
                    e7:95:72:7e:0d:a4:4d:b6:85:84:e7:c5:4c:7c:fc:
                    89:93:de:88:f9:c7:9b:52:1f:59:95:04:89:3a:96:
                    b9:e6:a0:e9:e3:d4:08:3a:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                84:E1:8B:E1:3C:9E:66:20:79:8F:AE:C5:9E:06:50:23:F2:54:A1:72
            X509v3 Authority Key Identifier:
                keyid:2D:AC:E1:41:70:08:36:16:3F:E5:C9:A8:0C:B1:CF:CF:6B:A4:80:BC
                DirName:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA
                serial:94:78:32:24:4E:A5:07:2B
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
         12:4d:81:49:ca:e7:00:13:2e:74:1b:2a:de:41:a5:45:79:45:
         34:1c:0b:58:30:a8:a0:a4:f2:52:36:ba:6c:e8:9b:7e:4c:15:
         87:86:56:a4:e7:38:0d:13:e5:f3:d1:23:5f:f1:28:d8:d7:d6:
         6f:a8:c9:21:ec:aa:9f:7d:4e:79:87:14:b7:d5:8f:e8:cc:67:
         2e:1b:84:fd:de:ef:ab:c2:49:e4:8f:9e:a4:2e:49:ef:75:79:
         cd:7b:e2:a9:16:c6:14:94:2a:70:9e:1e:82:d8:d7:c5:54:b5:
         30:bb:17:00:e1:86:5f:5c:c7:fe:da:12:35:6f:33:55:ca:11
Electronic Certificates: X.509 Certificate
Callouts on the slide, mapped to the fields of the certificate above:
• Issuer Name (DN): the Distinguished Name of the issuing CA
• Distinguished Name (DN) of the Subject, whose Common Name (CN) identifies the certificate holder
• Dates valid (Not Before / Not After)
• Public Key (RSA 1024 bits); the matching Private Key is not part of the certificate
• Key Usage and Policies (X509v3 extensions)
• Issuer Signature (RSA with SHA 256)
• Subject Alternative Name: this should match the Server DNS Name
• Keystore / Truststore: where the private key and the public certificates are kept
Electronic Certificates: File Format
• .pem – Base64 encoded DER certificate, password
• .cer, .crt, .der – Binary DER form, password
• .p7b, .p7c – Base64 ASCII file with PKCS#7, just for public certificate(s) or CRL(s)
• .p12 – PKCS#12, may contain certificate(s) (public) and private keys, binary format (ASN.1), password
• .pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)
-----BEGIN CERTIFICATE-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE
...
HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1
19vwF3KrjH0SGi8dEgF8iQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
...
19vwF3KrjH0SGi8dEgF8iQ==
-----END RSA PRIVATE KEY-----
-----BEGIN PKCS7-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE
...
HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1
19vwF3KrjH0SGi8dEgF8iQ==
-----END PKCS7-----
Public and Private CAs
A CA (Certificate Authority) is an entity that issues electronic certificates.
Public CA
• Trusted Third-Party for the general public, mainly oriented to end users
• Issued certificates are trusted by default in Operating Systems and Browsers
• The information and services we provide on these servers are open on the Internet
Private CA
• Trusted Third-Party for internal users and services
• Issued certificates aren’t trusted by default, so you need to configure computers and servers in order to trust them
• The information and services we provide on these servers are restricted to the Intranet
Chain of Trust
A certificate must be traceable back to the trust root it was signed with.
All public certificates in the chain [server, intermediate(s), and root] need to be present in the truststore.
• Root Certificate: A root certificate is a digital certificate that belongs to the issuing Certificate Authority.
• Intermediate Certificate(s): Intermediate certificates branch off root certificates like the branches of a tree. They act as middlemen between the protected root certificates and the server certificates issued.
• Server Certificate: The server certificate is the one issued to the specific server.
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCiic//jQv2R3b9Zlv1ttgmn1mxPVg5+n04XgphXlzd5VDCHA2Z
...
nD6OWE6wMqGqCkzz/QlGPaR4n3E4cnm8YgsCZJRwZ/Q=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIID2DCCA0GgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwfzELMAkGA1UEBhMCR0Ix
...
nh6C2NfFVLUwuxcA4YZfXMf+2hI1bzNVyhEZCQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
...
19vwF3KrjH0SGi8dEgF8iQ==
-----END CERTIFICATE-----
Cryptographic Stores
Java KeyStores are used to store key material and associated certificates.
• Each key store has an overall password used to protect the entire store, and can optionally have per-entry passwords for each secret- or private-key entry.
• Java Key Store (JKS)
  • The original Sun JKS (Java Key Store) format is a proprietary binary format file that can only store asymmetric private keys and associated X.509 certificates.
• JCE Key Store (JCEKS)
  • Sun later updated the cryptographic capabilities of the JVM with the Java Cryptography Extensions (JCE). With this they also introduced a new proprietary key store format: JCEKS.
• PKCS#12
  • Apart from these proprietary key stores, Java also supports the standard PKCS#12 format
>> In Alfresco both “keystore” and “truststore” file types are Java Keystores stored in one of the formats described above (JKS, JCEKS, PKCS12)
mTLS Protocol
Diagram on the slide: each side keeps its own Private Key and Public Key in its Keystore and the Public Key it trusts in its Truststore.
• TLS Client: Keystore (Public Key, Private Key), Truststore (Public Key)
• TLS Server: Keystore (Public Key, Private Key), Truststore (Public Key)
Exchange shown in the diagram:
1. Hello message
2. Server Public Key
3. Client Public Key
4. Key Validation
5. Encrypted Data
When to use mTLS Communication
Diagram on the slide comparing the three communication modes:
• HTTP (default): INSECURE
• HTTP protected with pass[word]
• HTTPS protected with mTLS
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-6-1-is-coming-with-mutual-tls-authentication-by-default/ba-p/287905
Cryptographic Tools
Issuing certificates
• keytool only supports self-signed certificates and a limited set of policies
• openssl allows you to create an internal CA and to issue certificates signed by this CA with a full set of policies
Managing Certificates and Java KeyStores
• Command line
  • keytool provides the ability to create Java Keystores (JKS, JCEKS, PKCS12) including public and private certificates
• Window-based programs (keytool wrappers)
  • Portecle
  • KeyStore Explorer
https://docs.oracle.com/en/java/javase/11/tools/keytool.html
https://www.openssl.org/docs/
http://portecle.sourceforge.net
https://keystore-explorer.org/index.html
Alfresco KeyStores: Repository
https://github.com/Alfresco/alfresco-ssl-generator
By default all the KeyStores are stored in JCEKS format
KeyStores and private certificates are protected by password
The aliases (ssl.repo and so on) are not significant; different ones can be used
keystore
• Not related to the mTLS configuration, but to encrypting secrets*
ssl.keystore
• ssl.repo is the private key used to sign HTTP requests
• ssl.alfresco.ca is the public key of the CA issuing the certificates
ssl.truststore
• alfresco.ca is the public key of the CA issuing the certificates
• ssl.repo.client is the public key of the certificate used by SOLR as client
* https://docs.alfresco.com/6.2/concepts/alf-keystores.html
Alfresco KeyStores: SOLR
https://github.com/Alfresco/alfresco-ssl-generator
By default all the KeyStores are stored in JCEKS format
KeyStores and private certificates are protected by password
The aliases (ssl.repo and so on) are not significant; different ones can be used
ssl-repo-client.keystore
• ssl.repo.client is the private key used to sign HTTP requests
• alfresco.ca is the public key of the CA issuing the certificates
ssl-repo-client.truststore
• ssl.alfresco.ca is the public key of the CA issuing the certificates
• ssl.repo is the public key of the certificate used by the Repository as client
• ssl.repo.client is the public key of the certificate used by SOLR as client
>> Zeppelin connects to the Alfresco Repository in the same way, so its KeyStores are the same as those of SOLR
Alfresco mTLS: Repository Properties
Apache HTTP Client in alfresco.war configuration to send HTTPS queries to SOLR
https://github.com/Alfresco/alfresco-community-repo/blob/8.307/repository/src/main/resources/alfresco/repository.properties#L719
# default keystores location
dir.keystore=classpath:alfresco/keystore
# general encryption parameters (keystore)
encryption.keySpec.class=org.alfresco.encryption.DESEDEKeyGenerator
encryption.keyAlgorithm=AES
encryption.cipherAlgorithm=AES/CBC/PKCS5Padding
# secret key keystore configuration
encryption.keystore.location=${dir.keystore}/keystore
encryption.keystore.keyMetaData.location=${dir.keystore}/keystore-passwords.properties
encryption.keystore.provider=
encryption.keystore.type=pkcs12
# ssl.keystore
encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
encryption.ssl.keystore.provider=
encryption.ssl.keystore.type=JCEKS
encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-password.properties
# ssl.truststore
encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
encryption.ssl.truststore.provider=
encryption.ssl.truststore.type=JCEKS
encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties
# SOLR configuration
solr.port.ssl=8984
solr.secureComms=https
Slide callouts:
• ENCRYPTION PROPERTIES: not related to the mTLS configuration, but required even when not using mTLS
• KEYSTORE (ssl.keystore): includes the Repository private key
• TRUSTSTORE (ssl.truststore): includes the CA public key and the SOLR client public key
• Where to set them: alfresco-global.properties (CLASSIC) or docker-compose.yml
Alfresco mTLS: Tomcat Repository Connector
Tomcat Server configuration to receive HTTPS queries from SOLR
$ cat /usr/local/tomcat/conf/server.xml
...
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           connectionTimeout="20000" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
           keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore"
           keystorePass="kT9X6oe68t" keystoreType="JCEKS"
           truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore"
           truststorePass="kT9X6oe68t" truststoreType="JCEKS">
</Connector>
</Service>
</Server>
Slide callouts:
• TOMCAT CONNECTOR: TLS configuration. Note that clientAuth="want" asks the client for a certificate but does not reject connections that present none; clientAuth="true" would require one.
• KEYSTORE (ssl.keystore): includes the Repository private key
• TRUSTSTORE (ssl.truststore): includes the CA public key and the SOLR client public key
• Where to set it: server.xml (CLASSIC) or the Dockerfile
Alfresco mTLS: SOLR Properties
Apache HTTP Client in solr.war configuration to send HTTPS indexing requests to Alfresco
https://github.com/Alfresco/SearchServices/blob/2.0.0/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties#L44
# ssl.repo.client.keystore
alfresco.encryption.ssl.keystore.type=JCEKS
alfresco.encryption.ssl.keystore.provider=
alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore
alfresco.encryption.ssl.keystore.passwordFileLocation=ssl-keystore-passwords.properties
# ssl.repo.client.truststore
alfresco.encryption.ssl.truststore.type=JCEKS
alfresco.encryption.ssl.truststore.provider=
alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore
alfresco.encryption.ssl.truststore.passwordFileLocation=ssl-truststore-passwords.properties
# Alfresco Repository configuration
alfresco.port.ssl=8443
alfresco.secureComms=https
Slide callouts:
• KEYSTORE (ssl.repo.client.keystore): includes the SOLR private key
• TRUSTSTORE (ssl.repo.client.truststore): includes the CA public key, the Repository client public key and the SOLR client public key
• Where to set them: solrcore.properties (CLASSIC)
Alfresco mTLS: Jetty SOLR Server
Jetty Server configuration to receive HTTPS queries from Alfresco
$ cat /opt/alfresco-search-services/solr.in.sh
# ssl.repo.client.keystore
SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.keystore
SOLR_SSL_KEY_STORE_TYPE=JCEKS
SOLR_SSL_KEY_STORE_PASSWORD=password
# ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.truststore
SOLR_SSL_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_TRUST_STORE_PASSWORD=password
# Jetty mTLS configuration
SOLR_SSL_NEED_CLIENT_AUTH=true
Slide callouts:
• KEYSTORE (ssl-repo-client.keystore): includes the SOLR private key
• TRUSTSTORE (ssl-repo-client.truststore): includes the CA public key, the Repository client public key and the SOLR client public key
• Where to set them: solr.in.sh or solr.in.cmd (CLASSIC)
Alfresco mTLS: SOLR Endpoints
Apache HTTP Client from alfresco.war is sending signed HTTPs requests to SOLR Jetty server
Search Queries
https://127.0.0.1:8983/solr/alfresco/afts
https://127.0.0.1:8983/solr/alfresco/browse
https://127.0.0.1:8983/solr/alfresco/cmis
https://127.0.0.1:8983/solr/alfresco/query
https://127.0.0.1:8983/solr/alfresco/select
SQL Queries
https://127.0.0.1:8983/solr/alfresco/sql
Admin Actions
https://127.0.0.1:8983/solr/admin
Alfresco mTLS: Repository Endpoints
Apache HTTP Client from solr.war is sending signed HTTPs requests to Alfresco Tomcat server
Indexing requests
https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets
https://127.0.0.1:8443/alfresco/service/api/solr/acls
https://127.0.0.1:8443/alfresco/service/api/solr/aclsReaders
https://127.0.0.1:8443/alfresco/service/api/solr/metadata
https://127.0.0.1:8443/alfresco/service/api/solr/model
https://127.0.0.1:8443/alfresco/service/api/solr/modelsdiff
https://127.0.0.1:8443/alfresco/service/api/solr/nodes
https://127.0.0.1:8443/alfresco/service/api/solr/textContent
https://127.0.0.1:8443/alfresco/service/api/solr/transactions
Alfresco mTLS: Sharding
mTLS Configuration can be applied to SOLR Shards in the same way.
• The same KeyStores can be used for every Shard
• Alternatively, a new certificate (ssl.client.repo) can be generated for each Shard
• In that case you need to add these new certificates to the Alfresco Repository truststore (ssl.truststore)
Sample configuration using DB_ID for two shards is available in:
https://github.com/aborroy/solr-sharding-docker-compose/tree/master/ssl_db_id
DEMO TIME: Using Custom Certificates
1 - Starting with a working mTLS configuration
• Docker Compose for Alfresco Repository
• ZIP Distribution file for Alfresco Search SOLR
2 - Create new KeyStores with different values
3 - Copy the new KeyStores but preserve encryption resources: keystore and keystore-passwords.properties
4 - Modify configuration in Alfresco Repository, Apache Tomcat, Alfresco Search SOLR and Jetty
• Use pkcs12 as KeyStore Type
• Use password as password for the KeyStores
CLASSIC
$ ./run.sh \
    -alfrescoversion community \
    -keysize 4096 \
    -keystoretype PKCS12 -keystorepass password \
    -truststoretype PKCS12 -truststorepass password \
    -alfrescoformat classic
https://github.com/Alfresco/alfresco-ssl-generator
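Added example, not code from the deck or from alfresco-ssl-generator: the custom-certificate flow done by hand with openssl, the tool the Cryptographic Tools slide recommends for a private CA with a full set of policies, ending in the PKCS12 keystores protected with "password" that the demo steps call for, plus the two checks that catch most troubleshooting cases (chain back to the CA, SAN matching the host, store opening with the configured password). Subject names, file names, the ssl.repo and ssl.repo.client aliases, the password and localhost are assumptions chosen to mirror the slides.

```shell
#!/bin/sh
# Added example (not the deck's code nor alfresco-ssl-generator): private CA,
# CA-signed certificates with explicit policies, and PKCS#12 keystores.
# Subject names, file names, aliases, "password" and "localhost" are assumptions.
set -e

# make_private_ca DIR : self-signed root for an internal CA (openssl's default
# "req -x509" extensions mark it CA:TRUE and add a Subject Key Identifier)
make_private_ca() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./CN=Custom Alfresco CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# issue_cert DIR NAME CN DNSNAME EKU : CSR plus a CA-signed leaf certificate.
# The extension file is the "full set of policies" keytool cannot give you:
# key usage, extended key usage and the Subject Alternative Name.
issue_cert() {
  dir=$1; name=$2; cn=$3; dns=$4; eku=$5
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=GB/ST=UK/O=Alfresco Software Ltd./CN=$cn" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
  cat > "$dir/$name.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=$eku
subjectAltName=DNS:$dns
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
  openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
}

# verify_leaf DIR NAME HOST : 0 only if the certificate chains back to ca.pem
# (the chain-of-trust check) and its SAN matches HOST (the DNS name check)
verify_leaf() {
  dir=$1; name=$2; host=$3
  openssl verify -CAfile "$dir/ca.pem" "$dir/$name.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$name.pem" -noout -checkhost "$host" 2>/dev/null \
    | grep -q "does match"
}

# build_keystore DIR NAME ALIAS PASS : private key + certificate + CA chain in
# one PKCS#12 file, the format used when the store type is set to pkcs12
build_keystore() {
  dir=$1; name=$2; alias=$3; pass=$4
  openssl pkcs12 -export -in "$dir/$name.pem" -inkey "$dir/$name.key" \
    -certfile "$dir/ca.pem" -name "$alias" -passout "pass:$pass" \
    -out "$dir/$name.p12" 2>/dev/null
}

# open_keystore FILE PASS : 0 only if the store's integrity MAC verifies with
# PASS, i.e. the password in the configuration matches the file on disk
open_keystore() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout 2>/dev/null
}

main() {
  dir=${1:-./custom-keystores}
  make_private_ca "$dir"
  # Repository side: the Tomcat connector on 8443 presents ssl.repo
  issue_cert "$dir" ssl.repo "Custom Alfresco Repository" localhost serverAuth,clientAuth
  # SOLR side: the HTTP client presents ssl.repo.client when indexing
  issue_cert "$dir" ssl.repo.client "Custom Alfresco Repository Client" localhost clientAuth
  verify_leaf "$dir" ssl.repo localhost
  verify_leaf "$dir" ssl.repo.client localhost
  build_keystore "$dir" ssl.repo ssl.repo password
  build_keystore "$dir" ssl.repo.client ssl.repo.client password
  open_keystore "$dir/ssl.repo.p12" password
  echo "CA, certificates and PKCS#12 keystores written to $dir"
}

main "$@"
```

OpenSSL 3 exports PKCS#12 with PBES2/AES-256 by default; if an older JDK cannot read the store, the `-legacy` option of `openssl pkcs12 -export` produces the older encoding.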
Common mistakes: Searching
If you are experiencing problems when searching from Alfresco, Share or from the REST API:
• Review Alfresco Repository configuration > alfresco-global.properties
• Review SOLR Jetty configuration > solr.in.sh|solr.in.cmd
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
# alfresco-global.properties (Alfresco Repository)
solr.port.ssl=8983
solr.secureComms=https
dir.keystore=/usr/local/tomcat/alf_data/keystore
# ssl.keystore
encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
encryption.ssl.keystore.type=JCEKS
encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-passwords.properties
# ssl.truststore
encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
encryption.ssl.truststore.type=JCEKS
encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties

# solr.in.sh | solr.in.cmd (SOLR Jetty)
SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE_PASSWORD=kT9X6oe68t
SOLR_SSL_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
SOLR_SSL_KEY_STORE_PASSWORD=kT9X6oe68t
SOLR_SSL_KEY_STORE_TYPE=JCEKS
SOLR_SSL_NEED_CLIENT_AUTH=true
Common mistakes: Indexing
If you are experiencing problems when indexing from SOLR:
• Review Alfresco Tomcat configuration > server.xml
• Review SOLR properties configuration > solrcore.properties
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
<!-- server.xml (Alfresco Tomcat) -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           connectionTimeout="20000"
           SSLEnabled="true" maxThreads="150" scheme="https"
           keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore"
           keystorePass="kT9X6oe68t" keystoreType="JCEKS" secure="true"
           truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore"
           truststorePass="kT9X6oe68t" truststoreType="JCEKS" clientAuth="want" sslProtocol="TLS">
</Connector>

# solrcore.properties (SOLR core)
alfresco.secureComms=https
alfresco.port.ssl=8443
alfresco.encryption.ssl.keystore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
alfresco.encryption.ssl.keystore.type=
alfresco.encryption.ssl.keystore.provider=JCEKS
alfresco.encryption.ssl.keystore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-keystore-passwords.properties
alfresco.encryption.ssl.truststore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
alfresco.encryption.ssl.truststore.type=
alfresco.encryption.ssl.truststore.provider=JCEKS
alfresco.encryption.ssl.truststore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-truststore-passwords.properties
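A way to catch the mismatches behind both "Common mistakes" slides before restarting anything, as an added example that is not part of the original deck nor of Alfresco's own tooling: a Python script that parses the four files named above (alfresco-global.properties, solr.in.sh, server.xml, solrcore.properties) and cross-checks protocol, port, client-auth and store-type settings in both directions. Property keys and paths are the ones shown on the slides; the sample file contents are constructed inline, and the rule that every store declares the same type follows the demo's "use pkcs12 as KeyStore Type" for all stores.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple


def parse_properties(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines from a Java .properties file or a solr.in.sh file.
    Blank lines and '#' comments are skipped; ${name} references are expanded
    from keys in the same file (e.g. ${dir.keystore} in alfresco-global.properties)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().strip('"')
    ref = re.compile(r"\$\{([^}]+)\}")
    return {k: ref.sub(lambda m: props.get(m.group(1), m.group(0)), v) for k, v in props.items()}


def parse_ssl_connector(server_xml: str) -> Dict[str, str]:
    """Return the attributes of the first SSLEnabled <Connector> in a server.xml fragment."""
    root = ET.fromstring(server_xml)
    connectors = [root] if root.tag == "Connector" else list(root.iter("Connector"))
    for conn in connectors:
        if conn.get("SSLEnabled", "false").lower() == "true":
            return dict(conn.attrib)
    return {}


# Where each file declares its store types. The generator builds every store with
# a single type, so all declared values are expected to agree.
STORE_TYPE_KEYS = {
    "alfresco-global.properties": ("encryption.ssl.keystore.type", "encryption.ssl.truststore.type"),
    "solr.in.sh": ("SOLR_SSL_KEY_STORE_TYPE", "SOLR_SSL_TRUST_STORE_TYPE"),
    "server.xml": ("keystoreType", "truststoreType"),
    "solrcore.properties": ("alfresco.encryption.ssl.keystore.type", "alfresco.encryption.ssl.truststore.type"),
}


def check_mtls(global_props: Dict[str, str], solr_in: Dict[str, str],
               connector: Dict[str, str], solrcore: Dict[str, str]) -> List[str]:
    """Cross-check both directions of the mTLS setup. Returns findings; empty means consistent."""
    findings: List[str] = []
    # Searching: Repository HttpClient -> SOLR Jetty
    if global_props.get("solr.secureComms") != "https":
        findings.append("alfresco-global.properties: solr.secureComms is not https")
    if solr_in.get("SOLR_SSL_NEED_CLIENT_AUTH", "").lower() != "true":
        findings.append("solr.in.sh: SOLR_SSL_NEED_CLIENT_AUTH is not true (Jetty will not demand the repository certificate)")
    # Indexing: SOLR HttpClient -> Repository Tomcat
    if solrcore.get("alfresco.secureComms") != "https":
        findings.append("solrcore.properties: alfresco.secureComms is not https")
    if not connector:
        findings.append("server.xml: no SSLEnabled Connector found")
    else:
        if solrcore.get("alfresco.port.ssl") != connector.get("port"):
            findings.append("port mismatch: solrcore.properties alfresco.port.ssl=%s vs server.xml Connector port=%s"
                            % (solrcore.get("alfresco.port.ssl"), connector.get("port")))
        if connector.get("clientAuth", "false").lower() not in ("want", "true"):
            findings.append("server.xml: clientAuth is not want/true (Tomcat will not ask SOLR for its certificate)")
    # Store types across all four files
    sources = {"alfresco-global.properties": global_props, "solr.in.sh": solr_in,
               "server.xml": connector, "solrcore.properties": solrcore}
    declared = {f"{name}:{key}": sources[name][key].upper()
                for name, keys in STORE_TYPE_KEYS.items() for key in keys if sources[name].get(key)}
    if len(set(declared.values())) > 1:
        findings.append("store type mismatch: " + ", ".join(f"{k}={v}" for k, v in sorted(declared.items())))
    return findings


# Constructed sample inputs; keys and paths follow the slides, passwords omitted.
GLOBAL_PROPS = """
solr.port.ssl=8983
solr.secureComms=https
dir.keystore=/usr/local/tomcat/alf_data/keystore
encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
encryption.ssl.keystore.type=JCEKS
encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
encryption.ssl.truststore.type=JCEKS
"""
SOLR_IN = """
SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
SOLR_SSL_KEY_STORE_TYPE=JCEKS
SOLR_SSL_NEED_CLIENT_AUTH=true
"""
SERVER_XML = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
  SSLEnabled="true" scheme="https" secure="true" keystoreType="JCEKS"
  truststoreType="JCEKS" clientAuth="want" sslProtocol="TLS"/>"""
SOLRCORE = """
alfresco.secureComms=https
alfresco.port.ssl=8443
alfresco.encryption.ssl.keystore.type=JCEKS
alfresco.encryption.ssl.truststore.type=JCEKS
"""


def run_samples() -> Tuple[List[str], List[str]]:
    """Check the consistent sample, then the same files with four typical mistakes introduced."""
    good = check_mtls(parse_properties(GLOBAL_PROPS), parse_properties(SOLR_IN),
                      parse_ssl_connector(SERVER_XML), parse_properties(SOLRCORE))
    bad = check_mtls(parse_properties(GLOBAL_PROPS),
                     parse_properties(SOLR_IN.replace("NEED_CLIENT_AUTH=true", "NEED_CLIENT_AUTH=false")
                                      .replace("KEY_STORE_TYPE=JCEKS", "KEY_STORE_TYPE=PKCS12")),
                     parse_ssl_connector(SERVER_XML.replace('clientAuth="want"', 'clientAuth="false"')),
                     parse_properties(SOLRCORE.replace("port.ssl=8443", "port.ssl=8444")))
    return good, bad


if __name__ == "__main__":
    good, bad = run_samples()
    print("consistent sample:", good or "no findings")
    print("broken sample:")
    for finding in bad:
        print(" -", finding)
```

To use it on a real installation, read the four files from disk and pass their contents to the parsers; the checker only compares the declared values and never opens the keystores, so a clean result still has to be followed by the cURL tests on the next slide.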
Troubleshooting: cURL
Testing the configuration with cURL
Extract the ssl.repo.client certificate from keystores/solr/ssl.repo.client.keystore in PEM format and present it as client certificate to the Repository:
$ curl -k -v --cert Custom_Alfresco_Repository_Client_Custom_Alfresco_CA.pem \
  "https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets?fromTime=0&toTime=1603454490108&maxResults=2000"
In the other direction, extract the ssl.repo certificate from keystores/alfresco/ssl.keystore in PEM format and present it to SOLR:
$ curl -k -v --cert Custom_Alfresco_Repository_Custom_Alfresco_CA.pem \
  "https://127.0.0.1:8983/solr/alfresco/select?indent=on&q=@sys:node-dbid:101&wt=json"
Note that -k skips verification of the server certificate, so a successful response only proves that the client certificate is accepted; replace -k with --cacert pointing at the CA certificate to verify the server side as well.