SlideShare ist ein Scribd-Unternehmen logo

Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Configuration

Angel Borroy López
Angel Borroy López

n this session, we'll simplify the complexities of configuring and troubleshooting mutual TLS (mTLS) within Alfresco environments. Attendees will gain practical insights into certificate management, trust validation, and common challenges encountered during configuration. We'll showcase and provide custom tools for troubleshooting during the session. These tools can be used with ZIP, Ansible, Docker and Kubernetes deployments. Event description available in https://hub.alfresco.com/t5/news-announcements/ttl-157-troubleshooting-made-easy-deciphering-alfresco-s-mtls/ba-p/319735/jump-to/first-unread-message

Software
1 von 34
Downloaden Sie, um offline zu lesen
April 17, 2024 ©2024 Hyland Software, Inc. and its affiliates. All rights reserved. All Hyland product names are registered or unregistered trademarks of Hyland Software, Inc. or its affiliates in the United States and other countries. TTL #157 Troubleshooting Made Easy: Deciphering Alfresco’s mTLS Configuration Angel Borroy Developer Evangelist
• Alfresco mTLS • Cryptographic Best Practices • Communication Repository <> Search • Troubleshooting Tools • Hands on, using EC certificates Agenda
Alfresco mTLS
Alfresco mTLS Transform COMMUNITY UI DB Web Proxy CA keystore Search Repository
Alfresco mTLS Messaging Transform ENTERPRISE UI DB Web Proxy CA keystore Search* Repository * When using Search Enterprise with Elasticsearch or OpenSearch
A Closer Look Alfresco Service TLS Protocol client server TLS Protocol CA keystore KEY keystore TRUST … … Self-Signed Public Authority
Cryptographic Best Practices
General Guidelines SSL TLSv1.0 TLSv1.1 TLSv1.2* TLSv1.3 JCEKS JKS PKCS12 RSA 2048 bits ECDSA 224 bits • Server Authentication • Client Authentication OpenSSL alfresco-ssl-generator Let’s Encrypt
TLS Protocol TLS Protocol client server TLS Protocol Use TLSv1.3 • Apache Tomcat, set protocols to TLSv1.3 in Connector.SSLHostConfig • Jetty, set TLSv1.3 in Java property jdk.tls.client.protocols • Spring Boot, set TLSv1.3 in SERVER_SSL_ENABLED_PROTOCOLS Alternatively use TLS 1.2 with ECDHE and AES-GCM hardcoded • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 When multiple TLS versions are available in the server, the client will select one • The default for security handshakes in JDK 17 is TLS 1.3
Keystore Type and Certificates Use Keystore Type PKCS12 • Avoid using non-standard formats like JKS or JCEKS Certificates • Algorithm • RSA, widely supported across different platforms and libraries • ECDSA, equivalent security with shorter key length, more performant and efficient for mTLS • Minimum key length • 2048 bits for RSA • 224 bits for EC • Usage • Server Authentication – OID 1.3.6.1.5.5.7.3.1 • Client Authentication – OID 1.3.6.1.5.5.7.3.2 keystore KEY keystore TRUST … …
Certificate Authority Self-Signed • Use Alfresco SSL Generator project, which depends on OpenSSL for certificate generation • Use alternative software able to issue certificates according with the previous recommendations • Later in this session, smallstep will be used Public Authority • Use OpenSSL with Let’s Encrypt, set up a cron job to re-fetch certificates regularly • Requires active Internet connection to Alfresco containers • Use a web hosting provider, like AWS CA Self-Signed Public Authority
Comm Repository <> Search
mTLS between Repository and Search CA Search Repository
Use community.sh script from Alfresco SSL Generator $ ./community.sh $ tree keystores keystores ├── alfresco │ ├── ssl.keystore │ └── ssl.truststore ├── solr │ ├── ssl.repo.client.keystore │ └── ssl.repo.client.truststore └── client └── browser.p12 Creating Certificates and Keystores Solr Admin Web Console
Repository Keystores $ keytool -v -list -keystore keystores/alfresco/ssl.truststore Alias name: alfresco.ca Owner: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Alias name: ssl.repo.client Owner: CN=Search, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US $ keytool -v -list -keystore keystores/alfresco/ssl.keystore Alias name: ssl.repo Owner: CN=Repository, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US RSA 2048 bits • Server Authentication • Client Authentication
Repository Configuration (server) Add following Connector to ${TOMCAT_DIR}/conf/server.xml file <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" defaultSSLHostConfigName="localhost"> <SSLHostConfig hostName="localhost" protocols="TLSv1.3" certificateVerification="required" truststoreFile="ssl.truststore" truststorePassword="truststore" truststoreType="PKCS12"> <Certificate certificateKeystoreFile="ssl.keystore" certificateKeyAlias="ssl.repo" type="RSA" certificateKeystorePassword="keystore" certificateKeystoreType="PKCS12"/> </SSLHostConfig> </Connector>
Repository Configuration (client) Add environment variables containing passwords -Dssl-keystore.password=keystore -Dssl-truststore.password=truststore Set Alfresco Repository Java Properties solr.host=localhost solr.port.ssl=8983 solr.secureComms=https encryption.ssl.keystore.type=PKCS12 encryption.ssl.keystore.location=/usr/local/tomcat/keystore/ssl.keystore encryption.ssl.truststore.type=PKCS12 encryption.ssl.truststore.location=/usr/local/tomcat/keystore/ssl.truststore When using the same password for keystore and keys, no aliases setting is required
Search Keystores $ keytool -v -list -keystore keystores/solr/ssl.repo.client.truststore Alias name: ssl.repo Owner: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Alias name: alfresco.ca Owner: CN=Repository, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US $ keytool -v -list -keystore keystores/solr/ssl.repo.client.keystore Alias name: ssl.repo.client Owner: CN=Search, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US RSA 2048 bits • Server Authentication • Client Authentication
Search Configuration (server) Java Environment Variables -Dsolr.jetty.truststore.password=truststore -Dsolr.jetty.keystore.password=keystore -Djdk.tls.client.protocols=TLSv1.3 OS Environment Variables (or modify solr.in.[sh|cmd] file) SOLR_SSL_KEY_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.keystore" SOLR_SSL_KEY_STORE_PASSWORD: "keystore" SOLR_SSL_KEY_STORE_TYPE: "PKCS12" SOLR_SSL_TRUST_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.truststore" SOLR_SSL_TRUST_STORE_PASSWORD: "truststore" SOLR_SSL_TRUST_STORE_TYPE: "PKCS12" SOLR_SSL_NEED_CLIENT_AUTH: "true"
Search Configuration (client) Add environment variables containing passwords -Dssl-keystore.password=keystore -Dssl-truststore.password=truststore Set solrcore.properties Java Properties (in each core or in template) alfresco.host=localhost alfresco.port=8443 alfresco.secureComms=https alfresco.encryption.ssl.keystore.location=/opt/alfresco-search- services/keystore/ssl.repo.client.keystore alfresco.encryption.ssl.keystore.type=PKCS12 alfresco.encryption.ssl.truststore.location=/opt/alfresco-search- services/keystore/ssl.repo.client.truststore alfresco.encryption.ssl.truststore.type=PKCS12 When using the same password for keystore and keys, no aliases setting is required
Sample deployment with Docker Compose https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/docker
Troubleshooting tools
Available tools Transform UI DB Web Proxy Search Repository alfresco-http-java-client solr-http-java-client mtls-conf-app https://github.com/aborroy/alfresco-mtls-debugging-kit
Alfresco Repository Admin Web Console Deploy as addon alfresco-http-java-client.jar crypto-utils.jar Source code https://github.com/aborroy/alfresco-mtls-debugging- kit/tree/main/addons/alfresco-http-java-client App URL http://localhost:8080/alfresco/s/admin/admin-search-client Credentials ADMINISTRATOR, default admin/admin
Alfresco Search Services Solr REST API Action Deploy as plugin alfresco-http-java-client.jar solr-http-java-client.jar config/solr.xml Source code https://github.com/aborroy/alfresco-mtls-debugging- kit/tree/main/addons/solr-http-java-client App URL https://localhost:8983/solr/admin/cores?action=HTTP- CLIENT&coreName=alfresco Credentials Client certificate, like browser.p12
Command line Spring Boot command line application Run as program $ java -jar target/mtls-conf-app.jar ERRORS for ENDPOINT: Current truststore seems to be wrong. It does not include TRUST certificates provided by the endpoint. ERRORS DETAIL: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Source code https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/apps/mtls-conf-app
Hands on, using EC certificates
Lab Use ECC 256 bits certificates for ECDSA with step-ca • Around 10% faster than RSA 2048 bits for Alfresco mTLS • Less bandwidth consumption • Higher security (as RSA 2048 is equivalent to ECC 224) Source code: https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/step-ca # Start step-ca container, default CA will be created in “step” folder $ docker compose up # Install step CLI $ brew install step # Get CA password $ cat step/secrets/password ZuSJLBo6uRtlvzGe0z1i5ReqU2tpncl19RBUIf5V
Lab # Create a certificate for alfresco, use “keystore” password to protect the key $ step certificate create alfresco alfresco.crt alfresco.key --profile leaf --not-after=8760h --bundle --ca step/certs/root_ca.crt --ca-key step/secrets/root_ca_key # Create a certificate for solr, use “keystore” password to protect the key $ step certificate create solr solr.crt solr.key --profile leaf --not-after=8760h --bundle --ca step/certs/root_ca.crt --ca-key step/secrets/root_ca_key
Lab # Build Keystore and Truststore for alfresco $ openssl pkcs12 -export -in alfresco.crt -inkey alfresco.key -out alfresco.pkcs12 -name alfresco -noiter -nomaciter $ keytool -import -alias solr -file solr.crt -keystore alfresco-truststore.pkcs12 -storetype PKCS12 -storepass truststore $ keytool -import -alias ca -file step/certs/root_ca.crt -keystore alfresco-truststore.pkcs12 -storetype PKCS12 -storepass truststore # Build Keystore and Truststore for solr $ openssl pkcs12 -export -in solr.crt -inkey solr.key -out solr.pkcs12 -name solr -noiter -nomaciter $ keytool -import -alias alfresco -file alfresco.crt -keystore solr-truststore.pkcs12 -storetype PKCS12 -storepass truststore $ keytool -import -alias ca -file step/certs/root_ca.crt -keystore solr-truststore.pkcs12 -storetype PKCS12 -storepass truststore
Lab # Get alfresco client certificate to access Solr (or re-use alfresco.pkcs12) $ openssl pkcs12 -export -out browser.p12 -inkey alfresco.key -in alfresco.crt # Modify compose.yaml to use the new keystores Alfresco • keystore=alfresco.pkcs12 • truststore=alfresco-truststore.pkcs12 • cert-alias=alfresco • cert-type=EC Solr • keystore=solr.pkcs12 • truststore=solr-truststore.pkcs12
Lab # Bonus verification $ nmap --script ssl-enum-ciphers -p 8983 localhost | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) | TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) $ nmap --script ssl-enum-ciphers -p 8443 localhost | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) Cryptographic Best Practices
Thanks!

Empfohlen

OCI Oracle Functions Deployment
OCI Oracle Functions Deployment OCI Oracle Functions Deployment
OCI Oracle Functions Deployment Toni Epple
 
Intro to Alfresco for Developers
Intro to Alfresco for DevelopersIntro to Alfresco for Developers
Intro to Alfresco for DevelopersJeff Potts
 
Bee con2016 presentation_20160125004_installing
Bee con2016 presentation_20160125004_installingBee con2016 presentation_20160125004_installing
Bee con2016 presentation_20160125004_installingAngel Borroy López
 
Stups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSStups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSJan Löffler
 
Building Content-Rich Java Apps in the Cloud with the Alfresco API
Building Content-Rich Java Apps in the Cloud with the Alfresco APIBuilding Content-Rich Java Apps in the Cloud with the Alfresco API
Building Content-Rich Java Apps in the Cloud with the Alfresco APIJeff Potts
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
How to debug IoT Agents
How to debug IoT AgentsHow to debug IoT Agents
How to debug IoT AgentsFernando Lopez Aguilar
 
How to create a multi tenancy for an interactive data analysis
How to create a multi tenancy for an interactive data analysisHow to create a multi tenancy for an interactive data analysis
How to create a multi tenancy for an interactive data analysisTiago Simões
 

Empfohlen

OCI Oracle Functions Deployment
OCI Oracle Functions Deployment OCI Oracle Functions Deployment
OCI Oracle Functions Deployment Toni Epple
 
Intro to Alfresco for Developers
Intro to Alfresco for DevelopersIntro to Alfresco for Developers
Intro to Alfresco for DevelopersJeff Potts
 
Bee con2016 presentation_20160125004_installing
Bee con2016 presentation_20160125004_installingBee con2016 presentation_20160125004_installing
Bee con2016 presentation_20160125004_installingAngel Borroy López
 
Stups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSStups.io - an Open Source Cloud Framework for AWS
Stups.io - an Open Source Cloud Framework for AWSJan Löffler
 
Building Content-Rich Java Apps in the Cloud with the Alfresco API
Building Content-Rich Java Apps in the Cloud with the Alfresco APIBuilding Content-Rich Java Apps in the Cloud with the Alfresco API
Building Content-Rich Java Apps in the Cloud with the Alfresco APIJeff Potts
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
How to debug IoT Agents
How to debug IoT AgentsHow to debug IoT Agents
How to debug IoT AgentsFernando Lopez Aguilar
 
How to create a multi tenancy for an interactive data analysis
How to create a multi tenancy for an interactive data analysisHow to create a multi tenancy for an interactive data analysis
How to create a multi tenancy for an interactive data analysisTiago Simões
 
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...Microsoft Technet France
 
Alfresco for Salesforce
Alfresco for SalesforceAlfresco for Salesforce
Alfresco for SalesforceJared Ottley
 
Alfresco Certificates
Alfresco Certificates Alfresco Certificates
Alfresco Certificates Angel Borroy López
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New InfrastructureAmazon Web Services
 
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseHow to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseAngel Borroy López
 
Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Ben Hall
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017Toni de la Fuente
 
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...Jan Löffler
 
Azure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
Azure Bootcamp 2016 - Docker Orchestration on Azure with RancherAzure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
Azure Bootcamp 2016 - Docker Orchestration on Azure with RancherKarim Vaes
 
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...Amazon Web Services
 
Terraform - Taming Modern Clouds
Terraform - Taming Modern CloudsTerraform - Taming Modern Clouds
Terraform - Taming Modern CloudsNic Jackson
 
Intro To Alfresco Part 1
Intro To Alfresco Part 1Intro To Alfresco Part 1
Intro To Alfresco Part 1Jeff Potts
 
Usint Charles Proxy to understand REST
Usint Charles Proxy to understand RESTUsint Charles Proxy to understand REST
Usint Charles Proxy to understand RESTAnatoliy Odukha
 
OpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanOpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanAlex Ellis
 
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...Ivanti
 
Better Operations into the Cloud
Better Operations into the CloudBetter Operations into the Cloud
Better Operations into the CloudFabio Ferrari
 
Rhel5
Rhel5Rhel5
Rhel5Yash Gulati
 
Jfrog artifactory as private docker registry
Jfrog artifactory as private docker registryJfrog artifactory as private docker registry
Jfrog artifactory as private docker registryVipin Mandale
 
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Docker, Inc.
 
Transitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearchTransitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearchAngel Borroy López
 
Alfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 EuropeAlfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 EuropeAngel Borroy López
 

Weitere ähnliche Inhalte

Ähnlich wie Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Configuration

[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...Microsoft Technet France
 
Alfresco for Salesforce
Alfresco for SalesforceAlfresco for Salesforce
Alfresco for SalesforceJared Ottley
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New InfrastructureAmazon Web Services
 
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseHow to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseAngel Borroy López
 
Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Ben Hall
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017Toni de la Fuente
 
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...Jan Löffler
 
Azure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
Azure Bootcamp 2016 - Docker Orchestration on Azure with RancherAzure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
Azure Bootcamp 2016 - Docker Orchestration on Azure with RancherKarim Vaes
 
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...Amazon Web Services
 
Terraform - Taming Modern Clouds
Terraform - Taming Modern CloudsTerraform - Taming Modern Clouds
Terraform - Taming Modern CloudsNic Jackson
 
Intro To Alfresco Part 1
Intro To Alfresco Part 1Intro To Alfresco Part 1
Intro To Alfresco Part 1Jeff Potts
 
Usint Charles Proxy to understand REST
Usint Charles Proxy to understand RESTUsint Charles Proxy to understand REST
Usint Charles Proxy to understand RESTAnatoliy Odukha
 
OpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanOpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanAlex Ellis
 
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...Ivanti
 
Better Operations into the Cloud
Better Operations into the CloudBetter Operations into the Cloud
Better Operations into the CloudFabio Ferrari
 
Jfrog artifactory as private docker registry
Jfrog artifactory as private docker registryJfrog artifactory as private docker registry
Jfrog artifactory as private docker registryVipin Mandale
 
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Docker, Inc.
 

Ähnlich wie Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Configuration (20)

[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
[AzureCamp 24 Juin 2014] Des services en frontal par Benjamin Guinebertière e...
 
Alfresco for Salesforce
Alfresco for SalesforceAlfresco for Salesforce
Alfresco for Salesforce
 
Alfresco Certificates
Alfresco Certificates Alfresco Certificates
Alfresco Certificates
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure(ARC401) Cloud First: New Architecture for New Infrastructure
(ARC401) Cloud First: New Architecture for New Infrastructure
 
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterpriseHow to migrate from Alfresco Search Services to Alfresco SearchEnterprise
How to migrate from Alfresco Search Services to Alfresco SearchEnterprise
 
Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017
 
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
GOTO Copenhagen - Radical Agility with Autonomous Teams and Microservices in ...
 
Azure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
Azure Bootcamp 2016 - Docker Orchestration on Azure with RancherAzure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
Azure Bootcamp 2016 - Docker Orchestration on Azure with Rancher
 
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...
 
Terraform - Taming Modern Clouds
Terraform - Taming Modern CloudsTerraform - Taming Modern Clouds
Terraform - Taming Modern Clouds
 
Intro To Alfresco Part 1
Intro To Alfresco Part 1Intro To Alfresco Part 1
Intro To Alfresco Part 1
 
Usint Charles Proxy to understand REST
Usint Charles Proxy to understand RESTUsint Charles Proxy to understand REST
Usint Charles Proxy to understand REST
 
OpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - MilanOpenFaaS JeffConf 2017 - Milan
OpenFaaS JeffConf 2017 - Milan
 
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
 
Better Operations into the Cloud
Better Operations into the CloudBetter Operations into the Cloud
Better Operations into the Cloud
 
Rhel5
Rhel5Rhel5
Rhel5
 
Jfrog artifactory as private docker registry
Jfrog artifactory as private docker registryJfrog artifactory as private docker registry
Jfrog artifactory as private docker registry
 
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
 

Mehr von Angel Borroy López

Transitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearchTransitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearchAngel Borroy López
 
Alfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 EuropeAlfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 EuropeAngel Borroy López
 
Using Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherUsing Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherAngel Borroy López
 
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Angel Borroy López
 
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1Angel Borroy López
 
Docker Init with Templates for Alfresco
Docker Init with Templates for AlfrescoDocker Init with Templates for Alfresco
Docker Init with Templates for AlfrescoAngel Borroy López
 
Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0Angel Borroy López
 
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud NativeCSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud NativeAngel Borroy López
 
Alfresco Embedded Activiti Engine
Alfresco Embedded Activiti EngineAlfresco Embedded Activiti Engine
Alfresco Embedded Activiti EngineAngel Borroy López
 
Collaborative Editing Tools for Alfresco
Collaborative Editing Tools for AlfrescoCollaborative Editing Tools for Alfresco
Collaborative Editing Tools for AlfrescoAngel Borroy López
 
Desarrollando una Extensión para Docker
Desarrollando una Extensión para DockerDesarrollando una Extensión para Docker
Desarrollando una Extensión para DockerAngel Borroy López
 
DockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdfDockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdfAngel Borroy López
 
Deploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP PlatformsDeploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP PlatformsAngel Borroy López
 
Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0Angel Borroy López
 
(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in AlfrescoAngel Borroy López
 
A Practical Introduction to Apache Solr
A Practical Introduction to Apache SolrA Practical Introduction to Apache Solr
A Practical Introduction to Apache SolrAngel Borroy López
 

Mehr von Angel Borroy López (20)

Transitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearchTransitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearch
 
Alfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 EuropeAlfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 Europe
 
Using Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherUsing Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms together
 
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
 
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
 
Docker Init with Templates for Alfresco
Docker Init with Templates for AlfrescoDocker Init with Templates for Alfresco
Docker Init with Templates for Alfresco
 
Before & After Docker Init
Before & After Docker InitBefore & After Docker Init
Before & After Docker Init
 
Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0
 
Using Podman with Alfresco
Using Podman with AlfrescoUsing Podman with Alfresco
Using Podman with Alfresco
 
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud NativeCSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
 
Alfresco Embedded Activiti Engine
Alfresco Embedded Activiti EngineAlfresco Embedded Activiti Engine
Alfresco Embedded Activiti Engine
 
Alfresco Transform Core 3.0.0
Alfresco Transform Core 3.0.0Alfresco Transform Core 3.0.0
Alfresco Transform Core 3.0.0
 
Collaborative Editing Tools for Alfresco
Collaborative Editing Tools for AlfrescoCollaborative Editing Tools for Alfresco
Collaborative Editing Tools for Alfresco
 
Desarrollando una Extensión para Docker
Desarrollando una Extensión para DockerDesarrollando una Extensión para Docker
Desarrollando una Extensión para Docker
 
DockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdfDockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdf
 
Deploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP PlatformsDeploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP Platforms
 
Introduction to AWS
Introduction to AWSIntroduction to AWS
Introduction to AWS
 
Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0Discovering the 2 in Alfresco Search Services 2.0
Discovering the 2 in Alfresco Search Services 2.0
 
(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco
 
A Practical Introduction to Apache Solr
A Practical Introduction to Apache SolrA Practical Introduction to Apache Solr
A Practical Introduction to Apache Solr
 

Kürzlich hochgeladen

Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfMicrosoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfQ-Advise
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletAndrea Goulet
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Andrea Goulet
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignNeo4j
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Chirag Panchal
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024SimonedeGijt
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems ApproachKLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems ApproachNeo4j
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Andreas Granig
 
Sourcing Success - How to Find a Clothing Manufacturer
Sourcing Success - How to Find a Clothing ManufacturerSourcing Success - How to Find a Clothing Manufacturer
Sourcing Success - How to Find a Clothing ManufacturerWave PLM
 
Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdftimtebeek1
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfSrushith Repakula
 
The Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion ProductionThe Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion ProductionWave PLM
 
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...OnePlan Solutions
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)Roberto Bettazzoni
 
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...naitiksharma1124
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfsteffenkarlsson2
 
Workforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfWorkforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfDeskTrack
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfkalichargn70th171
 
Malaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptxMalaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptxMok TH
 

Kürzlich hochgeladen (20)

Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfMicrosoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea Goulet
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems ApproachKLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
What is an API Development- Definition, Types, Specifications, Documentation.pdf
What is an API Development- Definition, Types, Specifications, Documentation.pdfWhat is an API Development- Definition, Types, Specifications, Documentation.pdf
What is an API Development- Definition, Types, Specifications, Documentation.pdf
 
Sourcing Success - How to Find a Clothing Manufacturer
Sourcing Success - How to Find a Clothing ManufacturerSourcing Success - How to Find a Clothing Manufacturer
Sourcing Success - How to Find a Clothing Manufacturer
 
Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdf
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdf
 
The Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion ProductionThe Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion Production
 
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)
 
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
 
Workforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfWorkforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdf
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
 
Malaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptxMalaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptx
 

Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Configuration

  • 1.
  • 2. April 17, 2024 ©2024 Hyland Software, Inc. and its affiliates. All rights reserved. All Hyland product names are registered or unregistered trademarks of Hyland Software, Inc. or its affiliates in the United States and other countries. TTL #157 Troubleshooting Made Easy: Deciphering Alfresco’s mTLS Configuration Angel Borroy Developer Evangelist
  • 3. • Alfresco mTLS • Cryptographic Best Practices • Communication Repository <> Search • Troubleshooting Tools • Hands on, using EC certificates Agenda
  • 6. Alfresco mTLS Messaging Transform ENTERPRISE UI DB Web Proxy CA keystore Search* Repository * When using Search Enterprise with Elasticsearch or OpenSearch
  • 7. A Closer Look Alfresco Service TLS Protocol client server TLS Protocol CA keystore KEY keystore TRUST … … Self-Signed Public Authority
  • 9. General Guidelines SSL TLSv1.0 TLSv1.1 TLSv1.2* TLSv1.3 JCEKS JKS PKCS12 RSA 2048 bits ECDSA 224 bits • Server Authentication • Client Authentication OpenSSL alfresco-ssl-generator Let’s Encrypt
  • 10. TLS Protocol TLS Protocol client server TLS Protocol Use TLSv1.3 • Apache Tomcat, set protocols to TLSv1.3 in Connector.SSLHostConfig • Jetty, set TLSv1.3 in Java property jdk.tls.client.protocols • Spring Boot, set TLSv1.3 in SERVER_SSL_ENABLED_PROTOCOLS Alternatively use TLS 1.2 with ECDHE and AES-GCM hardcoded • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 When multiple TLS versions are available in the server, the client will select one • The default for security handshakes in JDK 17 is TLS 1.3
  • 11. Keystore Type and Certificates Use Keystore Type PKCS12 • Avoid using non-standard formats like JKS or JCEKS Certificates • Algorithm • RSA, widely supported across different platforms and libraries • ECDSA, equivalent security with shorter key length, more performant and efficient for mTLS • Minimum key length • 2048 bits for RSA • 224 bits for EC • Usage • Server Authentication – OID 1.3.6.1.5.5.7.3.1 • Client Authentication – OID 1.3.6.1.5.5.7.3.2 keystore KEY keystore TRUST … …
  • 12. Certificate Authority Self-Signed • Use Alfresco SSL Generator project, which depends on OpenSSL for certificate generation • Use alternative software able to issue certificates according with the previous recommendations • Later in this session, smallstep will be used Public Authority • Use OpenSSL with Let’s Encrypt, set up a cron job to re-fetch certificates regularly • Requires active Internet connection to Alfresco containers • Use a web hosting provider, like AWS CA Self-Signed Public Authority
  • 14. mTLS between Repository and Search CA Search Repository
  • 15. Use community.sh script from Alfresco SSL Generator $ ./community.sh $ tree keystores keystores ├── alfresco │ ├── ssl.keystore │ └── ssl.truststore ├── solr │ ├── ssl.repo.client.keystore │ └── ssl.repo.client.truststore └── client └── browser.p12 Creating Certificates and Keystores Solr Admin Web Console
  • 16. Repository Keystores $ keytool -v -list -keystore keystores/alfresco/ssl.truststore Alias name: alfresco.ca Owner: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Alias name: ssl.repo.client Owner: CN=Search, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US $ keytool -v -list -keystore keystores/alfresco/ssl.keystore Alias name: ssl.repo Owner: CN=Repository, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US RSA 2048 bits • Server Authentication • Client Authentication
  • 17. Repository Configuration (server) Add following Connector to ${TOMCAT_DIR}/conf/server.xml file <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" defaultSSLHostConfigName="localhost"> <SSLHostConfig hostName="localhost" protocols="TLSv1.3" certificateVerification="required" truststoreFile="ssl.truststore" truststorePassword="truststore" truststoreType="PKCS12"> <Certificate certificateKeystoreFile="ssl.keystore" certificateKeyAlias="ssl.repo" type="RSA" certificateKeystorePassword="keystore" certificateKeystoreType="PKCS12"/> </SSLHostConfig> </Connector>
  • 18. Repository Configuration (client) Add environment variables containing passwords -Dssl-keystore.password=keystore -Dssl-truststore.password=truststore Set Alfresco Repository Java Properties solr.host=localhost solr.port.ssl=8983 solr.secureComms=https encryption.ssl.keystore.type=PKCS12 encryption.ssl.keystore.location=/usr/local/tomcat/keystore/ssl.keystore encryption.ssl.truststore.type=PKCS12 encryption.ssl.truststore.location=/usr/local/tomcat/keystore/ssl.truststore When using the same password for keystore and keys, no aliases setting is required
  • 19. Search Keystores $ keytool -v -list -keystore keystores/solr/ssl.repo.client.truststore Alias name: ssl.repo Owner: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US Alias name: alfresco.ca Owner: CN=Repository, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US $ keytool -v -list -keystore keystores/solr/ssl.repo.client.keystore Alias name: ssl.repo.client Owner: CN=Search, OU=Alfresco, O=Hyland, ST=OH, C=US Issuer: CN=Alfresco CA, OU=Alfresco, O=Hyland, L=Cleveland, ST=OH, C=US RSA 2048 bits • Server Authentication • Client Authentication
  • 20. Search Configuration (server) Java Environment Variables -Dsolr.jetty.truststore.password=truststore -Dsolr.jetty.keystore.password=keystore -Djdk.tls.client.protocols=TLSv1.3 OS Environment Variables (or modify solr.in.[sh|cmd] file) SOLR_SSL_KEY_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.keystore" SOLR_SSL_KEY_STORE_PASSWORD: "keystore" SOLR_SSL_KEY_STORE_TYPE: "PKCS12" SOLR_SSL_TRUST_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.truststore" SOLR_SSL_TRUST_STORE_PASSWORD: "truststore" SOLR_SSL_TRUST_STORE_TYPE: "PKCS12" SOLR_SSL_NEED_CLIENT_AUTH: "true"
  • 21. Search Configuration (client) Add environment variables containing passwords -Dssl-keystore.password=keystore -Dssl-truststore.password=truststore Set solrcore.properties Java Properties (in each core or in template) alfresco.host=localhost alfresco.port=8443 alfresco.secureComms=https alfresco.encryption.ssl.keystore.location=/opt/alfresco-search- services/keystore/ssl.repo.client.keystore alfresco.encryption.ssl.keystore.type=PKCS12 alfresco.encryption.ssl.truststore.location=/opt/alfresco-search- services/keystore/ssl.repo.client.truststore alfresco.encryption.ssl.truststore.type=PKCS12 When using the same password for keystore and keys, no aliases setting is required
  • 22. Sample deployment with Docker Compose https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/docker
  • 25. Alfresco Repository Admin Web Console Deploy as addon alfresco-http-java-client.jar crypto-utils.jar Source code https://github.com/aborroy/alfresco-mtls-debugging- kit/tree/main/addons/alfresco-http-java-client App URL http://localhost:8080/alfresco/s/admin/admin-search-client Credentials ADMINISTRATOR, default admin/admin
  • 26. Alfresco Search Services Solr REST API Action Deploy as plugin alfresco-http-java-client.jar solr-http-java-client.jar config/solr.xml Source code https://github.com/aborroy/alfresco-mtls-debugging- kit/tree/main/addons/solr-http-java-client App URL https://localhost:8983/solr/admin/cores?action=HTTP- CLIENT&coreName=alfresco Credentials Client certificate, like browser.p12
  • 27. Command line Spring Boot command line application Run as program $ java -jar target/mtls-conf-app.jar ERRORS for ENDPOINT: Current truststore seems to be wrong. It does not include TRUST certificates provided by the endpoint. ERRORS DETAIL: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Source code https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/apps/mtls-conf-app
  • 28. Hands on, using EC certificates
  • 29. Lab Use ECC 256 bits certificates for ECDSA with step-ca • Around 10% faster than RSA 2048 bits for Alfresco mTLS • Less bandwidth consumption • Higher security (as RSA 2048 is equivalent to ECC 224) Source code: https://github.com/aborroy/alfresco-mtls-debugging-kit/tree/main/step-ca # Start step-ca container, default CA will be created in “step” folder $ docker compose up # Install step CLI $ brew install step # Get CA password $ cat step/secrets/password ZuSJLBo6uRtlvzGe0z1i5ReqU2tpncl19RBUIf5V
  • 30. Lab # Create a certificate for alfresco, use “keystore” password to protect the key $ step certificate create alfresco alfresco.crt alfresco.key --profile leaf --not-after=8760h --bundle --ca step/certs/root_ca.crt --ca-key step/secrets/root_ca_key # Create a certificate for solr, use “keystore” password to protect the key $ step certificate create solr solr.crt solr.key --profile leaf --not-after=8760h --bundle --ca step/certs/root_ca.crt --ca-key step/secrets/root_ca_key
  • 31. Lab # Build Keystore and Truststore for alfresco $ openssl pkcs12 -export -in alfresco.crt -inkey alfresco.key -out alfresco.pkcs12 -name alfresco -noiter -nomaciter $ keytool -import -alias solr -file solr.crt -keystore alfresco-truststore.pkcs12 -storetype PKCS12 -storepass truststore $ keytool -import -alias ca -file step/certs/root_ca.crt -keystore alfresco-truststore.pkcs12 -storetype PKCS12 -storepass truststore # Build Keystore and Truststore for solr $ openssl pkcs12 -export -in solr.crt -inkey solr.key -out solr.pkcs12 -name solr -noiter -nomaciter $ keytool -import -alias alfresco -file alfresco.crt -keystore solr-truststore.pkcs12 -storetype PKCS12 -storepass truststore $ keytool -import -alias ca -file step/certs/root_ca.crt -keystore solr-truststore.pkcs12 -storetype PKCS12 -storepass truststore
  • 32. Lab # Get alfresco client certificate to access Solr (or re-use alfresco.pkcs12) $ openssl pkcs12 -export -out browser.p12 -inkey alfresco.key -in alfresco.crt # Modify compose.yaml to use the new keystores Alfresco • keystore=alfresco.pkcs12 • truststore=alfresco-truststore.pkcs12 • cert-alias=alfresco • cert-type=EC Solr • keystore=solr.pkcs12 • truststore=solr-truststore.pkcs12
  • 33. Lab # Bonus verification $ nmap --script ssl-enum-ciphers -p 8983 localhost | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) | TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) $ nmap --script ssl-enum-ciphers -p 8443 localhost | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) Cryptographic Best Practices