Alfresco Keystore configuration - Alfresco Content Services 23.4

The way you configure keystores in Content Services has changed. Previously, the configuration was stored in properties files such as keystore-passwords.properties, with the passwords in plain text. The following properties, which were used to configure the keystores, have been deprecated:

encryption.keystore.keyMetaData.location
encryption.ssl.keystore.keyMetaData.location
encryption.ssl.truststore.keyMetaData.location
encryption.keystore.backup.keyMetaData.location

The new way of specifying the configuration is to use JVM system properties:

JAVA_TOOL_OPTIONS: "
    -Dencryption.keystore.type=JCEKS
    -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
    -Dencryption.keyAlgorithm=DESede
    -Dencryption.keystore.location=/usr/local/tomcat/shared/classes/alfresco/extension/keystore/keystore
    -Dmetadata-keystore.password=mp6yc0UD9e
    -Dmetadata-keystore.aliases=metadata
    -Dmetadata-keystore.metadata.password=oKIWzVdEdA
    -Dmetadata-keystore.metadata.algorithm=DESede
    "
Note: The old way of configuring keystores will still work for backwards compatibility but it’s not recommended for security reasons. If the old approach is used you’ll see a warning in the logs.

You can configure the main and backup keystores using the alfresco-global.properties file.

To configure the main keystore, set the following properties in the alfresco-global.properties file:

Note: The "metadata-keystore" properties need to be specified in the JAVA_TOOL_OPTIONS property in <TOMCAT_HOME>/bin/catalina.sh for Linux-based users and in <TOMCAT_HOME>/bin/catalina.bat for Microsoft Windows users. The old keystore file can be found in the distribution zip under keystore/metadata-keystore.

Main keystore and backup:

encryption.keystore.location - Specifies the location of the main keystore. Example: encryption.keystore.location=${dir.keystore}/keystore
encryption.keystore.provider - Specifies the main keystore provider.
encryption.keystore.type - Specifies the main keystore type. Example: encryption.keystore.type=JCEKS
encryption.keystore.backup.location - Specifies the location of the backup keystore. Example: encryption.keystore.backup.location=${dir.keystore}/backup-keystore
encryption.keystore.backup.provider - Specifies the backup keystore provider.
encryption.keystore.backup.type - Specifies the backup keystore type. Example: encryption.keystore.backup.type=JCEKS

Keys for secure communication (HTTPS) between Repository and Solr:

ssl-keystore.password - The keystore password.
ssl-keystore.aliases - A comma separated list of aliases for the keys in the keystore. Example: ssl-keystore.aliases=ssl-alfresco-ca,ssl-repo
ssl-keystore.ssl-alfresco-ca.password - Key password.
ssl-keystore.ssl-repo.password - Key password.
ssl-truststore.password - The keystore password.
ssl-truststore.aliases - A comma separated list of aliases for the keys in the keystore. Example: ssl-truststore.aliases=alfresco-ca,ssl-repo-client
ssl-truststore.alfresco-ca.password - Key password.
ssl-truststore.ssl-repo-client.password - Key password.

Keys for node property (metadata) encryption keystore:

metadata-keystore.password - The keystore password.
metadata-keystore.aliases - A comma separated list of aliases for the keys in the keystore. Example: metadata-keystore.aliases=metadata
metadata-keystore.metadata.password - Key password.
metadata-keystore.metadata.algorithm - Key algorithm.

The new keystore properties use the following format:

[keystore-id].password - keystore password
[keystore-id].aliases - comma separated list of aliases for the keys in the keystore
[keystore-id].[alias].keyData - key data bytes in base64
[keystore-id].[alias].algorithm - key algorithm
[keystore-id].[alias].password - key password

The keystore-id can be one of the predefined IDs: metadata-keystore, metadata-backup-keystore, ssl-keystore, ssl-truststore.
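As an added example (not Alfresco's own code), the following script parses the -D entries of a JAVA_TOOL_OPTIONS value into this [keystore-id] property format and reports keystores that still use the old default passwords quoted on this page, a DES-family key algorithm, or an alias with no password or key material. The sample options string, the list of predefined ids and the wording of the findings are constructed here.

```python
import shlex

# Keystore ids that Content Services predefines (the keystore-id values listed above).
KEYSTORE_IDS = ("metadata-keystore", "metadata-backup-keystore", "ssl-keystore", "ssl-truststore")
# Passwords of the old default "metadata" keystore quoted on this page: still using them
# means the keystore was never regenerated. DES/DESede: the page recommends AES instead.
KNOWN_DEFAULT_PASSWORDS = {"mp6yc0UD9e", "oKIWzVdEdA"}
WEAK_ALGORITHMS = {"DES", "DESede"}
# Constructed sample, shaped like the pre-upgrade JAVA_TOOL_OPTIONS value shown above.
SAMPLE_OLD_OPTIONS = ("-Dencryption.keystore.type=JCEKS -Dmetadata-keystore.password=mp6yc0UD9e "
                      "-Dmetadata-keystore.aliases=metadata -Dmetadata-keystore.metadata.password=oKIWzVdEdA "
                      "-Dmetadata-keystore.metadata.algorithm=DESede")

def parse_system_properties(java_tool_options):
    """Collect the -Dname=value entries of a JAVA_TOOL_OPTIONS string into a dict."""
    props = {}
    for token in shlex.split(java_tool_options):
        if token.startswith("-D") and "=" in token:
            name, value = token[2:].split("=", 1)
            props[name] = value
    return props

def audit_keystore_properties(props):
    """Check each configured [keystore-id] against the property format: a keystore
    password, an aliases list, and per alias a password plus algorithm or keyData."""
    findings = []
    for ks in KEYSTORE_IDS:
        if not any(name.startswith(ks + ".") for name in props):
            continue  # this keystore is not configured through system properties
        store_pw = props.get(f"{ks}.password")
        if not store_pw:
            findings.append(f"{ks}: keystore password missing")
        elif store_pw in KNOWN_DEFAULT_PASSWORDS:
            findings.append(f"{ks}: keystore password is a known default")
        aliases = [a for a in props.get(f"{ks}.aliases", "").split(",") if a]
        for alias in aliases:
            key_pw = props.get(f"{ks}.{alias}.password")
            if not key_pw:
                findings.append(f"{ks}/{alias}: key password missing")
            elif key_pw in KNOWN_DEFAULT_PASSWORDS:
                findings.append(f"{ks}/{alias}: key password is a known default")
            alg = props.get(f"{ks}.{alias}.algorithm")
            if alg is None and f"{ks}.{alias}.keyData" not in props:
                findings.append(f"{ks}/{alias}: neither algorithm nor keyData is set")
            elif alg in WEAK_ALGORITHMS:
                findings.append(f"{ks}/{alias}: weak key algorithm {alg}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_keystore_properties(parse_system_properties(SAMPLE_OLD_OPTIONS))))
```

Run it against the JAVA_TOOL_OPTIONS value of a real Tomcat start script to see which keystores still need regenerating before the keystore-passwords.properties fallback is removed.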

Note: The default configuration of Content Services contained a “metadata” keystore, but it was insecure if you did not regenerate it with your own password. This default keystore has been removed. To ensure your installation is secure you need to regenerate the keystore and configure the new one with the properties above.

The default algorithm used to generate keys (DES) does not have acceptable strength. We recommend AES, which is now reflected in the default configuration. The recommended property values for this are:

encryption.keystore.type=pkcs12
encryption.cipherAlgorithm=AES/CBC/PKCS5Padding
encryption.keyAlgorithm=AES
metadata-keystore.password=<password>
metadata-keystore.aliases=metadata
metadata-keystore.metadata.password=<password>
metadata-keystore.metadata.algorithm=AES

The keys can be generated using:

keytool -genseckey -dname "$CERT_DNAME" -validity ${CERT_VALIDITY} -alias metadata -keyalg AES -keysize 256 -keystore ${TOMCAT_DIR}/shared/classes/alfresco/keystore/keystore -storetype pkcs12 -storepass ${KEYSTORE_PASSWORD}

Note: Currently it is not possible to upgrade the key in the keystore to a new one. This means that during the upgrade process you need to specify your configuration in the more secure way while continuing to use the old keystore file. The configuration for this upgrade scenario is:

encryption.keystore.type=JCEKS
encryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
encryption.keyAlgorithm=DESede
encryption.keystore.location=<path-to-keystore-file>
metadata-keystore.password=mp6yc0UD9e
metadata-keystore.aliases=metadata
metadata-keystore.metadata.password=oKIWzVdEdA
metadata-keystore.metadata.algorithm=DESede

Some other general encryption properties are:

encryption.keySpec.class=org.alfresco.encryption.DESEDEKeyGenerator
encryption.keyAlgorithm=DESede
encryption.cipherAlgorithm=DESede/CBC/PKCS5Padding

Because these encryption properties point to them, the keystores and metadata files are easy to locate. The metadata file also holds a clear-text password for accessing the keystore. For this reason, apply appropriate operating system permissions so that the files cannot be accidentally changed, or read by anyone other than an administrator and the user account running the repository.

Each keystore must have a corresponding keystore metadata file. This file contains the passwords for the keystore and its keys, and other metadata relevant to the keystore. The metadata file must contain three entries:

  • aliases=<active key aliases in the key store>
  • keystore.password=<key store password>
  • metadata.password=<metadata key password>

At bootstrap, the repository checks whether the metadata key in the main keystore has been changed (unless it is running in fallback mode, in which case the backup keystore is checked instead). This prevents accidental changes to the keystore. If it detects that the metadata key has been changed, an exception is thrown and the bootstrap stops.