The way you configure keystores in Content Services has changed. Previously the configuration was stored in properties files like keystore-passwords.properties with passwords in plain text. The following properties that were used to configure the keystores have been deprecated.
encryption.keystore.keyMetaData.location encryption.ssl.keystore.keyMetaData.location encryption.ssl.truststore.keyMetaData.location encryption.keystore.backup.keyMetaData.location
The new way of specifying the configuration is to use JVM system properties:
JAVA_TOOL_OPTIONS: " -Dencryption.keystore.type=JCEKS -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding -Dencryption.keyAlgorithm=DESede -Dencryption.keystore.location=/usr/local/tomcat/shared/classes/alfresco/extension/keystore/keystore -Dmetadata-keystore.password=mp6yc0UD9e -Dmetadata-keystore.aliases=metadata -Dmetadata-keystore.metadata.password=oKIWzVdEdA -Dmetadata-keystore.metadata.algorithm=DESede "
You can configure the main and backup keystores using the alfresco-global.properties file.
To configure the main keystore, set the following properties in the alfresco-global.properties file:
Main keystore and backup:
Property | Description |
---|---|
encryption.keystore.location | Specifies the location of the main keystore.encryption.keystore.location=${dir.keystore}/keystore |
encryption.keystore.provider | Specifies the main keystore provider. |
encryption.keystore.type | Specifies the main keystore type.encryption.keystore.type=JCEKS |
encryption.keystore.backup.location | Specifies the location of the backup keystore.encryption.keystore.backup.location=${dir.keystore}/backup-keystore |
encryption.keystore.backup.provider | Specifies the backup keystore provider. |
encryption.keystore.backup.type | Specifies the backup keystore type. encryption.keystore.backup.type=JCEKS |
Keys for secure communication (HTTPS) between Repository and Solr:
Property | Description |
---|---|
ssl-keystore.password | The keystore password. |
ssl-keystore.aliases=ssl-alfresco-ca,ssl-repo | Key data bytes in base64. |
ssl-keystore.ssl-alfresco-ca.password | Key password. |
ssl-keystore.ssl-repo.password | Key password. |
ssl-truststore.password | The keystore password |
ssl-truststore.aliases=alfresco-ca,ssl-repo-client | A comma separated list of aliases for the keys in the keystore. |
ssl-truststore.alfresco-ca.password= | Key password. |
ssl-truststore.ssl-repo-client.password= | Key password. |
Keys for node property (metadata) encryption keystore:
Property | Description |
---|---|
metadata-keystore.password | The keystore password |
metadata-keystore.aliases=metadata | A comma separated list of aliases for the keys in the keystore. |
metadata-keystore.metadata.password | Key password. |
metadata-keystore.metadata.algorithm | Key algorithm. |
The new keystore properties use the following format:
[keystore-id].password - keystore password [keystore-id].aliases - comma separated list of aliases for the keys in the keystore [keystore-id].[alias].keyData - key data bytes in base64 [keystore-id].[alias].algorithm - key algorithm [keystore-id].[alias].password - key password
The keystore-id can be one of the predefined IDs: metadata-keystore, metadata-backup-keystore, ssl-keystore, ssl-truststore.
The default algorithm used to generate keys does not have acceptable strength (DES). We recommend you use AES which has been reflected in the default configuration. The recommended property values for this will be:
encryption.keystore.type=pkcs12 encryption.cipherAlgorithm=AES/CBC/PKCS5Padding encryption.keyAlgorithm=AES metadata-keystore.password=<password> metadata-keystore.aliases=metadata metadata-keystore.metadata.password=<password> metadata-keystore.metadata.algorithm=AES
And the keys can be generated using
keytool -genseckey -dname "$CERT_DNAME" -validity ${CERT_VALIDITY} -alias metadata -keyalg AES -keysize 256 -keystore ${TOMCAT_DIR}/shared/classes/alfresco/keystore/keystore -storetype pkcs12 -storepass ${KEYSTORE_PASSWORD}
encryption.keystore.type=JCEKS encryption.cipherAlgorithm=DESede/CBC/PKCS5Padding encryption.keyAlgorithm=DESede encryption.keystore.location=<path-to-keystore-file> metadata-keystore.password=mp6yc0UD9e metadata-keystore.aliases=metadata metadata-keystore.metadata.password=oKIWzVdEdA metadata-keystore.metadata.algorithm=DESede
Some other general encryption properties are:
encryption.keySpec.class=org.alfresco.encryption.DESEDEKeyGenerator encryption.keyAlgorithm=DESede encryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
Because of these encryption properties, the keystores and metadata files can be easily located. Also, the metadata file uses a clear text password to access the keystore. For this reason, appropriate operating system permissions should be applied so that the files can’t be accidentally changed nor read by anyone other than an administrator and the username running the repository.
Each keystore must have a corresponding keystore metadata file. This file contains the passwords, its keys, and other metadata relevant to the keystore. The metadata file must contain three entries:
- aliases=<active key aliases in the key store>
- keystore.password=<key store password>
- metadata.password=<metadata key password>
At bootstrap, the repository checks if the metadata key in the main keystore has been changed (unless running in the fallback mode, in which case the backup keystore is checked instead). This prevents accidental changes to the keystore. If it detects that the metadata key has been changed, an exception will occur and the bootstrap will stop.