Introduction to Alfresco keystores and truststores - Alfresco Content Services - 23.4

When there is secure communication (i.e. HTTPS) between different Alfresco services, the following relationships must be satisfied:

  • The Repository is a client of Solr:
    • A Repository key must be generated and must be included in the Repository keystore (ssl.keystore)
    • A Repository public certificate must be included in the Solr truststore (ssl.repo.client.truststore)
  • Solr is a client of the Repository and Solr:
    • A Solr key must be generated and must be included in the Solr keystore (ssl.repo.client.keystore)
    • A Solr public certificate must be included in the Repository truststore (ssl.truststore) and Solr truststore (ssl.repo.client.truststore)
  • Zeppelin is a client of the Repository (Zeppelin is only available with Insight Engine Enterprise):
    • A Zeppelin key must be generated and must be included in the Zeppelin keystore (ssl.repo.client.keystore)
    • A Zeppelin public certificate must be included in the Repository truststore (ssl.truststore)
    • Note: the same key and certificate are used for both Solr and Zeppelin, as both are clients of the Repository
  • When accessing Solr from a browser, the browser is a client of Solr:
    • A browser key must be installed in the web browser in order to access the Solr Web Console

The following diagram illustrates these relationships:

[Diagram: required relationships between Alfresco services]

Additionally, to support the Alfresco encryption feature, a metadata encryption key is generated and included in a keystore that the Repository uses when encrypting node properties.

These keystore and truststore files can be generated manually, but it’s easier to use the alfresco-ssl-generator GitHub project (https://github.com/Alfresco/alfresco-ssl-generator). Follow the Search Services security documentation for information on how to set this up on Windows or Linux.
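
An added example (not Alfresco's code) that checks the client-certificate relationships listed above against the text printed by `keytool -list` for each store. The `repository/`, `solr/` and `zeppelin/` prefixes are labels added here to tell the stores apart, the Solr keystore is assumed to be the `ssl.repo.client.keystore` that Solr shares with Zeppelin, and the listings, aliases and shortened fingerprints are constructed sample data.

```python
import re

# `keytool -list` prints "<alias>, <date>, <entry type>," then a fingerprint line.
ENTRY = re.compile(r"^[^,]+, .*, (PrivateKeyEntry|trustedCertEntry),\s*$")
FPR = re.compile(r"^Certificate fingerprint \(SHA-256\): ([0-9A-F:]+)\s*$")

def parse_listing(text):
    """Map entry type -> set of SHA-256 fingerprints found in keytool output."""
    found = {"PrivateKeyEntry": set(), "trustedCertEntry": set()}
    kind = None
    for line in text.splitlines():
        if m := ENTRY.match(line):
            kind = m.group(1)
        elif kind and (m := FPR.match(line)):
            found[kind].add(m.group(1))
            kind = None
    return found

REQUIRED = [  # (client keystore, server truststore); the prefixes are labels
    ("repository/ssl.keystore", "solr/ssl.repo.client.truststore"),
    ("solr/ssl.repo.client.keystore", "repository/ssl.truststore"),
    ("solr/ssl.repo.client.keystore", "solr/ssl.repo.client.truststore"),
    ("zeppelin/ssl.repo.client.keystore", "repository/ssl.truststore"),
]

def missing_trust(listings):
    """Return the REQUIRED pairs whose client certificate the server does not trust."""
    stores = {name: parse_listing(text) for name, text in listings.items()}
    gaps = []
    for client, server in REQUIRED:
        keys = stores.get(client, {}).get("PrivateKeyEntry", set())
        trusted = stores.get(server, {}).get("trustedCertEntry", set())
        if not keys or not keys <= trusted:
            gaps.append((client, server))
    return gaps

def listing(*entries):  # constructed keytool-style text, not real output
    return "".join(f"{a}, Jan 1, 2024, {k}, \nCertificate fingerprint (SHA-256): {fp}\n"
                   for a, k, fp in entries)

REPO, SOLR = "AA:01", "BB:02"  # shortened, constructed fingerprints
SAMPLE = {
    "repository/ssl.keystore": listing(("ssl.repo", "PrivateKeyEntry", REPO)),
    "repository/ssl.truststore": listing(("ssl.repo.client", "trustedCertEntry", SOLR)),
    "solr/ssl.repo.client.keystore": listing(("ssl.repo.client", "PrivateKeyEntry", SOLR)),
    "solr/ssl.repo.client.truststore": listing(("ssl.repo", "trustedCertEntry", REPO)),
    "zeppelin/ssl.repo.client.keystore": listing(("ssl.repo.client", "PrivateKeyEntry", SOLR)),
}

print(missing_trust(SAMPLE))  # only the Solr-to-Solr pair: Solr's own cert is absent
```

The check looks for the client certificate itself in the truststore, as the list above describes; a truststore that holds only an issuing CA certificate is reported as a gap.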