Configure SSL for a Test Environment - Alfresco Content Services 23.4

If you’re configuring SSL in a development or test environment, you can edit some configuration files to enable SSL.

Note: These instructions should only be used for configuring a test environment. If you’re configuring a production environment, you should use a proxy server to handle all SSL communication. See Configure SSL for a Test Environment for more information.

Here’s an example of how to configure Tomcat 10 to work with HTTPS for your development or test system. At this point, we assume that:

  • You’ve already set up Content Services with Tomcat 10, running HTTP on port 8080.
  • You may have already set up HTTPS on port 8443 for Content Services to communicate with Alfresco Search Services.
  • In our documentation, such as Secure Sockets Layer (SSL) and the Repository, port 8443 is generally given as the example port for secure HTTPS connections. We recommend that port only for Alfresco Search Services, which should use real client certificates with certificateVerification="required". This development or test setup won’t necessarily use client certificates, so we’ll set up a separate HTTPS connector on a different port. Tomcat can run multiple HTTPS connectors on different ports.

  1. Copy the alf_data/keystore folder from the distribution zip to <CATALINA_BASE>/alf_data/keystore.

    In the alf_data/keystore folder, you'll find sample self-signed certificates that you can use to configure an HTTPS connection for development or test purposes.

  2. Open your Tomcat settings file <CATALINA_BASE>/conf/settings.xml and add an entry for a new connector:
    <Connector port="7070"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               maxThreads="150"
               SSLEnabled="true">
        <SSLHostConfig certificateVerification="none"
                       truststoreFile="<CATALINA_BASE>/alf_data/keystore/ssl.truststore"
                       truststorePassword="kT9X6oe68t"
                       truststoreType="JCEKS">
            <Certificate certificateKeystoreFile="<CATALINA_BASE>/alf_data/keystore/ssl.keystore"
                         certificateKeystorePassword="kT9X6oe68t"
                         certificateKeystoreType="JCEKS" />
        </SSLHostConfig>
    </Connector>
  3. Replace <CATALINA_BASE>/alf_data/keystore/ with the actual path to those certificates.
  4. Change the password, if required.

    You can find the password in the .properties files from the sample alf_data/keystore folder.

  5. Replace the port 7070 with the one that you want to use.

    Avoid using port 8443 as that's generally configured for Search Services.

    1. On Linux systems, if you want to use the default HTTPS port 443, you can edit the server iptables configuration to specify the redirection:
    # Redirect external packets
    -A PREROUTING -j NAT-Port-Redirect

    # Redirect HTTP traffic
    -A NAT-Port-Redirect -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    # Redirect HTTPS traffic
    -A NAT-Port-Redirect -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 7070

    However, you also need to add proxyPort="443" to the Connector XML tag (from above) as shown:

    <Connector port="7070"
    proxyPort="443"
    ...

    Note: If you use the 443 redirect, you'll need to override the value for Alfresco Office Services in alfresco-global.properties:

    aos.baseUrlOverwrite=https://localhost/alfresco/aos
    2. On Windows, you can just use port 443 without any proxy.

    Note that we use the certificateVerification="none" setting.

  6. Edit alfresco-global.properties and replace the relevant values for your case:
    dir.keystore=${dir.root}/keystore

    alfresco.context=alfresco
    alfresco.protocol=https
    alfresco.host=localhost
    alfresco.port=7070

    share.host=localhost
    share.port=7070
    share.context=share
    share.protocol=https

    aos.baseUrlOverwrite=https://localhost:7070/alfresco/aos
  7. (Optional) Only required if configuring Alfresco Share to use HTTPS.

    Add and set the following properties in the JAVA_OPTS environment variable referenced by the Share application, as they're required at Share startup:

    -Dhttp.secured.session=true
    -Dcookies.sameSite=none

    When using Share with Chromium-based browsers (such as Google Chrome or the latest releases of Microsoft Edge), the Share communication must be secured using an HTTPS (SSL/TLS) certificate.

  8. (Optional) Only required if configuring Alfresco Share to use HTTPS.

    Add and set the property in the JAVA_OPTS environment variable corresponding to the JVM of the Tomcat instance when deploying Share:

    -Dhttp.secured.session=true

    This property secures the JSESSIONID cookie. It's not enabled by default because it would break HTTP-only (non-secure) environments. See Control JVM system properties for more information on how to set JAVA_OPTS for Tomcat deployments.

  9. Restart your Tomcat server.

    Access Content Services and Alfresco Share using HTTPS:

    • https://localhost:7070/alfresco
    • https://localhost:7070/share

    If you installed the Alfresco Office Services AMP, you'll also be able to edit files from your Microsoft Office applications.
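
As an added example (not part of the Alfresco documentation or product), the following Python check reads a connector entry together with the matching alfresco-global.properties values and lists the settings from the steps above that should be reviewed: the sample keystore password, certificateVerification="none", a clash with port 8443, and an aos.baseUrlOverwrite that doesn't match the port clients connect to. The inputs and the /opt/tomcat paths are constructed, and the function names audit and parse_properties are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMPLE_PASSWORD = "kT9X6oe68t"  # value shown in the page's connector example
# Constructed inputs: connector uses the 443 redirect, properties still say 7070.
CONNECTOR_XML = """<Connector port="7070" proxyPort="443" SSLEnabled="true">
  <SSLHostConfig certificateVerification="none" truststoreType="JCEKS"
                 truststoreFile="/opt/tomcat/alf_data/keystore/ssl.truststore"
                 truststorePassword="kT9X6oe68t">
    <Certificate certificateKeystoreFile="/opt/tomcat/alf_data/keystore/ssl.keystore"
                 certificateKeystorePassword="kT9X6oe68t" certificateKeystoreType="JCEKS"/>
  </SSLHostConfig>
</Connector>"""
GLOBAL_PROPERTIES = """alfresco.protocol=https
share.protocol=http
aos.baseUrlOverwrite=https://localhost:7070/alfresco/aos
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and comments."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and ln.strip()[0] not in "#!")
    return {k.strip(): v.strip() for k, v in pairs}

def audit(connector_xml, properties_text):
    """Return review findings for one HTTPS connector and its properties."""
    findings = []
    props = parse_properties(properties_text)
    conn = ET.fromstring(connector_xml)
    port = conn.get("port")
    external = conn.get("proxyPort", port)  # port that clients connect to
    if port == "8443":
        findings.append("port 8443 is generally configured for Search Services")
    for host in conn.iter("SSLHostConfig"):
        if host.get("certificateVerification", "none") == "none":
            findings.append("client certificates are not verified")
        passwords = [host.get("truststorePassword")]
        passwords += [c.get("certificateKeystorePassword") for c in host.iter("Certificate")]
        if SAMPLE_PASSWORD in passwords:
            findings.append("sample keystore password still in use")
    for app in ("alfresco", "share"):
        if props.get(app + ".protocol") != "https":
            findings.append(app + ".protocol is not https")
    aos = urlsplit(props.get("aos.baseUrlOverwrite", ""))
    if aos.scheme != "https" or str(aos.port or 443) != external:
        findings.append(f"aos.baseUrlOverwrite does not match https port {external}")
    return findings

if __name__ == "__main__":
    print(*audit(CONNECTOR_XML, GLOBAL_PROPERTIES), sep="\n")
```

On a test system the first two findings are expected, since this page deliberately uses the sample keystore and certificateVerification="none"; they mark what has to change before the connector is reused anywhere else.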