Configure Alfresco Content Services (ACS) - Alfresco Content Services 23.4

The Java login files need to be updated with details of the Kerberos configuration and the alfresco-global.properties updated to enable SSO using Kerberos.

  1. Configure or create the Java configuration file java.login.config located in /java/conf/security. The following is an example of a java.login.config file. The important properties to set are keyTab and principal.
    • keyTab is the location of the keytab file (see Configure Kerberos files) copied to the ACS server
    • principal is in the format HTTP/<host>.<domain>
     Alfresco {
       com.sun.security.auth.module.Krb5LoginModule sufficient;
     };
    
     AlfrescoHTTP
     {
       com.sun.security.auth.module.Krb5LoginModule required
         storeKey=true
         useKeyTab=true
         doNotPrompt=true
         keyTab="/etc/kerberos.keytab"
         principal="HTTP/alfresco.example.com";
     };
    
     com.sun.net.ssl.client {
       com.sun.security.auth.module.Krb5LoginModule sufficient;
     };
    
     other {
       com.sun.security.auth.module.Krb5LoginModule sufficient;
     };
    
  2. Edit the following line in the Java security configuration file java.security, located by default in java/conf/security/, so that it points to the java.login.config file using the full file path:
     login.config.url.1=file:<installLocation>/java/conf/security/java.login.config
    
  3. Use the following configuration parameters in an alfresco-global.properties file:
     | Property | Description |
     |---|---|
     | authentication.chain | The authentication chain needs to be set for Kerberos, for example kerberos,alfrescoNtlm1:alfrescoNtlm. |
     | kerberos.authentication.realm | The Kerberos realm to authenticate against. The realm name is the domain name in uppercase, for example EXAMPLE.COM. |
     | kerberos.authentication.sso.enabled | Sets whether authentication using Kerberos is enabled or not. |
     | kerberos.authentication.sso.fallback.enabled | Sets whether a fallback authentication mechanism such as database credentials is used. |
     | kerberos.authentication.user.configEntryName | The name of the entry in the Java Authentication and Authorization Service (JAAS) file used for password-based authentication. The default value of Alfresco is recommended. |
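
The following is an added example, not part of the Alfresco documentation: a Python check of the AlfrescoHTTP entry from step 1 that confirms the flags shown in the sample file, the HTTP/<host>.<domain> principal format, and that the keytab file is present. The function name check_jaas_entry and the keytab permission test are assumptions introduced here.

```python
import os
import re
import stat

# Sample entry copied from the java.login.config shown in step 1.
SAMPLE = '''
AlfrescoHTTP
{
  com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    doNotPrompt=true
    keyTab="/etc/kerberos.keytab"
    principal="HTTP/alfresco.example.com";
};
'''

def check_jaas_entry(config_text, entry="AlfrescoHTTP"):
    """Return a list of problems in one JAAS entry; an empty list means it passed."""
    block = re.search(r"(?ms)^\s*%s\s*\{(.*?)\}\s*;" % re.escape(entry), config_text)
    if not block:
        return ["entry '%s' not found" % entry]
    # Options are name=value pairs; values may be double-quoted.
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))', block.group(1))
    opts = {name: quoted or bare for name, quoted, bare in pairs}
    problems = []
    for flag in ("storeKey", "useKeyTab", "doNotPrompt"):
        if opts.get(flag) != "true":
            problems.append("%s should be true" % flag)
    # The page gives the principal format as HTTP/<host>.<domain>.
    principal = opts.get("principal", "")
    if not re.fullmatch(r"HTTP/[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", principal):
        problems.append("principal %r is not HTTP/<host>.<domain>" % principal)
    keytab = opts.get("keyTab")
    if not keytab:
        problems.append("keyTab is not set")
    elif not os.path.isfile(keytab):
        problems.append("keytab %s not found" % keytab)
    elif stat.S_IMODE(os.stat(keytab).st_mode) & 0o077:
        # Added hardening check (assumption, not from the page): the keytab
        # holds the service key, so group/other should have no access.
        problems.append("keytab %s is accessible to group/other" % keytab)
    return problems

if __name__ == "__main__":
    for line in check_jaas_entry(SAMPLE) or ["AlfrescoHTTP entry looks consistent"]:
        print(line)
```

Run it on the ACS server as the account that runs ACS, passing the contents of the real java.login.config, so the file checks reflect what the service itself can read.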