Configure Alfresco Share

Alfresco Content Services 23.4
To enable SSO using Kerberos for Share, the Java login configuration files must be updated with the details of the Kerberos configuration, and the share-config-custom.xml file must be edited.

  1. Configure or create the Java login configuration file java.login.config, located in /java/conf/security. The following is an example of a java.login.config file. The important properties to set are keyTab and principal:
    • keyTab is the location of the keytab file copied to the ACS server. The keytab holds the service account's long-term key, so it should be readable only by the account that runs the JVM.
    • principal is in the format HTTP/<host>.<domain> and must name a principal whose key is stored in that keytab.
     Alfresco {
       com.sun.security.auth.module.Krb5LoginModule sufficient;
     };

     ShareHTTP {
       com.sun.security.auth.module.Krb5LoginModule required
         storeKey=true
         useKeyTab=true
         doNotPrompt=true
         keyTab="/etc/kerberos.keytab"
         principal="HTTP/alfresco.example.com";
     };

     com.sun.net.ssl.client {
       com.sun.security.auth.module.Krb5LoginModule sufficient;
     };

     other {
       com.sun.security.auth.module.Krb5LoginModule sufficient;
     };
    
    Note: If Alfresco Share is hosted on the same server as Alfresco Content Services then the contents of the java.login.config can be merged into a single file.
  2. Edit the following line in the Java security configuration file java.security, by default located in java/conf/security/, so that it points to the java.login.config file using the full file path:
     login.config.url.1=file:<installLocation>/java/conf/security/java.login.config
    
  3. Open the share-config-custom.xml file:
    1. Update the <realm> property with the realm name, for example <realm>EXAMPLE.COM</realm>.
    2. Update the <endpoint-spn> property with the SPN value, for example <endpoint-spn>HTTP/alfresco@EXAMPLE.COM</endpoint-spn>.
    3. Uncomment the two sections that begin with: <config evaluator="string-compare" condition="Remote">
    4. Navigate to the <!--- Kerberos settings ---> section and replace condition="KerberosDisabled" with condition="Kerberos"
    Note: For Kerberos to work with user names that contain non-ASCII characters, add the following option to JAVA_OPTS for the Share JVM: -Dsun.security.krb5.msinterop.kstring=true
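A pre-flight check for the three steps above, as an added example that is not part of the Alfresco documentation or product: it reads the keyTab and principal properties of the ShareHTTP entry in java.login.config, the <realm> and <endpoint-spn> values in share-config-custom.xml, and refuses a keytab that is readable by anyone other than its owner. The entry name ShareHTTP is taken from the example above; the one-element-per-line layout of the XML, the optional klist step and the SKIP_KLIST variable are assumptions of this script, not of the product.

```shell
#!/bin/sh
# Pre-flight check for the Share Kerberos settings configured in steps 1-3.
# Added example, not part of the Alfresco documentation or product.
# Assumptions not stated on the page: the Share JAAS entry is named ShareHTTP,
# <realm> and <endpoint-spn> each sit on one line of share-config-custom.xml,
# and the keytab is a file owned by the account that runs the Share JVM.

# Print the value of one property (keyTab, principal, ...) from the named
# entry of a JAAS login configuration such as java.login.config.
jaas_value() {  # $1 = java.login.config, $2 = entry name, $3 = property name
    awk -v entry="$2" -v key="$3" '
        $1 == entry { inside = 1 }                  # "ShareHTTP" or "ShareHTTP {"
        inside && $0 ~ ("^[[:space:]]*" key "=") {
            v = $0
            sub("^[[:space:]]*" key "=", "", v)     # drop the property name
            gsub(/["; \t]/, "", v)                  # drop quotes, ";" and blanks
            print v
            exit
        }
        inside && /};/ { inside = 0 }               # end of the entry
    ' "$1"
}

# Print the text of a simple <tag>value</tag> element from share-config-custom.xml.
xml_value() {  # $1 = xml file, $2 = element name
    sed -n "s/.*<$2>\(.*\)<\/$2>.*/\1/p" "$1" | head -n 1
}

# Cross-check java.login.config against share-config-custom.xml and the keytab.
# Returns 0 when consistent, 1 with a message on the first problem found.
check_share_kerberos() {  # $1 = java.login.config, $2 = share-config-custom.xml
    keytab=$(jaas_value "$1" ShareHTTP keyTab)
    principal=$(jaas_value "$1" ShareHTTP principal)
    realm=$(xml_value "$2" realm)
    spn=$(xml_value "$2" endpoint-spn)

    [ -n "$keytab" ] && [ -n "$principal" ] ||
        { echo "ShareHTTP entry lacks keyTab or principal"; return 1; }
    [ -r "$keytab" ] || { echo "keytab $keytab is missing or unreadable"; return 1; }

    # The keytab holds the service account's long-term key: only its owner
    # (the Share JVM user) may read it. Reject any group/world permission bit.
    case $(ls -l "$keytab" | cut -c5-10) in
        ------) ;;
        *) echo "keytab $keytab is group/world accessible; chmod 600 it"; return 1 ;;
    esac

    # Browsers request a ticket for HTTP/<host>, so both names must be HTTP/ principals,
    # and the SPN must carry the realm configured in <realm>.
    case $principal in
        HTTP/*) ;;
        *) echo "principal $principal is not of the form HTTP/<host>"; return 1 ;;
    esac
    case $spn in
        HTTP/*@"$realm") ;;
        *) echo "endpoint-spn $spn is not of the form HTTP/<host>@$realm"; return 1 ;;
    esac

    # On the real server also confirm the principal has a key in the keytab.
    # SKIP_LIST is an assumption of this script so it can run without Kerberos tools.
    if [ -z "${SKIP_KLIST:-}" ] && command -v klist >/dev/null 2>&1; then
        klist -k "$keytab" | grep -q "$principal" ||
            { echo "principal $principal has no entry in $keytab"; return 1; }
    fi
    echo "ok: $principal (keytab $keytab), endpoint SPN $spn"
    return 0
}

# Usage: sh check-share-kerberos.sh java.login.config share-config-custom.xml
if [ $# -eq 2 ]; then
    check_share_kerberos "$1" "$2"
fi
```

The check deliberately compares only the realm and the HTTP/ service class, not the host part, because the page's own example uses HTTP/alfresco@EXAMPLE.COM for <endpoint-spn> while the JAAS principal carries the full host name HTTP/alfresco.example.com. Run it as the account that owns the Share JVM so that the readability test reflects what Share will see.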