Use this information to understand the keystores used by the repository for mutual TLS.
The keys and certificates required for mutual TLS on the repository side are set up in Tomcat.
- Modify <TOMCAT_HOME>/conf/server.xml and add the following connector:
  - If using Alfresco Content Services 6.x on Tomcat 8:
    <Connector port="8999" protocol="HTTP/1.1"
               connectionTimeout="20000"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" clientAuth="true"
               keystoreFile="xxxxxxx" keystorePass="yyyyy"
               truststoreFile="xxxxxxx" truststorePass="yyyyy" />
  - If using Alfresco Content Services 7.x on Tomcat 9 or 23.x on Tomcat 10:
    <Connector port="8999" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000" maxThreads="150"
               SSLEnabled="true" scheme="https" secure="true"
               defaultSSLHostConfigName="localhost">
      <SSLHostConfig hostName="localhost" protocols="TLSv1.2"
                     certificateVerification="required"
                     truststoreFile="xxxxxxx" truststorePassword="yyyyy"
                     truststoreType="JCEKS">
        <Certificate certificateKeystoreFile="xxxxxxx"
                     certificateKeyAlias="ssl.repo" type="RSA"
                     certificateKeystorePassword="yyyyy"
                     certificateKeystoreType="JCEKS"/>
      </SSLHostConfig>
    </Connector>
- Copy the keystore and truststore files you created in Generate secure keys for SSL communication to the machine that’s running the repository.
- Set the parameters in the connector, replacing the xxxxxxx and yyyyy values.
- Make sure that the following property is added to the <TOMCAT_HOME>/shared/classes/alfresco-global.properties file: solr.secureComms=https
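The following Python check is an added example, not part of the Alfresco documentation: it parses server.xml text and reports SSL-enabled connectors that do not require a client certificate or that still contain the xxxxxxx / yyyyy placeholders. The function names, sample paths and sample password are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

PLACEHOLDERS = {"xxxxxxx", "yyyyy"}  # unedited template values from the page

def _check_set(elem, names, where, out):
    """Flag attributes that are missing or still hold a template placeholder."""
    for name in names:
        value = elem.get(name)
        if not value:
            out.append(f"{where}: {name} is not set")
        elif value in PLACEHOLDERS:
            out.append(f"{where}: {name} still holds placeholder {value!r}")

def audit_mutual_tls(server_xml):
    """Return findings for every SSL-enabled Connector in server.xml text."""
    out = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        where = f"port {conn.get('port')}"
        hosts = conn.findall("SSLHostConfig")
        if not hosts:  # Tomcat 8 layout: everything is on the Connector
            if conn.get("clientAuth") != "true":
                out.append(f"{where}: client certificate not required")
            _check_set(conn, ["keystoreFile", "keystorePass",
                              "truststoreFile", "truststorePass"], where, out)
        for host in hosts:  # Tomcat 9 / 10 layout: settings on SSLHostConfig
            if host.get("certificateVerification") != "required":
                out.append(f"{where}: client certificate not required")
            _check_set(host, ["truststoreFile", "truststorePassword"], where, out)
            for cert in host.findall("Certificate"):
                _check_set(cert, ["certificateKeystoreFile",
                                  "certificateKeystorePassword"], where, out)
    return out

# Constructed sample (made-up paths and password) containing two defects.
SAMPLE = """<Server><Service name="Catalina">
<Connector port="8999" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig hostName="localhost" protocols="TLSv1.2"
      certificateVerification="optional" truststorePassword="yyyyy"
      truststoreFile="/opt/keys/ssl.repo.truststore">
    <Certificate certificateKeystoreFile="/opt/keys/ssl.repo.keystore"
        certificateKeyAlias="ssl.repo" certificateKeystorePassword="example-pw"/>
  </SSLHostConfig>
</Connector>
</Service></Server>"""

if __name__ == "__main__":
    for finding in audit_mutual_tls(SAMPLE):
        print(finding)
```

An empty result means every SSL-enabled connector requires a client certificate and has its keystore and truststore attributes filled in.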