
This post describes a secure configuration for Alfresco Community 5 using an SSL certificate issued by the new CA Let’s Encrypt, under the following assumptions:
- Server with access from and to the Internet
- CentOS 6.7 minimal
- Default Alfresco Community 5 installation at /opt/alfresco
1. Installing Apache HTTPd
Default installation from default repository.
# yum install httpd
# chkconfig httpd on
2. Installing APR native connector for Apache Tomcat
Some analyses show that the native APR connector is the most efficient option for SSL. Because the Apache Tomcat default distribution ships it as source code, it must be compiled before it can be configured.
# yum install openssl-devel
# yum groupinstall "Development Tools"
# cd /opt/alfresco/tomcat/bin
# tar -zxvf tomcat-native.tar.gz
# cd tomcat-native-1.1.32-src/jni/native
# ./configure --with-apr=/usr/local/apr --with-java-home=/opt/jdk1.8.0_66
# make
# make install
Once this connector is available (the default path is /usr/local/apr/lib), the JNI library path must be configured in Apache Tomcat by adding the following line (marked ++) to catalina.sh:
# vi /opt/alfresco/tomcat/bin/catalina.sh
++ CATALINA_OPTS="$CATALINA_OPTS -Djava.library.path=/usr/local/apr/lib"
The result can be verified by examining the Tomcat log file (usually named catalina.out) for the following line.
# cat /opt/alfresco/tomcat/logs/catalina.out
INFO: Loaded APR based Apache Tomcat Native library 1.1.32 using APR version 1.5.2.
3. Generating SSL certificates with Let’s Encrypt
Let’s Encrypt provides high-quality SSL certificates for free. Once configured, users access the web site with a green padlock and no additional operation is required. However, this procedure can’t be used for intranets, because Let’s Encrypt requires Internet connectivity in both directions for validation purposes.
The Let’s Encrypt software depends on Python 2.7, which is not available in the public repositories for CentOS 6. Hence, manual installation is required and even the Let’s Encrypt script has to be modified.
# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
# rpm -Uvh epel-release-latest-6.noarch.rpm
# wget https://centos6.iuscommunity.org/ius-release.rpm
# rpm -Uvh ius-release.rpm
# yum -y install python27 python27-devel python27-pip python27-setuptools python27-tools python27-virtualenv --enablerepo=ius
# yum install git
# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt
# sed -i "s|--python python2|--python python2.7|" letsencrypt-auto
Once the software is installed, the user account must be activated and the SSL certificates generated. Let’s Encrypt stores the certificates at the default path /etc/letsencrypt/live/hostname.
# ./letsencrypt-auto --verbose
# ./letsencrypt-auto certonly --standalone -d alfresco.keensoft.es
# ls /etc/letsencrypt/live/alfresco.keensoft.es/cert.pem
# ls /etc/letsencrypt/live/alfresco.keensoft.es/privkey.pem
# ls /etc/letsencrypt/live/alfresco.keensoft.es/fullchain.pem
4. mod_jk installation for Apache HTTPd
Requests can be forwarded from Apache HTTPd to Apache Tomcat using the AJP protocol (usually on port 8009), which requires configuring mod_jk for Apache HTTPd. In our experience, this module is more efficient for Alfresco than other common alternatives such as mod_proxy.
This connector is also distributed as source code, so it must be compiled first.
# yum install httpd-devel
# wget http://ftp.cixug.es/apache/tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.41-src.tar.gz
# tar -xvzf tomcat-connectors-1.2.41-src.tar.gz
# cd tomcat-connectors-1.2.41-src/native
# ./configure --with-apxs=/usr/sbin/apxs
# make
# make install
Once compiled and installed, workers must be declared. Below is a simple configuration with one worker named app1Worker.
# vi /etc/httpd/conf.d/mod_jk.conf
LoadModule jk_module "/etc/httpd/modules/mod_jk.so"
JkWorkersFile /etc/httpd/conf/workers.properties
JkShmFile /var/run/httpd/mod_jk.shm
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

# vi /etc/httpd/conf/workers.properties
workers.apache_log=/var/log/httpd
worker.list=app1Worker
worker.stat1.type=status
worker.app1Worker.type=ajp13
worker.app1Worker.host=alfresco.keensoft.es
worker.app1Worker.port=8009
Finally, redirections are configured so that every request is served over SSL on port 443 using the Let’s Encrypt certificates.
# vi /etc/httpd/conf.d/alfresco.conf
<VirtualHost *:80>
    ServerName alfresco.keensoft.es
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*) https://alfresco.keensoft.es/$1 [R=301,L]
</VirtualHost>

Listen 443
<VirtualHost *:443>
    ServerName alfresco.keensoft.es
    JkMount /* app1Worker
    SSLEngine on
    SSLVerifyClient none
    SSLCertificateFile /etc/letsencrypt/live/alfresco.keensoft.es/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/alfresco.keensoft.es/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/alfresco.keensoft.es/fullchain.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>
5. Alfresco configuration
The SSL ports for the alfresco and share web apps are declared in the Alfresco configuration file.
# vi /opt/alfresco/tomcat/shared/classes/alfresco-global.properties
alfresco.context=alfresco
alfresco.host=alfresco.keensoft.es
alfresco.port=443
alfresco.protocol=https
share.context=share
share.host=alfresco.keensoft.es
share.port=443
share.protocol=https
6. Automated SSL certificate renewal script
Let’s Encrypt SSL certificates are issued with an expiration of 90 days, so an automated renewal policy is required. With the --renew-by-default option, no human intervention is required to get a new set of certificates on the same path. A new monthly cron task should be enough, because it’s not necessary to wait until the expiration date to request a certificate renewal.
# vi /etc/cron.monthly/letsencrypt-renew.cron
service httpd stop
/root/letsencrypt/letsencrypt-auto --renew-by-default certonly --standalone -d alfresco.keensoft.es
service httpd start

# chmod +x /etc/cron.monthly/letsencrypt-renew.cron
For every renewal request, a new set of SSL certificates is issued in the Let’s Encrypt archive folder, and the symbolic links in the live folder are updated to point to it.
# ls -l /etc/letsencrypt/live/alfresco.keensoft.es/
lrwxrwxrwx 1 root root 44 ene 7 12:04 cert.pem -> ../../archive/alfresco.keensoft.es/cert3.pem
lrwxrwxrwx 1 root root 45 ene 7 12:04 chain.pem -> ../../archive/alfresco.keensoft.es/chain3.pem
lrwxrwxrwx 1 root root 49 ene 7 12:04 fullchain.pem -> ../../archive/alfresco.keensoft.es/fullchain3.pem
lrwxrwxrwx 1 root root 47 ene 7 12:04 privkey.pem -> ../../archive/alfresco.keensoft.es/privkey3.pem
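The cron script above stops httpd on every run, because standalone validation needs port 80 free, so the site goes offline once a month whether or not a new certificate is needed. The wrapper below is an added example, not part of the original post: it reads the notAfter date from cert.pem, only stops httpd when fewer than a configurable number of days remain, restarts httpd even if letsencrypt-auto fails, and checks that the renewed privkey.pem really matches cert.pem before httpd reloads the pair. The hostname, paths and letsencrypt-auto options are those used in the post; the 30-day threshold, the function names and the use of GNU date and the openssl command line are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): renew only when the certificate
# is close to expiry, and always bring httpd back up afterwards.
set -eu

DOMAIN="alfresco.keensoft.es"                          # hostname from the post
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"               # default live path
LE_AUTO="/root/letsencrypt/letsencrypt-auto"           # path used in the post
RENEW_DAYS=30                                          # assumed threshold

# Pure arithmetic, so it can be checked without a real certificate.
# $1 = certificate notAfter as Unix epoch, $2 = current time as epoch,
# $3 = threshold in days. Exit status 0 (true) means renewal is due.
# An already expired certificate (negative remaining time) is always due.
renewal_due() {
    remaining=$(( $1 - $2 ))
    threshold=$(( $3 * 86400 ))
    [ "$remaining" -le "$threshold" ]
}

# Whole days left on the certificate; negative once it has expired.
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# Read notAfter from a PEM certificate and convert it to an epoch (GNU date).
cert_not_after_epoch() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    date -d "$not_after" +%s
}

# True when the public key inside the certificate equals the one derived
# from the private key; a mismatched pair stops httpd from starting.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Entry point for cron: decide, renew if needed, verify the result.
renew_if_needed() {
    now=$(date +%s)
    expires=$(cert_not_after_epoch "$LIVE_DIR/cert.pem")
    if ! renewal_due "$expires" "$now" "$RENEW_DAYS"; then
        echo "certificate valid for $(days_left "$expires" "$now") more days, nothing to do"
        return 0
    fi
    service httpd stop
    # Restart httpd on exit whether or not letsencrypt-auto succeeds.
    trap 'service httpd start' EXIT
    "$LE_AUTO" --renew-by-default certonly --standalone -d "$DOMAIN"
    cert_matches_key "$LIVE_DIR/cert.pem" "$LIVE_DIR/privkey.pem"
}

# Usage from a daily cron entry (e.g. /etc/cron.daily/letsencrypt-renew.cron):
#   . /path/to/this/script && renew_if_needed
```

With a daily cron entry and a 30-day threshold, the site is only taken offline for the few seconds of a real renewal, and a failed renewal leaves more than a month to notice it before the old certificate expires. The key/certificate comparison is worth keeping even with monthly renewals: it catches a half-updated live folder before httpd tries to load it.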
Using this configuration, Alfresco provides an SSL channel for every protocol and operation. Securing your web servers was never so easy!