{"id":25353948,"url":"https://github.com/aborroy/alfresco-secure-connection","last_synced_at":"2025-10-08T13:16:04.335Z","repository":{"id":182016023,"uuid":"656661500","full_name":"aborroy/alfresco-secure-connection","owner":"aborroy","description":"Alfresco Secure Connection provides (m)TLS configuration between Alfresco Services","archived":false,"fork":false,"pushed_at":"2023-12-22T08:48:47.000Z","size":78,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-09T01:44:09.861Z","etag":null,"topics":["alfresco","docker-compose","tls"],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aborroy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-06-21T11:36:43.000Z","updated_at":"2024-01-16T09:26:02.000Z","dependencies_parsed_at":null,"dependency_job_id":"0654de49-aaaa-4b7e-907f-2b0e8de996b1","html_url":"https://github.com/aborroy/alfresco-secure-connection","commit_stats":null,"previous_names":["aborroy/alfresco-secure-connection"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/aborroy/alfresco-secure-connection","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aborroy%2Falfresco-secure-connection","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aborroy%2Falfresco-secure-connection/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aborroy%2Falfresco-secure-connection/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ab
orroy%2Falfresco-secure-connection/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aborroy","download_url":"https://codeload.github.com/aborroy/alfresco-secure-connection/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aborroy%2Falfresco-secure-connection/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278949157,"owners_count":26073976,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-08T02:00:06.501Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alfresco","docker-compose","tls"],"created_at":"2025-02-14T19:56:09.489Z","updated_at":"2025-10-08T13:16:04.298Z","avatar_url":"https://github.com/aborroy.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# alfresco-secure-connection\n\u003e Alfresco Secure Connection provides (m)TLS configuration between Alfresco Services\n\n[Description](#description)\n\n[CA](#ca)\n\nDB + Alfresco Repository\n\n* [Postgres DB](#postgres-db)\n* [Alfresco Repository (DB connection)](#alfresco-repository-db-connection)\n* [Secure connection between Alfresco Repository and Postgres](#secure-connection-between-alfresco-repository-and-postgres)\n\nTransform + Alfresco Repository\n\n* [Transform Core AIO](#transform-core-aio)\n* [Secure connection between Alfresco Repository 
and Transform](#secure-connection-between-alfresco-repository-and-transform)\n\nSearch Services + Alfresco Repository\n\n* [Search Services](#search-services)\n* [Secure connection between Alfresco Repository and Search Services](#secure-connection-between-alfresco-repository-and-search-services)\n\nActiveMQ + Alfresco Repository\n\n* [ActiveMQ](#activemq)\n* [Secure connection between Alfresco Repository and ActiveMQ](#secure-connection-between-alfresco-repository-and-activemq)\n\nWeb Proxy\n\n* [WebProxy](#webproxy)\n* [Secure connection to Web Proxy](#secure-connection-to-web-proxy)\n\n## Description\n\nThis project uses [Alfresco SSL Generator](https://github.com/alfresco/alfresco-ssl-generator) to generate certificates and keystores required to set up (m)TLS connections between Alfresco Services.\n\nSample Docker Compose template is provided in [docker](docker) folder.\n\n**NOTE** You may use your own software or PKI infrastructure to create CA and certificates, but configuration related to keystore type and certificate alias should be followed as described in this project.\n\nThe following points are describing the process to configure secure connections in ACS stack:\n\n* Generate a self-signed CA using [Alfresco SSL Generator](https://github.com/alfresco/alfresco-ssl-generator)\n* Generate certificates, keystores and truststores for Postgres, Repository, Transform, Search and Proxy using [Alfresco SSL Generator](https://github.com/alfresco/alfresco-ssl-generator)\n* Apply configuration settings to Docker Compose template\n* Extend Docker Images to apply additional configuration settings\n\n## CA\n\nBefore moving on with services configuration, a working CA is required. 
In this project, a self-signed CA is generated.\n\nLet's start by cloning the **Alfresco SSL Generator** project.\n\n```\n$ git clone git@github.com:Alfresco/alfresco-ssl-generator.git\n```\n\nThis project uses the *Linux/Mac OS* version of the generator; when using a *Windows* host, the `ssl-tool-win` folder must be selected instead.\n\n```\n$ cd alfresco-ssl-generator/ssl-tool\n```\n\nRun the following command to create a new CA certificate with an RSA 2048-bit key (the minimum recommended) and 2 years (730 days) of validity.\n\n```\n$ ./run_ca.sh -keysize 2048 -keystorepass kT9X6oe68t \\\n-certdname \"/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA\" \\\n-servername localhost -validityduration 730\n```\n\nCopy the CA public certificate `ca.cert.pem` to the Docker Compose `keystore` folder.\n\n```\n$ cp ca/certs/ca.cert.pem ../../docker/keystore/ca\n\n$ chmod 0600 ../../docker/keystore/ca/*\n```\n\n## Postgres DB\n\nCreate a certificate for the `postgres` service using the CA generated above, with an RSA 2048-bit key and keystore type `PKCS12`. `JKS` and `JCEKS` are also supported keystore types, but since *Java 9* the standard `PKCS12` type is the recommended one.\n\n\u003e\u003e Although Postgres does not accept keystore configuration, only certificates, a `PKCS12` keystore is still generated with Alfresco SSL Generator, since this tool does not support generating certificates without packaging them in a keystore.\n\n```\n$ ./run_additional.sh -servicename postgres -rootcapass kT9X6oe68t -keysize 2048 \\\n-keystoretype PKCS12 -keystorepass kT9X6oe68t -truststoretype PKCS12 -truststorepass kT9X6oe68t \\\n-certdname \"/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Postgres\" \\\n-servername postgres -alfrescoformat current\n```\n\nCopy the public certificate `postgres.cer` and the private key `postgres.key` to the Docker Compose `keystore` folder. 
Note that `kT9X6oe68t` is the password selected to protect the private key.\n\n```\n$ cp certificates/postgres.cer ../../docker/keystore/postgres\n\n$ cp certificates/postgres.key ../../docker/keystore/postgres\n\n$ chmod 0600 ../../docker/keystore/postgres/*\n```\n\n## Alfresco Repository (DB connection)\n\nCreate a certificate for the `alfresco` service using the CA generated above, with an RSA 2048-bit key and keystore type `PKCS12`.\n\n```\n$ ./run_additional.sh -servicename alfresco -rootcapass kT9X6oe68t -keysize 2048 \\\n-keystoretype PKCS12 -keystorepass kT9X6oe68t -truststoretype PKCS12 -truststorepass kT9X6oe68t \\\n-certdname \"/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco\" \\\n-servername alfresco -alfrescoformat current\n```\n\nCopy the public certificate `alfresco.cer` and the private key `alfresco.key` to the Docker Compose `keystore` folder, as the `postgres` JDBC client only supports TLS configuration using certificate files rather than keystores.\n\n```\n$ cp certificates/alfresco.cer ../../docker/keystore/alfresco\n\n$ cp certificates/alfresco.key ../../docker/keystore/alfresco\n\n$ chmod 0600 ../../docker/keystore/alfresco/*\n```\n\nSince the `postgres` JDBC client accepts only a PKCS8-encoded private key, convert the private key to this format. 
The encryption password is `kT9X6oe68t`, as specified in the previous command.\n\n```\n$ openssl pkcs8 -topk8 -inform PEM -in ../../docker/keystore/alfresco/alfresco.key -outform DER \\\n-out ../../docker/keystore/alfresco/alfresco.pk8 -v1 PBE-MD5-DES\n```\n\n## Secure connection between Alfresco Repository and Postgres\n\nOnce the certificates are available, the secure connection configuration can be applied to both services.\n\nThe TLS configuration for Postgres is available in the [docker/config/postgres/ssl_pg_hba.conf](docker/config/postgres/ssl_pg_hba.conf) file.\n\n```\nlocal       all             all               trust\nlocal       replication     all               trust\n\nhostnossl   all             all   0.0.0.0/0   reject\nhostnossl   all             all   ::/0        reject\nhostssl     all             all   0.0.0.0/0   scram-sha-256 clientcert=verify-ca\nhostssl     all             all   ::/0        scram-sha-256 clientcert=verify-ca\n```\n\nThis postgres configuration rejects non-TLS connections and accepts only TLS connections, using SCRAM-SHA-256 for the credentials and verifying that the client certificate was issued by the configured CA. 
In addition to the `hba_file`, enabling SSL and configuring CA public certificate and public + private postgres certificate can be done in `docker-compose.yml`.\n\n```\n  postgres:\n    image: postgres:14.4\n    environment:\n      POSTGRES_PASSWORD: \"alfresco\"\n      POSTGRES_USER: \"alfresco\"\n      POSTGRES_DB: \"alfresco\"\n    command: \u003e-\n      postgres \n      -c hba_file=/var/lib/postgresql/ssl_pg_hba.conf\n      -c ssl=on\n      -c ssl_cert_file=/var/lib/postgresql/postgres.cer\n      -c ssl_key_file=/var/lib/postgresql/postgres.key\n      -c ssl_ca_file=/var/lib/postgresql/ca.cert.pem\n    volumes:\n      - ./config/postgres/ssl_pg_hba.conf:/var/lib/postgresql/ssl_pg_hba.conf\n      - ./keystore/postgres/postgres.cer:/var/lib/postgresql/postgres.cer\n      - ./keystore/postgres/postgres.key:/var/lib/postgresql/postgres.key\n      - ./keystore/ca/ca.cert.pem:/var/lib/postgresql/ca.cert.pem\n```\n\n\u003e\u003e Securing JDBC connection may be different according to the DB Engine used. Even when using postgres, some other configuration options are available for TLS. 
Check additional parameters in https://www.postgresql.org/docs/current/libpq-ssl.html\n\nConfiguring the JDBC connector in Alfresco Repository can be done by mounting the CA and alfresco certificates and modifying the JDBC URL connection string.\n\n```\n  alfresco:\n    environment:\n      JAVA_OPTS: \u003e-\n        -Ddb.driver=org.postgresql.Driver\n        -Ddb.username=alfresco\n        -Ddb.password=alfresco\n        -Ddb.url=\"jdbc:postgresql://postgres:5432/alfresco?\n            ssl=true\u0026sslmode=verify-ca\u0026\n            sslrootcert=/usr/local/tomcat/ca.cert.pem\u0026\n            sslcert=/usr/local/tomcat/alfresco.cer\u0026\n            sslkey=/usr/local/tomcat/alfresco.pk8\u0026\n            sslpassword=kT9X6oe68t\"\n    volumes:\n      - ./keystore/alfresco/alfresco.cer:/usr/local/tomcat/alfresco.cer\n      - ./keystore/alfresco/alfresco.pk8:/usr/local/tomcat/alfresco.pk8\n      - ./keystore/ca/ca.cert.pem:/usr/local/tomcat/ca.cert.pem\n```\n\nFrom this point, communication between Alfresco Repository and the Database uses the TLS protocol.\n\n## Transform Core AIO\n\nCreate a certificate for the `transform-core-aio` service using the CA generated above, with an RSA 2048-bit key and keystore type `PKCS12`.\n\n```\n$ ./run_additional.sh -servicename transform-core-aio -rootcapass kT9X6oe68t -keysize 2048 \\\n-keystoretype PKCS12 -keystorepass kT9X6oe68t -truststoretype PKCS12 -truststorepass kT9X6oe68t \\\n-certdname \"/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Core AIO\" \\\n-servername transform-core-aio -alfrescoformat current\n```\n\nCopy the keystore and truststore generated for `transform-core-aio` to the Docker Compose `keystore` folder.\n\n```\n$ cp keystores/transform-core-aio/* ../../docker/keystore/tengineAIO\n```\n\nAlso copy the `alfresco` keystore and truststore generated previously to the Docker Compose `keystore` folder.\n\n```\n$ cp keystores/alfresco/* ../../docker/keystore/alfresco\n```\n\n## Secure connection between Alfresco Repository 
and Transform\n\nApply the mTLS configuration to the Transform Service in `docker-compose.yml`, mounting the keystore and truststore as external volumes.\n\n```\n  transform-core-aio:\n    image: alfresco/alfresco-transform-core-aio:3.1.0\n    environment:\n      SERVER_SSL_ENABLED: \"true\"\n      SERVER_SSL_CLIENT_AUTH: \"need\"\n      SERVER_SSL_ENABLED_PROTOCOLS: \"TLSv1.2\"\n      SERVER_SSL_KEY_PASSWORD: \"kT9X6oe68t\"\n      SERVER_SSL_KEY_STORE: \"file:/transform-core-aio.keystore\"\n      SERVER_SSL_KEY_STORE_PASSWORD: \"kT9X6oe68t\"\n      SERVER_SSL_KEY_STORE_TYPE: \"PKCS12\"\n      SERVER_SSL_TRUST_STORE: \"file:/transform-core-aio.truststore\"\n      SERVER_SSL_TRUST_STORE_PASSWORD: \"kT9X6oe68t\"\n      SERVER_SSL_TRUST_STORE_TYPE: \"PKCS12\"\n    volumes:\n      - ./keystore/tengineAIO/transform-core-aio.keystore:/transform-core-aio.keystore\n      - ./keystore/tengineAIO/transform-core-aio.truststore:/transform-core-aio.truststore\n```\n\nOn the Alfresco Repository side, mount the keystore and truststore and set the connection values for the Transform Service.\n\n```\n  alfresco:\n    environment:\n      JAVA_TOOL_OPTIONS: \u003e-\n        -Dencryption.ssl.keystore.type=PKCS12\n        -Dencryption.ssl.keystore.location=/usr/local/tomcat/alfresco.keystore\n        -Dencryption.ssl.truststore.type=PKCS12\n        -Dencryption.ssl.truststore.location=/usr/local/tomcat/alfresco.truststore\n        -Dssl-keystore.password=kT9X6oe68t\n        -Dssl-truststore.password=kT9X6oe68t\n      JAVA_OPTS: \u003e-\n        -DlocalTransform.core-aio.url=https://transform-core-aio:8090/\n        -Dhttpclient.config.transform.mTLSEnabled=true\n        -Dhttpclient.config.transform.hostnameVerificationDisabled=true\n    volumes:\n      - ./keystore/alfresco/alfresco.keystore:/usr/local/tomcat/alfresco.keystore\n      - ./keystore/alfresco/alfresco.truststore:/usr/local/tomcat/alfresco.truststore\n```\n\nFrom this point, communication between Alfresco Repository and Transform is 
happening using mTLS protocol.\n\n## Search Services\n\nCreate a certificate for `solr6` service using the CA generated, with RSA 2048 bits and keystore type `PKCS12`.\n\n```\n$ ./run_additional.sh -servicename solr6 -rootcapass kT9X6oe68t -keysize 2048 \\\n-keystoretype PKCS12 -keystorepass kT9X6oe68t -truststoretype PKCS12 -truststorepass kT9X6oe68t \\\n-certdname \"/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Search Service\" \\\n-servername solr6 -alfrescoformat current\n```\n\nCopy `solr6` generated keystore and truststore to Docker Compose `keystore` folder.\n\n```\n$ cp keystores/solr6/solr6.* ../../docker/keystore/search\n```\n\n## Secure connection between Alfresco Repository and Search Services\n\nApply mTLS configuration to Search Service in `docker-compose.yml` mounting keystore and truststore as external volumes.\n\n```\n  solr6:\n    build:\n      context: ./search\n      args:\n        SEARCH_TAG: \"2.0.7\"\n        TRUSTSTORE_TYPE: PKCS12\n        KEYSTORE_TYPE: PKCS12\n    environment:\n      SOLR_ALFRESCO_HOST: \"alfresco\"\n      SOLR_ALFRESCO_PORT: \"8443\"\n      ALFRESCO_SECURE_COMMS: \"https\"\n      SOLR_SOLR_HOST: \"solr6\"\n      SOLR_SOLR_PORT: \"8983\"\n      SOLR_CREATE_ALFRESCO_DEFAULTS: \"alfresco,archive\"\n      SOLR_JAVA_MEM: \"-Xms1g -Xmx1g\"\n      SOLR_SSL_TRUST_STORE: \"/opt/alfresco-search-services/keystore/ssl-repo-client.truststore\"\n      SOLR_SSL_TRUST_STORE_TYPE: \"PKCS12\"\n      SOLR_SSL_KEY_STORE: \"/opt/alfresco-search-services/keystore/ssl-repo-client.keystore\"\n      SOLR_SSL_KEY_STORE_TYPE: \"PKCS12\"\n      SOLR_SSL_NEED_CLIENT_AUTH: \"true\"\n      JAVA_TOOL_OPTIONS: \"\n          -Dsolr.jetty.truststore.password=kT9X6oe68t\n          -Dsolr.jetty.keystore.password=kT9X6oe68t\n          -Dssl-keystore.password=kT9X6oe68t\n          -Dssl-keystore.aliases=ssl-alfresco-ca,ssl-repo-client\n          -Dssl-keystore.ssl-alfresco-ca.password=kT9X6oe68t\n          
-Dssl-keystore.ssl-repo-client.password=kT9X6oe68t\n          -Dssl-truststore.password=kT9X6oe68t\n          -Dssl-truststore.aliases=ssl-alfresco-ca,ssl-repo,ssl-repo-client\n          -Dssl-truststore.ssl-alfresco-ca.password=kT9X6oe68t\n          -Dssl-truststore.ssl-repo.password=kT9X6oe68t\n          -Dssl-truststore.ssl-repo-client.password=kT9X6oe68t\n      \"\n      SOLR_OPTS: \"\n          -Dsolr.ssl.checkPeerName=false\n          -Dsolr.allow.unsafe.resourceloading=true\n      \"\n    volumes:\n      - ./keystore/search/solr6.keystore:/opt/alfresco-search-services/keystore/ssl-repo-client.keystore\n      - ./keystore/search/solr6.truststore:/opt/alfresco-search-services/keystore/ssl-repo-client.truststore\n```\n\nIn addition, default Search Services needs to be extended to apply mTLS values to `alfresco` and `archive` SOLR cores. This extension is described in [search/Dockerfile](search/Dockerfile).\n\n```\nARG SEARCH_TAG\nFROM docker.io/alfresco/alfresco-search-services:${SEARCH_TAG}\n\nARG TRUSTSTORE_TYPE\nENV TRUSTSTORE_TYPE $TRUSTSTORE_TYPE\nARG KEYSTORE_TYPE\nENV KEYSTORE_TYPE $KEYSTORE_TYPE\n\nRUN sed -i '/^bash.*/i \\\n      sed -i \"'\"s/alfresco.encryption.ssl.keystore.location=.*/alfresco.encryption.ssl.keystore.location=\\\\\\/opt\\\\\\/alfresco-search-services\\\\\\/keystore\\\\\\/ssl-repo-client.keystore/g\"'\" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties \u0026\u0026 \\\n      sed -i \"'\"s/alfresco.encryption.ssl.keystore.passwordFileLocation=.*/alfresco.encryption.ssl.keystore.passwordFileLocation=/g\"'\" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties \u0026\u0026 \\\n      sed -i \"'\"s/alfresco.encryption.ssl.keystore.type=.*/alfresco.encryption.ssl.keystore.type=${KEYSTORE_TYPE}/g\"'\" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties \u0026\u0026 \\\n      sed -i 
\"'\"s/alfresco.encryption.ssl.truststore.location=.*/alfresco.encryption.ssl.truststore.location=\\\\\\/opt\\\\\\/alfresco-search-services\\\\\\/keystore\\\\\\/ssl-repo-client.truststore/g\"'\" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties \u0026\u0026 \\\n      sed -i \"'\"s/alfresco.encryption.ssl.truststore.passwordFileLocation=.*/alfresco.encryption.ssl.truststore.passwordFileLocation=/g\"'\" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties \u0026\u0026 \\\n      sed -i \"'\"s/alfresco.encryption.ssl.truststore.type=.*/alfresco.encryption.ssl.truststore.type=${TRUSTSTORE_TYPE}/g\"'\" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties' \\\n    ${DIST_DIR}/solr/bin/search_config_setup.sh;\n```\n\nOn the Alfresco Repository part, we have mounted keystore and trustore in previous steps. Add also values for mTLS connection to Search Services using Java environment variables.\n\n```\n  alfresco:\n    build:\n      context: ./alfresco\n      args:\n        ALFRESCO_TAG: \"7.4.0.1\"\n        TRUSTSTORE_TYPE: PKCS12\n        TRUSTSTORE_PASS: kT9X6oe68t\n        KEYSTORE_TYPE: PKCS12\n        KEYSTORE_PASS: kT9X6oe68t\n    environment:\n      JAVA_TOOL_OPTIONS: \u003e-\n        -Dencryption.ssl.keystore.type=PKCS12\n        -Dencryption.ssl.keystore.location=/usr/local/tomcat/alfresco.keystore\n        -Dencryption.ssl.truststore.type=PKCS12\n        -Dencryption.ssl.truststore.location=/usr/local/tomcat/alfresco.truststore\n        -Dssl-keystore.password=kT9X6oe68t\n        -Dssl-truststore.password=kT9X6oe68t        \n      JAVA_OPTS: \u003e-\n        -Dsolr.host=solr6\n        -Dsolr.port=8983\n        -Dsolr.http.connection.timeout=1000\n        -Dsolr.secureComms=https\n        -Dsolr.port.ssl=8983\n        -Dsolr.base.url=/solr\n        -Dindex.subsystem.name=solr6\n    volumes:\n      - ./keystore/alfresco/alfresco.keystore:/usr/local/tomcat/alfresco.keystore\n      - 
./keystore/alfresco/alfresco.truststore:/usr/local/tomcat/alfresco.truststore\n```\n\nAdditionally, Alfresco Repository Docker Image should be extended to expose mTLS 8443 port in Apache Tomcat. This extension is defined in [alfresco/Dockerfile](alfresco/Dockerfile)\n\n\n```\nARG ALFRESCO_TAG\nFROM docker.io/alfresco/alfresco-content-repository-community:${ALFRESCO_TAG}\n\nARG TOMCAT_DIR=/usr/local/tomcat\n\nUSER root\n\nARG TRUSTSTORE_TYPE\nARG TRUSTSTORE_PASS\nARG KEYSTORE_TYPE\nARG KEYSTORE_PASS\n\nENV TRUSTSTORE_TYPE=$TRUSTSTORE_TYPE \\\n    TRUSTSTORE_PASS=$TRUSTSTORE_PASS \\\n    KEYSTORE_TYPE=$KEYSTORE_TYPE \\\n    KEYSTORE_PASS=$KEYSTORE_PASS\n\nRUN sed -i \"s/\\\n[[:space:]]\\+\u003c\\/Engine\u003e/\\n\\\n        \u003c\\/Engine\u003e\\n\\\n        \u003cConnector port=\\\"8443\\\" protocol=\\\"HTTP\\/1.1\\\"\\n\\\n            connectionTimeout=\\\"20000\\\"\\n\\\n            SSLEnabled=\\\"true\\\" maxThreads=\\\"150\\\" scheme=\\\"https\\\" clientAuth=\\\"want\\\" sslProtocol=\\\"TLS\\\" sslEnabledProtocols=\\\"TLSv1.2\\\"\\n\\\n            keystoreFile=\\\"\\/usr\\/local\\/tomcat\\/alfresco.keystore\\\"\\n\\\n            keystorePass=\\\"${KEYSTORE_PASS}\\\" keystoreType=\\\"${KEYSTORE_TYPE}\\\" secure=\\\"true\\\"\\n\\\n            truststoreFile=\\\"\\/usr\\/local\\/tomcat\\/alfresco.truststore\\\"\\n\\\n            truststorePass=\\\"${TRUSTSTORE_PASS}\\\" truststoreType=\\\"${TRUSTSTORE_TYPE}\\\"\u003e\\n\\\n        \u003c\\/Connector\u003e/g\" ${TOMCAT_DIR}/conf/server.xml;\n\nUSER alfresco\n```   \n\nFrom this point, communication between Alfresco Repository and Search Services is happening using mTLS protocol.\n\n## ActiveMQ\n\nCreate a certificate for `activemq` service using the CA generated, with RSA 2048 bits and keystore type `JKS`. 
In this case `PKCS12` keystore type is not an option, since it's not supported by ActiveMQ TLS configuration.\n\n```\n$ ./run_additional.sh -servicename activemq -rootcapass kT9X6oe68t -keysize 2048 \\\n-keystoretype JKS -keystorepass kT9X6oe68t -truststoretype JKS -truststorepass kT9X6oe68t \\\n-certdname \"/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=ActiveMQ\" \\\n-servername activemq -alfrescoformat current\n```\n\nCopy `activemq` generated keystore and truststore to Docker Compose `keystore` folder.\n\n```\n$ cp keystores/activemq/activemq.* ../../docker/keystore/activemq\n```\n\n## Secure connection between Alfresco Repository and ActiveMQ\n\nApply mTLS configuration to ActiveMQ in `docker-compose.yml` mounting keystore and truststore as external volumes.\n\n```\n  activemq:\n    build:\n      context: ./activemq\n      args:\n        ACTIVEMQ_TAG: \"5.17.1-jre11-rockylinux8\"\n        TRUSTSTORE_PASS: \"kT9X6oe68t\"\n        KEYSTORE_PASS: \"kT9X6oe68t\"\n    volumes:\n      - ./keystore/activemq/activemq.keystore:/opt/activemq/broker.ks\n      - ./keystore/activemq/activemq.truststore:/opt/activemq/client-truststore.jks\n```      \n\nIn addition, default ActiveMQ needs to be extended to apply mTLS values. 
This extension is described in [activemq/Dockerfile](activemq/Dockerfile).\n\n```\nARG ACTIVEMQ_TAG\nFROM alfresco/alfresco-activemq:${ACTIVEMQ_TAG}\n\nARG TRUSTSTORE_PASS\nARG KEYSTORE_PASS\n\nENV TRUSTSTORE_PASS=$TRUSTSTORE_PASS \\\n    KEYSTORE_PASS=$KEYSTORE_PASS\n\nUSER root\n\nRUN sed -i \"s/tcp/ssl/g\" ${ACTIVEMQ_HOME}/conf/activemq.xml\n\nRUN sed -i \"s/\\\n[[:space:]]\\+\u003c\\/broker\u003e/\\n\\\n        \u003csslContext\u003e\\n\\\n          \u003csslContext keyStore=\\\"file:\\/opt\\/activemq\\/broker.ks\\\"\\n\\\n            keyStorePassword=\\\"${KEYSTORE_PASS}\\\" \\n\\\n            trustStore=\\\"file:\\/opt\\/activemq\\/client-truststore.jks\\\"\\n\\\n            trustStorePassword=\\\"${TRUSTSTORE_PASS}\\\"\\/\u003e\\n\\\n        \u003c\\/sslContext\u003e\\n\\\n        \u003c\\/broker\u003e/g\" ${ACTIVEMQ_HOME}/conf/activemq.xml\n\nUSER ${USERNAME}\n```\n\nOn the Alfresco Repository side, the keystore and truststore were mounted in previous steps. Also add the values for the mTLS connection to ActiveMQ using Java environment variables.\n\n```\n  alfresco:\n    environment:\n      JAVA_OPTS: \u003e-\n        -Dmessaging.broker.url=\"failover:(ssl://activemq:61616)?timeout=3000\u0026jms.useCompression=true\"\n        -Djavax.net.ssl.keyStore=/usr/local/tomcat/alfresco.keystore\n        -Djavax.net.ssl.keyStorePassword=kT9X6oe68t\n        -Djavax.net.ssl.keyStoreType=PKCS12\n        -Djavax.net.ssl.trustStore=/usr/local/tomcat/alfresco.truststore\n        -Djavax.net.ssl.trustStorePassword=kT9X6oe68t\n        -Djavax.net.ssl.trustStoreType=PKCS12\n        -Djdk.tls.client.protocols=TLSv1.2\n    volumes:\n      - ./keystore/alfresco/alfresco.keystore:/usr/local/tomcat/alfresco.keystore\n      - ./keystore/alfresco/alfresco.truststore:/usr/local/tomcat/alfresco.truststore\n```\n\nFrom this point, communication between Alfresco Repository and ActiveMQ uses the mTLS protocol.\n\n## WebProxy\n\nCreate a certificate for the `proxy` service using the CA 
generated above, with an RSA 2048-bit key and keystore type `PKCS12`.\n\n```\n$ ./run_additional.sh -servicename localhost -rootcapass kT9X6oe68t -keysize 2048 \\\n-keystoretype PKCS12 -keystorepass kT9X6oe68t -truststoretype PKCS12 -truststorepass kT9X6oe68t \\\n-certdname \"/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Web Proxy\" \\\n-servername localhost -alfrescoformat current\n```\n\nCopy the public certificate `localhost.cer` and the private key `localhost.key` to the Docker Compose `keystore` folder.\n\n```\n$ cp certificates/localhost.cer ../../docker/keystore/webproxy\n$ cp certificates/localhost.key ../../docker/keystore/webproxy\n```\n\n## Secure connection to Web Proxy\n\nApply the TLS configuration to the Web Proxy in `docker-compose.yml`, mounting the certificates as external volumes and exposing the default HTTPS port.\n\n```\n  proxy:\n    image: nginx:stable-alpine\n    volumes:\n      - ./config/nginx/nginx.conf:/etc/nginx/nginx.conf\n      - ./keystore/webproxy/localhost.cer:/etc/nginx/localhost.cer\n      - ./keystore/webproxy/localhost.key:/etc/nginx/localhost.key\n    ports:\n      - \"443:443\"\n```\n\nThe Nginx configuration file in [config/nginx/nginx.conf](config/nginx/nginx.conf) should also include the SSL settings.\n\n```\nhttp {\n    server {\n\n        listen *:443 ssl;\n\n        ssl_certificate             /etc/nginx/localhost.cer;\n        ssl_certificate_key         /etc/nginx/localhost.key;\n        ssl_prefer_server_ciphers   on;\n        ssl_protocols               TLSv1.2 TLSv1.3;\n\n        ...\n\n    }\n}\n```\n\nAdditionally, the Alfresco Share Docker Image should be extended to use the HTTPS protocol in Apache Tomcat when invoked through a proxy. 
This extension is defined in [share/Dockerfile](share/Dockerfile).\n\n```\nARG SHARE_TAG\nFROM docker.io/alfresco/alfresco-share:${SHARE_TAG}\n\nRUN sed -i '/Connector port=\"8080\"/a scheme=\"https\" secure=\"true\"' /usr/local/tomcat/conf/server.xml \u0026\u0026 \\\n    sed -i \"/Connector port=\\\"8080\\\"/a proxyName=\\\"localhost\\\" proxyPort=\\\"443\\\"\" /usr/local/tomcat/conf/server.xml\n```\n\nThe Alfresco Repository and Alfresco Share environment variables in Docker Compose need to be modified to use TLS.\n\n```\n  alfresco:\n    environment:\n      JAVA_OPTS: \u003e-\n        -Dalfresco.host=localhost\n        -Dalfresco.port=443\n        -Dapi-explorer.url=https://localhost:443/api-explorer\n        -Dalfresco.protocol=https\n        -Dshare.host=localhost\n        -Dshare.port=443\n        -Dshare.protocol=https\n        -Daos.baseUrlOverwrite=https://localhost/alfresco/aos\n\n  share:\n    build:\n      context: ./share\n      args:\n        SHARE_TAG: \"7.4.0.1\"\n    environment:\n      CSRF_FILTER_REFERER: \"https://localhost:443/.*\"\n      CSRF_FILTER_ORIGIN: \"https://localhost:443\"\n      JAVA_OPTS: \u003e-\n        -Dalfresco.context=alfresco\n        -Dalfresco.protocol=https\n```\n\nFrom this point, communication to the Alfresco external services uses the TLS protocol.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faborroy%2Falfresco-secure-connection","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faborroy%2Falfresco-secure-connection","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faborroy%2Falfresco-secure-connection/lists"}