├── .github └── workflows │ └── ci.yml ├── CONTRIBUTING.md ├── Dockerfile ├── LICENSE ├── README.md ├── README_ja.md ├── docker-compose ├── README.md ├── community │ ├── .env │ ├── alfresco │ │ └── Dockerfile │ ├── docker-compose.yml │ └── solr6 │ │ └── Dockerfile └── enterprise │ ├── .env │ ├── alfresco │ └── Dockerfile │ ├── docker-compose.yml │ ├── solr6 │ └── Dockerfile │ └── zeppelin │ └── Dockerfile ├── scripts └── ci │ ├── convert_testclient_keystore_to_pem.sh │ ├── generate_keystores.sh │ ├── generate_keystores_wrong_hostnames.sh │ ├── test.sh │ ├── test_legacy.sh │ └── test_utils.sh ├── ssl-tool-win ├── openssl.cnf ├── run.cmd ├── run_additional.cmd ├── run_ca.cmd ├── run_encryption.cmd ├── samples │ ├── client_server.cmd │ ├── legacy_client_server.cmd │ ├── legacy_simple.cmd │ └── simple.cmd ├── utils_password_prompt.cmd └── utils_san.cmd └── ssl-tool ├── openssl.cnf ├── run.sh ├── run_additional.sh ├── run_ca.sh ├── run_encryption.sh ├── samples ├── client_server.sh ├── community.sh ├── legacy_client_server.sh ├── legacy_simple.sh └── simple.sh └── utils.sh /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: Alfresco SSL Generator CI 2 | 3 | on: 4 | pull_request: 5 | branches: 6 | - feature/** 7 | - fix/** 8 | - master 9 | push: 10 | branches: 11 | - feature/** 12 | - fix/** 13 | workflow_call: 14 | workflow_dispatch: 15 | 16 | jobs: 17 | test_new: 18 | name: "Test new approach" 19 | runs-on: ubuntu-latest 20 | if: > 21 | !contains(github.event.head_commit.message, '[skip tests]') && 22 | !contains(github.event.head_commit.message, '[force]') 23 | steps: 24 | - uses: actions/checkout@v4 25 | - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 26 | - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 27 | - name: "Run testing script" 28 | run: bash ./scripts/ci/test.sh 29 | 30 | test_legacy: 31 | name: "Test legacy approach" 32 | runs-on: 
ubuntu-latest 33 | if: > 34 | !contains(github.event.head_commit.message, '[skip tests]') && 35 | !contains(github.event.head_commit.message, '[force]') 36 | steps: 37 | - uses: actions/checkout@v4 38 | - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 39 | - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 40 | - name: "Run testing script" 41 | run: bash ./scripts/ci/test_legacy.sh 42 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | Thanks for your interest in contributing to this project! 4 | 5 | The following is a set of guidelines for contributing to this library. Most of them will make the life of the reviewer easier and therefore decrease the time required for the patch to be included in the next version. 6 | 7 | Because this project forms a part of Alfresco Content Services, the guidelines are hosted in the [Alfresco Social Community](http://community.alfresco.com/community/ecm) where they can be referenced from multiple projects. 8 | 9 | Read an [overview on how this project is governed](https://community.alfresco.com/docs/DOC-6385-project-overview-repository). 10 | 11 | You can also perform the following: 12 | 13 | - Raise issues directly against the project (GitHub bug). Please read the [instructions for a good issue report](https://community.alfresco.com/docs/DOC-6263-reporting-an-issue). 14 | 15 | - Supply pull requests. Please read the [instructions for making a contribution](https://community.alfresco.com/docs/DOC-6269-submitting-contributions). 16 | 17 | Please follow the [coding standards](https://community.alfresco.com/docs/DOC-4658-coding-standards). 
18 | 19 | Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 20 | available at [http://contributor-covenant.org/version/1/4][version] 21 | 22 | ## Contributing to this project 23 | 24 | We expect you to work on the well-known GitHub fork/PR model if you want to contribute to this project. 25 | 26 | Opening your PR against this repository should trigger the basic community tests, and if they go green then we'll proceed with further review and tests. 27 | After all these steps have passed, your valuable contribution will be merged to the default branch. 28 | 29 | Thank you for your openness! 30 | 31 | [homepage]: http://contributor-covenant.org 32 | [version]: http://contributor-covenant.org/version/1/4/ 33 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alfresco/alfresco-base-java:11 2 | 3 | MAINTAINER "Angel Borroy" 4 | 5 | LABEL org.label-schema.schema-version="1.0" \ 6 | org.label-schema.name="Alfresco Base SSL" \ 7 | org.label-schema.vendor="Alfresco" 8 | 9 | # Install openssl tool 10 | RUN yum -y update && \ 11 | yum -y install openssl openssl-devel && \ 12 | yum clean all 13 | 14 | # Put keytool in the path 15 | RUN ln -s /usr/lib/jvm/jre/bin/keytool /usr/local/bin 16 | 17 | # Copy OpenSSL configuration and generator script 18 | COPY ["ssl-tool/openssl.cnf", "ssl-tool/run.sh", "./"] 19 | 20 | # Allow script to be executed and make keytool program available in PATH 21 | RUN chmod +x ./run.sh && \ 22 | alternatives --install /usr/bin/keytool keytool /usr/java/default/bin/keytool 20000 23 | 24 | # Default values for env variables 25 | ENV ALFRESCO_VERSION=enterprise \ 26 | KEY_SIZE=2048 \ 27 | KEYSTORE_TYPE=JCEKS \ 28 | TRUSTSTORE_TYPE=JCEKS \ 29 | KEYSTORE_PASS=keystore \ 30 | TRUSTSTORE_PASS=truststore \ 31 | ENC_STORE_PASS=encryption \ 32 | ENC_METADATA_PASS=metadata \ 33 | 
CA_CERT_DNAME="/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA" \ 34 | REPO_CERT_DNAME="/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository" \ 35 | SOLR_CERT_DNAME="/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository Client" \ 36 | BROWSER_CERT_DNAME="/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Browser Client" \ 37 | CA_SERVER_NAME=localhost \ 38 | ALFRESCO_SERVER_NAME=localhost \ 39 | SOLR_SERVER_NAME=localhost \ 40 | ALFRESCO_FORMAT=current 41 | 42 | # Exposing working folders: 43 | # - keystores folder, where generated keystores, truststores and password files are produced 44 | # - ca is the OpenSSL CA folder, where CA internal files are produced 45 | # - certificates folder, that includes private and public keys generated 46 | VOLUME ["/tmp/keystores", "/tmp/ca", "/tmp/certificates"] 47 | 48 | # Generating keystores, truststores and password files 49 | CMD ["sh", "-c", "[ \"$(ls -A /tmp/keystores)\" ] && echo \"Keystores folder is populated. 
Skipping generation...\" || \ 50 | ./run.sh \ 51 | -alfrescoversion $ALFRESCO_VERSION \ 52 | -keysize $KEY_SIZE \ 53 | -keystoretype $KEYSTORE_TYPE \ 54 | -truststoretype $TRUSTSTORE_TYPE \ 55 | -keystorepass $KEYSTORE_PASS \ 56 | -truststorepass $TRUSTSTORE_PASS \ 57 | -encstorepass $ENC_STORE_PASS \ 58 | -encmetadatapass $ENC_METADATA_PASS \ 59 | -cacertdname \"$CA_CERT_DNAME\" \ 60 | -repocertdname \"$REPO_CERT_DNAME\" \ 61 | -solrcertdname \"$SOLR_CERT_DNAME\" \ 62 | -browsercertdname \"$BROWSER_CERT_DNAME\" \ 63 | -caservername \"$CA_SERVER_NAME\" \ 64 | -alfrescoservername \"$ALFRESCO_SERVER_NAME\" \ 65 | -solrservername \"$SOLR_SERVER_NAME\" \ 66 | -alfrescoformat \"$ALFRESCO_FORMAT\" \ 67 | && cp -r /keystores /tmp/ \ 68 | && cp -r /ca /tmp/ \ 69 | && cp -r /certificates /tmp/"] 70 | -------------------------------------------------------------------------------- /README_ja.md: -------------------------------------------------------------------------------- 1 | # Alfresco SSL Generator へようこそ 2 | 3 | これはリポジトリと SOLR 間の相互 TLS 認証を使用して、Alfresco の設定に必要な `keystores`、`truststores` およびブラウザ `certificates` を生成するための自動化スクリプトです。これらの同じファイルは、他の暗号化ツールを使用して手動で取得することもできます。 4 | 5 | このプロジェクトは、Alfresco の独自のセキュリティ構成を構築するためのサンプルを提供するだけなので、Alfresco は公式にサポートしていません。ただし、プルリクエストを提供するか、プロジェクトのクローンを作成して特定のニーズに合わせて変更することにより、誰でもこのツールを改善できます。 6 | 7 | 異なる Alfresco のサービス間で HTTP 呼び出しが発生するため、次の関係を満たす必要があります: 8 | 9 | * リポジトリは SOLR のクライアントです 10 | 11 | * リポジトリキーを生成し、*リポジトリのキーストア* に含める必要があります 12 | * リポジトリ公開証明書は *SOLR のトラストストア* に含まれている必要があります 13 | 14 | * SOLR はリポジトリと SOLR のクライアントです 15 | 16 | * SOLR キーを生成し、*SOLR のキーストア* に含める必要があります 17 | * リポジトリおよび *SOLR のトラストストア* に SOLR 公開証明書を含める必要があります 18 | 19 | * Zeppelin はリポジトリのクライアントです (Zeppelin は Insight Engine Enterprise でのみ使用可能な製品です) 20 | 21 | * Zeppelin キーを生成し、*Zeppelin のキーストア* に含める必要があります 22 | * Zeppelin の公開証明書は、*Repository truststore* に含まれている必要があります 23 | * このスクリプトツールは、SOLR と Zeppelin の両方がリポジトリのクライアントであるため、同じキー証明書を使用することに注意してください 24 | 25 | * ブラウザから SOLR 
にアクセスする場合、ブラウザは SOLR のクライアントです 26 | 27 | * SOLR の Web コンソールにアクセスするには、ブラウザにブラウザキーをインストールする必要があります 28 | 29 | 30 | さらに、Alfresco の *暗号化* 機能をサポートするためにメタデータ暗号化キーが生成され、リポジトリで使用される *keystore* に含まれます。 31 | 32 | 33 | ## 使い方 34 | 35 | 証明書生成スクリプト `run.sh` は `OpenSSL` および Java の `keytool` プログラムに基づいており、さまざまなシナリオで使用できます: 36 | 37 | * Linux OS のローカル bash スクリプトとして、*Bash Shell Script Standalone* を使用できます。シェルスクリプトと OpenSSL 設定ファイルは `ssl-tool` フォルダで利用可能です 38 | * Windows OS のローカルバッチスクリプトとして *Windows Batch Script Standalone* を使用できます。バッチスクリプトと OpenSSL 設定ファイルは `ssl-tool-win` フォルダで利用可能です 39 | * 環境変数の値から `keystores` フォルダを生成するローカルコンテナとして、Docker Standalone で使用できます。Linux、Windows、および Mac OS X から利用できます 40 | * 環境変数の値から `keystores` フォルダを作成する Docker サービスとして、Docker Compose で使用できます。Linux、Windows、および Mac OS X から利用できます 41 | 42 | ## 必要条件 43 | 44 | 生成スクリプトを実行するには、システムパスで `OpenSSL` プログラムと Java `keytool` プログラムをインストールし、使用可能にする必要があります。 45 | 46 | **OpenSSL** 47 | 48 | OpenSSL は、認証局、秘密鍵、および証明書 (使用ポリシーを含む) を生成する暗号化ソフトウェアです。 49 | 50 | 多くの **Linux** のディストリビューションには、パッケージとして `OpenSSL` が含まれているため、他のプログラムとしてインストールできます。 51 | 52 | *Ubuntu* 53 | 54 | ``` 55 | $ sudo apt-get install openssl 56 | ``` 57 | 58 | *CentOS* 59 | 60 | ``` 61 | $ yum -y install openssl openssl-devel 62 | ``` 63 | 64 | **Mac OS X** では、[Homebrew](https://brew.sh) などのパッケージマネージャを使用できます: 65 | 66 | ``` 67 | $ brew install openssl 68 | ``` 69 | 70 | **Windows** を使用する場合、OpenSSL Web ページからバイナリ配布を使用できます: 71 | 72 | https://wiki.openssl.org/index.php/Binaries 73 | 74 | 75 | >> システムパスに `openssl` プログラムを追加することを忘れないでください。 76 | 77 | **Keytool** 78 | 79 | Keytool は、`keystores` と `truststores` を構築するための標準 Java プログラムです。 80 | 81 | keytool ユーティリティは JRE に含まれています。 82 | 83 | Oracle JRE 11 と OpenJDK JRE 11 の両方を使用できます。運用システムのインストール手順に従ってください。 84 | 85 | >> システムパスに `keytool` プログラムを追加することを忘れないでください。 86 | 87 | 88 | ## パラメータ 89 | 90 | コマンドラインスクリプトと Docker Image リソースのいずれも、外部パラメータの値を使用してパラメータ化できます。次の表に、さまざまなオプションを示します。 91 | 92 | | スクリプトパラメータ名 | Docker パラメータ名 | 説明 | 値 | 93 | |-|-|-|-| 
94 | | -alfrescoversion | ALFRESCO_VERSION | Alfresco バージョンのタイプ | `enterprise` もしくは `community` | 95 | | -keysize | KEY_SIZE | RSA 鍵の長さ | `2048`, `4096`... | 96 | | -keystoretype | KEYSTORE_TYPE | キーストアのタイプ (秘密鍵を含む) | `PKCS12`, `JKS`, `JCEKS` | 97 | | -truststoretype | TRUSTSTORE_TYPE | トラストストアのタイプ (公開鍵を含む) | `JKS`, `JCEKS` | 98 | | -keystorepass | KEYSTORE_PASS | キーストアのパスワード | 任意の文字列 | 99 | | -truststorepass | TRUSTSTORE_PASS | トラストストアのパスワード | 任意の文字列 | 100 | | -encstorepass | ENC_STORE_PASS | *暗号化* キーストアのパスワード | 任意の文字列 | 101 | | -encmetadatapass | ENC_METADATA_PASS | *暗号化* メタデータのパスワード | 任意の文字列 | 102 | | -cacertdname | CA_CERT_DNAME | スラッシュで始まり、引用符付きの CA 証明書の識別名 | "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA" | 103 | | -repocertdname | REPO_CERT_DNAME | スラッシュで始まり、引用符付きのリポジトリ証明書の識別名 | "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository" | 104 | | -solrcertdname | SOLR_CERT_DNAME | スラッシュで始まり、引用符付きの SOLR 証明書の識別名 | "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository Client" | 105 | | -browsercertdname | BROWSER_CERT_DNAME | スラッシュで始まり、引用符付きの BROWSER 証明書の識別名 | "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Browser Client" | 106 | | -caservername | CA_SERVER_NAME | CA サーバの DNS 名 | 任意の文字列。デフォルトは `localhost` | 107 | | -alfrescoservername | ALFRESCO_SERVER_NAME | Alfresco サーバの DNS 名 | 任意の文字列。デフォルトは `localhost` | 108 | | -solrservername | SOLR_SERVER_NAME | SOLR サーバの DNS 名 | 任意の文字列。デフォルトは `localhost` | 109 | 110 | 内部ネットワークで Alfresco を使用する場合、各サーバには異なる名前を付ける必要があります。この名前は、`*servername` という名前のパラメータで設定できます。ブラウザが証明書について警告を出すのを避けるため、証明書に `Alternative Name` としてサーバの名前を含めることをお勧めします。このアプリケーションは、この構成を使用する場合は `https` でのみ使用できるため、少なくとも SOLR Web コンソールには必要です。Web プロキシの下で作業している場合、`*servername` パラメータにこのプロキシの名前を使用します。 111 | 112 | ## Bash Shell Script Standalone (Linux, Mac OS X) 113 | 114 | *Linux* マシンで作業する場合、シェルスクリプト `ssl-tool/run.sh` 
をコマンドラインから直接使用できます。環境で `OpenSSL` および `keytool` プログラムを使用できるようにする必要があります。 115 | 116 | 上記のパラメータは、コマンドラインから使用できます。 117 | 118 | たとえば、次のコマンドは、Alfresco Enterprise の 2048 ビットの RSA キー長を使用して、`keystores` という名前のホストフォルダに `keystores` フォルダを作成します。 119 | 120 | ```bash 121 | $ cd ssl-tool 122 | 123 | $ ./run.sh -keysize 2048 -alfrescoversion enterprise 124 | 125 | $ tree keystores/ 126 | keystores/ 127 | ├── alfresco 128 | │   ├── keystore 129 | │   ├── keystore-passwords.properties 130 | │   ├── ssl-keystore-passwords.properties 131 | │   ├── ssl-truststore-passwords.properties 132 | │   ├── ssl.keystore 133 | │   └── ssl.truststore 134 | ├── client 135 | │   └── browser.p12 136 | ├── solr 137 | │   ├── ssl-keystore-passwords.properties 138 | │   ├── ssl-truststore-passwords.properties 139 | │   ├── ssl.repo.client.keystore 140 | │   └── ssl.repo.client.truststore 141 | └── zeppelin 142 | ├── ssl.repo.client.keystore 143 | └── ssl.repo.client.truststore 144 | ``` 145 | 146 | 証明書にカスタム *DNames* を使用する場合、値を引用符で設定する必要があります。 147 | 148 | ```bash 149 | $ ./run.sh -cacertdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco/OU=Unknown/CN=Linux Alfresco CA" \ 150 | -repocertdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco/OU=Unknown/CN=Repo" \ 151 | -solrcertdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco/OU=Unknown/CN=Solr" \ 152 | -browsercertdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco/OU=Unknown/CN=Browser" 153 | ``` 154 | 155 | `keystores` フォルダが空でない場合、キーストアまたはトラストストアを作成せずプログラムがそのままであることに注意してください。 156 | 157 | 158 | ## Batch Script Standalone (Windows) 159 | 160 | *Windows* マシンで作業する場合、コマンドラインからシェルスクリプト `ssl-tool-win/run.cmd` を直接使用できます。*PATH* で `OpenSSL` と `keytool` プログラムを利用できるようにする必要があります。 161 | 162 | 上記のパラメータは、コマンドラインから使用できます。 163 | 164 | たとえば、次のコマンドは、Alfresco Community の 2048 ビットの RSA キー長を使用して、`keystores` という名前のホストフォルダに `keystores` フォルダを作成します。 165 | 166 | ```bash 167 | C:\> cd ssl-tool-win 168 | 169 | C:\> run.cmd -keysize 2048 -alfrescoversion community 170 | 171 | C:\> tree /F keystores 172 | ├───alfresco 
173 | │ keystore 174 | │ keystore-passwords.properties 175 | │ ssl-keystore-passwords.properties 176 | │ ssl-truststore-passwords.properties 177 | │ ssl.keystore 178 | │ ssl.truststore 179 | │ 180 | ├───client 181 | │ browser.p12 182 | │ 183 | └───solr 184 | ssl-keystore-passwords.properties 185 | ssl-truststore-passwords.properties 186 | ssl.repo.client.keystore 187 | ssl.repo.client.truststore 188 | ``` 189 | 190 | 証明書にカスタム *DNames* を使用する場合、値を引用符で設定する必要があります。 191 | 192 | ```bash 193 | C:\> run.cmd -cacertdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco/OU=Unknown/CN=Windows Alfresco CA" ^ 194 | -repocertdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco/OU=Unknown/CN=Repo" ^ 195 | -solrcertdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco/OU=Unknown/CN=Solr" ^ 196 | -browsercertdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco/OU=Unknown/CN=Browser" 197 | ``` 198 | 199 | `keystores` フォルダが空でない場合、キーストアまたはトラストストアを作成せずプログラムがそのままであることに注意してください。 200 | 201 | 202 | ## ブラウザ証明書のインストール 203 | 204 | デフォルトで [https://localhost:8983/solr](https://localhost:8983/solr) で利用可能な SOLR Web コンソールにアクセスするには、ブラウザ証明書をマシンにインストールする必要があります。 205 | 206 | *Windows* システムの場合、`client\browser.p12` ファイルを新しいプライベート証明書として `Windows Certificates` アプリケーションにインポートする必要があります。 207 | 208 | *Mac OS X* システムの場合、`client/browser.p12` ファイルを `Keychain Access` アプリケーションにインポートする必要があります。 209 | 210 | また、この証明書でこれらのアプリケーションの正しいオプションを *trust* に設定する必要があります。 211 | 212 | 証明書がインストールされると、Solr Web Consoleにアクセスするときにブラウザーに次のメッセージが表示されます。: 213 | 214 | ``` 215 | Your connection is not private 216 | Attackers might be trying to steal your information from localhost (for example, passwords, messages or credit cards). 
Learn more 217 | NET::ERR_CERT_AUTHORITY_INVALID 218 | ``` 219 | 220 | 証明書は `localhost` 用に生成されているため、この警告が予想されます。`Advanced >> Proceed` をクリックし、ブラウザ証明書を使用して Solr Web コンソールにアクセスするだけです。 221 | 222 | ## Docker Standalone 223 | 224 | **Docker イメージのビルド** 225 | 226 | このイメージは [alfresco-docker-base-java](https://github.com/Alfresco/alfresco-docker-base-java) イメージに依存します。これは [Quay](https://quay.io/repository/alfresco/alfresco-base-java) (プライベート) および [Docker Hub](https://hub.docker.com/r/alfresco/alfresco-base-java/) (パブリック) で利用できます。 227 | 228 | このイメージを構築するには、次のスクリプトを実行します: 229 | 230 | ```bash 231 | docker build -t alfresco/alfresco-base-ssl . 232 | ``` 233 | 234 | これらの結果を取得するためにホストマウントフォルダを使用して、ストアと証明書を作成するために、イメージを `docker run` 経由で使用できます。 235 | 236 | **ボリューム** 237 | 238 | 次のフォルダはボリュームにマウントできます: 239 | 240 | * `/keystores` フォルダには `alfresco`、`solr` 、`zeppelin` サービス用に生成されたキーストアとトラストストアが含まれます 241 | * `/ca` フォルダには、OpenSSL で作成された CA が使用する内部情報 (CRL、CA キー...) が含まれています 242 | * `/certificates` フォルダには、キーストアとトラストストアの構築に使用される未加工の証明書が含まれています 243 | 244 | Alfresco サービスに必要なフォルダを取得するには、`keystores` フォルダをマウントするだけです。CA および証明書フォルダもマウントできますが、これらのファイルは Alfresco 構成には使用されません。 245 | 246 | ```bash 247 | $ docker run -v $PWD/keystores:/keystores alfresco/alfresco-base-ssl 248 | 249 | $ tree keystores 250 | keystores 251 | ├── alfresco 252 | │   ├── keystore 253 | │   ├── keystore-passwords.properties 254 | │   ├── ssl-keystore-passwords.properties 255 | │   ├── ssl-truststore-passwords.properties 256 | │   ├── ssl.keystore 257 | │   └── ssl.truststore 258 | ├── client 259 | │   └── browser.p12 260 | ├── solr 261 | │   ├── ssl-keystore-passwords.properties 262 | │   ├── ssl-truststore-passwords.properties 263 | │   ├── ssl.repo.client.keystore 264 | │   └── ssl.repo.client.truststore 265 | └── zeppelin 266 | ├── ssl.repo.client.keystore 267 | └── ssl.repo.client.truststore 268 | ``` 269 | 270 | **パラメータ** 271 | 272 | Docker コンテナは、上記で定義したパラメータの一部を使用して起動できます。 273 | 274 | たとえば、次のコマンドは、Alfresco Enterprise の 2048 
ビットの RSA キー長を使用して、`keystores` という名前のホストフォルダに `keystores` フォルダを作成します。 275 | 276 | ```bash 277 | $ docker run -v $PWD/keystores:/keystores -e KEY_SIZE=2048 -e ALFRESCO_VERSION=enterprise alfresco/alfresco-base-ssl 278 | ``` 279 | 280 | `keystores` フォルダが空でない場合、キーストアまたはトラストストアを作成せずプログラムがそのままであることに注意してください。 281 | 282 | 283 | ### Docker Compose 284 | 285 | この Docker イメージは Docker Compose サービスとして使用でき、前述の環境変数に同じパラメータをとります。 286 | 287 | たとえば、次のコマンドは、Alfresco Enterprise の 2048 ビットの RSA キー長を使用して、`keystores` という名前のホストフォルダに `keystores` フォルダを作成します。 288 | 289 | ``` 290 | ssl: 291 | image: alfresco/ssl-base 292 | environment: 293 | ALFRESCO_VERSION: enterprise 294 | KEY_SIZE: 2048 295 | volumes: 296 | - ./keystores:/keystores 297 | ``` 298 | 299 | *Alfresco Enterprise* および *Alfresco Community* のサンプル設定は、`docker-compose` フォルダで提供されています。 300 | 301 | 302 | ## 既知の問題 303 | 304 | **Firefox で SOLR Web コンソールにアクセスする際の "SEC_ERROR_REUSED_ISSUER_AND_SERIAL" エラー** 305 | 306 | テストまたは開発に Alfresco SSL Generator を使用していて、同じ CA 証明書を複数回発行した場合、Firefox は SOLR Web コンソール (デフォルトでは [https://localhost:8983/solr](https://localhost:8983/solr)) にアクセスしようとすると警告を発します。 307 | 308 | この問題は Bugzilla で説明されています: 309 | 310 | [https://bugzilla.mozilla.org/show_bug.cgi?id=435013](https://bugzilla.mozilla.org/show_bug.cgi?id=435013) 311 | 312 | この問題を修正するには、提供されている回避策 (Firefox プロファイルフォルダから `cert8.db` または `cert9.db` ファイルを削除するなど) を適用します。 313 | -------------------------------------------------------------------------------- /docker-compose/README.md: -------------------------------------------------------------------------------- 1 | # Docker Compose samples for Alfresco SSL/TLS with custom certificates 2 | 3 | Community and Enterprise Docker Compose templates are provided in order to describe the use of Alfresco Base SSL Image in this scenario. 4 | 5 | ## Environment variables 6 | 7 | Shared environment variable values are included in `.env` file in the root folder. 
8 | 9 | ``` 10 | $ cat .env 11 | 12 | # SSL Env Variables 13 | ALFRESCO_VERSION=community 14 | KEY_SIZE=2048 15 | KEYSTORE_TYPE=JCEKS 16 | TRUSTSTORE_TYPE=JCEKS 17 | KEYSTORE_PASS=keystore 18 | TRUSTSTORE_PASS=truststore 19 | ``` 20 | 21 | These values are used in the Docker Compose service descriptions. 22 | 23 | The *Alfresco* service uses the truststore and keystore type and password. 24 | 25 | ``` 26 | alfresco: 27 | build: 28 | context: ./alfresco 29 | args: 30 | TRUSTSTORE_TYPE: ${TRUSTSTORE_TYPE} 31 | TRUSTSTORE_PASS: ${TRUSTSTORE_PASS} 32 | KEYSTORE_TYPE: ${KEYSTORE_TYPE} 33 | KEYSTORE_PASS: ${KEYSTORE_PASS} 34 | ``` 35 | 36 | The *SOLR* service uses the truststore and keystore type and password, and also the truststore and keystore file locations. 37 | 38 | ``` 39 | solr6: 40 | build: 41 | context: ./solr6 42 | args: 43 | TRUSTSTORE_TYPE: ${TRUSTSTORE_TYPE} 44 | KEYSTORE_TYPE: ${KEYSTORE_TYPE} 45 | environment: 46 | SOLR_SSL_TRUST_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.truststore" 47 | SOLR_SSL_TRUST_STORE_PASSWORD: "${TRUSTSTORE_PASS}" 48 | SOLR_SSL_TRUST_STORE_TYPE: "${TRUSTSTORE_TYPE}" 49 | SOLR_SSL_KEY_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.keystore" 50 | SOLR_SSL_KEY_STORE_PASSWORD: "${KEYSTORE_PASS}" 51 | SOLR_SSL_KEY_STORE_TYPE: "${KEYSTORE_TYPE}" 52 | " 53 | ``` 54 | 55 | The *Zeppelin* service uses the truststore and keystore type and password, and also the truststore and keystore file locations. 
56 | 57 | ``` 58 | zeppelin: 59 | build: 60 | context: ./zeppelin 61 | args: 62 | TRUSTSTORE_TYPE: ${TRUSTSTORE_TYPE} 63 | KEYSTORE_TYPE: ${KEYSTORE_TYPE} 64 | environment: 65 | JAVA_OPTS: " 66 | -Djavax.net.ssl.keyStore=/zeppelin/keystore/ssl.repo.client.keystore 67 | -Djavax.net.ssl.keyStorePassword=${KEYSTORE_PASS} 68 | -Djavax.net.ssl.keyStoreType=${KEYSTORE_TYPE} 69 | -Djavax.net.ssl.trustStore=/zeppelin/keystore/ssl.repo.client.truststore 70 | -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASS} 71 | -Djavax.net.ssl.trustStoreType=${TRUSTSTORE_TYPE} 72 | " 73 | ``` 74 | 75 | These values are also used by the *Alfresco Base SSL* container to produce keystores, truststores and certificates. 76 | 77 | ``` 78 | ssl: 79 | image: alfresco/ssl-base 80 | environment: 81 | ALFRESCO_VERSION: ${ALFRESCO_VERSION} 82 | KEY_SIZE: ${KEY_SIZE} 83 | TRUSTSTORE_TYPE: ${TRUSTSTORE_TYPE} 84 | TRUSTSTORE_PASS: ${TRUSTSTORE_PASS} 85 | KEYSTORE_TYPE: ${KEYSTORE_TYPE} 86 | KEYSTORE_PASS: ${KEYSTORE_PASS} 87 | ``` 88 | 89 | ## Mounted volumes 90 | 91 | The *Alfresco Base SSL* service produces the `keystores` folder on a mounted volume, which allows each service-specific configuration to be shared with the Alfresco, SOLR and Zeppelin services. 92 | 93 | ``` 94 | ssl: 95 | image: alfresco/ssl-base 96 | volumes: 97 | - ./keystores:/keystores 98 | 99 | alfresco: 100 | build: 101 | context: ./alfresco 102 | volumes: 103 | - ./keystores/alfresco:/usr/local/tomcat/alf_data/keystore 104 | 105 | solr6: 106 | build: 107 | context: ./solr6 108 | volumes: 109 | - ./keystores/solr:/opt/alfresco-insight-engine/keystore 110 | 111 | zeppelin: 112 | build: 113 | context: ./zeppelin 114 | volumes: 115 | - ./keystores/zeppelin:/zeppelin/keystore 116 | 117 | ``` 118 | 119 | *Alfresco Base SSL* produces the `keystores` folder only when this folder is empty, so it can be used safely across restarts. 
To generate new certificates, the `keystores` folder can be removed; a new configuration will then be created when Docker Compose is started again. 120 | 121 | 122 | ## Custom Dockerfiles 123 | 124 | Several customisations have been added to the default Alfresco Docker images to include the specific settings from `keystores`. 125 | 126 | **Alfresco Dockerfile** 127 | 128 | Environment variable values are used in the Alfresco Dockerfile to set SSL properties in `alfresco-global.properties` and in the Tomcat SSL Connector. 129 | 130 | **SOLR Dockerfile** 131 | 132 | Environment variable values are used in the SOLR Dockerfile to set SSL properties in `solrcore.properties` from the rerank template, which is used as the template to generate the `alfresco` and `archive` SOLR cores. 133 | 134 | **Zeppelin Dockerfile** 135 | 136 | Environment variable values are used in the Zeppelin Dockerfile to set SSL properties in `interpreter.json`, which defines the communication with the Alfresco Repository. 137 | -------------------------------------------------------------------------------- /docker-compose/community/.env: -------------------------------------------------------------------------------- 1 | ALFRESCO_TAG=6.1.2-ga 2 | SHARE_TAG=6.1.0 3 | POSTGRES_TAG=10.1 4 | SEARCH_TAG=1.3.0.1 5 | ACTIVE_MQ_TAG=5.15.8 6 | 7 | # SSL Env Variables 8 | ALFRESCO_VERSION=community 9 | KEY_SIZE=2048 10 | KEYSTORE_TYPE=JCEKS 11 | TRUSTSTORE_TYPE=JCEKS 12 | KEYSTORE_PASS=keystore 13 | TRUSTSTORE_PASS=truststore 14 | -------------------------------------------------------------------------------- /docker-compose/community/alfresco/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG ALFRESCO_TAG 2 | FROM alfresco/alfresco-content-repository-community:${ALFRESCO_TAG} 3 | 4 | ARG TRUSTSTORE_TYPE 5 | ARG TRUSTSTORE_PASS 6 | ARG KEYSTORE_TYPE 7 | ARG KEYSTORE_PASS 8 | 9 | ENV TRUSTSTORE_TYPE=$TRUSTSTORE_TYPE \ 10 | TRUSTSTORE_PASS=$TRUSTSTORE_PASS \ 11 | KEYSTORE_TYPE=$KEYSTORE_TYPE \ 12 | 
KEYSTORE_PASS=$KEYSTORE_PASS 13 | 14 | ARG TOMCAT_DIR=/usr/local/tomcat 15 | ARG ALF_DATA_DIR=${TOMCAT_DIR}/alf_data 16 | 17 | # Expose keystore folder 18 | VOLUME ["${ALF_DATA_DIR}/keystore"] 19 | 20 | # Default value in "repository.properties" is "dir.keystore=classpath:alfresco/keystore" 21 | USER root 22 | RUN echo -e "\n\ 23 | dir.keystore=${ALF_DATA_DIR}/keystore\n\ 24 | alfresco.encryption.ssl.keystore.type=${TRUSTSTORE_TYPE}\n\ 25 | alfresco.encryption.ssl.truststore.type=${KEYSTORE_TYPE}\n\ 26 | " >> ${TOMCAT_DIR}/shared/classes/alfresco-global.properties 27 | 28 | ### Enable SSL by adding the proper Connector to server.xml 29 | RUN sed -i "s/\ 30 | <\/Engine>/\n\ 31 | <\/Engine>\n\ 32 | \n\ 38 | <\/Connector>/g" ${TOMCAT_DIR}/conf/server.xml 39 | -------------------------------------------------------------------------------- /docker-compose/community/docker-compose.yml: -------------------------------------------------------------------------------- 1 | # This docker-compose file will spin up an ACS cluster on a local host or on a server and it requires a minimum of 12GB Memory to distribute among containers. 2 | # Limit container memory and assign X percentage to JVM. There are couple of ways to allocate JVM Memory for ACS Containers 3 | # For example: 'JAVA_OPTS: "$JAVA_OPTS -XX:+PrintFlagsFinal -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap"' 4 | # But, as per Oracle docs (https://docs.oracle.com/javase/9/gctuning/parallel-collector1.htm#JSGCT-GUID-CAB83393-3438-44ED-98F0-D15641B43C7D) 5 | # If container memory is not explicitly set, then the above flags will default max heap to 1/4th of container's memory which may not be ideal. 6 | # Hence, setting up explicit Container memory and then assigning a percentage of it to the JVM for performance tuning. 
7 | 8 | # Using version 2 as 3 does not support resource constraint options (cpu_*, mem_* limits) for non swarm mode in Compose 9 | version: "2" 10 | 11 | services: 12 | alfresco: 13 | build: 14 | context: ./alfresco 15 | args: 16 | ALFRESCO_TAG: ${ALFRESCO_TAG} 17 | TRUSTSTORE_TYPE: ${TRUSTSTORE_TYPE} 18 | TRUSTSTORE_PASS: ${TRUSTSTORE_PASS} 19 | KEYSTORE_TYPE: ${KEYSTORE_TYPE} 20 | KEYSTORE_PASS: ${KEYSTORE_PASS} 21 | mem_limit: 1500m 22 | depends_on: 23 | - ssl 24 | environment: 25 | JAVA_OPTS : " 26 | -Ddb.driver=org.postgresql.Driver 27 | -Ddb.username=alfresco 28 | -Ddb.password=alfresco 29 | -Ddb.url=jdbc:postgresql://postgres:5432/alfresco 30 | -Dsolr.host=solr6 31 | -Dsolr.port.ssl=8983 32 | -Dsolr.secureComms=https 33 | -Dsolr.base.url=/solr 34 | -Dindex.subsystem.name=solr6 35 | -Dshare.host=localhost 36 | -Dalfresco.port=8082 37 | -Daos.baseUrlOverwrite=http://localhost:8082/alfresco/aos 38 | -Dmessaging.broker.url=\"failover:(nio://activemq:61616)?timeout=3000&jms.useCompression=true\" 39 | -Ddeployment.method=DOCKER_COMPOSE 40 | -Dcsrf.filter.enabled=false 41 | -Xms1g -Xmx1g 42 | " 43 | ports: 44 | - 8082:8080 #Browser port 45 | - 8443:8443 46 | volumes: 47 | - ./keystores/alfresco:/usr/local/tomcat/alf_data/keystore 48 | 49 | share: 50 | image: alfresco/alfresco-share:${SHARE_TAG} 51 | mem_limit: 1g 52 | environment: 53 | - REPO_HOST=alfresco 54 | - REPO_PORT=8080 55 | - "CATALINA_OPTS= -Xms500m -Xmx500m" 56 | ports: 57 | - 8080:8080 58 | 59 | postgres: 60 | image: postgres:${POSTGRES_TAG} 61 | mem_limit: 1500m 62 | environment: 63 | - POSTGRES_PASSWORD=alfresco 64 | - POSTGRES_USER=alfresco 65 | - POSTGRES_DB=alfresco 66 | command: postgres -c max_connections=300 -c log_min_messages=LOG 67 | ports: 68 | - 5432:5432 69 | 70 | solr6: 71 | build: 72 | context: ./solr6 73 | args: 74 | SEARCH_TAG: ${SEARCH_TAG} 75 | TRUSTSTORE_TYPE: ${TRUSTSTORE_TYPE} 76 | KEYSTORE_TYPE: ${KEYSTORE_TYPE} 77 | mem_limit: 2500m 78 | depends_on: 79 | - ssl 80 | environment: 
81 | #Solr needs to know how to register itself with Alfresco 82 | SOLR_ALFRESCO_HOST: "alfresco" 83 | SOLR_ALFRESCO_PORT: "8443" 84 | #Alfresco needs to know how to call solr 85 | SOLR_SOLR_HOST: "solr6" 86 | SOLR_SOLR_PORT: "8983" 87 | SOLR_SSL_TRUST_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.truststore" 88 | SOLR_SSL_TRUST_STORE_PASSWORD: "${TRUSTSTORE_PASS}" 89 | SOLR_SSL_TRUST_STORE_TYPE: "${TRUSTSTORE_TYPE}" 90 | SOLR_SSL_KEY_STORE: "/opt/alfresco-search-services/keystore/ssl.repo.client.keystore" 91 | SOLR_SSL_KEY_STORE_PASSWORD: "${KEYSTORE_PASS}" 92 | SOLR_SSL_KEY_STORE_TYPE: "${KEYSTORE_TYPE}" 93 | SOLR_SSL_NEED_CLIENT_AUTH: "true" 94 | #Create the default alfresco and archive cores 95 | SOLR_CREATE_ALFRESCO_DEFAULTS: "alfresco,archive" 96 | SOLR_JAVA_MEM: "-Xms2g -Xmx2g" 97 | SOLR_OPTS: " 98 | -Dsolr.ssl.checkPeerName=false 99 | -Dsolr.allow.unsafe.resourceloading=true 100 | " 101 | ports: 102 | - 8083:8983 #Browser port 103 | volumes: 104 | - ./keystores/solr:/opt/alfresco-search-services/keystore 105 | 106 | activemq: 107 | image: alfresco/alfresco-activemq:${ACTIVE_MQ_TAG} 108 | mem_limit: 2048m 109 | ports: 110 | - 8161:8161 # Web Console 111 | - 5672:5672 # AMQP 112 | - 61616:61616 # OpenWire 113 | - 61613:61613 # STOMP 114 | 115 | ssl: 116 | image: alfresco/ssl-base 117 | environment: 118 | ALFRESCO_VERSION: ${ALFRESCO_VERSION} 119 | KEY_SIZE: ${KEY_SIZE} 120 | TRUSTSTORE_TYPE: ${TRUSTSTORE_TYPE} 121 | TRUSTSTORE_PASS: ${TRUSTSTORE_PASS} 122 | KEYSTORE_TYPE: ${KEYSTORE_TYPE} 123 | KEYSTORE_PASS: ${KEYSTORE_PASS} 124 | volumes: 125 | - ./keystores:/keystores 126 | -------------------------------------------------------------------------------- /docker-compose/community/solr6/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG SEARCH_TAG 2 | FROM alfresco/alfresco-search-services:${SEARCH_TAG} 3 | 4 | ARG TRUSTSTORE_TYPE 5 | ENV TRUSTSTORE_TYPE $TRUSTSTORE_TYPE 6 | 7 | ARG 
KEYSTORE_TYPE 8 | ENV KEYSTORE_TYPE $KEYSTORE_TYPE 9 | 10 | # Configure SOLR cores to run in HTTPs mode from template 11 | RUN sed -i '/^bash.*/i sed -i "'"s/alfresco.secureComms=none/alfresco.secureComms=https/g"'" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties\n' \ 12 | ${DIST_DIR}/solr/bin/search_config_setup.sh 13 | 14 | # Set SSL properties 15 | RUN sed -i '/^bash.*/i \ 16 | sed -i "'"s/alfresco.encryption.ssl.keystore.location=.*/alfresco.encryption.ssl.keystore.location=\\\/opt\\\/alfresco-search-services\\\/keystore\\\/ssl.repo.client.keystore/g"'" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties && \ 17 | sed -i "'"s/alfresco.encryption.ssl.keystore.passwordFileLocation=.*/alfresco.encryption.ssl.keystore.passwordFileLocation=\\\/opt\\\/alfresco-search-services\\\/keystore\\\/ssl-keystore-passwords.properties/g"'" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties && \ 18 | sed -i "'"s/alfresco.encryption.ssl.keystore.type=.*/alfresco.encryption.ssl.keystore.type=${KEYSTORE_TYPE}/g"'" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties && \ 19 | sed -i "'"s/alfresco.encryption.ssl.truststore.location=.*/alfresco.encryption.ssl.truststore.location=\\\/opt\\\/alfresco-search-services\\\/keystore\\\/ssl.repo.client.truststore/g"'" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties && \ 20 | sed -i "'"s/alfresco.encryption.ssl.truststore.passwordFileLocation=.*/alfresco.encryption.ssl.truststore.passwordFileLocation=\\\/opt\\\/alfresco-search-services\\\/keystore\\\/ssl-truststore-passwords.properties/g"'" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties && \ 21 | sed -i "'"s/alfresco.encryption.ssl.truststore.type=.*/alfresco.encryption.ssl.truststore.type=${TRUSTSTORE_TYPE}/g"'" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties' \ 22 | ${DIST_DIR}/solr/bin/search_config_setup.sh 23 | 24 | # Remove pre-bundled stores (just to be sure that they are not picked up) 25 | 
RUN sed -i '/^bash.*/i \ 26 | rm ${DIST_DIR}/solrhome/templates/rerank/conf/ssl.repo.client.keystore && \ 27 | rm ${DIST_DIR}/solrhome/templates/rerank/conf/ssl-keystore-passwords.properties && \ 28 | rm ${DIST_DIR}/solrhome/templates/rerank/conf/ssl.repo.client.truststore && \ 29 | rm ${DIST_DIR}/solrhome/templates/rerank/conf/ssl-truststore-passwords.properties' \ 30 | ${DIST_DIR}/solr/bin/search_config_setup.sh 31 | 32 | RUN mkdir ${DIST_DIR}/keystore \ 33 | && chown -R solr:solr ${DIST_DIR}/keystore 34 | 35 | VOLUME ["${DIST_DIR}/keystore"] 36 | -------------------------------------------------------------------------------- /docker-compose/enterprise/.env: -------------------------------------------------------------------------------- 1 | ALFRESCO_TAG=6.1.0.3 2 | SHARE_TAG=6.1.0 3 | POSTGRES_TAG=10.1 4 | SEARCH_TAG=latest 5 | ZEPPELIN_TAG=1.1.0.1 6 | TRANSFORM_ROUTER_TAG=1.0.1 7 | PDF_RENDERER_TAG=2.0.10 8 | IMAGE_MAGICK_TAG=2.0.10 9 | LIBREOFFICE_TAG=2.0.10 10 | TIKA_TAG=2.0.10 11 | SHARED_FILE_STORE_TAG=0.5.3 12 | ACTIVE_MQ_TAG=5.15.8 13 | DIGITAL_WORKSPACE_TAG=1.1.0 14 | ACS_NGINX_TAG=3.4.2 15 | 16 | # SSL Env Variables 17 | ALFRESCO_VERSION=enterprise 18 | KEY_SIZE=2048 19 | KEYSTORE_TYPE=JCEKS 20 | TRUSTSTORE_TYPE=JCEKS 21 | KEYSTORE_PASS=keystore 22 | TRUSTSTORE_PASS=truststore 23 | -------------------------------------------------------------------------------- /docker-compose/enterprise/alfresco/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG ALFRESCO_TAG 2 | FROM alfresco/alfresco-content-repository:${ALFRESCO_TAG} 3 | 4 | ARG TRUSTSTORE_TYPE 5 | ARG TRUSTSTORE_PASS 6 | ARG KEYSTORE_TYPE 7 | ARG KEYSTORE_PASS 8 | 9 | ENV TRUSTSTORE_TYPE=$TRUSTSTORE_TYPE \ 10 | TRUSTSTORE_PASS=$TRUSTSTORE_PASS \ 11 | KEYSTORE_TYPE=$KEYSTORE_TYPE \ 12 | KEYSTORE_PASS=$KEYSTORE_PASS 13 | 14 | ARG TOMCAT_DIR=/usr/local/tomcat 15 | ARG ALF_DATA_DIR=${TOMCAT_DIR}/alf_data 16 | 17 | # Expose keystore folder 18 | VOLUME 
["${ALF_DATA_DIR}/keystore"] 19 | 20 | # Default value in "repository.properties" is "dir.keystore=classpath:alfresco/keystore" 21 | RUN echo -e "\n\ 22 | dir.keystore=${ALF_DATA_DIR}/keystore\n\ 23 | alfresco.encryption.ssl.keystore.type=${TRUSTSTORE_TYPE}\n\ 24 | alfresco.encryption.ssl.truststore.type=${KEYSTORE_TYPE}\n\ 25 | " >> ${TOMCAT_DIR}/shared/classes/alfresco-global.properties 26 | 27 | ### Enable SSL by adding the proper Connector to server.xml 28 | RUN sed -i "s/\ 29 | <\/Engine>/\n\ 30 | <\/Engine>\n\ 31 | \n\ 37 | <\/Connector>/g" ${TOMCAT_DIR}/conf/server.xml 38 | -------------------------------------------------------------------------------- /docker-compose/enterprise/docker-compose.yml: -------------------------------------------------------------------------------- 1 | # This docker-compose file will spin up an ACS cluster on a local host or on a server and it requires a minimum of 16GB Memory to distribute among containers. 2 | # Limit container memory and assign X percentage to JVM. There are couple of ways to allocate JVM Memory for ACS Containers 3 | # For example: 'JAVA_OPTS: "$JAVA_OPTS -XX:+PrintFlagsFinal -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap"' 4 | # See Oracle docs (https://docs.oracle.com/javase/9/gctuning/parallel-collector1.htm#JSGCT-GUID-CAB83393-3438-44ED-98F0-D15641B43C7D). 5 | # If the container memory is not explicitly set then the flags above will set the max heap default to 1/4 of the container's memory, which may not be ideal. 6 | # For performance tuning, assign the container memory and give a percentage of it to the JVM. 7 | 8 | # Note: The docker-compose file from github.com is a limited trial that goes into read-only mode after 2 days. 
9 | # Get the latest docker-compose.yml file with a 30-day trial license by accessing the Alfresco Content Services trial download page at: 10 | # https://www.alfresco.com/platform/content-services-ecm/trial/download 11 | 12 | # Using version 2 as 3 does not support resource constraint options (cpu_*, mem_* limits) for non swarm mode in Compose 13 | version: "2" 14 | 15 | services: 16 | alfresco: 17 | build: 18 | context: ./alfresco 19 | args: 20 | ALFRESCO_TAG: ${ALFRESCO_TAG} 21 | TRUSTSTORE_TYPE: ${TRUSTSTORE_TYPE} 22 | TRUSTSTORE_PASS: ${TRUSTSTORE_PASS} 23 | KEYSTORE_TYPE: ${KEYSTORE_TYPE} 24 | KEYSTORE_PASS: ${KEYSTORE_PASS} 25 | mem_limit: 1700m 26 | depends_on: 27 | - ssl 28 | environment: 29 | JAVA_OPTS: " 30 | -Ddb.driver=org.postgresql.Driver 31 | -Ddb.username=alfresco 32 | -Ddb.password=alfresco 33 | -Ddb.url=jdbc:postgresql://postgres:5432/alfresco 34 | -Dsolr.host=solr6 35 | -Dsolr.port.ssl=8983 36 | -Dsolr.secureComms=https 37 | -Dsolr.base.url=/solr 38 | -Dindex.subsystem.name=solr6 39 | -Dalfresco-pdf-renderer.url=http://alfresco-pdf-renderer:8090/ 40 | -Djodconverter.url=http://libreoffice:8090/ 41 | -Dimg.url=http://imagemagick:8090/ 42 | -Dtika.url=http://tika:8090/ 43 | -Dsfs.url=http://shared-file-store:8099/ 44 | -Dshare.host=127.0.0.1 45 | -Dshare.port=8080 46 | -Dalfresco.host=localhost 47 | -Dalfresco.port=8080 48 | -Daos.baseUrlOverwrite=http://localhost:8080/alfresco/aos 49 | -Dmessaging.broker.url=\"failover:(nio://activemq:61616)?timeout=3000&jms.useCompression=true\" 50 | -Ddeployment.method=DOCKER_COMPOSE 51 | -Dlocal.transform.service.enabled=true 52 | -Dtransform.service.enabled=true 53 | -Dcsrf.filter.enabled=false 54 | -Xms1500m -Xmx1500m 55 | -Dalfresco.restApi.basicAuthScheme=true 56 | " 57 | ports: 58 | - 8443:8443 59 | volumes: 60 | - ./keystores/alfresco:/usr/local/tomcat/alf_data/keystore 61 | 62 | transform-router: 63 | mem_limit: 512m 64 | image: quay.io/alfresco/alfresco-transform-router:${TRANSFORM_ROUTER_TAG} 65 | 
environment: 66 | JAVA_OPTS: " -Xms256m -Xmx512m" 67 | ACTIVEMQ_URL: "nio://activemq:61616" 68 | IMAGEMAGICK_URL: "http://imagemagick:8090" 69 | PDF_RENDERER_URL : "http://alfresco-pdf-renderer:8090" 70 | LIBREOFFICE_URL : "http://libreoffice:8090" 71 | TIKA_URL : "http://tika:8090" 72 | FILE_STORE_URL: "http://shared-file-store:8099/alfresco/api/-default-/private/sfs/versions/1/file" 73 | links: 74 | - activemq 75 | 76 | alfresco-pdf-renderer: 77 | image: quay.io/alfresco/alfresco-pdf-renderer:${PDF_RENDERER_TAG} 78 | mem_limit: 1g 79 | environment: 80 | JAVA_OPTS: " -Xms256m -Xmx512m" 81 | ACTIVEMQ_URL: "nio://activemq:61616" 82 | FILE_STORE_URL: "http://shared-file-store:8099/alfresco/api/-default-/private/sfs/versions/1/file" 83 | ports: 84 | - 8090:8090 85 | links: 86 | - activemq 87 | 88 | imagemagick: 89 | image: quay.io/alfresco/alfresco-imagemagick:${IMAGE_MAGICK_TAG} 90 | mem_limit: 1g 91 | environment: 92 | JAVA_OPTS: " -Xms256m -Xmx512m" 93 | ACTIVEMQ_URL: "nio://activemq:61616" 94 | FILE_STORE_URL: "http://shared-file-store:8099/alfresco/api/-default-/private/sfs/versions/1/file" 95 | ports: 96 | - 8091:8090 97 | links: 98 | - activemq 99 | 100 | libreoffice: 101 | image: quay.io/alfresco/alfresco-libreoffice:${LIBREOFFICE_TAG} 102 | mem_limit: 1g 103 | environment: 104 | JAVA_OPTS: " -Xms256m -Xmx512m" 105 | ACTIVEMQ_URL: "nio://activemq:61616" 106 | FILE_STORE_URL: "http://shared-file-store:8099/alfresco/api/-default-/private/sfs/versions/1/file" 107 | ports: 108 | - 8092:8090 109 | links: 110 | - activemq 111 | 112 | tika: 113 | image: quay.io/alfresco/alfresco-tika:${TIKA_TAG} 114 | mem_limit: 1g 115 | environment: 116 | JAVA_OPTS: " -Xms256m -Xmx512m" 117 | ACTIVEMQ_URL: "nio://activemq:61616" 118 | FILE_STORE_URL: "http://shared-file-store:8099/alfresco/api/-default-/private/sfs/versions/1/file" 119 | ports: 120 | - 8093:8090 121 | links: 122 | - activemq 123 | 124 | shared-file-store: 125 | image: 
alfresco/alfresco-shared-file-store:${SHARED_FILE_STORE_TAG} 126 | mem_limit: 512m 127 | environment: 128 | JAVA_OPTS: " -Xms256m -Xmx512m" 129 | scheduler.content.age.millis: 86400000 130 | scheduler.cleanup.interval: 86400000 131 | ports: 132 | - 8099:8099 133 | volumes: 134 | - shared-file-store-volume:/tmp/Alfresco/sfs 135 | 136 | share: 137 | image: alfresco/alfresco-share:${SHARE_TAG} 138 | mem_limit: 1g 139 | environment: 140 | REPO_HOST: "alfresco" 141 | REPO_PORT: "8080" 142 | JAVA_OPTS: " 143 | -Xms500m 144 | -Xmx500m 145 | -Dalfresco.host=localhost 146 | -Dalfresco.port=8080 147 | -Dalfresco.context=alfresco 148 | -Dalfresco.protocol=http 149 | " 150 | 151 | postgres: 152 | image: postgres:${POSTGRES_TAG} 153 | mem_limit: 512m 154 | environment: 155 | - POSTGRES_PASSWORD=alfresco 156 | - POSTGRES_USER=alfresco 157 | - POSTGRES_DB=alfresco 158 | command: postgres -c max_connections=300 -c log_min_messages=LOG 159 | ports: 160 | - 5432:5432 161 | 162 | solr6: 163 | build: 164 | context: ./solr6 165 | args: 166 | SEARCH_TAG: ${SEARCH_TAG} 167 | TRUSTSTORE_TYPE: ${TRUSTSTORE_TYPE} 168 | KEYSTORE_TYPE: ${KEYSTORE_TYPE} 169 | mem_limit: 2g 170 | depends_on: 171 | - ssl 172 | environment: 173 | #Solr needs to know how to register itself with Alfresco 174 | SOLR_ALFRESCO_HOST: "alfresco" 175 | SOLR_ALFRESCO_PORT: "8443" 176 | #Alfresco needs to know how to call solr 177 | SOLR_SOLR_HOST: "solr6" 178 | SOLR_SOLR_PORT: "8983" 179 | SOLR_SSL_TRUST_STORE: "/opt/alfresco-insight-engine/keystore/ssl.repo.client.truststore" 180 | SOLR_SSL_TRUST_STORE_PASSWORD: "${TRUSTSTORE_PASS}" 181 | SOLR_SSL_TRUST_STORE_TYPE: "${TRUSTSTORE_TYPE}" 182 | SOLR_SSL_KEY_STORE: "/opt/alfresco-insight-engine/keystore/ssl.repo.client.keystore" 183 | SOLR_SSL_KEY_STORE_PASSWORD: "${KEYSTORE_PASS}" 184 | SOLR_SSL_KEY_STORE_TYPE: "${KEYSTORE_TYPE}" 185 | SOLR_SSL_NEED_CLIENT_AUTH: "true" 186 | #Create the default alfresco and archive cores 187 | SOLR_CREATE_ALFRESCO_DEFAULTS: 
"alfresco,archive" 188 | SOLR_JAVA_MEM: "-Xms2g -Xmx2g" 189 | SOLR_OPTS: " 190 | -Dsolr.ssl.checkPeerName=false 191 | -Dsolr.allow.unsafe.resourceloading=true 192 | " 193 | ports: 194 | - 8083:8983 #Browser port 195 | volumes: 196 | - ./keystores/solr:/opt/alfresco-insight-engine/keystore 197 | 198 | zeppelin: 199 | build: 200 | context: ./zeppelin 201 | args: 202 | ZEPPELIN_TAG: ${ZEPPELIN_TAG} 203 | TRUSTSTORE_TYPE: ${TRUSTSTORE_TYPE} 204 | KEYSTORE_TYPE: ${KEYSTORE_TYPE} 205 | depends_on: 206 | - ssl 207 | environment: 208 | REPO_PROTOCOL: "https" 209 | REPO_HOST: "alfresco" 210 | REPO_PORT: "8443" 211 | JAVA_OPTS: " 212 | -Dalfresco.enable.ssl=true 213 | -Dsolr.ssl.checkPeerName=false 214 | -Djavax.net.ssl.keyStore=/zeppelin/keystore/ssl.repo.client.keystore 215 | -Djavax.net.ssl.keyStorePassword=${KEYSTORE_PASS} 216 | -Djavax.net.ssl.keyStoreType=${KEYSTORE_TYPE} 217 | -Djavax.net.ssl.trustStore=/zeppelin/keystore/ssl.repo.client.truststore 218 | -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASS} 219 | -Djavax.net.ssl.trustStoreType=${TRUSTSTORE_TYPE} 220 | " 221 | ports: 222 | - 9090:9090 223 | volumes: 224 | - ./keystores/zeppelin:/zeppelin/keystore 225 | 226 | activemq: 227 | image: alfresco/alfresco-activemq:${ACTIVE_MQ_TAG} 228 | mem_limit: 1g 229 | ports: 230 | - 8161:8161 # Web Console 231 | - 5672:5672 # AMQP 232 | - 61616:61616 # OpenWire 233 | - 61613:61613 # STOMP 234 | 235 | digital-workspace: 236 | image: quay.io/alfresco/alfresco-digital-workspace:${DIGITAL_WORKSPACE_TAG} 237 | mem_limit: 128m 238 | environment: 239 | BASEPATH: ./ 240 | 241 | proxy: 242 | image: alfresco/alfresco-acs-nginx:${ACS_NGINX_TAG} 243 | mem_limit: 128m 244 | environment: 245 | DISABLE_CONTROL_CENTER: "true" 246 | DISABLE_SYNCSERVICE: "true" 247 | DISABLE_PROMETHEUS: "true" 248 | depends_on: 249 | - alfresco 250 | - digital-workspace 251 | ports: 252 | - 8080:8080 253 | links: 254 | - digital-workspace 255 | - alfresco 256 | - share 257 | 258 | ssl: 259 | image: 
alfresco/ssl-base 260 | environment: 261 | ALFRESCO_VERSION: ${ALFRESCO_VERSION} 262 | KEY_SIZE: ${KEY_SIZE} 263 | TRUSTSTORE_TYPE: ${TRUSTSTORE_TYPE} 264 | TRUSTSTORE_PASS: ${TRUSTSTORE_PASS} 265 | KEYSTORE_TYPE: ${KEYSTORE_TYPE} 266 | KEYSTORE_PASS: ${KEYSTORE_PASS} 267 | volumes: 268 | - ./keystores:/keystores 269 | 270 | volumes: 271 | shared-file-store-volume: 272 | driver_opts: 273 | type: tmpfs 274 | device: tmpfs 275 | -------------------------------------------------------------------------------- /docker-compose/enterprise/solr6/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG SEARCH_TAG 2 | FROM quay.io/alfresco/insight-engine:${SEARCH_TAG} 3 | 4 | ARG TRUSTSTORE_TYPE 5 | ENV TRUSTSTORE_TYPE $TRUSTSTORE_TYPE 6 | 7 | ARG KEYSTORE_TYPE 8 | ENV KEYSTORE_TYPE $KEYSTORE_TYPE 9 | 10 | # Configure SOLR cores to run in HTTPs mode from template 11 | RUN sed -i '/^bash.*/i sed -i "'"s/alfresco.secureComms=none/alfresco.secureComms=https/g"'" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties\n' \ 12 | ${DIST_DIR}/solr/bin/search_config_setup.sh 13 | 14 | # Set SSL properties 15 | RUN sed -i '/^bash.*/i \ 16 | sed -i "'"s/alfresco.encryption.ssl.keystore.location=.*/alfresco.encryption.ssl.keystore.location=\\\/opt\\\/alfresco-insight-engine\\\/keystore\\\/ssl.repo.client.keystore/g"'" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties && \ 17 | sed -i "'"s/alfresco.encryption.ssl.keystore.passwordFileLocation=.*/alfresco.encryption.ssl.keystore.passwordFileLocation=\\\/opt\\\/alfresco-insight-engine\\\/keystore\\\/ssl-keystore-passwords.properties/g"'" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties && \ 18 | sed -i "'"s/alfresco.encryption.ssl.keystore.type=.*/alfresco.encryption.ssl.keystore.type=${KEYSTORE_TYPE}/g"'" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties && \ 19 | sed -i 
"'"s/alfresco.encryption.ssl.truststore.location=.*/alfresco.encryption.ssl.truststore.location=\\\/opt\\\/alfresco-insight-engine\\\/keystore\\\/ssl.repo.client.truststore/g"'" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties && \ 20 | sed -i "'"s/alfresco.encryption.ssl.truststore.passwordFileLocation=.*/alfresco.encryption.ssl.truststore.passwordFileLocation=\\\/opt\\\/alfresco-insight-engine\\\/keystore\\\/ssl-truststore-passwords.properties/g"'" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties && \ 21 | sed -i "'"s/alfresco.encryption.ssl.truststore.type=.*/alfresco.encryption.ssl.truststore.type=${TRUSTSTORE_TYPE}/g"'" ${DIST_DIR}/solrhome/templates/rerank/conf/solrcore.properties' \ 22 | ${DIST_DIR}/solr/bin/search_config_setup.sh 23 | 24 | # Remove pre-bundled stores (just to be sure that they are not picked up) 25 | RUN sed -i '/^bash.*/i rm ${DIST_DIR}/solrhome/templates/rerank/conf/ssl.repo.client.keystore'\ 26 | ${DIST_DIR}/solr/bin/search_config_setup.sh 27 | RUN sed -i '/^bash.*/i rm ${DIST_DIR}/solrhome/templates/rerank/conf/ssl-keystore-passwords.properties'\ 28 | ${DIST_DIR}/solr/bin/search_config_setup.sh 29 | RUN sed -i '/^bash.*/i rm ${DIST_DIR}/solrhome/templates/rerank/conf/ssl.repo.client.truststore'\ 30 | ${DIST_DIR}/solr/bin/search_config_setup.sh 31 | RUN sed -i '/^bash.*/i rm ${DIST_DIR}/solrhome/templates/rerank/conf/ssl-truststore-passwords.properties'\ 32 | ${DIST_DIR}/solr/bin/search_config_setup.sh 33 | 34 | RUN mkdir ${DIST_DIR}/keystore \ 35 | && chown -R solr:solr ${DIST_DIR}/keystore 36 | 37 | VOLUME ["${DIST_DIR}/keystore"] 38 | -------------------------------------------------------------------------------- /docker-compose/enterprise/zeppelin/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG ZEPPELIN_TAG 2 | FROM quay.io/alfresco/insight-zeppelin:${ZEPPELIN_TAG} 3 | 4 | ARG TRUSTSTORE_TYPE 5 | ARG TRUSTSTORE_PASS 6 | ARG KEYSTORE_TYPE 7 | ARG 
KEYSTORE_PASS 8 | 9 | ENV TRUSTSTORE_TYPE=$TRUSTSTORE_TYPE \ 10 | TRUSTSTORE_PASS=$TRUSTSTORE_PASS \ 11 | KEYSTORE_TYPE=$KEYSTORE_TYPE \ 12 | KEYSTORE_PASS=$KEYSTORE_PASS 13 | 14 | RUN mkdir ${ZEPPELIN_HOME}/keystore \ 15 | && chown -R zeppelin:zeppelin ${ZEPPELIN_HOME}/keystore 16 | 17 | ### Add SSL Configuration to Zeppelin Interpreter 18 | RUN sed -i '/"zeppelin.jdbc.principal":/i \ 19 | "alfresco.enable.ssl": { \n\ 20 | "value": "true", \n\ 21 | "type": "string" \n\ 22 | },\n\ 23 | "solr.ssl.checkPeerName": {\n\ 24 | "value": "false",\n\ 25 | "type": "string"\n\ 26 | },\n\ 27 | "javax.net.ssl.keyStore": {\n\ 28 | "value": "/zeppelin/keystore/ssl.repo.client.keystore",\n\ 29 | "type": "string"\n\ 30 | },\n\ 31 | "javax.net.ssl.keyStorePassword": {\n\ 32 | "value": "${KEYSTORE_PASS}",\n\ 33 | "type": "string"\n\ 34 | },\n\ 35 | "javax.net.ssl.keyStoreType": {\n\ 36 | "value": "${KEYSTORE_TYPE}",\n\ 37 | "type": "string"\n\ 38 | },\n\ 39 | "javax.net.ssl.trustStore": {\n\ 40 | "value": "/zeppelin/keystore/ssl.repo.client.truststore",\n\ 41 | "type": "string"\n\ 42 | },\n\ 43 | "javax.net.ssl.trustStorePassword": {\n\ 44 | "value": "${TRUSTSTORE_PASS}",\n\ 45 | "type": "string"\n\ 46 | },\n\ 47 | "javax.net.ssl.trustStoreType": {\n\ 48 | "value": "${TRUSTSTORE_TYPE}",\n\ 49 | "type": "string"\n\ 50 | \n},\ 51 | ' ${ZEPPELIN_HOME}/conf/interpreter.json 52 | -------------------------------------------------------------------------------- /scripts/ci/convert_testclient_keystore_to_pem.sh: -------------------------------------------------------------------------------- 1 | #! 
/bin/bash 2 | 3 | CI_WORKSPACE=$1 4 | 5 | #Convert keystore and truststore format to PEM (only PEM is accepted by curl) 6 | TEST_CLIENT_PATH="${CI_WORKSPACE}/keystores/testClient" 7 | TEST_CLIENT_CURL_KEYSTORE="testClient_keystore" 8 | TEST_CLIENT_CURL_TRUSTSTORE="testClient_truststore" 9 | 10 | keytool -noprompt -importkeystore -srckeystore ${TEST_CLIENT_PATH}/testClient.keystore -destkeystore ${TEST_CLIENT_PATH}/${TEST_CLIENT_CURL_KEYSTORE}.p12 -srcstoretype JCEKS -deststoretype PKCS12 -deststorepass password -srcstorepass password 11 | openssl pkcs12 -in ${TEST_CLIENT_PATH}/${TEST_CLIENT_CURL_KEYSTORE}.p12 -nokeys -out ${TEST_CLIENT_PATH}/client-cert.pem -password pass:password 12 | openssl pkcs12 -in ${TEST_CLIENT_PATH}/${TEST_CLIENT_CURL_KEYSTORE}.p12 -password pass:password -nocerts -out ${TEST_CLIENT_PATH}/client-key.pem -passout pass:password 13 | 14 | keytool -noprompt -importkeystore -srckeystore ${TEST_CLIENT_PATH}/testClient.truststore -destkeystore ${TEST_CLIENT_PATH}/${TEST_CLIENT_CURL_TRUSTSTORE}.p12 -srcstoretype JCEKS -deststoretype PKCS12 -deststorepass password -srcstorepass password 15 | openssl pkcs12 -in ${TEST_CLIENT_PATH}/${TEST_CLIENT_CURL_TRUSTSTORE}.p12 -out ${TEST_CLIENT_PATH}/${TEST_CLIENT_CURL_TRUSTSTORE}.pem -password pass:password -passout pass:password -------------------------------------------------------------------------------- /scripts/ci/generate_keystores.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | 3 | #This script is used by MTLS tests in many repositories (acs-packaging, community-repo, transform-service, transform-aspose, ai-renditions). 
#Be cautious when manipulating it
Ltd./OU=Unknown/CN=T-Engine AIO" -servername localhost,transform-core-aio -alfrescoformat $ALFRESCO_FORMAT 29 | #Shared file store 30 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename sharedFileStore -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Shared File Store" -servername localhost,shared-file-store -alfrescoformat $ALFRESCO_FORMAT 31 | #Transform Router 32 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename transformRouter -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router" -servername localhost,transform-router,router -alfrescoformat $ALFRESCO_FORMAT 33 | #T-Engine Imagemagick 34 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename tengineImageMagick -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine ImageMagick" -servername localhost,imagemagick -alfrescoformat $ALFRESCO_FORMAT 35 | #T-Engine Libreoffice 36 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename tengineLibreOffice -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine LibreOffice" -servername localhost,libreoffice -alfrescoformat $ALFRESCO_FORMAT 37 | #T-Engine Pdfrenderer 38 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename tenginePdfRenderer -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname 
"/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine PdfRenderer" -servername localhost,alfresco-pdf-renderer -alfrescoformat $ALFRESCO_FORMAT 39 | #T-Engine Tika 40 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename tengineTika -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Tika" -servername localhost,tika -alfrescoformat $ALFRESCO_FORMAT 41 | #T-Engine Misc 42 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename tengineMisc -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Misc" -servername localhost,misc -alfrescoformat $ALFRESCO_FORMAT 43 | #Transform Aspose 44 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename tAspose -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Aspose" -servername localhost,transform-aspose -alfrescoformat $ALFRESCO_FORMAT 45 | 46 | #AWS AI 47 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename awsAi -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=AWS AI" -servername localhost,aws-ai -alfrescoformat $ALFRESCO_FORMAT 48 | 49 | #HttpClient used in tests 50 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename testClient -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Test 
Client" -servername localhost,test-client -alfrescoformat $ALFRESCO_FORMAT 51 | -------------------------------------------------------------------------------- /scripts/ci/generate_keystores_wrong_hostnames.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | 3 | #This script is used by MTLS tests in many repositories (acs-packaging, community-repo, transform-service, transform-aspose, ai-renditions). 4 | #Be cautious #when manipulating it 5 | 6 | # SETTINGS 7 | # Alfresco Format: "classic" / "current" is supported only from 7.0 8 | ALFRESCO_FORMAT=current 9 | 10 | #Contains directory settings 11 | SCRIPT_DIR="$(dirname "$(realpath "$0")")" 12 | source ${SCRIPT_DIR}/../../ssl-tool/utils.sh 13 | 14 | # Cleanup previous output of script 15 | rm -rd $CA_DIR 16 | rm -rd $KEYSTORES_DIR 17 | rm -rd $CERTIFICATES_DIR 18 | 19 | #CA 20 | bash ${SCRIPT_DIR}/../../ssl-tool/run_ca.sh -keysize 2048 -keystorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA" -servername test -validityduration 1 21 | #Alfresco 22 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename alfresco -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository" -servername test -alfrescoformat $ALFRESCO_FORMAT 23 | #Alfresco Metadata encryption 24 | bash ${SCRIPT_DIR}/../../ssl-tool/run_encryption.sh -subfoldername alfresco -servicename encryption -encstorepass mp6yc0UD9e -encmetadatapass oKIWzVdEdA -alfrescoformat $ALFRESCO_FORMAT 25 | #Search Engine 26 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename searchEngine -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software 
Ltd./OU=Unknown/CN=Search Engine" -servername test -alfrescoformat $ALFRESCO_FORMAT 27 | #T-Engine AIO 28 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename tengineAIO -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine AIO" -servername test -alfrescoformat $ALFRESCO_FORMAT 29 | #Shared file store 30 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename sharedFileStore -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Shared File Store" -servername test -alfrescoformat $ALFRESCO_FORMAT 31 | #Transform Router 32 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename transformRouter -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router" -servername test -alfrescoformat $ALFRESCO_FORMAT 33 | #T-Engine Imagemagick 34 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename tengineImageMagick -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine ImageMagick" -servername test -alfrescoformat $ALFRESCO_FORMAT 35 | #T-Engine Libreoffice 36 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename tengineLibreOffice -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine LibreOffice" -servername test -alfrescoformat $ALFRESCO_FORMAT 37 | #T-Engine 
Pdfrenderer 38 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename tenginePdfRenderer -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine PdfRenderer" -servername test -alfrescoformat $ALFRESCO_FORMAT 39 | #T-Engine Tika 40 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename tengineTika -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Tika" -servername test -alfrescoformat $ALFRESCO_FORMAT 41 | #T-Engine Misc 42 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename tengineMisc -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Misc" -servername test -alfrescoformat $ALFRESCO_FORMAT 43 | #Transform Aspose 44 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename tAspose -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Aspose" -servername test -alfrescoformat $ALFRESCO_FORMAT 45 | 46 | #AWS AI 47 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename awsAi -rootcapass password -keysize 2048 -keystoretype JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=AWS AI" -servername test -alfrescoformat $ALFRESCO_FORMAT 48 | 49 | #HttpClient used in tests 50 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename testClient -rootcapass password -keysize 2048 -keystoretype 
JCEKS -keystorepass password -truststoretype JCEKS -truststorepass password -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Test Client" -servername test -alfrescoformat $ALFRESCO_FORMAT 51 | -------------------------------------------------------------------------------- /scripts/ci/test.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | 3 | set -o errexit 4 | set -o pipefail 5 | set -o nounset 6 | 7 | SCRIPT_DIR="$(dirname "$(realpath "$0")")" 8 | source ${SCRIPT_DIR}/../../ssl-tool/utils.sh 9 | 10 | # SETTINGS 11 | ALFRESCO_FORMAT=current 12 | 13 | echo "Generate: CA, Repository, Solr, Zeppelin" 14 | #CA 15 | bash ${SCRIPT_DIR}/../../ssl-tool/run_ca.sh -keysize 2048 -keystorepass capass -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA" -servername localhost -validityduration 1 16 | #Alfresco Repository 17 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename alfresco -alias repository -rootcapass capass -keysize 2048 -keystoretype JCEKS -keystorepass alfrescokeystorepass -truststoretype PKCS12 -truststorepass alfrescotruststorepass -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository" -servername localhost -alfrescoformat $ALFRESCO_FORMAT 18 | #Alfresco Metadata encryption 19 | bash ${SCRIPT_DIR}/../../ssl-tool/run_encryption.sh -subfoldername alfresco -servicename encryption -encstorepass encryptionpass -encmetadatapass oKIWzVdEdA -alfrescoformat $ALFRESCO_FORMAT 20 | #Solr 21 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename solr -rootcapass capass -keysize 2048 -keystoretype JCEKS -keystorepass solrkeystorepass -truststoretype JCEKS -truststorepass solrtruststorepass -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository Client" -servername localhost -alfrescoformat $ALFRESCO_FORMAT 22 | #Zeppelin (copy of 
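Solr)
# Zeppelin reuses the Solr client material: same private key, same trust anchors.
# KEYSTORES_DIR is defined by the sourced ssl-tool/utils.sh; the ":?" guards make
# the rm below fail instead of expanding to "/zeppelin/*" should that variable
# ever be empty (nounset only catches the unset case, not the empty one).
ZEPPELIN_DIR="${KEYSTORES_DIR:?KEYSTORES_DIR must be set by ssl-tool/utils.sh}/zeppelin"
mkdir -p "$ZEPPELIN_DIR"
rm -rf "${ZEPPELIN_DIR:?}"/*
cp "$KEYSTORES_DIR/solr/solr.keystore" "$ZEPPELIN_DIR/zeppelin.keystore"
cp "$KEYSTORES_DIR/solr/solr.truststore" "$ZEPPELIN_DIR/zeppelin.truststore"
#Solr browser (client-only PKCS12 for a browser; -notruststore skips the truststore)
# All passwords in this script are throwaway CI fixtures for the generated stores;
# they are asserted on below and must not be reused for anything real.
bash "${SCRIPT_DIR}/../../ssl-tool/run_additional.sh" -subfoldername client -servicename browser -role client -rootcapass capass -keysize 2048 -keystoretype PKCS12 -keystorepass browserkeystorepass -notruststore -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Browser Client" -alfrescoformat "$ALFRESCO_FORMAT"


echo "Generate sharedFileStore"
# Two SANs on purpose: the checks below assert that "test" is present here and
# absent from the single-SAN stores, i.e. that -servername is honoured exactly.
bash "${SCRIPT_DIR}/../../ssl-tool/run_additional.sh" -servicename sharedFileStore -rootcapass capass -keysize 2048 -keystoretype PKCS12 -keystorepass sharedfilestorekeystorepass -truststoretype JKS -truststorepass sharedfilestoretruststorepass -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Shared File Store" -servername localhost,test -alfrescoformat "$ALFRESCO_FORMAT"

#Transform Router (one client-role and one server-role store under the same service folder)
bash "${SCRIPT_DIR}/../../ssl-tool/run_additional.sh" -servicename transformRouter -alias transformRouter_client -role client -rootcapass capass -keysize 2048 -keystoretype JCEKS -keystorepass transformrouterclientpass -truststoretype JCEKS -truststorepass transformrouterclientpass -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router Client" -alfrescoformat "$ALFRESCO_FORMAT"
bash "${SCRIPT_DIR}/../../ssl-tool/run_additional.sh" -servicename transformRouter -alias transformRouter_server -role server -rootcapass capass -keysize 2048 -keystoretype JCEKS -keystorepass transformrouterserverpass -truststoretype JCEKS -truststorepass transformrouterserverpass -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router Server" -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"

echo
echo "-------------Verifying results-------------"
echo

source "${SCRIPT_DIR}/test_utils.sh"

# The expected "Owner:" subjects below carry no L= even though every -certdname
# above has L=Maidenhead: the issuing policy in openssl.cnf (policy_strict) does
# not list localityName, so `openssl ca` drops it from issued subjects. The
# self-signed CA ("Issuer:") keeps its full DN.
echo "Checking repository"
validateKeystore keystores/alfresco/alfresco.keystore alfrescokeystorepass JCEKS "repository" "ssl.alfresco.ca"
validateTruststore keystores/alfresco/alfresco.truststore alfrescotruststorepass PKCS12 "alfresco.ca"
validateCertificate keystores/alfresco/alfresco.keystore alfrescokeystorepass "Owner: CN=Custom Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., ST=UK, C=GB"
validateCertificate keystores/alfresco/alfresco.keystore alfrescokeystorepass "Issuer: CN=Custom Alfresco CA, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB"
echo "Checking encryption"
validateEncryption keystores/alfresco/encryption.keystore encryptionpass PKCS12 "metadata"
echo "Checking solr"
validateKeystore keystores/solr/solr.keystore solrkeystorepass JCEKS "solr" "ssl.alfresco.ca"
validateTruststore keystores/solr/solr.truststore solrtruststorepass JCEKS "alfresco.ca"
validateCertificate keystores/solr/solr.keystore solrkeystorepass "Owner: CN=Custom Alfresco Repository Client, OU=Unknown, O=Alfresco Software Ltd., ST=UK, C=GB"
validateCertificate keystores/solr/solr.keystore solrkeystorepass "Issuer: CN=Custom Alfresco CA, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB"
validateSubjectAlternativeNames keystores/solr/solr.keystore solrkeystorepass localhost
validateSubjectAlternativeNamesNotFound keystores/solr/solr.keystore solrkeystorepass test
echo "Checking solr browser"
validateKeystore keystores/client/browser_client.keystore browserkeystorepass PKCS12 "browser"
validateCertificate keystores/client/browser_client.keystore browserkeystorepass "Owner: CN=Custom Browser Client, OU=Unknown, O=Alfresco Software Ltd., ST=UK, C=GB"
validateCertificate keystores/client/browser_client.keystore browserkeystorepass "Issuer: CN=Custom Alfresco CA, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB"

echo "Checking sharedFileStore"
validateKeystore keystores/sharedFileStore/sharedFileStore.keystore sharedfilestorekeystorepass PKCS12 "sharedfilestore" "ssl.alfresco.ca"
validateTruststore keystores/sharedFileStore/sharedFileStore.truststore sharedfilestoretruststorepass JKS "alfresco.ca"
validateCertificate keystores/sharedFileStore/sharedFileStore.keystore sharedfilestorekeystorepass "Owner: CN=Shared File Store, OU=Unknown, O=Alfresco Software Ltd., ST=UK, C=GB"
validateCertificate keystores/sharedFileStore/sharedFileStore.keystore sharedfilestorekeystorepass "Issuer: CN=Custom Alfresco CA, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB"
validateSubjectAlternativeNames keystores/sharedFileStore/sharedFileStore.keystore sharedfilestorekeystorepass localhost test

echo "Checking transformRouter client"
validateKeystore keystores/transformRouter/transformRouter_client.keystore transformrouterclientpass JCEKS "transformrouter_client" "ssl.alfresco.ca"
validateTruststore keystores/transformRouter/transformRouter_client.truststore transformrouterclientpass JCEKS "alfresco.ca"
validateCertificate keystores/transformRouter/transformRouter_client.keystore transformrouterclientpass "Owner: CN=Transform Router Client, OU=Unknown, O=Alfresco Software Ltd., ST=UK, C=GB"
validateCertificate keystores/transformRouter/transformRouter_client.keystore transformrouterclientpass "Issuer: CN=Custom Alfresco CA, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB"

echo "Checking transformRouter server"
validateKeystore keystores/transformRouter/transformRouter_server.keystore transformrouterserverpass JCEKS "transformrouter_server" "ssl.alfresco.ca"
validateTruststore keystores/transformRouter/transformRouter_server.truststore transformrouterserverpass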
JCEKS "alfresco.ca" 83 | validateCertificate keystores/transformRouter/transformRouter_server.keystore transformrouterserverpass "Owner: CN=Transform Router Server, OU=Unknown, O=Alfresco Software Ltd., ST=UK, C=GB" 84 | validateCertificate keystores/transformRouter/transformRouter_server.keystore transformrouterserverpass "Issuer: CN=Custom Alfresco CA, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB" 85 | validateSubjectAlternativeNames keystores/transformRouter/transformRouter_server.keystore transformrouterserverpass localhost 86 | validateSubjectAlternativeNamesNotFound keystores/transformRouter/transformRouter_server.keystore transformrouterserverpass test 87 | 88 | echo "Success" -------------------------------------------------------------------------------- /scripts/ci/test_legacy.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | 3 | set -o errexit 4 | set -o pipefail 5 | set -o nounset 6 | 7 | SCRIPT_DIR="$(dirname "$(realpath "$0")")" 8 | source ${SCRIPT_DIR}/../../ssl-tool/utils.sh 9 | 10 | # SETTINGS 11 | # Alfresco Format: "classic" / "current" is supported only from 7.0 12 | ALFRESCO_FORMAT=current 13 | 14 | echo "Generate: CA, Repository, Solr, Zeppelin" 15 | bash ${SCRIPT_DIR}/../../ssl-tool/run.sh -alfrescoversion community -keysize 2048 -keystoretype JCEKS -truststoretype JCEKS -keystorepass keystorepass -truststorepass truststorepass -encstorepass encryption -encmetadatapass encryption -alfrescoservername localhost,test -alfrescoformat $ALFRESCO_FORMAT -cavalidityduration 1 16 | 17 | echo "Generate sharedFileStore" 18 | bash ${SCRIPT_DIR}/../../ssl-tool/run_additional.sh -servicename sharedFileStore -rootcapass keystorepass -keysize 2048 -keystoretype PKCS12 -keystorepass additionalkeystorepass -truststoretype JKS -truststorepass additionaltruststorepass -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Shared File Store" -servername localhost,test 
-alfrescoformat $ALFRESCO_FORMAT 19 | 20 | echo 21 | echo "-------------Verifying results-------------" 22 | echo 23 | 24 | source ${SCRIPT_DIR}/test_utils.sh 25 | 26 | echo "Checking repository" 27 | validateKeystore keystores/alfresco/ssl.keystore keystorepass JCEKS "ssl.repo" "ssl.alfresco.ca" 28 | validateTruststore keystores/alfresco/ssl.truststore truststorepass JCEKS "alfresco.ca" 29 | validateCertificate keystores/alfresco/ssl.keystore keystorepass "Owner: CN=Custom Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., ST=UK, C=GB" 30 | validateCertificate keystores/alfresco/ssl.keystore keystorepass "Issuer: CN=Custom Alfresco CA, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB" 31 | validateSubjectAlternativeNames keystores/alfresco/ssl.keystore keystorepass localhost test 32 | echo "Checking encryption" 33 | validateEncryption keystores/alfresco/keystore encryption PKCS12 "metadata" 34 | echo "Checking solr" 35 | validateKeystore keystores/solr/ssl-repo-client.keystore keystorepass JCEKS "ssl.repo.client" "ssl.alfresco.ca" 36 | validateTruststore keystores/solr/ssl-repo-client.truststore truststorepass JCEKS "alfresco.ca" 37 | validateCertificate keystores/solr/ssl-repo-client.keystore keystorepass "Owner: CN=Custom Alfresco Repository Client, OU=Unknown, O=Alfresco Software Ltd., ST=UK, C=GB" 38 | validateCertificate keystores/solr/ssl-repo-client.keystore keystorepass "Issuer: CN=Custom Alfresco CA, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB" 39 | validateSubjectAlternativeNames keystores/solr/ssl-repo-client.keystore keystorepass localhost 40 | validateSubjectAlternativeNamesNotFound keystores/solr/ssl-repo-client.keystore keystorepass test 41 | echo "Checking solr browser" 42 | validateKeystore keystores/client/browser.p12 keystorepass PKCS12 "1" 43 | validateCertificate keystores/client/browser.p12 keystorepass "Owner: CN=Custom Browser Client, OU=Unknown, O=Alfresco Software Ltd., ST=UK, C=GB" 44 | 
validateCertificate keystores/client/browser.p12 keystorepass "Issuer: CN=Custom Alfresco CA, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB" 45 | 46 | echo "Checking sharedFileStore" 47 | validateKeystore keystores/sharedFileStore/sharedFileStore.keystore additionalkeystorepass PKCS12 "sharedfilestore" "ssl.alfresco.ca" 48 | validateTruststore keystores/sharedFileStore/sharedFileStore.truststore additionaltruststorepass JKS "alfresco.ca" 49 | validateCertificate keystores/sharedFileStore/sharedFileStore.keystore additionalkeystorepass "Owner: CN=Shared File Store, OU=Unknown, O=Alfresco Software Ltd., ST=UK, C=GB" 50 | validateCertificate keystores/sharedFileStore/sharedFileStore.keystore additionalkeystorepass "Issuer: CN=Custom Alfresco CA, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB" 51 | validateSubjectAlternativeNames keystores/sharedFileStore/sharedFileStore.keystore additionalkeystorepass localhost test 52 | echo "Success" -------------------------------------------------------------------------------- /scripts/ci/test_utils.sh: -------------------------------------------------------------------------------- 1 | #! 
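/bin/bash

# Verification helpers sourced by the CI scripts (scripts/ci/test.sh and
# scripts/ci/test_legacy.sh) once the keystores have been generated.
#
# Every validate* function lists a store with keytool, looks for the expected
# records and, when one is missing, prints a message and terminates the calling
# script with exit status 1. All matching is done on literal text (bash pattern
# matching with quoted operands), never on regular expressions: the aliases and
# distinguished names the callers pass contain "." ("ssl.alfresco.ca",
# "Alfresco Software Ltd."), which a sed pattern would treat as "any character"
# and so accept near-misses.
#
# The store password is handed to keytool through an environment variable
# (-storepass:env) rather than on the command line, so it is not visible in the
# process list of the build host. The CI stores use throwaway passwords, but the
# helpers should not demonstrate a habit that is unsafe anywhere else.

# Runs "keytool -list" on store $1 with store password $2. Any further arguments
# are passed to keytool unchanged (callers use -v for the verbose listing that
# contains certificate subjects and extensions).
function keytoolList {
  local store="$1" pass="$2"
  shift 2
  ALFRESCO_CI_STOREPASS="$pass" keytool -list "$@" -keystore "$store" -storepass:env ALFRESCO_CI_STOREPASS
}

# Sets the global "result" to the first line of $1 that starts with the literal
# text $2 and contains the literal text $3 somewhere after it; "result" is empty
# when no such line exists. $2 is a prefix match, so an alias is matched by any
# alias starting with the same text. The global is the calling convention the
# validators below rely on, so it is kept.
function checkIfRecordExists {
  local line
  result=""
  while IFS= read -r line; do
    if [[ "$line" == "$2"*"$3"* ]]; then
      result="$line"
      return 0
    fi
  done <<< "$1"
  return 0
}

# Aborts the calling script with status 1 and message $4 unless $1 contains a
# line starting with $2 and containing $3 (see checkIfRecordExists).
function requireRecord {
  checkIfRecordExists "$1" "$2" "$3"
  if [ -z "$result" ]; then
    echo "$4"
    exit 1
  fi
}

# Fails unless store $1 (password $2) is of type $3, holds a private key under
# alias $4 and, when $5 is given, a trusted certificate under alias $5.
function validateKeystore {
  local content
  content=$(keytoolList "$1" "$2")

  requireRecord "$content" "Keystore type:" "$3" "Invalid/Missing Keystore type $3"
  requireRecord "$content" "$4" "PrivateKeyEntry" "Invalid/Missing Keystore private key $4"
  if [ -n "${5-}" ]; then
    requireRecord "$content" "$5" "trustedCertEntry" "Invalid/Missing Keystore certificate $5"
  fi
}

# Fails unless truststore $1 (password $2) is of type $3 and holds a trusted
# certificate under alias $4.
function validateTruststore {
  local content
  content=$(keytoolList "$1" "$2")

  requireRecord "$content" "Keystore type:" "$3" "Invalid/Missing Truststore type $3"
  requireRecord "$content" "$4" "trustedCertEntry" "Invalid/Missing Truststore certificate $4"
}

# Fails unless the metadata-encryption store $1 (password $2) is of type $3 and
# holds a secret (symmetric) key under alias $4.
function validateEncryption {
  local content
  content=$(keytoolList "$1" "$2")

  requireRecord "$content" "Keystore type:" "$3" "Invalid/Missing Keystore type $3"
  requireRecord "$content" "$4" "SecretKeyEntry" "Invalid/Missing Keystore secret key $4"
}

# Fails unless the verbose listing of store $1 (password $2) has a line starting
# with the literal text $3, e.g. "Owner: CN=..." or "Issuer: CN=...".
function validateCertificate {
  local content
  content=$(keytoolList "$1" "$2" -v)
  requireRecord "$content" "$3" "" "Invalid/Missing certificate $3"
}

# Sets the global "result" to the SubjectAlternativeName line of $1 that names
# exactly the DNS name $2, or to "" when there is none. keytool prints one
# indented "DNSName: <name>" line per entry; the indentation is stripped before
# comparing and the whole name must match, so "test" matches neither "testing"
# nor "test.example.com" (the prefix-only match this replaces accepted both,
# which made the "not found" checks unreliable).
function findSAN {
  local line
  result=""
  while IFS= read -r line; do
    line="${line#"${line%%[![:space:]]*}"}"
    if [[ "$line" == "DNSName: $2" ]]; then
      result="$line"
      return 0
    fi
  done <<< "$1"
  return 0
}

# Aborts unless the keytool listing $1 contains the DNS SAN $2.
function checkSingleSANExists {
  findSAN "$1" "$2"
  if [ -z "$result" ]; then
    echo "Expected SAN not found $2"
    exit 1
  fi
}

# Aborts if the keytool listing $1 contains the DNS SAN $2.
function checkSingleSANDoesntExist {
  findSAN "$1" "$2"
  if [ -n "$result" ]; then
    echo "Not expected SAN found $2"
    exit 1
  fi
}

# Fails unless every DNS name given after the password ($3, $4, ...) is a SAN of
# the certificate in store $1 (password $2). At least one name is required.
function validateSubjectAlternativeNames {
  local content name
  content=$(keytoolList "$1" "$2" -v)
  shift 2
  if [ "$#" -eq 0 ]; then
    echo "validateSubjectAlternativeNames: at least one SAN is required"
    exit 1
  fi
  for name in "$@"; do
    checkSingleSANExists "$content" "$name"
  done
}

# Fails if any DNS name given after the password ($3, $4, ...) is a SAN of the
# certificate in store $1 (password $2). At least one name is required.
function validateSubjectAlternativeNamesNotFound {
  local content name
  content=$(keytoolList "$1" "$2" -v)
  shift 2
  if [ "$#" -eq 0 ]; then
    echo "validateSubjectAlternativeNamesNotFound: at least one SAN is required"
    exit 1
  fi
  for name in "$@"; do
    checkSingleSANDoesntExist "$content" "$name"
  done
}
-------------------------------------------------------------------------------- /ssl-tool-win/openssl.cnf: --------------------------------------------------------------------------------
[ ca ]
default_ca = CA_default

[ CA_default ]
# Directory and file locations
dir = .\\ca
certs = $dir\\certs
crl_dir = $dir\\crl
new_certs_dir = $dir\\newcerts
database = $dir\\index.txt
serial = $dir\\serial
RANDFILE = $dir\\private\\.rand

# The root key and root certificate.
certificate = $dir\\certs\\ca.cert.pem
private_key = $dir\\private\\ca.key.pem

# For certificate revocation lists.
crlnumber = $dir\\crlnumber
crl = $dir\\crl\\ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.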
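default_md = sha256

name_opt = ca_default
cert_opt = ca_default
preserve = no
policy = policy_strict

# Validity of certificates signed with `openssl ca` when no -days is given
# (the CA certificate itself gets its validity from the -days the scripts pass
# to `openssl req -x509`). This key used to appear twice (375 and 3650);
# OpenSSL's config parser keeps the last definition, so 3650 was the value in
# effect and is the one kept here.
default_days = 3650

[ policy_strict ]
# Subject policy for everything this CA signs. Only the attributes listed here
# are carried from the CSR into the issued certificate, so localityName (the
# L= in the DNs the scripts pass) is silently dropped from issued subjects,
# while C, ST and O must equal the CA's own values. Despite the name, the
# scripts apply this policy to leaf (client/server) certificates, not to
# intermediates. See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

# Extension to add when the -x509 option is used (the self-signed CA).
x509_extensions = v3_ca

[ req_distinguished_name ]
# Prompts and defaults for interactive `openssl req` runs. run.cmd always
# passes -subj, so these prompts and defaults are not used by the scripts.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Optionally, specify some defaults.
countryName_default = GB
stateOrProvinceName_default = England
localityName_default =
0.organizationName_default = Alice Ltd
#organizationalUnitName_default =
#emailAddress_default =

[ v3_ca ]
# Extensions for the self-signed CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# basicConstraints is marked critical so a validator that does not understand
# it rejects the certificate instead of ignoring the CA flag. If this CA will
# only ever sign leaf certificates (as run.cmd does), "pathlen:0" can be added
# to forbid it from certifying any intermediate CA.
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ clientServer_cert ]
# Extensions for client/server certificates (`man x509v3_config`).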
84 | basicConstraints = CA:FALSE 85 | nsCertType = server, client 86 | nsComment = "OpenSSL Generated Client/Server Certificate" 87 | subjectKeyIdentifier = hash 88 | authorityKeyIdentifier = keyid,issuer:always 89 | keyUsage = critical, digitalSignature, keyEncipherment 90 | extendedKeyUsage = serverAuth, clientAuth 91 | subjectAltName = @alt_names 92 | 93 | [ server_cert ] 94 | # Extensions for server certificates (`man x509v3_config`). 95 | basicConstraints = CA:FALSE 96 | nsCertType = server 97 | nsComment = "OpenSSL Generated Server Certificate" 98 | subjectKeyIdentifier = hash 99 | authorityKeyIdentifier = keyid,issuer:always 100 | keyUsage = critical, digitalSignature, keyEncipherment 101 | extendedKeyUsage = serverAuth 102 | subjectAltName = @alt_names 103 | 104 | [ client_cert ] 105 | basicConstraints = CA:FALSE 106 | nsCertType = client 107 | nsComment = "OpenSSL Generated Client Certificate" 108 | subjectKeyIdentifier = hash 109 | authorityKeyIdentifier = keyid,issuer:always 110 | keyUsage = critical, digitalSignature, keyEncipherment 111 | extendedKeyUsage = clientAuth 112 | 113 | [ crl_ext ] 114 | # Extension for CRLs (`man x509v3_config`). 115 | authorityKeyIdentifier=keyid:always 116 | 117 | [alt_names] 118 | DNS.1 = localhost 119 | -------------------------------------------------------------------------------- /ssl-tool-win/run.cmd: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | REM This script generates certificates for Repository and SOLR TLS/SSL Mutual Auth Communication: 4 | REM 5 | REM * CA Entity to issue all required certificates (alias alfresco.ca) 6 | REM * Server Certificate for Alfresco (alias ssl.repo) 7 | REM * Server Certificate for SOLR (alias ssl.repo.client) 8 | REM 9 | REM "openssl.cnf" file is provided for CA Configuration. 10 | REM 11 | REM Once this script has been executed successfully, following resources are generated in %KEYSTORES_DIR% folder: 12 | REM 13 | REM . 
14 | REM ├── alfresco 15 | REM │   ├── keystore 16 | REM │   ├── keystore-passwords.properties 17 | REM │   ├── ssl-keystore-passwords.properties 18 | REM │   ├── ssl-truststore-passwords.properties 19 | REM │   ├── ssl.keystore 20 | REM │   └── ssl.truststore 21 | REM ├── client 22 | REM │   └── browser.p12 23 | REM ├── solr 24 | REM │   ├── ssl-keystore-passwords.properties 25 | REM │   ├── ssl-truststore-passwords.properties 26 | REM │   ├── ssl.repo.client.keystore 27 | REM │   └── ssl.repo.client.truststore 28 | REM └── zeppelin 29 | REM ├── ssl.repo.client.keystore 30 | REM └── ssl.repo.client.truststore 31 | REM 32 | REM When using "current" Alfresco format (available from ACS 7.0), following resources are generated in %KEYSTORES_DIR% 33 | REM 34 | REM . 35 | REM ├── alfresco 36 | REM │   ├── keystore 37 | REM │   ├── ssl.keystore 38 | REM │   └── ssl.truststore 39 | REM ├── client 40 | REM │   └── browser.p12 41 | REM ├── solr 42 | REM │   ├── ssl-repo-client.keystore 43 | REM │   └── ssl-repo-client.truststore 44 | REM └── zeppelin 45 | REM ├── ssl-repo-client.keystore 46 | REM └── ssl-repo-client.truststore 47 | REM 48 | REM "alfresco" files must be copied to "alfresco/keystore" folder 49 | REM "solr" files must be copied to "solr6/keystore" 50 | REM "zeppelin" files must be copied to "zeppelin/keystore" 51 | REM "client" files can be used from a browser to access the server using HTTPS in port 8443 52 | 53 | REM ---------- 54 | REM PARAMETERS 55 | REM ---------- 56 | 57 | REM Version of Alfresco: enterprise, community 58 | SET ALFRESCO_VERSION=enterprise 59 | 60 | REM Using "current" format by default (only available from ACS 7.0+) 61 | SET ALFRESCO_FORMAT=current 62 | 63 | REM Distinguished name of the CA 64 | SET CA_DNAME=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA 65 | REM Distinguished name of the Server Certificate for Alfresco 66 | SET REPO_CERT_DNAME=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software 
Ltd./OU=Unknown/CN=Custom Alfresco Repository 67 | REM Distinguished name of the Server Certificate for SOLR 68 | SET SOLR_CLIENT_CERT_DNAME=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository Client 69 | REM Distinguished name of the Browser Certificate for SOLR 70 | SET BROWSER_CLIENT_CERT_DNAME=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Browser Client 71 | 72 | REM Alfresco and SOLR server names, to be used as Alternative Name in the certificates 73 | SET CA_SERVER_NAME=localhost 74 | SET ALFRESCO_SERVER_NAME=localhost 75 | SET SOLR_SERVER_NAME=localhost 76 | 77 | REM RSA key length (2048, 4096) 78 | SET KEY_SIZE=2048 79 | 80 | REM Keystore format (PKCS12, JKS, JCEKS) 81 | SET KEYSTORE_TYPE=JCEKS 82 | REM Truststore format (JKS, JCEKS) 83 | SET TRUSTSTORE_TYPE=JCEKS 84 | 85 | REM Default password for every keystore and private key 86 | SET KEYSTORE_PASS=keystore 87 | REM Default password for every truststore 88 | SET TRUSTSTORE_PASS=truststore 89 | 90 | REM Encryption secret key passwords 91 | SET ENC_STORE_PASS=password 92 | SET ENC_METADATA_PASS=password 93 | 94 | SET CA_VALIDITY_DURATION=7300 95 | 96 | REM Parse params from command line 97 | :loop 98 | IF NOT "%1"=="" ( 99 | IF "%1"=="-alfrescoversion" ( 100 | SHIFT 101 | SET ALFRESCO_VERSION=%2 102 | SHIFT 103 | GOTO loop 104 | ) 105 | IF "%1"=="-keysize" ( 106 | SHIFT 107 | SET KEY_SIZE=%2 108 | SHIFT 109 | GOTO loop 110 | ) 111 | IF "%1"=="-keystoretype" ( 112 | SHIFT 113 | SET KEYSTORE_TYPE=%2 114 | SHIFT 115 | GOTO loop 116 | ) 117 | IF "%1"=="-truststoretype" ( 118 | SHIFT 119 | SET TRUSTSTORE_TYPE=%2 120 | SHIFT 121 | GOTO loop 122 | ) 123 | IF "%1"=="-keystorepass" ( 124 | SHIFT 125 | SET KEYSTORE_PASS=%2 126 | SHIFT 127 | GOTO loop 128 | ) 129 | IF "%1"=="-truststorepass" ( 130 | SHIFT 131 | SET TRUSTSTORE_PASS=%2 132 | SHIFT 133 | GOTO loop 134 | ) 135 | IF "%1"=="-encstorepass" ( 136 | SHIFT 137 | SET ENC_STORE_PASS=%2 138 | SHIFT 
139 | GOTO loop 140 | ) 141 | IF "%1"=="-encmetadatapass" ( 142 | SHIFT 143 | SET ENC_METADATA_PASS=%2 144 | SHIFT 145 | GOTO loop 146 | ) 147 | IF "%1"=="-cacertdname" ( 148 | SHIFT 149 | SET CA_DNAME=%~2 150 | SHIFT 151 | GOTO loop 152 | ) 153 | IF "%1"=="-repocertdname" ( 154 | SHIFT 155 | SET REPO_CERT_DNAME=%~2 156 | SHIFT 157 | GOTO loop 158 | ) 159 | IF "%1"=="-solrcertdname" ( 160 | SHIFT 161 | SET SOLR_CLIENT_CERT_DNAME=%~2 162 | SHIFT 163 | GOTO loop 164 | ) 165 | IF "%1"=="-browsercertdname" ( 166 | SHIFT 167 | SET BROWSER_CLIENT_CERT_DNAME=%~2 168 | SHIFT 169 | GOTO loop 170 | ) 171 | IF "%1"=="-caservername" ( 172 | SHIFT 173 | SET CA_SERVER_NAME=%~2 174 | SHIFT 175 | GOTO loop 176 | ) 177 | IF "%1"=="-alfrescoservername" ( 178 | SHIFT 179 | SET ALFRESCO_SERVER_NAME=%~2 180 | SHIFT 181 | GOTO loop 182 | ) 183 | IF "%1"=="-solrservername" ( 184 | SHIFT 185 | SET SOLR_SERVER_NAME=%~2 186 | SHIFT 187 | GOTO loop 188 | ) 189 | IF "%1"=="-alfrescoformat" ( 190 | SHIFT 191 | SET ALFRESCO_FORMAT=%~2 192 | SHIFT 193 | GOTO loop 194 | ) 195 | IF "%1"=="-cavalidityduration" ( 196 | SHIFT 197 | SET CA_VALIDITY_DURATION=%~2 198 | SHIFT 199 | GOTO loop 200 | ) 201 | ECHO "An invalid parameter was received: %1" 202 | EXIT /b 203 | ) 204 | 205 | REM Folder where keystores, truststores and cerfiticates are generated 206 | SET KEYSTORES_DIR=keystores 207 | SET ALFRESCO_KEYSTORES_DIR=keystores\alfresco 208 | SET SOLR_KEYSTORES_DIR=keystores\solr 209 | SET ZEPPELIN_KEYSTORES_DIR=keystores\zeppelin 210 | SET CLIENT_KEYSTORES_DIR=keystores\client 211 | SET CERTIFICATES_DIR=certificates 212 | 213 | REM Encryption keystore format: PKCS12 (default for "current"), JCEKS (default for "classic") 214 | IF "%ALFRESCO_FORMAT%" == "current" ( 215 | SET ENC_STORE_TYPE=PKCS12 216 | ) ELSE ( 217 | SET ENC_STORE_TYPE=JCEKS 218 | ) 219 | 220 | REM Key algorithm: AES (default for "current"), DESede (default for "classic") 221 | IF "%ALFRESCO_FORMAT%" == "current" ( 222 | SET 
ENC_KEY_ALG=-keyalg AES -keysize 256 223 | ) ELSE ( 224 | SET ENC_KEY_ALG=-keyalg DESede 225 | ) 226 | 227 | REM If target folder for Keystores is not empty, skip generation 228 | IF EXIST "%KEYSTORES_DIR%" ( 229 | ECHO "Keystores folder is not empty, skipping generation process..." 230 | EXIT /b 231 | ) 232 | 233 | REM Remove previous working directories and certificates 234 | IF EXIST "ca" ( 235 | del /q ca\* 236 | ) 237 | 238 | IF NOT EXIST "%KEYSTORES_DIR%" ( 239 | mkdir %KEYSTORES_DIR% 240 | ) ELSE ( 241 | del /q %KEYSTORES_DIR%/* 242 | ) 243 | 244 | REM Create folders for truststores, keystores and certificates 245 | IF NOT EXIST "%ALFRESCO_KEYSTORES_DIR%" ( 246 | mkdir %ALFRESCO_KEYSTORES_DIR% 247 | ) ELSE ( 248 | del /q %ALFRESCO_KEYSTORES_DIR%/* 249 | ) 250 | 251 | IF NOT EXIST "%SOLR_KEYSTORES_DIR%" ( 252 | mkdir %SOLR_KEYSTORES_DIR% 253 | ) ELSE ( 254 | del /q %SOLR_KEYSTORES_DIR%/* 255 | ) 256 | 257 | IF "%ALFRESCO_VERSION%" == "enterprise" ( 258 | IF NOT EXIST "%ZEPPELIN_KEYSTORES_DIR%" ( 259 | mkdir %ZEPPELIN_KEYSTORES_DIR% 260 | ) ELSE ( 261 | del /q %ZEPPELIN_KEYSTORES_DIR%/* 262 | ) 263 | ) 264 | 265 | IF NOT EXIST "%CLIENT_KEYSTORES_DIR%" ( 266 | mkdir %CLIENT_KEYSTORES_DIR% 267 | ) ELSE ( 268 | del /q %CLIENT_KEYSTORES_DIR%/* 269 | ) 270 | 271 | IF NOT EXIST "%CERTIFICATES_DIR%" ( 272 | mkdir %CERTIFICATES_DIR% 273 | ) ELSE ( 274 | del /q %CERTIFICATES_DIR%/* 275 | ) 276 | 277 | REM ------------ 278 | REM CA 279 | REM ------------ 280 | 281 | REM Generate a new CA Entity 282 | IF NOT EXIST "ca" ( 283 | mkdir ca 284 | ) 285 | 286 | mkdir ca\certs ca\crl ca\newcerts ca\private 287 | TYPE nul > ca\index.txt 288 | ECHO 1000 > ca\serial 289 | 290 | openssl genrsa -aes256 -passout pass:%KEYSTORE_PASS% -out ca\private\ca.key.pem %KEY_SIZE% 291 | 292 | CALL :subjectAlternativeNames %CA_SERVER_NAME% 293 | openssl req -config openssl.cnf ^ 294 | -key ca\private\ca.key.pem ^ 295 | -new -x509 -days %CA_VALIDITY_DURATION% -sha256 -extensions v3_ca ^ 296 | 
-out ca\certs\ca.cert.pem ^ 297 | -subj "%CA_DNAME%" ^ 298 | -passin pass:%KEYSTORE_PASS% 299 | 300 | REM Generate Server Certificate for Alfresco (issued by just generated CA) 301 | CALL :subjectAlternativeNames %ALFRESCO_SERVER_NAME% 302 | openssl req -newkey rsa:%KEY_SIZE% -nodes -out %CERTIFICATES_DIR%\repository.csr ^ 303 | -keyout %CERTIFICATES_DIR%\repository.key -subj "%REPO_CERT_DNAME%" 304 | 305 | openssl ca -config openssl.cnf -extensions clientServer_cert -passin pass:%KEYSTORE_PASS% -batch -notext ^ 306 | -in %CERTIFICATES_DIR%\repository.csr -out %CERTIFICATES_DIR%\repository.cer 307 | 308 | openssl pkcs12 -export -out %CERTIFICATES_DIR%/repository.p12 -inkey %CERTIFICATES_DIR%\repository.key ^ 309 | -in %CERTIFICATES_DIR%\repository.cer -password pass:%KEYSTORE_PASS% -certfile ca\certs\ca.cert.pem 310 | 311 | REM Server Certificate for SOLR (issued by just generated CA) 312 | CALL :subjectAlternativeNames %SOLR_SERVER_NAME% 313 | openssl req -newkey rsa:%KEY_SIZE% -nodes -out %CERTIFICATES_DIR%\solr.csr ^ 314 | -keyout %CERTIFICATES_DIR%\solr.key -subj "%SOLR_CLIENT_CERT_DNAME%" 315 | 316 | openssl ca -config openssl.cnf -extensions clientServer_cert -passin pass:%KEYSTORE_PASS% -batch -notext ^ 317 | -in %CERTIFICATES_DIR%\solr.csr -out %CERTIFICATES_DIR%\solr.cer 318 | 319 | openssl pkcs12 -export -out %CERTIFICATES_DIR%\solr.p12 -inkey %CERTIFICATES_DIR%\solr.key ^ 320 | -in %CERTIFICATES_DIR%\solr.cer -password pass:%KEYSTORE_PASS% -certfile ca\certs\ca.cert.pem 321 | 322 | REM Client Certificate for SOLR (issued by just generated CA) 323 | openssl req -newkey rsa:%KEY_SIZE% -nodes -out %CERTIFICATES_DIR%/browser.csr -keyout %CERTIFICATES_DIR%/browser.key ^ 324 | -subj "%BROWSER_CLIENT_CERT_DNAME%" 325 | 326 | openssl ca -config openssl.cnf -extensions client_cert -passin pass:%KEYSTORE_PASS% -batch -notext ^ 327 | -in %CERTIFICATES_DIR%/browser.csr -out %CERTIFICATES_DIR%/browser.cer 328 | 329 | openssl pkcs12 -export -out 
%CERTIFICATES_DIR%/browser.p12 -inkey %CERTIFICATES_DIR%/browser.key ^
    -in %CERTIFICATES_DIR%/browser.cer -password pass:%KEYSTORE_PASS% -certfile ca/certs/ca.cert.pem


REM ------------
REM SOLR
REM ------------

REM REVIEW NOTE: the password files in this section are written with a percent-expanded
REM variable placed directly before the append redirection. Percent expansion happens before
REM the redirection is parsed, so a value whose last character is a digit would be taken as a
REM file-handle number and that digit dropped from the written line.
REM run_additional.cmd writes the same kind of file through delayed expansion, which avoids this.

REM Include CA and Alfresco certificates in SOLR Truststore
REM Trusted entries: the Root CA, the repository certificate and the SOLR client certificate.
keytool -import -trustcacerts -noprompt -alias ssl.alfresco.ca -file ca\certs\ca.cert.pem ^
    -keystore %SOLR_KEYSTORES_DIR%\ssl.repo.client.truststore -storetype %TRUSTSTORE_TYPE% -storepass %TRUSTSTORE_PASS%

keytool -importcert -noprompt -alias ssl.repo -file %CERTIFICATES_DIR%\repository.cer ^
    -keystore %SOLR_KEYSTORES_DIR%\ssl.repo.client.truststore -storetype %TRUSTSTORE_TYPE% -storepass %TRUSTSTORE_PASS%

keytool -importcert -noprompt -alias ssl.repo.client -file %CERTIFICATES_DIR%\solr.cer ^
    -keystore %SOLR_KEYSTORES_DIR%\ssl.repo.client.truststore -storetype %TRUSTSTORE_TYPE% -storepass %TRUSTSTORE_PASS%

REM Create SOLR TrustStore password file
REM Classic-format companion file holding the store and per-alias passwords in clear text;
REM it is deleted again at the end of this script when ALFRESCO_FORMAT is "current".
REM REVIEW NOTE: the CA was imported above under alias ssl.alfresco.ca but is listed here as
REM alfresco.ca; the SOLR keystore below has the opposite pair. Confirm which alias the
REM consumer looks up before changing either side.
ECHO aliases=alfresco.ca,ssl.repo,ssl.repo.client>> %SOLR_KEYSTORES_DIR%\ssl-truststore-passwords.properties
ECHO keystore.password=%TRUSTSTORE_PASS%>> %SOLR_KEYSTORES_DIR%\ssl-truststore-passwords.properties
ECHO alfresco.ca.password=%TRUSTSTORE_PASS%>> %SOLR_KEYSTORES_DIR%\ssl-truststore-passwords.properties
ECHO ssl.repo.password=%TRUSTSTORE_PASS%>> %SOLR_KEYSTORES_DIR%\ssl-truststore-passwords.properties
ECHO ssl.repo.client.password=%TRUSTSTORE_PASS%>> %SOLR_KEYSTORES_DIR%\ssl-truststore-passwords.properties

REM Include SOLR Certificate in SOLR Keystore
REM Converts the PKCS12 export of the SOLR key pair into the configured store type and renames
REM its single entry from alias 1 to ssl.repo.client.
keytool -importkeystore ^
    -srckeystore %CERTIFICATES_DIR%\solr.p12 -destkeystore %SOLR_KEYSTORES_DIR%\ssl.repo.client.keystore ^
    -srcstoretype PKCS12 -deststoretype %KEYSTORE_TYPE% ^
    -srcstorepass %KEYSTORE_PASS% -deststorepass %KEYSTORE_PASS% ^
    -srcalias 1 -destalias ssl.repo.client ^
    -srckeypass %KEYSTORE_PASS% -destkeypass %KEYSTORE_PASS% ^
    -noprompt

REM Add the Root CA certificate to the keystore as well
keytool -importcert -noprompt -alias alfresco.ca -file ca\certs\ca.cert.pem ^
    -keystore %SOLR_KEYSTORES_DIR%\ssl.repo.client.keystore -storetype %KEYSTORE_TYPE% -storepass %KEYSTORE_PASS%

REM Create SOLR Keystore password file
REM REVIEW NOTE: the CA entry above is alias alfresco.ca, this file lists ssl.alfresco.ca.
ECHO aliases=ssl.alfresco.ca,ssl.repo.client>> %SOLR_KEYSTORES_DIR%\ssl-keystore-passwords.properties
ECHO keystore.password=%KEYSTORE_PASS%>> %SOLR_KEYSTORES_DIR%\ssl-keystore-passwords.properties
ECHO ssl.repo.client.password=%KEYSTORE_PASS%>> %SOLR_KEYSTORES_DIR%\ssl-keystore-passwords.properties
ECHO ssl.alfresco.ca.password=%KEYSTORE_PASS%>> %SOLR_KEYSTORES_DIR%\ssl-keystore-passwords.properties


REM --------------------
REM ZEPPELIN (SOLR JDBC)
REM --------------------

REM Copy ZEPPELIN stores
REM Zeppelin reuses the SOLR client stores unchanged; only produced for the enterprise version.
IF "%ALFRESCO_VERSION%" == "enterprise" (
    copy %SOLR_KEYSTORES_DIR%\ssl.repo.client.keystore %ZEPPELIN_KEYSTORES_DIR%\ssl.repo.client.keystore
    copy %SOLR_KEYSTORES_DIR%\ssl.repo.client.truststore %ZEPPELIN_KEYSTORES_DIR%\ssl.repo.client.truststore
)


REM --------------------
REM ALFRESCO
REM --------------------

REM Include CA and SOLR certificates in Alfresco Truststore
keytool -import -trustcacerts -noprompt -alias alfresco.ca -file ca\certs\ca.cert.pem ^
    -keystore %ALFRESCO_KEYSTORES_DIR%\ssl.truststore -storetype %TRUSTSTORE_TYPE% -storepass %TRUSTSTORE_PASS%

keytool -importcert -noprompt -alias ssl.repo.client -file %CERTIFICATES_DIR%\solr.cer ^
    -keystore %ALFRESCO_KEYSTORES_DIR%\ssl.truststore -storetype %TRUSTSTORE_TYPE% -storepass %TRUSTSTORE_PASS%

REM Create Alfresco TrustStore password file
ECHO aliases=alfresco.ca,ssl.repo.client>> %ALFRESCO_KEYSTORES_DIR%\ssl-truststore-passwords.properties
ECHO keystore.password=%TRUSTSTORE_PASS%>> %ALFRESCO_KEYSTORES_DIR%\ssl-truststore-passwords.properties
ECHO alfresco.ca.password=%TRUSTSTORE_PASS%>> %ALFRESCO_KEYSTORES_DIR%\ssl-truststore-passwords.properties
REM REVIEW NOTE: this key has no .password suffix, unlike the line above and every other
REM per-alias entry in this script; looks like a typo. Confirm against the truststore reader.
ECHO ssl.repo.client=%TRUSTSTORE_PASS%>> %ALFRESCO_KEYSTORES_DIR%\ssl-truststore-passwords.properties

REM Include Alfresco Certificate in Alfresco Keystore
REM Same conversion as for SOLR: PKCS12 export to the configured store type, entry renamed to ssl.repo.
keytool -importkeystore ^
    -srckeystore %CERTIFICATES_DIR%\repository.p12 -destkeystore %ALFRESCO_KEYSTORES_DIR%\ssl.keystore ^
    -srcstoretype PKCS12 -deststoretype %KEYSTORE_TYPE% ^
    -srcstorepass %KEYSTORE_PASS% -deststorepass %KEYSTORE_PASS% ^
    -srcalias 1 -destalias ssl.repo ^
    -srckeypass %KEYSTORE_PASS% -destkeypass %KEYSTORE_PASS% ^
    -noprompt

keytool -importcert -noprompt -alias ssl.alfresco.ca -file ca\certs\ca.cert.pem ^
    -keystore %ALFRESCO_KEYSTORES_DIR%\ssl.keystore -storetype %KEYSTORE_TYPE% -storepass %KEYSTORE_PASS%

REM Create Alfresco Keystore password file
ECHO aliases=ssl.alfresco.ca,ssl.repo>> %ALFRESCO_KEYSTORES_DIR%\ssl-keystore-passwords.properties
ECHO keystore.password=%KEYSTORE_PASS%>> %ALFRESCO_KEYSTORES_DIR%\ssl-keystore-passwords.properties
ECHO ssl.repo.password=%KEYSTORE_PASS%>> %ALFRESCO_KEYSTORES_DIR%\ssl-keystore-passwords.properties
ECHO ssl.alfresco.ca.password=%KEYSTORE_PASS%>> %ALFRESCO_KEYSTORES_DIR%\ssl-keystore-passwords.properties

REM Generate Encryption Secret Key
REM Metadata encryption key under alias metadata; store type and algorithm come from
REM ENC_STORE_TYPE and ENC_KEY_ALG, which are set earlier in this script.
keytool -genseckey -alias metadata -keypass %ENC_METADATA_PASS% -storepass %ENC_STORE_PASS% -keystore %ALFRESCO_KEYSTORES_DIR%\keystore ^
    -storetype %ENC_STORE_TYPE% %ENC_KEY_ALG%

REM Create Alfresco Encryption password file
REM REVIEW NOTE: the algorithm is hard-coded to DESede here regardless of ENC_KEY_ALG; the file
REM is deleted below for the "current" format, so presumably only the classic format reads it - confirm.
ECHO aliases=metadata>> %ALFRESCO_KEYSTORES_DIR%\keystore-passwords.properties
ECHO keystore.password=%ENC_STORE_PASS%>> %ALFRESCO_KEYSTORES_DIR%\keystore-passwords.properties
ECHO metadata.keyData=>> %ALFRESCO_KEYSTORES_DIR%\keystore-passwords.properties
ECHO metadata.algorithm=DESede>> %ALFRESCO_KEYSTORES_DIR%\keystore-passwords.properties
ECHO metadata.password=%ENC_METADATA_PASS%>> %ALFRESCO_KEYSTORES_DIR%\keystore-passwords.properties


REM --------------------
REM CLIENT
REM --------------------

REM Create client (browser) certificate
REM The browser store is the PKCS12 export as-is; no keytool conversion is applied.
copy %CERTIFICATES_DIR%/browser.p12 %CLIENT_KEYSTORES_DIR%/browser.p12

REM Renaming files for current Alfresco Format
REM The "current" format carries no password files and uses dashed store names.
IF "%ALFRESCO_FORMAT%" == "current" (
    del %SOLR_KEYSTORES_DIR%\ssl-truststore-passwords.properties
    del %SOLR_KEYSTORES_DIR%\ssl-keystore-passwords.properties
    del %ALFRESCO_KEYSTORES_DIR%\ssl-truststore-passwords.properties
    del %ALFRESCO_KEYSTORES_DIR%\ssl-keystore-passwords.properties
    del %ALFRESCO_KEYSTORES_DIR%\keystore-passwords.properties
    move %SOLR_KEYSTORES_DIR%\ssl.repo.client.truststore %SOLR_KEYSTORES_DIR%\ssl-repo-client.truststore
    move %SOLR_KEYSTORES_DIR%\ssl.repo.client.keystore %SOLR_KEYSTORES_DIR%\ssl-repo-client.keystore
    REM REVIEW NOTE: the ZEPPELIN copies above run only for the enterprise version, but these two
    REM moves run unconditionally and report a missing file otherwise - TODO guard them the same way
    move %ZEPPELIN_KEYSTORES_DIR%\ssl.repo.client.keystore %ZEPPELIN_KEYSTORES_DIR%\ssl-repo-client.keystore
    move %ZEPPELIN_KEYSTORES_DIR%\ssl.repo.client.truststore %ZEPPELIN_KEYSTORES_DIR%\ssl-repo-client.truststore
)

GOTO :eof

REM Subject Alternative Name provided through config file substitution
REM Rewrites openssl.cnf in place: every existing DNS.n line is dropped, then one
REM DNS.n = name line per entry of the comma-separated first argument is inserted
REM right after [alt_names]. An empty argument leaves the file untouched.
:subjectAlternativeNames
setlocal EnableDelayedExpansion
SET SERVICE_SERVER_NAME=%1
SET SED_HOSTNAMES=
IF DEFINED SERVICE_SERVER_NAME (
    REM Clear existing DNS.X lines in openssl.cnf file
    powershell -Command "(gc -Encoding utf8 openssl.cnf) | Where-Object {$_ -notmatch '^DNS\.'} | Set-Content openssl.cnf"

    REM Split given server names by "," separator
    REM Create a string that would place every hostname as a separate DNS.{counter} = {hostname} line
    REM Note that the default FOR separators also include spaces and semicolons, not only commas.
    REM REVIEW NOTE: each name is spliced verbatim into the PowerShell command string further
    REM down; a name containing a double quote or a dollar sign could alter that command. The
    REM value is the operator's own parameter, so exposure is low, but it is not validated.
    SET COUNTER=0
    FOR %%a IN (%SERVICE_SERVER_NAME%) DO (
        SET /a
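COUNTER=COUNTER+1
        SET "SED_HOSTNAMES=!SED_HOSTNAMES!`nDNS.!COUNTER! = %%a"
    )

    REM Place that string in openssl.cnf file under [alt_names]
    powershell -Command "(gc -Encoding utf8 openssl.cnf) -replace '\[alt_names\]', \"[alt_names]!SED_HOSTNAMES!\" | Out-File -Encoding utf8 openssl.cnf"
    REM Remove BOM
    REM REVIEW NOTE: presumably compensates for the BOM that Out-File utf8 adds on Windows
    REM PowerShell. gc with utf8 already drops a BOM on read, so it is the rewrite rather than the
    REM byte-pattern replace that removes it, and the closing Set-Content has no encoding argument.
    REM Confirm the file ends up in the encoding openssl expects on the target hosts.
    powershell -Command "(gc -Encoding utf8 openssl.cnf) | Foreach-Object {$_ -replace '\xEF\xBB\xBF', ''} | Set-Content openssl.cnf"
)
endlocal
GOTO :eof

-------------------------------------------------------------------------------- /ssl-tool-win/run_additional.cmd: --------------------------------------------------------------------------------
@ECHO OFF

REM This script is a follow up to run.sh script.
REM It is responsible for sets of keystores and truststores for additional services to be used in mTLS approach.
REM It needs the Root CA produced by run_ca.cmd or run.cmd in the ca folder and signs the new
REM service certificate with it through openssl.cnf.
REM Output, under keystores\SUBFOLDER_NAME:
REM   FILE_NAME.keystore                 private key, certificate and Root CA certificate under ALIAS
REM   FILE_NAME.truststore               Root CA certificate only, unless -notruststore is given
REM   FILE_NAME-keystore-passwords.properties and FILE_NAME-truststore-passwords.properties
REM                                      clear-text password files, classic format only
REM where FILE_NAME is SERVICE_NAME plus a _client or _server suffix depending on ROLE.
REM The raw key, CSR, certificate and PKCS12 export stay in the certificates folder.

REM Open script through new cmd, to not save password inputs in command line history
REM REVIEW NOTE: this hides the typed line from the console history only; a password given as a
REM parameter is still part of the child process command line while the script runs.
IF "%~1"=="-clearhistory" GOTO :scriptStart
CMD /S /C "%~f0 -clearhistory %*"
EXIT /b

:scriptStart
setlocal EnableDelayedExpansion


REM Marker meaning "no password given"; presumably recognised by utils_password_prompt.cmd - confirm
SET PASSWORD_PLACEHOLDER=password_placeholder

REM ----------
REM DIRECTORIES
REM ----------
SET CA_DIR=ca
SET KEYSTORES_DIR=keystores
SET CERTIFICATES_DIR=certificates

REM ----------
REM PARAMETERS
REM ----------

REM Using "current" format by default (only available from ACS 7.0+)
SET ALFRESCO_FORMAT=current

REM Service name, to be used as folder name where results are generated to
SET SERVICE_NAME=service
REM Folder name to place results of script in
SET SUBFOLDER_NAME=
REM Alias of private key
SET ALIAS=
REM Role to be fulfilled by the keystore key (both/client/server)
SET ROLE=both
REM Distinguished name of the service certificate
SET SERVICE_CERT_DNAME=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Service
REM Service server name, to be used as Alternative Name in the certificates
SET SERVICE_SERVER_NAME=localhost

REM Root CA Password
SET ROOT_CA_PASS=
REM RSA key length (2048, 4096)
SET KEY_SIZE=2048
REM Keystore format (PKCS12, JKS, JCEKS)
SET KEYSTORE_TYPE=JCEKS
REM Default password for keystore and private key
SET KEYSTORE_PASS=%PASSWORD_PLACEHOLDER%

SET NO_TRUSTSTORE=false
REM Truststore format (JKS, JCEKS)
SET TRUSTSTORE_TYPE=JCEKS
REM Default password for truststore
SET TRUSTSTORE_PASS=%PASSWORD_PLACEHOLDER%

REM Parse params from command line
REM Percent arguments inside the block below are expanded when the whole block is read, before
REM the SHIFTs run, so each SET receives the value that followed its option.
:loop
IF NOT "%1"=="" (
    REM clearhistory is a helper parameter for not storing passwords in command line history
    IF "%1"=="-clearhistory" (
        SHIFT
        GOTO loop
    )
    REM Service name
    IF "%1"=="-servicename" (
        SHIFT
        SET SERVICE_NAME=%2
        SHIFT
        GOTO loop
    )
    REM Subfolder name, useful for multiple keystores per service; if unset it takes the -servicename value
    IF "%1"=="-subfoldername" (
        SHIFT
        SET SUBFOLDER_NAME=%2
        SHIFT
        GOTO loop
    )
    REM Private Key alias
    IF "%1"=="-alias" (
        SHIFT
        SET ALIAS=%2
        SHIFT
        GOTO loop
    )
    REM Role: server, client, both, default is both
    IF "%1"=="-role" (
        SHIFT
        SET ROLE=%2
        SHIFT
        GOTO loop
    )
    REM Root CA password
    IF "%1"=="-rootcapass" (
        SHIFT
        SET ROOT_CA_PASS=%2
        SHIFT
        GOTO loop
    )
    REM 2048, 4096, ...
    IF "%1"=="-keysize" (
        SHIFT
        SET KEY_SIZE=%2
        SHIFT
        GOTO loop
    )
    REM PKCS12, JKS, JCEKS
    IF "%1"=="-keystoretype" (
        SHIFT
        SET KEYSTORE_TYPE=%2
        SHIFT
        GOTO loop
    )
    REM Password for keystore and private key
    IF "%1"=="-keystorepass" (
        SHIFT
        SET KEYSTORE_PASS=%2
        SHIFT
        GOTO loop
    )
    REM Flag blocking generating of a truststore
    IF "%1"=="-notruststore" (
        SHIFT
        SET NO_TRUSTSTORE=true
        GOTO loop
    )
    REM JKS, JCEKS
    IF "%1"=="-truststoretype" (
        SHIFT
        SET TRUSTSTORE_TYPE=%2
        SHIFT
        GOTO loop
    )
    REM Password for truststore
    IF "%1"=="-truststorepass" (
        SHIFT
        SET TRUSTSTORE_PASS=%2
        SHIFT
        GOTO loop
    )
    REM DName for Service certificate
    IF "%1"=="-certdname" (
        SHIFT
        SET SERVICE_CERT_DNAME=%~2
        SHIFT
        GOTO loop
    )
    REM DNS name for Service
    IF "%1"=="-servername" (
        SHIFT
        SET SERVICE_SERVER_NAME=%~2
        SHIFT
        GOTO loop
    )
    REM Alfresco Format: "classic" / "current" is supported only from 7.0
    IF "%1"=="-alfrescoformat" (
        SHIFT
        SET ALFRESCO_FORMAT=%~2
        SHIFT
        GOTO loop
    )

    ECHO An invalid parameter was received: %1
    ECHO Allowed parameters:
    ECHO -servicename
    ECHO -subfoldername
    ECHO -alias
    ECHO -role
    ECHO -rootcapass
    ECHO -keysize
    ECHO -keystoretype
    ECHO -keystorepass
    ECHO -notruststore
    ECHO -truststoretype
    ECHO -truststorepass
    ECHO -certdname
    ECHO -servername
    ECHO -alfrescoformat

    EXIT /b 1
)

ECHO ---Run Additional Script Execution for %SERVICE_NAME%---

IF "%ROOT_CA_PASS%" == "" (
    ECHO Root CA password [parameter: rootcapass] is mandatory
    EXIT /b 1
)

REM Alias and subfolder fall back to the service name
IF "%ALIAS%" == "" (
    SET ALIAS=%SERVICE_NAME%
)

IF "%SUBFOLDER_NAME%" == "" (
    SET SUBFOLDER_NAME=%SERVICE_NAME%
)

REM Set settings based on role
REM EXTENSION names the openssl.cnf extension section used when signing; FILE_SUFFIX
REM distinguishes the client and server stores of one service. A client-only
REM certificate gets no Subject Alternative Name, so SERVICE_SERVER_NAME is cleared.
IF "%ROLE%" == "client" (
    SET EXTENSION=client_cert
    SET FILE_SUFFIX=_client
    ECHO Warning: For client role, servername parameter will be unused even if provided.
    SET SERVICE_SERVER_NAME=
) ELSE IF "%ROLE%" == "server" (
    SET EXTENSION=server_cert
    SET FILE_SUFFIX=_server
) ELSE IF "%ROLE%" == "both" (
    SET EXTENSION=clientServer_cert
    SET FILE_SUFFIX=
) ELSE IF "%ROLE%" == "" (
    ECHO Warning: No role provided, using default role: 'both'
    SET ROLE=both
    SET EXTENSION=clientServer_cert
    SET FILE_SUFFIX=
) ELSE (
    ECHO Unsupported role provided %ROLE%, valid roles are client/server/both
    EXIT /b 1
)

ECHO Warning: If passwords will be provided at runtime, they will be visible at input.
CALL :readKeystorePassword
IF ERRORLEVEL 1 ( EXIT /b 1 )

IF "%NO_TRUSTSTORE%" == "false" (
    CALL :readTruststorePassword
    IF ERRORLEVEL 1 ( EXIT /b 1 )
)

REM Generates service keystore, trustore and certificate required for Alfresco SSL configuration
SET SERVICE_KEYSTORES_DIR=%KEYSTORES_DIR%\%SUBFOLDER_NAME%
IF NOT EXIST "%SERVICE_KEYSTORES_DIR%" (
    mkdir %SERVICE_KEYSTORES_DIR%
)

REM Server-capable certificates get their alt names written into openssl.cnf first
IF NOT "%ROLE%" == "client" (
    CALL ./utils_san.cmd "%SERVICE_SERVER_NAME%"
)

SET FILE_NAME=%SERVICE_NAME%%FILE_SUFFIX%

REM Generate key and CSR
REM REVIEW NOTE: -nodes leaves the private key unencrypted in the certificates folder after the
REM run; only the PKCS12 export further down is password protected.
openssl req -newkey rsa:%KEY_SIZE% -nodes -out %CERTIFICATES_DIR%\%FILE_NAME%.csr -keyout %CERTIFICATES_DIR%\%FILE_NAME%.key -subj "%SERVICE_CERT_DNAME%"

REM Sign CSR with CA
REM The extension section named by EXTENSION is expected to exist in openssl.cnf.
openssl ca -config openssl.cnf -extensions %EXTENSION% -passin pass:%ROOT_CA_PASS% -batch -notext ^
    -in %CERTIFICATES_DIR%\%FILE_NAME%.csr -out %CERTIFICATES_DIR%\%FILE_NAME%.cer

REM Export keystore with key and certificate
openssl pkcs12 -export -out %CERTIFICATES_DIR%\%FILE_NAME%.p12 -inkey %CERTIFICATES_DIR%\%FILE_NAME%.key ^
    -in %CERTIFICATES_DIR%\%FILE_NAME%.cer -password pass:!KEYSTORE_PASS! -certfile %CA_DIR%\certs\ca.cert.pem

REM Convert keystore to desired format, set alias
keytool -importkeystore ^
    -srckeystore %CERTIFICATES_DIR%\%FILE_NAME%.p12 -destkeystore %SERVICE_KEYSTORES_DIR%\%FILE_NAME%.keystore ^
    -srcstoretype PKCS12 -deststoretype %KEYSTORE_TYPE% ^
    -srcstorepass !KEYSTORE_PASS! -deststorepass !KEYSTORE_PASS! ^
    -srcalias 1 -destalias %ALIAS% ^
    -srckeypass !KEYSTORE_PASS! -destkeypass !KEYSTORE_PASS! ^
    -noprompt

REM Import CA certificate into Service keystore, for complete certificate chain
keytool -importcert -noprompt -alias alfresco.ca -file ca\certs\ca.cert.pem ^
    -keystore %SERVICE_KEYSTORES_DIR%\%FILE_NAME%.keystore -storetype %KEYSTORE_TYPE% -storepass !KEYSTORE_PASS!

REM Create Keystore password file
REM Classic-format companion file with the passwords in clear text; removed again below for the
REM current format. The redirection is placed first on the aliases line so an alias ending in a
REM digit is not mistaken for a file-handle number by the command interpreter.
ECHO keystore.password=!KEYSTORE_PASS!>> %SERVICE_KEYSTORES_DIR%\%FILE_NAME%-keystore-passwords.properties
>> %SERVICE_KEYSTORES_DIR%\%FILE_NAME%-keystore-passwords.properties ECHO aliases=%ALIAS%
ECHO %ALIAS%.password=!KEYSTORE_PASS!>> %SERVICE_KEYSTORES_DIR%\%FILE_NAME%-keystore-passwords.properties

IF "%NO_TRUSTSTORE%" == "false" (
    REM Include CA certificates in Service Truststore
    keytool -import -trustcacerts -noprompt -alias alfresco.ca -file ca\certs\ca.cert.pem ^
        -keystore %SERVICE_KEYSTORES_DIR%\%FILE_NAME%.truststore -storetype %TRUSTSTORE_TYPE% -storepass !TRUSTSTORE_PASS!

    REM Create TrustStore password file
    ECHO keystore.password=!TRUSTSTORE_PASS!>> %SERVICE_KEYSTORES_DIR%\%FILE_NAME%-truststore-passwords.properties
    ECHO aliases=alfresco.ca>> %SERVICE_KEYSTORES_DIR%\%FILE_NAME%-truststore-passwords.properties
)

REM Removing files for current Alfresco Format
REM The password files are always written first and only removed here, so they briefly exist on
REM disk even for the current format.
IF "%ALFRESCO_FORMAT%" == "current" (
    del %SERVICE_KEYSTORES_DIR%\%FILE_NAME%-keystore-passwords.properties
    IF "%NO_TRUSTSTORE%" == "false" (
        del %SERVICE_KEYSTORES_DIR%\%FILE_NAME%-truststore-passwords.properties
    )
)

REM End of processing
GOTO :eof

REM Resolves KEYSTORE_PASS: seeds PASSWORD with the current value and lets
REM utils_password_prompt.cmd hand the final value back through PASSWORD.
REM Returns 1 when the helper fails.
:readKeystorePassword
SET PASSWORD=%KEYSTORE_PASS%
CALL ./utils_password_prompt.cmd "[service name] %SERVICE_NAME%, [role] %ROLE%, keystore"
IF ERRORLEVEL 1 ( EXIT /b 1 )
SET KEYSTORE_PASS=!PASSWORD!
GOTO :eof

REM Same as :readKeystorePassword, for TRUSTSTORE_PASS.
:readTruststorePassword
SET PASSWORD=%TRUSTSTORE_PASS%
CALL ./utils_password_prompt.cmd "[service name] %SERVICE_NAME%, [role] %ROLE%, truststore"
IF ERRORLEVEL 1 ( EXIT /b 1 )
SET TRUSTSTORE_PASS=!PASSWORD!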
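GOTO :eof
-------------------------------------------------------------------------------- /ssl-tool-win/run_ca.cmd: --------------------------------------------------------------------------------
@ECHO OFF

REM This script is generating a Root CA
REM Output: ca\private\ca.key.pem, an RSA key encrypted with AES-256 under KEYSTORE_PASS, and
REM ca\certs\ca.cert.pem, a self-signed certificate issued with the v3_ca extensions of openssl.cnf.
REM The whole run is skipped when the keystores folder already has any entry.

REM Open script through new cmd, to not save password inputs in command line history
REM REVIEW NOTE: this hides the typed line from the console history only; a password given as a
REM parameter is still part of the child process command line while the script runs.
IF "%~1"=="-clearhistory" GOTO :scriptStart
CMD /S /C "%~f0 -clearhistory %*"
EXIT /b

:scriptStart

REM ----------
REM DIRECTORIES
REM ----------
SET CA_DIR=ca
SET KEYSTORES_DIR=keystores
SET CERTIFICATES_DIR=certificates

REM ----------
REM PARAMETERS
REM ----------

REM Distinguished name of the CA
SET CA_DNAME=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA

REM Alfresco and SOLR server names, to be used as Alternative Name in the certificates
SET CA_SERVER_NAME=localhost

REM RSA key length (2048, 4096)
SET KEY_SIZE=2048
REM Default password for every keystore and private key
SET KEYSTORE_PASS=password_placeholder

REM Validity of the Root CA certificate in days. Defaults to 365; the samples pass
REM -validityduration 1 for short-lived test CAs.
SET VALIDITY_DURATION=365

REM Parse params from command line
REM Percent arguments inside the block below are expanded when the whole block is read, before
REM the SHIFTs run, so each SET receives the value that followed its option.
:loop
IF NOT "%1"=="" (
    IF "%1"=="-clearhistory" (
        REM clearhistory is a helper parameter for not storing passwords in command line history
        SHIFT
        GOTO loop
    )
    REM 2048, 4096, ...
    IF "%1"=="-keysize" (
        SHIFT
        SET KEY_SIZE=%2
        SHIFT
        GOTO loop
    )
    REM Password for keystore and private key
    IF "%1"=="-keystorepass" (
        SHIFT
        SET KEYSTORE_PASS=%2
        SHIFT
        GOTO loop
    )
    REM DName for CA issuing the certificates
    IF "%1"=="-certdname" (
        SHIFT
        SET CA_DNAME=%~2
        SHIFT
        GOTO loop
    )
    REM DNS name for CA Server
    IF "%1"=="-servername" (
        SHIFT
        SET CA_SERVER_NAME=%~2
        SHIFT
        GOTO loop
    )
    REM Validity of Root CA certificate in days
    IF "%1"=="-validityduration" (
        SHIFT
        SET VALIDITY_DURATION=%2
        SHIFT
        GOTO loop
    )
    ECHO An invalid parameter was received: %1
    ECHO Allowed parameters:
    ECHO -keysize
    ECHO -keystorepass
    ECHO -certdname
    ECHO -servername
    ECHO -validityduration
    REM Fail with a non-zero code, as run_additional.cmd does, so a calling script can detect it
    EXIT /b 1
)

REM REVIEW NOTE: LSS compares numerically only when both sides are numbers; a non-numeric
REM value falls back to string comparison and is not rejected here.
IF %VALIDITY_DURATION% LSS 1 (
    ECHO Minimum validity of Root CA is 1 day
    EXIT /b 1
)

REM If target folder for Keystores is not empty, skip generation
REM Any entry, hidden ones included, counts; a missing folder is treated as empty.
FOR /F %%A in ('dir /b /a %KEYSTORES_DIR%') DO (
    ECHO Keystores folder is not empty, skipping generation process...
    EXIT /b
)

setlocal enabledelayedexpansion

CALL :cleanupFolders

CALL :readKeystorePassword
IF ERRORLEVEL 1 ( EXIT /b 1 )

REM ------------
REM CA
REM ------------

REM Minimal openssl CA layout: index.txt database and a serial counter starting at 1000
mkdir %CA_DIR%\certs %CA_DIR%\crl %CA_DIR%\newcerts %CA_DIR%\private
TYPE nul > %CA_DIR%\index.txt
ECHO 1000 > %CA_DIR%\serial

REM CA private key, encrypted with the keystore password
openssl genrsa -aes256 -passout pass:!KEYSTORE_PASS!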
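-out %CA_DIR%\private\ca.key.pem %KEY_SIZE%

REM utils_san.cmd is expected to write CA_SERVER_NAME into the alt_names section of openssl.cnf,
REM the way :subjectAlternativeNames in run.cmd does - confirm
CALL ./utils_san.cmd "%CA_SERVER_NAME%"

REM Self-signed Root CA certificate; validity and subject come from the parameters above
openssl req -config openssl.cnf ^
    -key %CA_DIR%\private\ca.key.pem ^
    -new -x509 -days %VALIDITY_DURATION% -sha256 -extensions v3_ca ^
    -out %CA_DIR%\certs\ca.cert.pem ^
    -subj "%CA_DNAME%" ^
    -passin pass:!KEYSTORE_PASS!

endlocal

GOTO :eof

REM Resolves KEYSTORE_PASS: seeds PASSWORD with the current value and lets
REM utils_password_prompt.cmd hand the final value back through PASSWORD.
REM Returns 1 when the helper fails.
:readKeystorePassword
SET PASSWORD=%KEYSTORE_PASS%
CALL ./utils_password_prompt.cmd "Root CA"
IF ERRORLEVEL 1 ( EXIT /b 1 )
SET KEYSTORE_PASS=!PASSWORD!
GOTO :eof

REM Recreates the ca and certificates folders from scratch; the keystores folder is only
REM created when missing, so earlier output in it is kept.
:cleanupFolders
REM Remove previous working directories and certificates
IF EXIST "%CA_DIR%" (
    rmdir /s /q %CA_DIR%
)
mkdir %CA_DIR%

IF NOT EXIST "%KEYSTORES_DIR%" (
    mkdir %KEYSTORES_DIR%
)

IF EXIST "%CERTIFICATES_DIR%" (
    rmdir /s /q %CERTIFICATES_DIR%
)
mkdir %CERTIFICATES_DIR%
GOTO :eof

-------------------------------------------------------------------------------- /ssl-tool-win/run_encryption.cmd: --------------------------------------------------------------------------------
@ECHO OFF

REM This script is generating metadata encryption keystore
REM Output: keystores\SUBFOLDER_NAME\SERVICE_NAME.keystore holding one secret key under the
REM alias metadata. Store type and key algorithm follow ALFRESCO_FORMAT: PKCS12 with AES-256
REM for "current", JCEKS with DESede for "classic". The classic format additionally gets a
REM clear-text SERVICE_NAME-keystore-passwords.properties next to the store.

REM Open script through new cmd, to not save password inputs in command line history
REM REVIEW NOTE: this hides the typed line from the console history only; a password given as a
REM parameter is still part of the child process command line while the script runs.
IF "%~1"=="-clearhistory" GOTO :scriptStart
CMD /S /C "%~f0 -clearhistory %*"
EXIT /b

:scriptStart

REM ----------
REM DIRECTORIES
REM ----------
SET CA_DIR=ca
SET KEYSTORES_DIR=keystores
SET CERTIFICATES_DIR=certificates

REM ----------
REM PARAMETERS
REM ----------

SET SERVICE_NAME=encryption
SET SUBFOLDER_NAME=

REM Using "current" format by default (only available from ACS 7.0+)
SET ALFRESCO_FORMAT=current

REM Encryption secret key passwords
REM KEYSTORE_PASS protects the store, KEY_PASS the metadata key entry
SET KEYSTORE_PASS=password_placeholder
SET KEY_PASS=password_placeholder

REM Parse params from command line
REM Percent arguments inside the block below are expanded when the whole block is read, before
REM the SHIFTs run, so each SET receives the value that followed its option.
:loop
IF NOT "%1"=="" (
    IF "%1"=="-clearhistory" (
        REM clearhistory is a helper parameter for not storing passwords in command line history
        SHIFT
        GOTO loop
    )
    IF "%1"=="-subfoldername" (
        SHIFT
        SET SUBFOLDER_NAME=%2
        SHIFT
        GOTO loop
    )
    IF "%1"=="-servicename" (
        SHIFT
        SET SERVICE_NAME=%2
        SHIFT
        GOTO loop
    )
    IF "%1"=="-encstorepass" (
        SHIFT
        SET KEYSTORE_PASS=%2
        SHIFT
        GOTO loop
    )
    IF "%1"=="-encmetadatapass" (
        SHIFT
        SET KEY_PASS=%2
        SHIFT
        GOTO loop
    )
    IF "%1"=="-alfrescoformat" (
        SHIFT
        SET ALFRESCO_FORMAT=%~2
        SHIFT
        GOTO loop
    )
    ECHO An invalid parameter was received: %1
    ECHO Allowed parameters:
    ECHO -subfoldername
    ECHO -servicename
    ECHO -encstorepass
    ECHO -encmetadatapass
    ECHO -alfrescoformat
    REM Fail with a non-zero code, as run_additional.cmd does, so a calling script can detect it
    EXIT /b 1
)

IF "%SUBFOLDER_NAME%"=="" (
    SET SUBFOLDER_NAME=%SERVICE_NAME%
)

REM Encryption keystore format: PKCS12 (default for "current"), JCEKS (default for "classic")
IF "%ALFRESCO_FORMAT%" == "current" (
    SET ENC_STORE_TYPE=PKCS12
) ELSE (
    SET ENC_STORE_TYPE=JCEKS
)

REM Key algorithm: AES (default for "current"), DESede (default for "classic")
IF "%ALFRESCO_FORMAT%" == "current" (
    SET ENC_KEY_ALG=-keyalg AES -keysize 256
) ELSE (
    SET ENC_KEY_ALG=-keyalg DESede
)

SET DESTINATION_DIR=%KEYSTORES_DIR%\%SUBFOLDER_NAME%
IF NOT EXIST "%DESTINATION_DIR%" (
    mkdir %DESTINATION_DIR%
)

setlocal enabledelayedexpansion

CALL :readKeystorePassword
IF ERRORLEVEL 1 ( EXIT /b 1 )
CALL :readKeyPassword
IF ERRORLEVEL 1 ( EXIT /b 1 )

REM Generate Encryption Secret Key
REM REVIEW NOTE: PKCS12 stores generally cannot protect a key entry with a password different
REM from the store password; when ENC_STORE_TYPE is PKCS12 and the two passwords differ, check
REM that keytool does not silently ignore KEY_PASS - TODO confirm with the keytool in use
keytool -genseckey -alias metadata -keypass !KEY_PASS! -storepass !KEYSTORE_PASS! -keystore %DESTINATION_DIR%\%SERVICE_NAME%.keystore ^
    -storetype %ENC_STORE_TYPE% %ENC_KEY_ALG%

REM Classic format only: clear-text password file next to the store
IF NOT "%ALFRESCO_FORMAT%" == "current" (
    REM Create Alfresco Encryption password file
    ECHO aliases=metadata>> %DESTINATION_DIR%\%SERVICE_NAME%-keystore-passwords.properties
    ECHO keystore.password=!KEYSTORE_PASS!>> %DESTINATION_DIR%\%SERVICE_NAME%-keystore-passwords.properties
    ECHO metadata.keyData=>> %DESTINATION_DIR%\%SERVICE_NAME%-keystore-passwords.properties
    ECHO metadata.algorithm=DESede>> %DESTINATION_DIR%\%SERVICE_NAME%-keystore-passwords.properties
    ECHO metadata.password=!KEY_PASS!>> %DESTINATION_DIR%\%SERVICE_NAME%-keystore-passwords.properties
)

endlocal
GOTO :eof


REM Resolves KEYSTORE_PASS: seeds PASSWORD with the current value and lets
REM utils_password_prompt.cmd hand the final value back through PASSWORD.
REM Returns 1 when the helper fails.
:readKeystorePassword
SET PASSWORD=%KEYSTORE_PASS%
CALL ./utils_password_prompt.cmd "Encryption Keystore"
IF ERRORLEVEL 1 ( EXIT /b 1 )
SET KEYSTORE_PASS=!PASSWORD!
GOTO :eof

REM Same as :readKeystorePassword, for KEY_PASS.
:readKeyPassword
SET PASSWORD=%KEY_PASS%
CALL ./utils_password_prompt.cmd "Encryption Key"
IF ERRORLEVEL 1 ( EXIT /b 1 )
SET KEY_PASS=!PASSWORD!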
GOTO :eof
-------------------------------------------------------------------------------- /ssl-tool-win/samples/client_server.cmd: --------------------------------------------------------------------------------
@ECHO OFF

REM Sample end-to-end run of the new approach: one Root CA from run_ca.cmd, then one
REM keystore/truststore set per service through run_additional.cmd, plus the metadata
REM encryption keystore. Everything lands under the keystores folder.
REM REVIEW NOTE: the passwords below are fixed sample values committed with the repository and
REM are passed as parameters, bypassing the interactive prompt; they are meant for this sample
REM and the CI run only.

SET KEYSTORES_DIR=keystores

REM Wipes any previous CA, certificate and keystore output before regenerating
rd /s /q ca
rd /s /q certificates
rd /s /q %KEYSTORES_DIR%

REM SETTINGS
REM Alfresco Format: "classic" / "current" is supported only from 7.0
SET ALFRESCO_FORMAT=current

REM CA
REM One-day validity: this CA exists only for the duration of the test
call run_ca.cmd -keysize 2048 -keystorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA" -servername localhost -validityduration 1
REM Alfresco
call run_additional.cmd -servicename alfresco -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM Alfresco Metadata encryption
call run_encryption.cmd -subfoldername alfresco -servicename encryption -encstorepass mp6yc0UD9e -encmetadatapass oKIWzVdEdA -alfrescoformat %ALFRESCO_FORMAT%
REM Solr
call run_additional.cmd -servicename solr -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository Client" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM Zeppelin (copy of Solr for enterprise)
REM The SOLR stores are copied as-is; solr.keystore is the name produced for role both, which has no suffix
SET ZEPPELIN_DIR=%KEYSTORES_DIR%\zeppelin
IF EXIST "%ZEPPELIN_DIR%" (
    rmdir /s /q %ZEPPELIN_DIR%
)
mkdir %ZEPPELIN_DIR%
copy %KEYSTORES_DIR%\solr\solr.keystore %ZEPPELIN_DIR%\zeppelin.keystore
copy %KEYSTORES_DIR%\solr\solr.truststore %ZEPPELIN_DIR%\zeppelin.truststore
REM Solr browser
REM Client-only PKCS12 store without a truststore, placed under the client subfolder
call run_additional.cmd -subfoldername client -servicename browser -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype PKCS12 -keystorepass kT9X6oe68t -notruststore -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Browser Client" -alfrescoformat %ALFRESCO_FORMAT%

REM Shared file store
call run_additional.cmd -servicename sharedFileStore -alias sharedFileStore_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Shared File Store Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM Transform Router
REM Each transform component gets a separate client and server store, distinguished by -role and -alias
call run_additional.cmd -servicename transformRouter -alias transformRouter_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router Client" -alfrescoformat %ALFRESCO_FORMAT%
call run_additional.cmd -servicename transformRouter -alias transformRouter_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine AIO
call run_additional.cmd -servicename tengineAIO -alias tengineAIO_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine AIO Client" -alfrescoformat %ALFRESCO_FORMAT%
call run_additional.cmd -servicename tengineAIO -alias tengineAIO_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine AIO Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine Imagemagick
call run_additional.cmd -servicename tengineImageMagick -alias tengineImageMagick_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine ImageMagick Client" -alfrescoformat %ALFRESCO_FORMAT%
call run_additional.cmd -servicename tengineImageMagick -alias tengineImageMagick_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine ImageMagick Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine Libreoffice
call run_additional.cmd -servicename tengineLibreOffice -alias tengineLibreOffice_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine LibreOffice Client" -alfrescoformat %ALFRESCO_FORMAT%
call run_additional.cmd -servicename tengineLibreOffice -alias tengineLibreOffice_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine LibreOffice Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine Pdfrenderer
call run_additional.cmd -servicename tenginePdfRenderer -alias tenginePdfRenderer_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine PdfRenderer Client" -alfrescoformat %ALFRESCO_FORMAT%
call run_additional.cmd -servicename tenginePdfRenderer -alias tenginePdfRenderer_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine PdfRenderer Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine Tika
call run_additional.cmd -servicename tengineTika -alias tengineTika_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Tika Client" -alfrescoformat %ALFRESCO_FORMAT%
call run_additional.cmd -servicename tengineTika -alias tengineTika_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Tika Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine Misc
call run_additional.cmd -servicename tengineMisc -alias tengineMisc_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Misc Client" -alfrescoformat %ALFRESCO_FORMAT%
call run_additional.cmd -servicename tengineMisc -alias tengineMisc_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Misc Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%

REM Custom T-Engine
REM The server call shows a multi-name SAN: a comma-separated list is passed as one quoted -servername value
call run_additional.cmd -servicename tengineCustom -alias tengineCustom_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Custom Client" -alfrescoformat %ALFRESCO_FORMAT%
call run_additional.cmd -servicename tengineCustom -alias tengineCustom_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Custom Server" -servername "localhost,additional" -alfrescoformat %ALFRESCO_FORMAT%

-------------------------------------------------------------------------------- /ssl-tool-win/samples/legacy_client_server.cmd: --------------------------------------------------------------------------------
@ECHO OFF

REM Sample run of the legacy approach: run.cmd builds the CA, repository, SOLR and Zeppelin
REM stores in one go; the additional services still go through run_additional.cmd.
REM REVIEW NOTE: same fixed sample passwords as client_server.cmd, passed as parameters.

REM Wipes any previous CA, certificate and keystore output before regenerating
rd /s /q ca
rd /s /q certificates
rd /s /q keystores

REM SETTINGS
REM Alfresco Format: "classic" / "current" is supported only from 7.0
SET ALFRESCO_FORMAT=current

REM CA, Repository, Solr, Zeppelin
call run.cmd -alfrescoversion community -keysize 2048 -keystoretype JCEKS -truststoretype JCEKS -keystorepass kT9X6oe68t -truststorepass kT9X6oe68t -encstorepass mp6yc0UD9e -encmetadatapass oKIWzVdEdA -alfrescoformat %ALFRESCO_FORMAT% -cavalidityduration 1

REM Shared file store
call run_additional.cmd -servicename sharedFileStore -alias sharedFileStore_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname
"/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Shared File Store Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT% 16 | 17 | REM Transform Router 18 | call run_additional.cmd -servicename transformRouter -alias transformRouter_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router Client" -alfrescoformat %ALFRESCO_FORMAT% 19 | call run_additional.cmd -servicename transformRouter -alias transformRouter_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT% 20 | 21 | REM T-Engine AIO 22 | call run_additional.cmd -servicename tengineAIO -alias tengineAIO_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine AIO Client" -alfrescoformat %ALFRESCO_FORMAT% 23 | call run_additional.cmd -servicename tengineAIO -alias tengineAIO_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine AIO Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT% 24 | 25 | REM T-Engine Imagemagick 26 | call run_additional.cmd -servicename tengineImageMagick -alias tengineImageMagick_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname 
"/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine ImageMagick Client" -alfrescoformat %ALFRESCO_FORMAT% 27 | call run_additional.cmd -servicename tengineImageMagick -alias tengineImageMagick_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine ImageMagick Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT% 28 | REM T-Engine Libreoffice 29 | call run_additional.cmd -servicename tengineLibreOffice -alias tengineLibreOffice_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine LibreOffice Client" -alfrescoformat %ALFRESCO_FORMAT% 30 | call run_additional.cmd -servicename tengineLibreOffice -alias tengineLibreOffice_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine LibreOffice Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT% 31 | REM T-Engine Pdfrenderer 32 | call run_additional.cmd -servicename tenginePdfRenderer -alias tenginePdfRenderer_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine PdfRenderer Client" -alfrescoformat %ALFRESCO_FORMAT% 33 | call run_additional.cmd -servicename tenginePdfRenderer -alias tenginePdfRenderer_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname 
"/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine PdfRenderer Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT% 34 | REM T-Engine Tika 35 | call run_additional.cmd -servicename tengineTika -alias tengineTika_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Tika Client" -alfrescoformat %ALFRESCO_FORMAT% 36 | call run_additional.cmd -servicename tengineTika -alias tengineTika_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Tika Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT% 37 | REM T-Engine Misc 38 | call run_additional.cmd -servicename tengineMisc -alias tengineMisc_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Misc Client" -alfrescoformat %ALFRESCO_FORMAT% 39 | call run_additional.cmd -servicename tengineMisc -alias tengineMisc_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Misc Server" -servername localhost -alfrescoformat %ALFRESCO_FORMAT% 40 | 41 | REM Custom T-Engine 42 | call run_additional.cmd -servicename tengineCustom -alias tengineCustom_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software 
Ltd./OU=Unknown/CN=T-Engine Custom Client" -alfrescoformat %ALFRESCO_FORMAT% 43 | call run_additional.cmd -servicename tengineCustom -alias tengineCustom_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Custom Server" -servername "localhost,additional" -alfrescoformat %ALFRESCO_FORMAT% 44 | -------------------------------------------------------------------------------- /ssl-tool-win/samples/legacy_simple.cmd: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | rd /s /q ca 4 | rd /s /q certificates 5 | rd /s /q keystores 6 | 7 | REM SETTINGS 8 | REM Alfresco Format: "classic" / "current" is supported only from 7.0 9 | SET ALFRESCO_FORMAT=current 10 | 11 | REM CA, Repository, Solr, Zeppelin 12 | call run.cmd -alfrescoversion community -keysize 2048 -keystoretype JCEKS -truststoretype JCEKS -keystorepass kT9X6oe68t -truststorepass kT9X6oe68t -encstorepass mp6yc0UD9e -encmetadatapass oKIWzVdEdA -alfrescoformat %ALFRESCO_FORMAT% -cavalidityduration 1 13 | 14 | REM Shared file store 15 | call run_additional.cmd -servicename sharedFileStore -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Shared File Store" -servername localhost -alfrescoformat %ALFRESCO_FORMAT% 16 | REM Transform Router 17 | call run_additional.cmd -servicename transformRouter -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router" -servername localhost -alfrescoformat %ALFRESCO_FORMAT% 18 | REM T-Engine AIO 19 | call run_additional.cmd -servicename 
tengineAIO -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine AIO" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine Imagemagick
call run_additional.cmd -servicename tengineImageMagick -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine ImageMagick" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine Libreoffice
call run_additional.cmd -servicename tengineLibreOffice -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine LibreOffice" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine Pdfrenderer
call run_additional.cmd -servicename tenginePdfRenderer -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine PdfRenderer" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine Tika
call run_additional.cmd -servicename tengineTika -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Tika" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine Misc
call run_additional.cmd -servicename tengineMisc -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Misc" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%

REM Custom T-Engine
REM A comma-separated -servername yields one DNS.n SAN entry per name,
REM presumably through utils_san.cmd.
call run_additional.cmd -servicename tengineCustom -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Custom" -servername "localhost,additional" -alfrescoformat %ALFRESCO_FORMAT%

-------------------------------------------------------------------------------- /ssl-tool-win/samples/simple.cmd: --------------------------------------------------------------------------------
@ECHO OFF

REM Sample driver for the per-step layout: run_ca.cmd creates the CA, then
REM run_additional.cmd and run_encryption.cmd create each store individually.
REM Passwords and DNs below are sample values committed to source control and
REM are passed as command-line arguments, where other local processes can
REM read them.
SET KEYSTORES_DIR=keystores

REM Previous output is removed without confirmation.
rd /s /q ca
rd /s /q certificates
rd /s /q %KEYSTORES_DIR%

REM SETTINGS
REM Alfresco Format: "classic" / "current" is supported only from 7.0
SET ALFRESCO_FORMAT=current

REM CA
REM -validityduration 1 gives this sample CA a short lifetime; run_ca.cmd
REM defines the unit.
call run_ca.cmd -keysize 2048 -keystorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA" -servername localhost -validityduration 1
REM Alfresco
REM -rootcapass repeats the -keystorepass given to run_ca.cmd; presumably it
REM unlocks the CA key for signing.
call run_additional.cmd -servicename alfresco -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM Alfresco Metadata encryption
call run_encryption.cmd -subfoldername alfresco -servicename encryption -encstorepass mp6yc0UD9e -encmetadatapass oKIWzVdEdA -alfrescoformat %ALFRESCO_FORMAT%
REM Solr
call run_additional.cmd -servicename solr -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software 
Ltd./OU=Unknown/CN=Custom Alfresco Repository Client" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM Zeppelin (copy of Solr for enterprise)
REM Zeppelin receives byte copies of the Solr keystore and truststore, so the
REM two services share one TLS identity: rotating or revoking one affects both.
SET ZEPPELIN_DIR=%KEYSTORES_DIR%\zeppelin
IF EXIST "%ZEPPELIN_DIR%" (
rmdir /s /q %ZEPPELIN_DIR%
)
mkdir %ZEPPELIN_DIR%
copy %KEYSTORES_DIR%\solr\solr.keystore %ZEPPELIN_DIR%\zeppelin.keystore
copy %KEYSTORES_DIR%\solr\solr.truststore %ZEPPELIN_DIR%\zeppelin.truststore
REM Solr browser
REM Client-only certificate, exported as PKCS12 under the client subfolder for
REM browser import; -notruststore means no truststore is produced for it.
call run_additional.cmd -subfoldername client -servicename browser -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype PKCS12 -keystorepass kT9X6oe68t -notruststore -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Browser Client" -alfrescoformat %ALFRESCO_FORMAT%

REM Shared file store
call run_additional.cmd -servicename sharedFileStore -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Shared File Store" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM Transform Router
call run_additional.cmd -servicename transformRouter -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine AIO
call run_additional.cmd -servicename tengineAIO -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine AIO" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine Imagemagick
call run_additional.cmd -servicename tengineImageMagick -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine ImageMagick" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine Libreoffice
call run_additional.cmd -servicename tengineLibreOffice -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine LibreOffice" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine Pdfrenderer
call run_additional.cmd -servicename tenginePdfRenderer -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine PdfRenderer" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine Tika
call run_additional.cmd -servicename tengineTika -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Tika" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%
REM T-Engine Misc
call run_additional.cmd -servicename tengineMisc -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Misc" -servername localhost -alfrescoformat %ALFRESCO_FORMAT%

REM Custom T-Engine
REM A comma-separated -servername yields one DNS.n SAN entry per name,
REM presumably through utils_san.cmd.
call run_additional.cmd -servicename tengineCustom -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco 
Software Ltd./OU=Unknown/CN=T-Engine Custom" -servername "localhost,additional" -alfrescoformat %ALFRESCO_FORMAT%

-------------------------------------------------------------------------------- /ssl-tool-win/utils_password_prompt.cmd: --------------------------------------------------------------------------------
@ECHO OFF
REM Interactive password helper.
REM   first argument - description shown in the prompt.
REM   PASSWORD - in/out. When it already holds a real value it is only length
REM   checked and the script returns 1 on failure, 0 otherwise. When it holds
REM   the placeholder text the user is prompted until a value passes the length
REM   check and is typed identically twice.
REM   CHECK_FAILED, PASSWORD_LENGTH - scratch variables left set for the caller.
REM SET /P does not mask input, so the typed password is visible on screen.
REM The CHECK_FAILED reads below use delayed expansion and therefore only work
REM when the caller enabled it before calling this script; no setlocal is done
REM here so that PASSWORD is returned to the caller.
SET PASSWORD_DESCRIPTION=%~1
SET PASSWORD_PLACEHOLDER=password_placeholder

REM Password reading functions
IF NOT "%PASSWORD%" == "%PASSWORD_PLACEHOLDER%" (
CALL :verifyPasswordConditions
IF !CHECK_FAILED! == true (
EXIT /B 1
) ELSE (
EXIT /B 0
)
)
CALL :readPassword
GOTO :eof

:readPassword
REM NOTE: SET /P keeps the previous value on empty input, so pressing Enter
REM here leaves the placeholder text in PASSWORD. That text is 20 characters
REM long and passes the length check, so typing it at the repeat prompt would
REM accept the placeholder as the password.
SET /p "PASSWORD=Please enter password for %PASSWORD_DESCRIPTION%: "

CALL :verifyPasswordConditions

IF !CHECK_FAILED! == true (
SET PASSWORD=%PASSWORD_PLACEHOLDER%
GOTO :readPassword
)

REM The second entry must match exactly; on mismatch the placeholder is
REM restored and the prompt loop restarts.
SET /p "PASSWORD_CHECK=Please repeat pass phrase : "
IF NOT "%PASSWORD%" == "%PASSWORD_CHECK%" (
ECHO Password verification failed
SET PASSWORD=%PASSWORD_PLACEHOLDER%
GOTO :readPassword
)
GOTO :eof

:verifyPasswordConditions
REM Only a length rule is enforced, 6 to 1023 characters; no character-class
REM checks are made.
SET CHECK_FAILED=false

CALL :strLen PASSWORD PASSWORD_LENGTH
IF %PASSWORD_LENGTH% LSS 6 (
ECHO Password must have at least 6 characters and no more than 1023
SET CHECK_FAILED=true
) ELSE IF %PASSWORD_LENGTH% GTR 1023 (
ECHO Password must have at least 6 characters and no more than 1023
SET CHECK_FAILED=true
)
GOTO :eof

:strLen
REM strLen VARNAME RESULTVAR - stores the length of VARNAME's value in RESULTVAR
REM by probing successively longer substring offsets until the rest is empty.
REM len is not reset on entry, so the count is only right when the caller's
REM environment does not already define len; setlocal confines the scratch
REM value to this routine.
setlocal enabledelayedexpansion

:strLen_Loop
IF NOT "!%1:~%len%!"=="" SET /A len+=1 & goto :strLen_Loop
(endlocal & SET %2=%len%)
GOTO :eof

-------------------------------------------------------------------------------- /ssl-tool-win/utils_san.cmd: --------------------------------------------------------------------------------
@ECHO OFF

REM Subject 
Alternative Name provided through config file substitution
REM utils_san.cmd SERVERNAMES - rewrites openssl.cnf in place so that its
REM [alt_names] section lists one DNS.n entry per comma-separated name in the
REM first argument. With no argument the file is left untouched.
REM The argument is spliced into a PowerShell command string below, so only
REM plain host names are safe here; quotes, dollar signs or backticks in the
REM value would change the PowerShell expression. The edit is persistent:
REM after a run openssl.cnf keeps the last service's names until the next call.
setlocal EnableDelayedExpansion
SET SERVICE_SERVER_NAME=%~1
SET SED_HOSTNAMES=
IF DEFINED SERVICE_SERVER_NAME (
REM Clear existing DNS.X lines in openssl.cnf file
powershell -Command "(gc -Encoding utf8 openssl.cnf) | Where-Object {$_ -notmatch '^DNS\.'} | Set-Content openssl.cnf"
REM Split given server names by "," separator
REM Create a string that would place every hostname as a separate DNS.{counter} = {hostname} line
SET COUNTER=0
FOR %%a IN (%SERVICE_SERVER_NAME%) DO (
SET /a COUNTER=COUNTER+1
SET "SED_HOSTNAMES=!SED_HOSTNAMES!`nDNS.!COUNTER! = %%a"
)

REM Place that string in openssl.cnf file under [alt_names]
powershell -Command "(gc -Encoding utf8 openssl.cnf) -replace '\[alt_names\]', \"[alt_names]!SED_HOSTNAMES!\" | Out-File -Encoding utf8 openssl.cnf"
REM Remove BOM
powershell -Command "(gc -Encoding utf8 openssl.cnf) | Foreach-Object {$_ -replace '\xEF\xBB\xBF', ''} | Set-Content openssl.cnf"
)
endlocal
GOTO :eof
-------------------------------------------------------------------------------- /ssl-tool/openssl.cnf: --------------------------------------------------------------------------------
[ ca ]
default_ca = CA_default

[ CA_default ]
# Directory and file locations
# dir is relative to the working directory of the openssl invocation, not to
# this file: run.sh creates ca/ in its current directory and runs openssl there.
dir = ./ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand

# The root key and root certificate.
# run.sh generates private_key AES-256 encrypted under the same password as the
# keystores (KEYSTORE_PASS), mode 400 inside a mode 700 ca/private folder.
certificate = $dir/certs/ca.cert.pem
private_key = $dir/private/ca.key.pem

# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

name_opt = ca_default
cert_opt = ca_default
# default_days appears twice in this section (375 here, 3650 below). The later
# entry is the one expected to take effect, giving issued certificates roughly
# ten years; keep a single value to avoid ambiguity.
default_days = 375
preserve = no
policy = policy_strict

default_days = 3650

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
# Applied to every `openssl ca` signing in this tool: a CSR whose C, ST or O
# differs from the CA's own DN is rejected; OU and e-mail are free, CN required.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

# Extension to add when the -x509 option is used.
x509_extensions = v3_ca

[ req_distinguished_name ]
# Prompt labels for the DN fields (`man req`). run.sh passes -subj on every
# req call, so these prompts and the defaults below are not normally reached.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Optionally, specify some defaults.
countryName_default = GB
stateOrProvinceName_default = England
localityName_default =
0.organizationName_default = Alice Ltd
#organizationalUnitName_default =
#emailAddress_default =

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# NOTE(review): basicConstraints is not marked critical and has no pathlen
# limit; `critical, CA:true, pathlen:0` would be the tighter setting for a
# root that, as in run.sh, only issues end-entity certificates.
basicConstraints = CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ clientServer_cert ]
# Extensions for client/server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server, client
nsComment = "OpenSSL Generated Client/Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
# Dual-purpose profile: run.sh signs the repository and Solr CSRs with this
# section, so each of those certificates is valid for both serverAuth and
# clientAuth (one certificate per side of the mutual-TLS connection).
extendedKeyUsage = serverAuth, clientAuth
# Host names come from [alt_names], rewritten per service before signing.
subjectAltName = @alt_names

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
# Server-only profile; not referenced by the visible part of run.sh.
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ client_cert ]
# Client-only profile; run.sh uses it for the browser certificate. It carries
# no subjectAltName because a client certificate needs no host names.
basicConstraints = CA:FALSE
nsCertType = client
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

# Placeholder SAN. run.sh calls subjectAlternativeNames before each signing,
# which presumably replaces the DNS.n lines, so the committed value only
# matters when openssl is run by hand against this file.
[alt_names]
DNS.1 = localhost

-------------------------------------------------------------------------------- /ssl-tool/run.sh: --------------------------------------------------------------------------------
#! /bin/bash

# Abort on any failing command, failing pipeline stage or unset variable.
set -o errexit
set -o pipefail
set -o nounset

# This script generates certificates for Repository and SOLR TLS/SSL Mutual Auth Communication:
#
# * CA Entity to issue all required certificates (alias alfresco.ca)
# * Server Certificate for Alfresco (alias ssl.repo)
# * Server Certificate for SOLR (alias ssl.repo.client)
#
# "openssl.cnf" file is provided for CA Configuration.
#
# Once this script has been executed successfully, following resources are generated in ${KEYSTORES_DIR} folder for "classic" Alfresco format:
#
# .
# ├── alfresco
# │   ├── keystore
# │   ├── keystore-passwords.properties
# │   ├── ssl-keystore-passwords.properties
# │   ├── ssl-truststore-passwords.properties
# │   ├── ssl.keystore
# │   └── ssl.truststore
# ├── client
# │   └── browser.p12
# ├── solr
# │   ├── ssl-keystore-passwords.properties
# │   ├── ssl-truststore-passwords.properties
# │   ├── ssl.repo.client.keystore
# │   └── ssl.repo.client.truststore
# └── zeppelin
# ├── ssl.repo.client.keystore
# └── ssl.repo.client.truststore
#
# When using "current" Alfresco format (available from ACS 7.0), following resources are generated in ${KEYSTORES_DIR}
# .
# ├── alfresco
# │   ├── keystore
# │   ├── ssl.keystore
# │   └── ssl.truststore
# ├── client
# │   └── browser.p12
# ├── solr
# │   ├── ssl-repo-client.keystore
# │   └── ssl-repo-client.truststore
# └── zeppelin
# ├── ssl-repo-client.keystore
# └── ssl-repo-client.truststore
#
# "alfresco" files must be copied to "alfresco/keystore" folder
# "solr" files must be copied to "solr6/keystore"
# "zeppelin" files must be copied to "zeppelin/keystore"
# "client" files can be used from a browser to access the server using HTTPS in port 8443
#
# NOTE(review): the *-passwords.properties files listed above are written by
# generate with the store passwords in clear text, and every private key and
# keystore is protected by the same KEYSTORE_PASS; restrict access to the
# output folder accordingly.

# Load common functions and variables
SCRIPT_DIR="$(dirname "$(realpath "$0")")"
# NOTE: unquoted; a SCRIPT_DIR containing spaces would be word-split here.
source $SCRIPT_DIR/utils.sh

# PARAMETERS
# The values below are defaults; they are presumably overridden by argument
# parsing further down this file.

# Version of Alfresco: enterprise, community
ALFRESCO_VERSION=enterprise

# Using "current" format by default (only available from ACS 7.0+)
ALFRESCO_FORMAT=current

# Distinguished name of the CA
CA_DNAME="/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom 
Alfresco CA" 70 | # Distinguished name of the Server Certificate for Alfresco 71 | REPO_CERT_DNAME="/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository" 72 | # Distinguished name of the Server Certificate for SOLR 73 | SOLR_CLIENT_CERT_DNAME="/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository Client" 74 | # Distinguished name of the Browser Certificate for SOLR 75 | BROWSER_CLIENT_CERT_DNAME="/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Browser Client" 76 | 77 | # Alfresco and SOLR server names, to be used as Alternative Name in the certificates 78 | CA_SERVER_NAME=localhost 79 | ALFRESCO_SERVER_NAME=localhost 80 | SOLR_SERVER_NAME=localhost 81 | 82 | # RSA key length (2048, 4096) 83 | KEY_SIZE=2048 84 | 85 | # Keystore format (PKCS12, JKS, JCEKS) 86 | KEYSTORE_TYPE=JCEKS 87 | # Truststore format (JKS, JCEKS) 88 | TRUSTSTORE_TYPE=JCEKS 89 | 90 | # Default password for every keystore and private key 91 | KEYSTORE_PASS=keystore 92 | # Default password for every truststore 93 | TRUSTSTORE_PASS=truststore 94 | 95 | # Encryption secret key passwords 96 | ENC_STORE_PASS=password 97 | ENC_METADATA_PASS=password 98 | 99 | # Folder where keystores, truststores and cerfiticates are generated 100 | KEYSTORES_DIR=keystores 101 | ALFRESCO_KEYSTORES_DIR=keystores/alfresco 102 | SOLR_KEYSTORES_DIR=keystores/solr 103 | ZEPPELIN_KEYSTORES_DIR=keystores/zeppelin 104 | CLIENT_KEYSTORES_DIR=keystores/client 105 | CERTIFICATES_DIR=certificates 106 | 107 | #Root CA validity, left as 7300 for backwards compatibility 108 | CA_VALIDITY_DURATION=7300 109 | 110 | # SCRIPT 111 | # Generates every keystore, trustore and certificate required for Alfresco SSL configuration 112 | function generate { 113 | 114 | # Encryption keystore format: PKCS12 (default for "current"), JCEKS (default for "classic") 115 | if [ "$ALFRESCO_FORMAT" == "current" ]; then 116 | ENC_STORE_TYPE=PKCS12 117 | else 118 
| ENC_STORE_TYPE=JCEKS 119 | fi 120 | 121 | # Key algorithm: AES (default for "current"), DESede (default for "classic") 122 | if [ "$ALFRESCO_FORMAT" == "current" ]; then 123 | ENC_KEY_ALG="-keyalg AES -keysize 256" 124 | else 125 | ENC_KEY_ALG="-keyalg DESede" 126 | fi 127 | 128 | # If target folder for Keystores is not empty, skip generation 129 | if [ "$(ls -A $KEYSTORES_DIR)" ]; then 130 | echo "Keystores folder is not empty, skipping generation process..." 131 | exit 1 132 | fi 133 | 134 | # Remove previous working directories and certificates 135 | if [ -d ca ]; then 136 | rm -rf ca/* 137 | fi 138 | 139 | # Create folders for truststores, keystores and certificates 140 | if [ ! -d "$KEYSTORES_DIR" ]; then 141 | mkdir -p $KEYSTORES_DIR 142 | else 143 | rm -rf $KEYSTORES_DIR/* 144 | fi 145 | 146 | if [ ! -d "$ALFRESCO_KEYSTORES_DIR" ]; then 147 | mkdir -p $ALFRESCO_KEYSTORES_DIR 148 | else 149 | rm -rf $ALFRESCO_KEYSTORES_DIR/* 150 | fi 151 | 152 | if [ ! -d "$SOLR_KEYSTORES_DIR" ]; then 153 | mkdir -p $SOLR_KEYSTORES_DIR 154 | else 155 | rm -rf $SOLR_KEYSTORES_DIR/* 156 | fi 157 | 158 | if [ "$ALFRESCO_VERSION" = "enterprise" ]; then 159 | if [ ! -d "$ZEPPELIN_KEYSTORES_DIR" ]; then 160 | mkdir -p $ZEPPELIN_KEYSTORES_DIR 161 | else 162 | rm -rf $ZEPPELIN_KEYSTORES_DIR/* 163 | fi 164 | fi 165 | 166 | if [ ! -d "$CLIENT_KEYSTORES_DIR" ]; then 167 | mkdir -p $CLIENT_KEYSTORES_DIR 168 | else 169 | rm -rf $CLIENT_KEYSTORES_DIR/* 170 | fi 171 | 172 | if [ ! -d "$CERTIFICATES_DIR" ]; then 173 | mkdir -p $CERTIFICATES_DIR 174 | else 175 | rm -rf $CERTIFICATES_DIR/* 176 | fi 177 | 178 | # 179 | # CA 180 | # 181 | 182 | # Generate a new CA Entity 183 | if [ ! 
-d ca ]; then 184 | mkdir ca 185 | fi 186 | 187 | mkdir ca/certs ca/crl ca/newcerts ca/private 188 | chmod 700 ca/private 189 | touch ca/index.txt 190 | echo 1000 > ca/serial 191 | 192 | openssl genrsa -aes256 -passout pass:$KEYSTORE_PASS -out ca/private/ca.key.pem $KEY_SIZE 193 | chmod 400 ca/private/ca.key.pem 194 | 195 | subjectAlternativeNames $CA_SERVER_NAME 196 | 197 | openssl req -config $SCRIPT_DIR/openssl.cnf \ 198 | -key ca/private/ca.key.pem \ 199 | -new -x509 -days $CA_VALIDITY_DURATION -sha256 -extensions v3_ca \ 200 | -out ca/certs/ca.cert.pem \ 201 | -subj "$CA_DNAME" \ 202 | -passin pass:$KEYSTORE_PASS 203 | chmod 444 ca/certs/ca.cert.pem 204 | 205 | # Generate Server Certificate for Alfresco (issued by just generated CA) 206 | subjectAlternativeNames $ALFRESCO_SERVER_NAME 207 | 208 | openssl req -newkey rsa:$KEY_SIZE -nodes -out $CERTIFICATES_DIR/repository.csr -keyout $CERTIFICATES_DIR/repository.key -subj "$REPO_CERT_DNAME" 209 | 210 | openssl ca -config $SCRIPT_DIR/openssl.cnf -extensions clientServer_cert -passin pass:$KEYSTORE_PASS -batch -notext \ 211 | -in $CERTIFICATES_DIR/repository.csr -out $CERTIFICATES_DIR/repository.cer 212 | 213 | openssl pkcs12 -export -out $CERTIFICATES_DIR/repository.p12 -inkey $CERTIFICATES_DIR/repository.key \ 214 | -in $CERTIFICATES_DIR/repository.cer -password pass:$KEYSTORE_PASS -certfile ca/certs/ca.cert.pem 215 | 216 | # Server Certificate for SOLR (issued by just generated CA) 217 | subjectAlternativeNames $SOLR_SERVER_NAME 218 | 219 | openssl req -newkey rsa:$KEY_SIZE -nodes -out $CERTIFICATES_DIR/solr.csr -keyout $CERTIFICATES_DIR/solr.key -subj "$SOLR_CLIENT_CERT_DNAME" 220 | 221 | openssl ca -config $SCRIPT_DIR/openssl.cnf -extensions clientServer_cert -passin pass:$KEYSTORE_PASS -batch -notext \ 222 | -in $CERTIFICATES_DIR/solr.csr -out $CERTIFICATES_DIR/solr.cer 223 | 224 | openssl pkcs12 -export -out $CERTIFICATES_DIR/solr.p12 -inkey $CERTIFICATES_DIR/solr.key \ 225 | -in $CERTIFICATES_DIR/solr.cer 
-password pass:$KEYSTORE_PASS -certfile ca/certs/ca.cert.pem 226 | 227 | # Client Certificate for SOLR (issued by just generated CA) 228 | openssl req -newkey rsa:$KEY_SIZE -nodes -out $CERTIFICATES_DIR/browser.csr -keyout $CERTIFICATES_DIR/browser.key \ 229 | -subj "$BROWSER_CLIENT_CERT_DNAME" 230 | 231 | openssl ca -config $SCRIPT_DIR/openssl.cnf -extensions client_cert -passin pass:$KEYSTORE_PASS -batch -notext \ 232 | -in $CERTIFICATES_DIR/browser.csr -out $CERTIFICATES_DIR/browser.cer 233 | 234 | openssl pkcs12 -export -out $CERTIFICATES_DIR/browser.p12 -inkey $CERTIFICATES_DIR/browser.key \ 235 | -in $CERTIFICATES_DIR/browser.cer -password pass:$KEYSTORE_PASS -certfile ca/certs/ca.cert.pem 236 | 237 | # 238 | # SOLR 239 | # 240 | 241 | # Include CA and Alfresco certificates in SOLR Truststore 242 | keytool -import -trustcacerts -noprompt -alias alfresco.ca -file ca/certs/ca.cert.pem \ 243 | -keystore ${SOLR_KEYSTORES_DIR}/ssl.repo.client.truststore -storetype $TRUSTSTORE_TYPE -storepass $TRUSTSTORE_PASS 244 | 245 | keytool -importcert -noprompt -alias ssl.repo -file $CERTIFICATES_DIR/repository.cer \ 246 | -keystore ${SOLR_KEYSTORES_DIR}/ssl.repo.client.truststore -storetype $TRUSTSTORE_TYPE -storepass $TRUSTSTORE_PASS 247 | 248 | keytool -importcert -noprompt -alias ssl.repo.client -file $CERTIFICATES_DIR/solr.cer \ 249 | -keystore ${SOLR_KEYSTORES_DIR}/ssl.repo.client.truststore -storetype $TRUSTSTORE_TYPE -storepass $TRUSTSTORE_PASS 250 | 251 | # Create SOLR TrustStore password file 252 | echo "aliases=alfresco.ca,ssl.repo,ssl.repo.client" >> ${SOLR_KEYSTORES_DIR}/ssl-truststore-passwords.properties 253 | echo "keystore.password=$TRUSTSTORE_PASS" >> ${SOLR_KEYSTORES_DIR}/ssl-truststore-passwords.properties 254 | echo "alfresco.ca.password=$TRUSTSTORE_PASS" >> ${SOLR_KEYSTORES_DIR}/ssl-truststore-passwords.properties 255 | echo "ssl.repo.password=$TRUSTSTORE_PASS" >> ${SOLR_KEYSTORES_DIR}/ssl-truststore-passwords.properties 256 | echo 
"ssl.repo.client.password=$TRUSTSTORE_PASS" >> ${SOLR_KEYSTORES_DIR}/ssl-truststore-passwords.properties 257 | 258 | # Include SOLR Certificate in SOLR Keystore 259 | # Also adding CA Certificate for historical reasons 260 | keytool -importkeystore \ 261 | -srckeystore $CERTIFICATES_DIR/solr.p12 -destkeystore ${SOLR_KEYSTORES_DIR}/ssl.repo.client.keystore \ 262 | -srcstoretype PKCS12 -deststoretype $KEYSTORE_TYPE \ 263 | -srcstorepass $KEYSTORE_PASS -deststorepass $KEYSTORE_PASS \ 264 | -srcalias 1 -destalias ssl.repo.client \ 265 | -srckeypass $KEYSTORE_PASS -destkeypass $KEYSTORE_PASS \ 266 | -noprompt 267 | 268 | keytool -importcert -noprompt -alias ssl.alfresco.ca -file ca/certs/ca.cert.pem \ 269 | -keystore ${SOLR_KEYSTORES_DIR}/ssl.repo.client.keystore -storetype $KEYSTORE_TYPE -storepass $KEYSTORE_PASS 270 | 271 | # Create SOLR Keystore password file 272 | echo "aliases=ssl.alfresco.ca,ssl.repo.client" >> ${SOLR_KEYSTORES_DIR}/ssl-keystore-passwords.properties 273 | echo "keystore.password=$KEYSTORE_PASS" >> ${SOLR_KEYSTORES_DIR}/ssl-keystore-passwords.properties 274 | echo "ssl.repo.client.password=$KEYSTORE_PASS" >> ${SOLR_KEYSTORES_DIR}/ssl-keystore-passwords.properties 275 | echo "ssl.alfresco.ca.password=$KEYSTORE_PASS" >> ${SOLR_KEYSTORES_DIR}/ssl-keystore-passwords.properties 276 | 277 | 278 | # 279 | # Zeppelin (SOLR JDBC) 280 | # 281 | 282 | # Copy ZEPPELIN stores 283 | if [ "$ALFRESCO_VERSION" = "enterprise" ]; then 284 | 285 | cp ${SOLR_KEYSTORES_DIR}/ssl.repo.client.keystore ${ZEPPELIN_KEYSTORES_DIR}/ssl.repo.client.keystore 286 | cp ${SOLR_KEYSTORES_DIR}/ssl.repo.client.truststore ${ZEPPELIN_KEYSTORES_DIR}/ssl.repo.client.truststore 287 | 288 | fi 289 | 290 | # 291 | # ALFRESCO 292 | # 293 | 294 | # Include CA and SOLR certificates in Alfresco Truststore 295 | keytool -import -trustcacerts -noprompt -alias alfresco.ca -file ca/certs/ca.cert.pem \ 296 | -keystore ${ALFRESCO_KEYSTORES_DIR}/ssl.truststore -storetype $TRUSTSTORE_TYPE -storepass 
$TRUSTSTORE_PASS 297 | 298 | keytool -importcert -noprompt -alias ssl.repo.client -file $CERTIFICATES_DIR/solr.cer \ 299 | -keystore ${ALFRESCO_KEYSTORES_DIR}/ssl.truststore -storetype $TRUSTSTORE_TYPE -storepass $TRUSTSTORE_PASS 300 | 301 | # Create Alfresco TrustStore password file 302 | echo "aliases=alfresco.ca,ssl.repo.client" >> ${ALFRESCO_KEYSTORES_DIR}/ssl-truststore-passwords.properties 303 | echo "keystore.password=$TRUSTSTORE_PASS" >> ${ALFRESCO_KEYSTORES_DIR}/ssl-truststore-passwords.properties 304 | echo "alfresco.ca.password=$TRUSTSTORE_PASS" >> ${ALFRESCO_KEYSTORES_DIR}/ssl-truststore-passwords.properties 305 | echo "ssl.repo.client=$TRUSTSTORE_PASS" >> ${ALFRESCO_KEYSTORES_DIR}/ssl-truststore-passwords.properties 306 | 307 | # Include Alfresco Certificate in Alfresco Keystore 308 | # Also adding CA Certificate for historical reasons 309 | keytool -importkeystore \ 310 | -srckeystore $CERTIFICATES_DIR/repository.p12 -destkeystore ${ALFRESCO_KEYSTORES_DIR}/ssl.keystore \ 311 | -srcstoretype PKCS12 -deststoretype $KEYSTORE_TYPE \ 312 | -srcstorepass $KEYSTORE_PASS -deststorepass $KEYSTORE_PASS \ 313 | -srcalias 1 -destalias ssl.repo \ 314 | -srckeypass $KEYSTORE_PASS -destkeypass $KEYSTORE_PASS \ 315 | -noprompt 316 | 317 | keytool -importcert -noprompt -alias ssl.alfresco.ca -file ca/certs/ca.cert.pem \ 318 | -keystore ${ALFRESCO_KEYSTORES_DIR}/ssl.keystore -storetype $KEYSTORE_TYPE -storepass $KEYSTORE_PASS 319 | 320 | # Create Alfresco Keystore password file 321 | echo "aliases=ssl.alfresco.ca,ssl.repo" >> ${ALFRESCO_KEYSTORES_DIR}/ssl-keystore-passwords.properties 322 | echo "keystore.password=$KEYSTORE_PASS" >> ${ALFRESCO_KEYSTORES_DIR}/ssl-keystore-passwords.properties 323 | echo "ssl.repo.password=$KEYSTORE_PASS" >> ${ALFRESCO_KEYSTORES_DIR}/ssl-keystore-passwords.properties 324 | echo "ssl.alfresco.ca.password=$KEYSTORE_PASS" >> ${ALFRESCO_KEYSTORES_DIR}/ssl-keystore-passwords.properties 325 | 326 | # Generate Encryption Secret Key 327 | 
keytool -genseckey -alias metadata -keypass $ENC_METADATA_PASS -storepass $ENC_STORE_PASS -keystore ${ALFRESCO_KEYSTORES_DIR}/keystore \ 328 | -storetype $ENC_STORE_TYPE $ENC_KEY_ALG 329 | 330 | # Create Alfresco Encryption password file 331 | echo "aliases=metadata" >> ${ALFRESCO_KEYSTORES_DIR}/keystore-passwords.properties 332 | echo "keystore.password=$ENC_STORE_PASS" >> ${ALFRESCO_KEYSTORES_DIR}/keystore-passwords.properties 333 | echo "metadata.keyData=" >> ${ALFRESCO_KEYSTORES_DIR}/keystore-passwords.properties 334 | echo "metadata.algorithm=DESede" >> ${ALFRESCO_KEYSTORES_DIR}/keystore-passwords.properties 335 | echo "metadata.password=$ENC_METADATA_PASS" >> ${ALFRESCO_KEYSTORES_DIR}/keystore-passwords.properties 336 | 337 | 338 | # 339 | # CLIENT 340 | # 341 | 342 | # Create client (browser) certificate 343 | cp $CERTIFICATES_DIR/browser.p12 $CLIENT_KEYSTORES_DIR/browser.p12 344 | 345 | # 346 | # Renaming files for current Alfresco Format 347 | # 348 | if [ "$ALFRESCO_FORMAT" = "current" ]; then 349 | rm ${SOLR_KEYSTORES_DIR}/ssl-truststore-passwords.properties 350 | rm ${SOLR_KEYSTORES_DIR}/ssl-keystore-passwords.properties 351 | rm ${ALFRESCO_KEYSTORES_DIR}/ssl-truststore-passwords.properties 352 | rm ${ALFRESCO_KEYSTORES_DIR}/ssl-keystore-passwords.properties 353 | rm ${ALFRESCO_KEYSTORES_DIR}/keystore-passwords.properties 354 | mv ${SOLR_KEYSTORES_DIR}/ssl.repo.client.truststore ${SOLR_KEYSTORES_DIR}/ssl-repo-client.truststore 355 | mv ${SOLR_KEYSTORES_DIR}/ssl.repo.client.keystore ${SOLR_KEYSTORES_DIR}/ssl-repo-client.keystore 356 | if [ "$ALFRESCO_VERSION" = "enterprise" ]; then 357 | mv ${ZEPPELIN_KEYSTORES_DIR}/ssl.repo.client.keystore ${ZEPPELIN_KEYSTORES_DIR}/ssl-repo-client.keystore 358 | mv ${ZEPPELIN_KEYSTORES_DIR}/ssl.repo.client.truststore ${ZEPPELIN_KEYSTORES_DIR}/ssl-repo-client.truststore 359 | fi 360 | fi 361 | 362 | } 363 | 364 | # EXECUTION 365 | # Parse params from command line 366 | while test $# -gt 0 367 | do 368 | case "$1" in 369 
| # community, enterprise 370 | -alfrescoversion) 371 | ALFRESCO_VERSION=$2 372 | shift 373 | ;; 374 | # 2048, 4096, ... 375 | -keysize) 376 | KEY_SIZE=$2 377 | shift 378 | ;; 379 | # PKCS12, JKS, JCEKS 380 | -keystoretype) 381 | KEYSTORE_TYPE=$2 382 | shift 383 | ;; 384 | # JKS, JCEKS 385 | -truststoretype) 386 | TRUSTSTORE_TYPE=$2 387 | shift 388 | ;; 389 | # Password for keystores and private keys 390 | -keystorepass) 391 | KEYSTORE_PASS=$2 392 | shift 393 | ;; 394 | # Password for truststores 395 | -truststorepass) 396 | TRUSTSTORE_PASS=$2 397 | shift 398 | ;; 399 | # Password for encryption keystore 400 | -encstorepass) 401 | ENC_STORE_PASS=$2 402 | shift 403 | ;; 404 | # Password for encryption metadata 405 | -encmetadatapass) 406 | ENC_METADATA_PASS=$2 407 | shift 408 | ;; 409 | # DName for CA issuing the certificates 410 | -cacertdname) 411 | CA_DNAME="$2" 412 | shift 413 | ;; 414 | # DName for Repository certificate 415 | -repocertdname) 416 | REPO_CERT_DNAME="$2" 417 | shift 418 | ;; 419 | # DName for SOLR certificate 420 | -solrcertdname) 421 | SOLR_CLIENT_CERT_DNAME="$2" 422 | shift 423 | ;; 424 | # DName for Browser certificate 425 | -browsercertdname) 426 | BROWSER_CLIENT_CERT_DNAME="$2" 427 | shift 428 | ;; 429 | # DNS name for CA Server 430 | -caservername) 431 | CA_SERVER_NAME="$2" 432 | shift 433 | ;; 434 | # DNS name for Alfresco Server 435 | -alfrescoservername) 436 | ALFRESCO_SERVER_NAME="$2" 437 | shift 438 | ;; 439 | # DNS name for SOLR Server 440 | -solrservername) 441 | SOLR_SERVER_NAME="$2" 442 | shift 443 | ;; 444 | # Alfresco Format: "classic" / "current" is supported only from 7.0 445 | -alfrescoformat) 446 | ALFRESCO_FORMAT="$2" 447 | shift 448 | ;; 449 | # Validity of Root CA certificate in days 450 | -cavalidityduration) 451 | CA_VALIDITY_DURATION="$2" 452 | shift 453 | ;; 454 | *) 455 | echo "An invalid parameter was received: $1" 456 | echo "Allowed parameters:" 457 | echo " -alfrescoversion" 458 | echo " -keysize" 459 | echo " 
-keystoretype" 460 | echo " -keystorepass" 461 | echo " -truststoretype" 462 | echo " -truststorepass" 463 | echo " -encstorepass" 464 | echo " -encmetadatapass" 465 | echo " -cacertdname" 466 | echo " -repocertdname" 467 | echo " -solrcertdname" 468 | echo " -browsercertdname" 469 | echo " -caservername" 470 | echo " -alfrescoservername" 471 | echo " -solrservername" 472 | echo " -alfrescoformat" 473 | echo " -cavalidityduration" 474 | exit 1 475 | ;; 476 | esac 477 | shift 478 | done 479 | 480 | # Generating keystores, truststores and certificates 481 | generate 482 | -------------------------------------------------------------------------------- /ssl-tool/run_additional.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | 3 | set -o errexit 4 | set -o pipefail 5 | set -o nounset 6 | 7 | # This script is a follow up to run_ca.sh script. 8 | # It is responsible for sets of keystores and truststores for services to be used in mTLS approach. 

# Load common functions and variables.
# KEYSTORES_DIR, CERTIFICATES_DIR, CA_DIR, PASSWORD_PLACEHOLDER, askForPasswordIfNeeded and
# subjectAlternativeNames are used below but not defined in this file; they are expected to come from utils.sh.
SCRIPT_DIR="$(dirname "$(realpath "$0")")"
source $SCRIPT_DIR/utils.sh


# PARAMETERS
# Every value below is a default that the command-line parser at the bottom of the file may override.

# Using "current" format by default (only available from ACS 7.0+).
# In "current" format the *-passwords.properties files are NOT kept (see end of generate).
ALFRESCO_FORMAT=current

# Service name, to be used as folder name where results are generated to
SERVICE_NAME=service
# Folder name to place results of script in (defaults to SERVICE_NAME when left empty)
SUBFOLDER_NAME=
# Alias of private key in the generated keystore (defaults to SERVICE_NAME when left empty)
ALIAS=
# Role to be fulfilled by the keystore key (both/client/server); selects the openssl.cnf extension
# section (clientServer_cert / client_cert / server_cert) and the file name suffix, see settingsBasedOnRole
ROLE="both"
# Distinguished name (subject) of the SERVICE certificate issued by the CA.
# (The CA's own DN is configured in run_ca.sh, not here.)
SERVICE_CERT_DNAME="/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Service"
# Service server name, to be used as Alternative Name in the certificates (ignored for the client role)
SERVICE_SERVER_NAME=localhost

# Root CA Password: the password protecting the CA private key created by run_ca.sh (mandatory, no default)
ROOT_CA_PASS=
# RSA key length (2048, 4096)
KEY_SIZE=2048
# Keystore format (PKCS12, JKS, JCEKS)
KEYSTORE_TYPE=JCEKS
# Default password for keystore and private key.
# PASSWORD_PLACEHOLDER presumably marks "not provided yet" so that readKeystorePassword prompts for it — see utils.sh.
KEYSTORE_PASS=$PASSWORD_PLACEHOLDER

# Set to true by -notruststore to skip truststore generation
NO_TRUSTSTORE=false
# Truststore format (JKS, JCEKS)
TRUSTSTORE_TYPE=JCEKS
# Default password for truststore (same placeholder convention as KEYSTORE_PASS)
TRUSTSTORE_PASS=$PASSWORD_PLACEHOLDER

# Resolves the keystore password: hands the current value to askForPasswordIfNeeded via the global
# PASSWORD variable and stores the (possibly prompted) result back in KEYSTORE_PASS.
function readKeystorePassword {
  PASSWORD=$KEYSTORE_PASS
  askForPasswordIfNeeded "[service name] $SERVICE_NAME, [role] $ROLE, keystore"
  KEYSTORE_PASS=$PASSWORD
}

# Same as readKeystorePassword, for the truststore password (TRUSTSTORE_PASS).
function readTruststorePassword {
  PASSWORD=$TRUSTSTORE_PASS
  askForPasswordIfNeeded "[service name] $SERVICE_NAME, [role] $ROLE, truststore"
  TRUSTSTORE_PASS=$PASSWORD
}

# Set basic settings depending on role.
# Sets EXTENSION (openssl.cnf extension section used when signing) and FILE_SUFFIX (appended to the
# service name in generated file names). Exits with status 1 for an unknown role.
function settingsBasedOnRole {
  if [ "$ROLE" == "client" ]; then
    EXTENSION=client_cert
    FILE_SUFFIX=_client
    echo "Warning: For client role, servername parameter will be unused even if provided."
    # A pure client certificate gets no Subject Alternative Name, so the server name is dropped here
    SERVICE_SERVER_NAME=
  elif [ "$ROLE" == "server" ]; then
    EXTENSION=server_cert
    FILE_SUFFIX=_server
  elif [ "$ROLE" == "both" ]; then
    EXTENSION=clientServer_cert
    FILE_SUFFIX=
  elif [ -z "$ROLE" ]; then
    # Only reachable when the caller explicitly passed an empty value (-role ""), since the default is "both"
    echo "Warning: No role provided, using default role: 'both'"
    ROLE="both"
    EXTENSION=clientServer_cert
    FILE_SUFFIX=
  else
    echo "Unsupported role provided $ROLE, valid roles are client/server/both"
    exit 1
  fi
}

# Generates service keystore, truststore and certificate required for Alfresco SSL configuration.
#
# Outputs (under $KEYSTORES_DIR/$SUBFOLDER_NAME):
#   $FILE_NAME.keystore            - private key + service certificate, alias $ALIAS, plus the CA cert (alias ssl.alfresco.ca)
#   $FILE_NAME.truststore          - CA certificate only (alias alfresco.ca); skipped with -notruststore
#   $FILE_NAME-*-passwords.properties - cleartext password files, kept only for the "classic" format
# Intermediate key/CSR/cert/p12 files are left in $CERTIFICATES_DIR.
#
# Security notes (defender's view):
#   - The private key is written with -nodes, i.e. unencrypted, to $CERTIFICATES_DIR/$FILE_NAME.key
#     and the .p12/.keystore files are created with the caller's umask; restrict access to these directories.
#   - Passwords are passed to openssl/keytool as command-line arguments (pass:..., -passin, -storepass,
#     -keypass), so they are visible in the process list on a shared host while each tool runs.
#   - The *-passwords.properties files contain the passwords in cleartext.
function generate {
  echo "---Run Additional Script Execution for $SERVICE_NAME---"

  # The CA private key password is needed to sign the CSR below, so it cannot be defaulted
  if [ -z "$ROOT_CA_PASS" ]; then
    echo "Root CA password [parameter: rootcapass] is mandatory"
    exit 1
  fi

  if [ -z "$ALIAS" ]; then
    ALIAS=$SERVICE_NAME
  fi

  if [ -z "$SUBFOLDER_NAME" ]; then
    SUBFOLDER_NAME=$SERVICE_NAME
  fi

  settingsBasedOnRole

  readKeystorePassword
  if [ "$NO_TRUSTSTORE" = "false" ]; then
    readTruststorePassword
  fi

  SERVICE_KEYSTORES_DIR=$KEYSTORES_DIR/$SUBFOLDER_NAME
  if [ ! -d "$SERVICE_KEYSTORES_DIR" ]; then
    mkdir -p $SERVICE_KEYSTORES_DIR
  fi

  # Client-only certificates carry no SAN (settingsBasedOnRole already blanked the server name)
  if [ "$ROLE" != "client" ]; then
    subjectAlternativeNames $SERVICE_SERVER_NAME
  fi

  # Base name for every generated file, e.g. "solr", "transformRouter_client"
  FILE_NAME=$SERVICE_NAME$FILE_SUFFIX

  # Generate key and CSR.
  # -nodes: the private key file is NOT encrypted; it is only protected by file permissions.
  openssl req -newkey rsa:$KEY_SIZE -nodes -out $CERTIFICATES_DIR/$FILE_NAME.csr -keyout $CERTIFICATES_DIR/$FILE_NAME.key -subj "$SERVICE_CERT_DNAME"

  # Sign CSR with CA. $EXTENSION selects the role-specific extension section of openssl.cnf;
  # -batch -notext: non-interactive, certificate file without the human-readable dump.
  openssl ca -config $SCRIPT_DIR/openssl.cnf -extensions $EXTENSION -passin pass:$ROOT_CA_PASS -batch -notext \
  -in $CERTIFICATES_DIR/$FILE_NAME.csr -out $CERTIFICATES_DIR/$FILE_NAME.cer

  # Export keystore with key and certificate (PKCS12, chain completed with the CA certificate)
  openssl pkcs12 -export -out $CERTIFICATES_DIR/$FILE_NAME.p12 -inkey $CERTIFICATES_DIR/$FILE_NAME.key \
  -in $CERTIFICATES_DIR/$FILE_NAME.cer -password pass:$KEYSTORE_PASS -certfile $CA_DIR/certs/ca.cert.pem

  # Convert keystore to desired format, set alias.
  # openssl names the single PKCS12 entry "1"; it is renamed to $ALIAS in the destination store.
  # Store and key password are deliberately the same value (KEYSTORE_PASS).
  keytool -importkeystore \
  -srckeystore $CERTIFICATES_DIR/$FILE_NAME.p12 -destkeystore ${SERVICE_KEYSTORES_DIR}/$FILE_NAME.keystore \
  -srcstoretype PKCS12 -deststoretype $KEYSTORE_TYPE \
  -srcstorepass $KEYSTORE_PASS -deststorepass $KEYSTORE_PASS \
  -srcalias 1 -destalias $ALIAS \
  -srckeypass $KEYSTORE_PASS -destkeypass $KEYSTORE_PASS \
  -noprompt

  # Import CA certificate into Service keystore, for complete certificate chain
  keytool -importcert -noprompt -alias ssl.alfresco.ca -file $CA_DIR/certs/ca.cert.pem \
  -keystore ${SERVICE_KEYSTORES_DIR}/$FILE_NAME.keystore -storetype $KEYSTORE_TYPE -storepass $KEYSTORE_PASS

  # Create Keystore password file (cleartext).
  # ">>" appends: re-running for the same service/subfolder in "classic" format accumulates duplicate entries.
  echo "keystore.password=$KEYSTORE_PASS" >> ${SERVICE_KEYSTORES_DIR}/$FILE_NAME-keystore-passwords.properties
  echo "aliases=$ALIAS" >> ${SERVICE_KEYSTORES_DIR}/$FILE_NAME-keystore-passwords.properties
  echo "$ALIAS.password=$KEYSTORE_PASS" >> ${SERVICE_KEYSTORES_DIR}/$FILE_NAME-keystore-passwords.properties

  if [ "$NO_TRUSTSTORE" = "false" ]; then
    # Include CA certificates in Service Truststore (the CA is the only trust anchor)
    keytool -import -trustcacerts -noprompt -alias alfresco.ca -file $CA_DIR/certs/ca.cert.pem \
    -keystore ${SERVICE_KEYSTORES_DIR}/$FILE_NAME.truststore -storetype $TRUSTSTORE_TYPE -storepass $TRUSTSTORE_PASS

    # Create TrustStore password file (cleartext, appended like the keystore one)
    echo "keystore.password=$TRUSTSTORE_PASS" >> ${SERVICE_KEYSTORES_DIR}/$FILE_NAME-truststore-passwords.properties
    echo "aliases=alfresco.ca" >> ${SERVICE_KEYSTORES_DIR}/$FILE_NAME-truststore-passwords.properties
  fi

  #
  # Removing files for current Alfresco Format
  #
  # The password files are always written above and only deleted here, so in "current" format they
  # still exist on disk for a short time; the keystores themselves are kept.
  if [ "$ALFRESCO_FORMAT" = "current" ]; then
    rm ${SERVICE_KEYSTORES_DIR}/$FILE_NAME-keystore-passwords.properties
    if [ "$NO_TRUSTSTORE" = "false" ]; then
      rm ${SERVICE_KEYSTORES_DIR}/$FILE_NAME-truststore-passwords.properties
    fi
  fi
}

# EXECUTION
# Parse params from command line.
# Each value option reads $2 and shifts once here; the trailing shift after esac consumes the option itself.
# With "set -o nounset" an option given without its value makes the $2 expansion abort the script.
while test $# -gt 0
do
  case "$1" in
    # Service name
    -servicename)
      SERVICE_NAME=$2
      shift
      ;;
    # Subfolder name, useful for multiple keystores per service; if unset it takes the -servicename value
    -subfoldername)
      SUBFOLDER_NAME=$2
      shift
      ;;
    # Private Key alias
    -alias)
      ALIAS=$2
      shift
      ;;
    # Role: server, client, both (default)
    -role)
      ROLE=$2
      shift
      ;;
    # Root CA password (the -keystorepass given to run_ca.sh)
    -rootcapass)
      ROOT_CA_PASS=$2
      shift
      ;;
    # 2048, 4096, ... 
-keysize)
      KEY_SIZE=$2
      shift
      ;;
    # PKCS12, JKS, JCEKS
    -keystoretype)
      KEYSTORE_TYPE=$2
      shift
      ;;
    # Password for keystore and private key
    -keystorepass)
      KEYSTORE_PASS=$2
      shift
      ;;
    # Flag blocking generation of a truststore (takes no value, hence no extra shift)
    -notruststore)
      NO_TRUSTSTORE=true
      ;;
    # JKS, JCEKS
    -truststoretype)
      TRUSTSTORE_TYPE=$2
      shift
      ;;
    # Password for truststore
    -truststorepass)
      TRUSTSTORE_PASS=$2
      shift
      ;;
    # DName for Service certificate
    -certdname)
      SERVICE_CERT_DNAME="$2"
      shift
      ;;
    # DNS name for Service (Subject Alternative Name; ignored for -role client)
    -servername)
      SERVICE_SERVER_NAME="$2"
      shift
      ;;
    # Alfresco Format: "classic" / "current" is supported only from 7.0
    -alfrescoformat)
      ALFRESCO_FORMAT="$2"
      shift
      ;;
    # Unknown option: print usage and fail
    *)
      echo "An invalid parameter was received: $1"
      echo "Allowed parameters:"
      echo " -servicename"
      echo " -subfoldername"
      echo " -alias"
      echo " -role"
      echo " -rootcapass"
      echo " -keysize"
      echo " -keystoretype"
      echo " -keystorepass"
      echo " -notruststore"
      echo " -truststoretype"
      echo " -truststorepass"
      echo " -certdname"
      echo " -servername"
      echo " -alfrescoformat"
      exit 1
      ;;
  esac
  shift
done

generate
--------------------------------------------------------------------------------
/ssl-tool/run_ca.sh:
--------------------------------------------------------------------------------
#! /bin/bash

set -o errexit
set -o pipefail
set -o nounset

# This script is generating a Root CA.
# It is the first step of the "new approach": run_additional.sh and run_encryption.sh build on its output.

# Load common functions and variables.
# CA_DIR, KEYSTORES_DIR, CERTIFICATES_DIR, PASSWORD_PLACEHOLDER, askForPasswordIfNeeded and
# subjectAlternativeNames are used below but not defined here; they are expected to come from utils.sh.
SCRIPT_DIR="$(dirname "$(realpath "$0")")"
source $SCRIPT_DIR/utils.sh

# ----------
# PARAMETERS
# ----------
# Defaults; each may be overridden by the command-line parser at the bottom of the file.

# Distinguished name of the CA (subject of the self-signed root certificate)
CA_DNAME="/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA"
# Server name placed in the CA certificate as Subject Alternative Name (via subjectAlternativeNames)
CA_SERVER_NAME=localhost

# RSA key length (2048, 4096)
KEY_SIZE=2048
# Password protecting the CA private key (AES-256 encrypted on disk, see generate).
# PASSWORD_PLACEHOLDER presumably marks "not provided yet" so that readKeystorePassword prompts — see utils.sh.
# This same value has to be passed to run_additional.sh as -rootcapass.
KEYSTORE_PASS=$PASSWORD_PLACEHOLDER

# Validity of the Root CA certificate in days (override with -validityduration, minimum 1).
# The default is 365; the bundled sample scripts pass 1 so that a throwaway test CA expires quickly.
VALIDITY_DURATION=365

# SCRIPT

# Prepares the working directories. DESTRUCTIVE: wipes the contents of $CA_DIR (including any
# previously generated CA private key) and of $CERTIFICATES_DIR; $KEYSTORES_DIR is created but not emptied.
function cleanupFolders {
  # Remove previous working directories and certificates
  if [ -d $CA_DIR ]; then
    rm -rf $CA_DIR/*
  else
    mkdir $CA_DIR
  fi

  # Create folders for truststores, keystores and certificates
  if [ ! -d "$KEYSTORES_DIR" ]; then
    mkdir -p $KEYSTORES_DIR
  fi

  if [ ! -d "$CERTIFICATES_DIR" ]; then
    mkdir -p $CERTIFICATES_DIR
  else
    rm -rf $CERTIFICATES_DIR/*
  fi
}

# Resolves the CA key password: hands the current value to askForPasswordIfNeeded via the global
# PASSWORD variable and stores the (possibly prompted) result back in KEYSTORE_PASS.
function readKeystorePassword {
  PASSWORD=$KEYSTORE_PASS
  askForPasswordIfNeeded "Root CA"
  KEYSTORE_PASS=$PASSWORD
}

# Generates CA: an encrypted RSA private key in $CA_DIR/private and a self-signed certificate in $CA_DIR/certs,
# plus the openssl "ca" database files (index.txt, serial). Exits with status 1 on invalid validity or
# when $KEYSTORES_DIR already holds files.
function generate {

  if [ $VALIDITY_DURATION -lt 1 ]; then
    echo "Minimum validity of Root CA is 1 day"
    exit 1
  fi

  # If target folder for Keystores is not empty, skip generation.
  # Runs before cleanupFolders, so on a missing directory ls only complains on stderr and the check passes.
  if [ "$(ls -A $KEYSTORES_DIR)" ]; then
    echo "Keystores folder is not empty, skipping generation process..."
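exit 1
  fi

  cleanupFolders

  readKeystorePassword

  # ------------
  # CA
  # ------------

  # Directory layout and database files expected by "openssl ca" (see openssl.cnf)
  mkdir $CA_DIR/certs $CA_DIR/crl $CA_DIR/newcerts $CA_DIR/private
  chmod 700 $CA_DIR/private
  touch $CA_DIR/index.txt
  echo 1000 > $CA_DIR/serial

  # CA private key, AES-256 encrypted with KEYSTORE_PASS and readable by the owner only.
  # Note: the password is passed as a command-line argument and is therefore visible in the
  # process list on a shared host while openssl runs.
  openssl genrsa -aes256 -passout pass:$KEYSTORE_PASS -out $CA_DIR/private/ca.key.pem $KEY_SIZE
  chmod 400 $CA_DIR/private/ca.key.pem

  subjectAlternativeNames $CA_SERVER_NAME

  # Self-signed root certificate with the v3_ca extensions from openssl.cnf, valid VALIDITY_DURATION days
  openssl req -config $SCRIPT_DIR/openssl.cnf \
  -key $CA_DIR/private/ca.key.pem \
  -new -x509 -days $VALIDITY_DURATION -sha256 -extensions v3_ca \
  -out $CA_DIR/certs/ca.cert.pem \
  -subj "$CA_DNAME" \
  -passin pass:$KEYSTORE_PASS
  chmod 444 $CA_DIR/certs/ca.cert.pem
}

# EXECUTION
# Parse params from command line.
# Each value option reads $2 and shifts once here; the trailing shift after esac consumes the option itself.
# With "set -o nounset" an option given without its value makes the $2 expansion abort the script.
while test $# -gt 0
do
  case "$1" in
    # 2048, 4096, ...
    -keysize)
      KEY_SIZE=$2
      shift
      ;;
    # Password for keystore and private key
    -keystorepass)
      KEYSTORE_PASS=$2
      shift
      ;;
    # DName for CA issuing the certificates
    -certdname)
      CA_DNAME="$2"
      shift
      ;;
    # DNS name for CA Server
    -servername)
      CA_SERVER_NAME="$2"
      shift
      ;;
    # Validity of Root CA certificate in days
    -validityduration)
      VALIDITY_DURATION="$2"
      shift
      ;;
    # Unknown option: print usage and fail
    *)
      echo "An invalid parameter was received: $1"
      echo "Allowed parameters:"
      echo " -keysize"
      echo " -keystorepass"
      echo " -certdname"
      echo " -servername"
      echo " -validityduration"
      exit 1
      ;;
  esac
  shift
done

# Generating CA
generate
--------------------------------------------------------------------------------
/ssl-tool/run_encryption.sh:
--------------------------------------------------------------------------------
#! /bin/bash

set -o errexit
set -o pipefail
set -o nounset

# This script is generating the metadata encryption keystore (a single secret key, alias "metadata").

# Load common functions and variables.
# KEYSTORES_DIR, PASSWORD_PLACEHOLDER and askForPasswordIfNeeded are used below but not defined here;
# they are expected to come from utils.sh.
SCRIPT_DIR="$(dirname "$(realpath "$0")")"
source $SCRIPT_DIR/utils.sh

# ----------
# PARAMETERS
# ----------
# Defaults; each may be overridden by the command-line parser at the bottom of the file.

# Base name of the generated keystore ($SERVICE_NAME.keystore)
SERVICE_NAME=encryption
# Output folder under $KEYSTORES_DIR (defaults to SERVICE_NAME when left empty)
SUBFOLDER_NAME=

# Using "current" format by default (only available from ACS 7.0+).
# The format decides the store type, the key algorithm and whether a cleartext password file is written.
ALFRESCO_FORMAT=current

# Encryption secret key passwords: store password and key (entry) password.
# PASSWORD_PLACEHOLDER presumably marks "not provided yet" so that the read*Password helpers prompt — see utils.sh.
KEYSTORE_PASS=$PASSWORD_PLACEHOLDER
KEY_PASS=$PASSWORD_PLACEHOLDER

# Resolves the keystore password through askForPasswordIfNeeded (global PASSWORD in/out)
function readKeystorePassword {
  PASSWORD=$KEYSTORE_PASS
  askForPasswordIfNeeded "Encryption Keystore"
  KEYSTORE_PASS=$PASSWORD
}

# Resolves the key password through askForPasswordIfNeeded (global PASSWORD in/out)
function readKeyPassword {
  PASSWORD=$KEY_PASS
  askForPasswordIfNeeded "Encryption Key"
  KEY_PASS=$PASSWORD
}

# Generates Metadata keystore in $KEYSTORES_DIR/$SUBFOLDER_NAME/$SERVICE_NAME.keystore.
# For the "classic" format a $SERVICE_NAME-keystore-passwords.properties file holding the
# passwords in cleartext is written next to it; for "current" only the keystore is produced.
function generate {
  if [ -z "$SUBFOLDER_NAME" ]; then
    SUBFOLDER_NAME=$SERVICE_NAME
  fi

  # Encryption keystore format and key algorithm both depend on the Alfresco format:
  #   "current" -> PKCS12 store, 256-bit AES key
  #   otherwise ("classic") -> JCEKS store, DESede key
  if [ "$ALFRESCO_FORMAT" == "current" ]; then
    ENC_STORE_TYPE=PKCS12
    ENC_KEY_ALG="-keyalg AES -keysize 256"
  else
    ENC_STORE_TYPE=JCEKS
    ENC_KEY_ALG="-keyalg DESede"
  fi

  DESTINATION_DIR=$KEYSTORES_DIR/$SUBFOLDER_NAME
  # -p creates missing parents as well, so the script also works when $KEYSTORES_DIR does not exist yet
  # (e.g. when run on its own before run_ca.sh); a plain mkdir would fail there and errexit would abort.
  # Same idiom as run_additional.sh.
  if [ ! -d "$DESTINATION_DIR" ]; then
    mkdir -p $DESTINATION_DIR
  fi

  readKeystorePassword
  readKeyPassword

  # Generate Encryption Secret Key.
  # $ENC_KEY_ALG is intentionally unquoted: it holds several keytool arguments that must be word-split.
  # Passwords are passed as command-line arguments and are therefore visible in the process list while keytool runs.
  # NOTE(review): for PKCS12 stores keytool is expected to ignore a -keypass that differs from -storepass
  # (with a warning), so in "current" format KEY_PASS may effectively equal KEYSTORE_PASS — confirm with the consumer.
  keytool -genseckey -alias metadata -keypass $KEY_PASS -storepass $KEYSTORE_PASS -keystore ${DESTINATION_DIR}/$SERVICE_NAME.keystore \
  -storetype $ENC_STORE_TYPE $ENC_KEY_ALG

  if [ "$ALFRESCO_FORMAT" != "current" ]; then
    # Create Alfresco Encryption password file (cleartext; ">>" appends on re-runs)
    echo "aliases=metadata" >> ${DESTINATION_DIR}/$SERVICE_NAME-keystore-passwords.properties
    echo "keystore.password=$KEYSTORE_PASS" >> ${DESTINATION_DIR}/$SERVICE_NAME-keystore-passwords.properties
    echo "metadata.keyData=" >> ${DESTINATION_DIR}/$SERVICE_NAME-keystore-passwords.properties
    echo "metadata.algorithm=DESede" >> ${DESTINATION_DIR}/$SERVICE_NAME-keystore-passwords.properties
    echo "metadata.password=$KEY_PASS" >> ${DESTINATION_DIR}/$SERVICE_NAME-keystore-passwords.properties
  fi
}

# EXECUTION
# Parse params from command line.
# Each value option reads $2 and shifts once here; the trailing shift after esac consumes the option itself.
# With "set -o nounset" an option given without its value makes the $2 expansion abort the script.
while test $# -gt 0
do
  case "$1" in
    # Subfolder name, useful for multiple keystores per service; if unset it takes the -servicename value
    -subfoldername)
      SUBFOLDER_NAME=$2
      shift
      ;;
    # Service name
    -servicename)
      SERVICE_NAME=$2
      shift
      ;;
    # Password for encryption keystore
    -encstorepass)
      KEYSTORE_PASS=$2
      shift
      ;;
    # Password for encryption metadata
    -encmetadatapass)
      KEY_PASS=$2
      shift
      ;;
    # Alfresco Format: "classic" / "current" is supported only from 7.0
    -alfrescoformat)
      ALFRESCO_FORMAT="$2"
      shift
      ;;
    # Unknown option: print usage and fail
    *)
      echo "An invalid parameter was received: $1"
      echo "Allowed parameters:"
      echo " -subfoldername"
      echo " -servicename"
      echo " -encstorepass"
      echo " -encmetadatapass"
      echo " -alfrescoformat"
      exit 1
      ;;
  esac
  shift
done

# Generating 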
CA 126 | generate -------------------------------------------------------------------------------- /ssl-tool/samples/client_server.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | 3 | set -o errexit 4 | set -o pipefail 5 | set -o nounset 6 | 7 | SCRIPT_DIR="$(dirname "$(realpath "$0")")" 8 | source ${SCRIPT_DIR}/../utils.sh 9 | 10 | # SETTINGS 11 | # Alfresco Format: "classic" / "current" is supported only from 7.0 12 | ALFRESCO_FORMAT=current 13 | 14 | #CA 15 | bash ${SCRIPT_DIR}/../run_ca.sh -keysize 2048 -keystorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA" -servername localhost -validityduration 1 16 | #Alfresco 17 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename alfresco -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository" -servername localhost -alfrescoformat $ALFRESCO_FORMAT 18 | #Alfresco Metadata encryption 19 | bash ${SCRIPT_DIR}/../run_encryption.sh -subfoldername alfresco -servicename encryption -encstorepass mp6yc0UD9e -encmetadatapass oKIWzVdEdA -alfrescoformat $ALFRESCO_FORMAT 20 | #Solr 21 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename solr -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository Client" -servername localhost -alfrescoformat $ALFRESCO_FORMAT 22 | #Zeppelin (copy of Solr) 23 | ZEPPELIN_DIR=$KEYSTORES_DIR/zeppelin 24 | if [ -d $ZEPPELIN_DIR ]; then 25 | rm -rf $ZEPPELIN_DIR/* 26 | else 27 | mkdir $ZEPPELIN_DIR 28 | fi 29 | cp $KEYSTORES_DIR/solr/solr.keystore $ZEPPELIN_DIR/zeppelin.keystore 30 | cp $KEYSTORES_DIR/solr/solr.truststore 
$ZEPPELIN_DIR/zeppelin.truststore 31 | #Solr browser 32 | bash ${SCRIPT_DIR}/../run_additional.sh -subfoldername client -servicename browser -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype PKCS12 -keystorepass kT9X6oe68t -notruststore -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Browser Client" -alfrescoformat $ALFRESCO_FORMAT 33 | 34 | #Shared file store 35 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename sharedFileStore -alias sharedFileStore_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Shared File Store Server" -servername localhost -alfrescoformat $ALFRESCO_FORMAT 36 | #Transform Router 37 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename transformRouter -alias transformRouter_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router Client" -alfrescoformat $ALFRESCO_FORMAT 38 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename transformRouter -alias transformRouter_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router Server" -servername localhost -alfrescoformat $ALFRESCO_FORMAT 39 | #T-Engine AIO 40 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename tengineAIO -alias tengineAIO_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine AIO Client" -alfrescoformat 
$ALFRESCO_FORMAT 41 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename tengineAIO -alias tengineAIO_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine AIO Server" -servername localhost -alfrescoformat $ALFRESCO_FORMAT 42 | #T-Engine Imagemagick 43 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename tengineImageMagick -alias tengineImageMagick_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine ImageMagick Client" -alfrescoformat $ALFRESCO_FORMAT 44 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename tengineImageMagick -alias tengineImageMagick_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine ImageMagick Server" -servername localhost -alfrescoformat $ALFRESCO_FORMAT 45 | #T-Engine Libreoffice 46 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename tengineLibreOffice -alias tengineLibreOffice_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine LibreOffice Client" -alfrescoformat $ALFRESCO_FORMAT 47 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename tengineLibreOffice -alias tengineLibreOffice_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine 
LibreOffice Server" -servername localhost -alfrescoformat $ALFRESCO_FORMAT 48 | #T-Engine Pdfrenderer 49 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename tenginePdfRenderer -alias tenginePdfRenderer_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine PdfRenderer Client" -alfrescoformat $ALFRESCO_FORMAT 50 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename tenginePdfRenderer -alias tenginePdfRenderer_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine PdfRenderer Server" -servername localhost -alfrescoformat $ALFRESCO_FORMAT 51 | #T-Engine Tika 52 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename tengineTika -alias tengineTika_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Tika Client" -alfrescoformat $ALFRESCO_FORMAT 53 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename tengineTika -alias tengineTika_server -role server -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Tika Server" -servername localhost -alfrescoformat $ALFRESCO_FORMAT 54 | #T-Engine Misc 55 | bash ${SCRIPT_DIR}/../run_additional.sh -servicename tengineMisc -alias tengineMisc_client -role client -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco 
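Software Ltd./OU=Unknown/CN=T-Engine Misc Client" -alfrescoformat $ALFRESCO_FORMAT
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineMisc -alias tengineMisc_server -role server \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Misc Server" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"

#Custom T-Engine
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineCustom -alias tengineCustom_client -role client \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Custom Client" \
  -alfrescoformat "$ALFRESCO_FORMAT"
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineCustom -alias tengineCustom_server -role server \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Custom Server" \
  -servername localhost,additional -alfrescoformat "$ALFRESCO_FORMAT"

-------------------------------------------------------------------------------- /ssl-tool/samples/community.sh: --------------------------------------------------------------------------------
#! /bin/bash

set -o errexit
set -o pipefail
set -o nounset

# This script generates certificates for Repository and SOLR TLS/SSL Mutual Auth Communication:
#
# * CA Entity to issue all required certificates
# * Server Certificate for Alfresco
# * Server Certificate for SOLR
# * Client (browser) certificate, also issued by that CA
#
# "openssl.cnf" file is provided for CA Configuration.
#
# Following resources are generated in ${KEYSTORES_DIR}
# .
# ├── alfresco
# │   ├── ssl.keystore
# │   └── ssl.truststore
# ├── client
# │   └── browser.p12
# └── solr
#     ├── ssl.repo.client.keystore
#     └── ssl.repo.client.truststore
#
# "alfresco" files must be copied to "alfresco/keystore" folder
# "solr" files must be copied to "solr6/keystore"
# "client" files can be used from a browser to access the server using HTTPS in port 8983
#
# The private keys written to ${CERTIFICATES_DIR} are unencrypted (openssl "-nodes") and the
# keystore/truststore passwords are handed to openssl and keytool as command-line arguments,
# so they can be seen in the process list while the script is running.

# Load common functions and variables
SCRIPT_DIR="$(dirname "$(realpath "$0")")"
source "${SCRIPT_DIR}/../utils.sh"

# Work from the samples folder whatever the caller's current directory is: every path
# below ("ca", "keystores", "certificates", "../openssl.cnf") is relative to it.
# SCRIPT_DIR is then re-pointed to the ssl-tool folder, so the utils.sh function
# subjectAlternativeNames edits ssl-tool/openssl.cnf (the file "../openssl.cnf" refers to).
cd "${SCRIPT_DIR}/.."
SCRIPT_DIR="$(pwd)"
cd samples


# PARAMETERS

# Version of Alfresco: enterprise, community
# (accepted on the command line for parity with the other samples; not used by this script)
ALFRESCO_VERSION=community

# Using "current" format by default (only available from ACS 7.0+)
# (accepted on the command line for parity with the other samples; not used by this script)
ALFRESCO_FORMAT=current

# Distinguished name of the CA
CA_DNAME="/C=US/ST=OH/L=Cleveland/O=Hyland/OU=Alfresco/CN=Alfresco CA"
# Distinguished name of the Server Certificate for Alfresco
REPO_CERT_DNAME="/C=US/ST=OH/L=Cleveland/O=Hyland/OU=Alfresco/CN=Repository"
# Distinguished name of the Server Certificate for Search
SOLR_CLIENT_CERT_DNAME="/C=US/ST=OH/L=Cleveland/O=Hyland/OU=Alfresco/CN=Search"
# Distinguished name of the Browser Certificate for Search
BROWSER_CLIENT_CERT_DNAME="/C=US/ST=OH/L=Cleveland/O=Hyland/OU=Alfresco/CN=Search Client"

# Alfresco and SOLR server names, to be used as Alternative Name in the certificates
# (comma-separated list; every entry becomes a DNS entry in the certificate)
CA_SERVER_NAME=localhost
ALFRESCO_SERVER_NAME=localhost
SOLR_SERVER_NAME=localhost

# RSA key length (2048 or 3072)
KEY_SIZE=2048

# Keystore format (PKCS12 is recommended)
KEYSTORE_TYPE=PKCS12
# Truststore format (PKCS12 is recommended)
TRUSTSTORE_TYPE=PKCS12

# Default password for every keystore and private key
KEYSTORE_PASS=keystore
# Default password for every truststore
TRUSTSTORE_PASS=truststore

# Folder where keystores, truststores and certificates are generated
KEYSTORES_DIR=keystores
ALFRESCO_KEYSTORES_DIR=keystores/alfresco
SOLR_KEYSTORES_DIR=keystores/solr
ZEPPELIN_KEYSTORES_DIR=keystores/zeppelin
CLIENT_KEYSTORES_DIR=keystores/client
CERTIFICATES_DIR=certificates

#Root CA validity, left as 7300 for backwards compatibility
CA_VALIDITY_DURATION=7300

# SCRIPT

# Creates the folder given as $1 when it does not exist, otherwise empties it.
# The ":?" guard makes sure an empty argument can never turn the rm into "rm -rf /*".
function resetDir {
  local dir="${1:?resetDir requires a directory}"
  if [ ! -d "$dir" ]; then
    mkdir -p "$dir"
  else
    rm -rf "${dir:?}"/*
  fi
}

# Generates every keystore, truststore and certificate required for Alfresco SSL configuration.
# Uses the PARAMETERS above (as overridden from the command line); exits with status 1
# when ${KEYSTORES_DIR} already contains files, so an existing set is never overwritten.
function generate {

  # If target folder for Keystores is not empty, skip generation
  # (the -d test avoids an "ls" error on the very first run, when the folder does not exist yet)
  if [ -d "$KEYSTORES_DIR" ] && [ -n "$(ls -A "$KEYSTORES_DIR")" ]; then
    echo "Keystores folder is not empty, skipping generation process..."
    exit 1
  fi

  # Remove previous working directories and certificates
  if [ -d ca ]; then
    rm -rf ca/*
  fi

  # Create folders for truststores, keystores and certificates
  resetDir "$ALFRESCO_KEYSTORES_DIR"
  resetDir "$SOLR_KEYSTORES_DIR"
  resetDir "$CLIENT_KEYSTORES_DIR"
  resetDir "$CERTIFICATES_DIR"

  #
  # CA
  #

  # Generate a new CA Entity (the "openssl ca" database layout: certs, crl, newcerts, private, index, serial)
  if [ ! -d ca ]; then
    mkdir ca
  fi

  mkdir ca/certs ca/crl ca/newcerts ca/private
  chmod 700 ca/private
  touch ca/index.txt
  # Random starting serial number for the certificates issued by this CA
  RAND=$(od -N 4 -t uL -An /dev/urandom | tr -d " ")
  echo "${RAND}" > ca/serial

  # CA private key, encrypted with the keystore password and readable by the owner only
  openssl genrsa -aes256 -passout "pass:$KEYSTORE_PASS" -out ca/private/ca.key.pem "$KEY_SIZE"
  chmod 400 ca/private/ca.key.pem

  # Rewrites the [alt_names] section of ../openssl.cnf before the CA certificate is requested
  subjectAlternativeNames "$CA_SERVER_NAME"

  openssl req -config ../openssl.cnf \
    -key ca/private/ca.key.pem \
    -new -x509 -days "$CA_VALIDITY_DURATION" -sha256 -extensions v3_ca \
    -out ca/certs/ca.cert.pem \
    -subj "$CA_DNAME" \
    -passin "pass:$KEYSTORE_PASS"
  chmod 444 ca/certs/ca.cert.pem

  # Generate Server Certificate for Alfresco (issued by just generated CA)
  subjectAlternativeNames "$ALFRESCO_SERVER_NAME"

  # "-nodes" leaves the key unencrypted on disk, so restrict it to the owner right away
  openssl req -newkey "rsa:$KEY_SIZE" -nodes -out "$CERTIFICATES_DIR/repository.csr" -keyout "$CERTIFICATES_DIR/repository.key" -subj "$REPO_CERT_DNAME"
  chmod 600 "$CERTIFICATES_DIR/repository.key"

  openssl ca -config ../openssl.cnf -extensions clientServer_cert -passin "pass:$KEYSTORE_PASS" -batch -notext \
    -in "$CERTIFICATES_DIR/repository.csr" -out "$CERTIFICATES_DIR/repository.cer"

  openssl pkcs12 -export -out "$CERTIFICATES_DIR/repository.p12" -inkey "$CERTIFICATES_DIR/repository.key" \
    -in "$CERTIFICATES_DIR/repository.cer" -password "pass:$KEYSTORE_PASS" -certfile ca/certs/ca.cert.pem

  # Server Certificate for SOLR (issued by just generated CA)
  subjectAlternativeNames "$SOLR_SERVER_NAME"

  openssl req -newkey "rsa:$KEY_SIZE" -nodes -out "$CERTIFICATES_DIR/solr.csr" -keyout "$CERTIFICATES_DIR/solr.key" -subj "$SOLR_CLIENT_CERT_DNAME"
  chmod 600 "$CERTIFICATES_DIR/solr.key"

  openssl ca -config ../openssl.cnf -extensions clientServer_cert -passin "pass:$KEYSTORE_PASS" -batch -notext \
    -in "$CERTIFICATES_DIR/solr.csr" -out "$CERTIFICATES_DIR/solr.cer"

  openssl pkcs12 -export -out "$CERTIFICATES_DIR/solr.p12" -inkey "$CERTIFICATES_DIR/solr.key" \
    -in "$CERTIFICATES_DIR/solr.cer" -password "pass:$KEYSTORE_PASS" -certfile ca/certs/ca.cert.pem

  # Client Certificate for SOLR (issued by just generated CA)
  # No subjectAlternativeNames call here: the browser certificate keeps the SOLR alt_names
  # written just above, and it is signed with the client_cert extensions of openssl.cnf.
  openssl req -newkey "rsa:$KEY_SIZE" -nodes -out "$CERTIFICATES_DIR/browser.csr" -keyout "$CERTIFICATES_DIR/browser.key" \
    -subj "$BROWSER_CLIENT_CERT_DNAME"
  chmod 600 "$CERTIFICATES_DIR/browser.key"

  openssl ca -config ../openssl.cnf -extensions client_cert -passin "pass:$KEYSTORE_PASS" -batch -notext \
    -in "$CERTIFICATES_DIR/browser.csr" -out "$CERTIFICATES_DIR/browser.cer"

  openssl pkcs12 -export -out "$CERTIFICATES_DIR/browser.p12" -inkey "$CERTIFICATES_DIR/browser.key" \
    -in "$CERTIFICATES_DIR/browser.cer" -password "pass:$KEYSTORE_PASS" -certfile ca/certs/ca.cert.pem

  #
  # SOLR
  #

  # Include CA and Alfresco certificates in SOLR Truststore
  keytool -import -trustcacerts -noprompt -alias alfresco.ca -file ca/certs/ca.cert.pem \
    -keystore "${SOLR_KEYSTORES_DIR}/ssl.repo.client.truststore" -storetype "$TRUSTSTORE_TYPE" -storepass "$TRUSTSTORE_PASS"

  keytool -importcert -noprompt -alias ssl.repo -file "$CERTIFICATES_DIR/repository.cer" \
    -keystore "${SOLR_KEYSTORES_DIR}/ssl.repo.client.truststore" -storetype "$TRUSTSTORE_TYPE" -storepass "$TRUSTSTORE_PASS"

  # Include Solr Certificate in Solr Keystore (the PKCS12 produced by openssl has a single entry, alias "1")
  keytool -importkeystore \
    -srckeystore "$CERTIFICATES_DIR/solr.p12" -destkeystore "${SOLR_KEYSTORES_DIR}/ssl.repo.client.keystore" \
    -srcstoretype PKCS12 -deststoretype "$KEYSTORE_TYPE" \
    -srcstorepass "$KEYSTORE_PASS" -deststorepass "$KEYSTORE_PASS" \
    -srcalias 1 -destalias ssl.repo.client \
    -srckeypass "$KEYSTORE_PASS" -destkeypass "$KEYSTORE_PASS" \
    -noprompt

  #
  # ALFRESCO
  #

  # Include CA and SOLR certificates in Alfresco Truststore
  keytool -import -trustcacerts -noprompt -alias alfresco.ca -file ca/certs/ca.cert.pem \
    -keystore "${ALFRESCO_KEYSTORES_DIR}/ssl.truststore" -storetype "$TRUSTSTORE_TYPE" -storepass "$TRUSTSTORE_PASS"

  keytool -importcert -noprompt -alias ssl.repo.client -file "$CERTIFICATES_DIR/solr.cer" \
    -keystore "${ALFRESCO_KEYSTORES_DIR}/ssl.truststore" -storetype "$TRUSTSTORE_TYPE" -storepass "$TRUSTSTORE_PASS"

  # Include Alfresco Certificate in Alfresco Keystore
  keytool -importkeystore \
    -srckeystore "$CERTIFICATES_DIR/repository.p12" -destkeystore "${ALFRESCO_KEYSTORES_DIR}/ssl.keystore" \
    -srcstoretype PKCS12 -deststoretype "$KEYSTORE_TYPE" \
    -srcstorepass "$KEYSTORE_PASS" -deststorepass "$KEYSTORE_PASS" \
    -srcalias 1 -destalias ssl.repo \
    -srckeypass "$KEYSTORE_PASS" -destkeypass "$KEYSTORE_PASS" \
    -noprompt

  #
  # CLIENT
  #

  # Create client (browser) certificate
  cp "$CERTIFICATES_DIR/browser.p12" "$CLIENT_KEYSTORES_DIR/browser.p12"

}

# EXECUTION
# Parse params from command line (every option takes exactly one value)
while test $# -gt 0
do
  case "$1" in
    # community, enterprise
    -alfrescoversion)
      ALFRESCO_VERSION="$2"
      shift
    ;;
    # 2048, 4096, ...
    -keysize)
      KEY_SIZE="$2"
      shift
    ;;
    # PKCS12, JKS, JCEKS
    -keystoretype)
      KEYSTORE_TYPE="$2"
      shift
    ;;
    # JKS, JCEKS
    -truststoretype)
      TRUSTSTORE_TYPE="$2"
      shift
    ;;
    # Password for keystores and private keys
    -keystorepass)
      KEYSTORE_PASS="$2"
      shift
    ;;
    # Password for truststores
    -truststorepass)
      TRUSTSTORE_PASS="$2"
      shift
    ;;
    # Password for encryption keystore (accepted for compatibility with the other samples; unused here)
    -encstorepass)
      ENC_STORE_PASS="$2"
      shift
    ;;
    # Password for metadata encryption (listed in the usage text below, so it must be accepted
    # rather than rejected as an invalid parameter; unused here like -encstorepass)
    -encmetadatapass)
      ENC_METADATA_PASS="$2"
      shift
    ;;
    # DName for CA issuing the certificates
    -cacertdname)
      CA_DNAME="$2"
      shift
    ;;
    # DName for Repository certificate
    -repocertdname)
      REPO_CERT_DNAME="$2"
      shift
    ;;
    # DName for SOLR certificate
    -solrcertdname)
      SOLR_CLIENT_CERT_DNAME="$2"
      shift
    ;;
    # DName for Browser certificate
    -browsercertdname)
      BROWSER_CLIENT_CERT_DNAME="$2"
      shift
    ;;
    # DNS name for CA Server
    -caservername)
      CA_SERVER_NAME="$2"
      shift
    ;;
    # DNS name for Alfresco Server
    -alfrescoservername)
      ALFRESCO_SERVER_NAME="$2"
      shift
    ;;
    # DNS name for SOLR Server
    -solrservername)
      SOLR_SERVER_NAME="$2"
      shift
    ;;
    # Alfresco Format: "classic" / "current" is supported only from 7.0
    -alfrescoformat)
      ALFRESCO_FORMAT="$2"
      shift
    ;;
    # Validity of Root CA certificate in days
    -cavalidityduration)
      CA_VALIDITY_DURATION="$2"
      shift
    ;;
    *)
      echo "An invalid parameter was received: $1"
      echo "Allowed parameters:"
      echo " -alfrescoversion"
      echo " -keysize"
      echo " -keystoretype"
      echo " -keystorepass"
      echo " -truststoretype"
      echo " -truststorepass"
      echo " -encstorepass"
      echo " -encmetadatapass"
      echo " -cacertdname"
      echo " -repocertdname"
      echo " -solrcertdname"
      echo " -browsercertdname"
      echo " -caservername"
      echo " -alfrescoservername"
      echo " -solrservername"
      echo " -alfrescoformat"
      echo " -cavalidityduration"
      exit 1
    ;;
  esac
  shift
done

# Generating keystores, truststores and certificates
generate

-------------------------------------------------------------------------------- /ssl-tool/samples/legacy_client_server.sh: --------------------------------------------------------------------------------
#! /bin/bash

set -o errexit
set -o pipefail
set -o nounset

SCRIPT_DIR="$(dirname "$(realpath "$0")")"
source "${SCRIPT_DIR}/../utils.sh"

# SETTINGS
# Alfresco Format: "classic" / "current" is supported only from 7.0
ALFRESCO_FORMAT=current
# The fixed passwords below are sample values shared by all the sample scripts; they are
# passed as command-line arguments, so they are visible in the process list while running.

#CA, Repository, Solr, Zeppelin
bash "${SCRIPT_DIR}/../run.sh" -alfrescoversion community -keysize 2048 -keystoretype JCEKS -truststoretype JCEKS \
  -keystorepass kT9X6oe68t -truststorepass kT9X6oe68t -encstorepass mp6yc0UD9e -encmetadatapass oKIWzVdEdA \
  -alfrescoformat "$ALFRESCO_FORMAT" -cavalidityduration 1

#Shared file store
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename sharedFileStore -alias sharedFileStore_server -role server \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Shared File Store Server" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"

#Transform Router
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename transformRouter -alias transformRouter_client -role client \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router Client" \
  -alfrescoformat \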
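"$ALFRESCO_FORMAT"
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename transformRouter -alias transformRouter_server -role server \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router Server" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"

#T-Engine AIO
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineAIO -alias tengineAIO_client -role client \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine AIO Client" \
  -alfrescoformat "$ALFRESCO_FORMAT"
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineAIO -alias tengineAIO_server -role server \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine AIO Server" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"

#T-Engine Imagemagick
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineImageMagick -alias tengineImageMagick_client -role client \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine ImageMagick Client" \
  -alfrescoformat "$ALFRESCO_FORMAT"
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineImageMagick -alias tengineImageMagick_server -role server \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine ImageMagick Server" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine Libreoffice
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineLibreOffice -alias tengineLibreOffice_client -role client \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine LibreOffice Client" \
  -alfrescoformat "$ALFRESCO_FORMAT"
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineLibreOffice -alias tengineLibreOffice_server -role server \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine LibreOffice Server" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine Pdfrenderer
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tenginePdfRenderer -alias tenginePdfRenderer_client -role client \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine PdfRenderer Client" \
  -alfrescoformat "$ALFRESCO_FORMAT"
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tenginePdfRenderer -alias tenginePdfRenderer_server -role server \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine PdfRenderer Server" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine Tika
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineTika -alias tengineTika_client -role client \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Tika Client" \
  -alfrescoformat "$ALFRESCO_FORMAT"
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineTika -alias tengineTika_server -role server \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Tika Server" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine Misc
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineMisc -alias tengineMisc_client -role client \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Misc Client" \
  -alfrescoformat "$ALFRESCO_FORMAT"
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineMisc -alias tengineMisc_server -role server \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Misc Server" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"

#Custom T-Engine
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineCustom -alias tengineCustom_client -role client \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Custom Client" \
  -alfrescoformat "$ALFRESCO_FORMAT"
# The custom server certificate carries two DNS names ("localhost" and "additional")
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineCustom -alias tengineCustom_server -role server \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Custom Server" \
  -servername localhost,additional -alfrescoformat "$ALFRESCO_FORMAT"

-------------------------------------------------------------------------------- /ssl-tool/samples/legacy_simple.sh: --------------------------------------------------------------------------------
#! /bin/bash

set -o errexit
set -o pipefail
set -o nounset

SCRIPT_DIR="$(dirname "$(realpath "$0")")"
source "${SCRIPT_DIR}/../utils.sh"

# SETTINGS
# Alfresco Format: "classic" / "current" is supported only from 7.0
ALFRESCO_FORMAT=current
# The fixed passwords below are sample values shared by all the sample scripts; they are
# passed as command-line arguments, so they are visible in the process list while running.

#CA, Repository, Solr, Zeppelin
bash "${SCRIPT_DIR}/../run.sh" -alfrescoversion community -keysize 2048 -keystoretype JCEKS -truststoretype JCEKS \
  -keystorepass kT9X6oe68t -truststorepass kT9X6oe68t -encstorepass mp6yc0UD9e -encmetadatapass oKIWzVdEdA \
  -alfrescoformat "$ALFRESCO_FORMAT" -cavalidityduration 1

# One keystore/truststore pair per service, all issued by the CA generated above
#Shared file store
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename sharedFileStore \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Shared File Store" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#Transform Router
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename transformRouter \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine AIO
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineAIO \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine AIO" \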
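-servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine Imagemagick
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineImageMagick \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine ImageMagick" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine Libreoffice
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineLibreOffice \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine LibreOffice" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine Pdfrenderer
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tenginePdfRenderer \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine PdfRenderer" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine Tika
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineTika \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Tika" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine Misc
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineMisc \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Misc" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"

#Custom T-Engine
# The custom certificate carries two DNS names ("localhost" and "additional")
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineCustom \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Custom" \
  -servername localhost,additional -alfrescoformat "$ALFRESCO_FORMAT"

-------------------------------------------------------------------------------- /ssl-tool/samples/simple.sh: --------------------------------------------------------------------------------
#! /bin/bash

set -o errexit
set -o pipefail
set -o nounset

SCRIPT_DIR="$(dirname "$(realpath "$0")")"
source "${SCRIPT_DIR}/../utils.sh"

# SETTINGS
# Alfresco Format: "classic" / "current" is supported only from 7.0
ALFRESCO_FORMAT=current
# The fixed passwords below are sample values shared by all the sample scripts; they are
# passed as command-line arguments, so they are visible in the process list while running.

#CA
# Root CA valid for a single day (sample setting); the same password protects the CA key
# and is handed to the later run_additional.sh calls as -rootcapass
bash "${SCRIPT_DIR}/../run_ca.sh" -keysize 2048 -keystorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA" \
  -servername localhost -validityduration 1
#Alfresco
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename alfresco \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#Alfresco Metadata encryption
bash "${SCRIPT_DIR}/../run_encryption.sh" -subfoldername alfresco -servicename encryption \
  -encstorepass mp6yc0UD9e -encmetadatapass oKIWzVdEdA -alfrescoformat "$ALFRESCO_FORMAT"
#Solr
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename solr \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco Repository Client" \
  -servername localhost \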
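-alfrescoformat "$ALFRESCO_FORMAT"
#Zeppelin (copy of Solr)
# Zeppelin reuses the Solr keystore and truststore under its own names.
# KEYSTORES_DIR comes from utils.sh and is relative to the current directory.
ZEPPELIN_DIR="$KEYSTORES_DIR/zeppelin"
if [ -d "$ZEPPELIN_DIR" ]; then
  # ":?" guards against ever expanding to "rm -rf /*" should the variable be empty
  rm -rf "${ZEPPELIN_DIR:?}"/*
else
  mkdir "$ZEPPELIN_DIR"
fi
cp "$KEYSTORES_DIR/solr/solr.keystore" "$ZEPPELIN_DIR/zeppelin.keystore"
cp "$KEYSTORES_DIR/solr/solr.truststore" "$ZEPPELIN_DIR/zeppelin.truststore"
#Solr browser
# Client-only certificate (PKCS12, no truststore) for accessing Solr from a browser
bash "${SCRIPT_DIR}/../run_additional.sh" -subfoldername client -servicename browser -role client \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype PKCS12 -keystorepass kT9X6oe68t -notruststore \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Browser Client" \
  -alfrescoformat "$ALFRESCO_FORMAT"

# One keystore/truststore pair per transform service, all issued by the CA generated above
#Shared file store
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename sharedFileStore \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Shared File Store" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#Transform Router
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename transformRouter \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Transform Router" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine AIO
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineAIO \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine AIO" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine Imagemagick
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineImageMagick \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine ImageMagick" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine Libreoffice
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineLibreOffice \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine LibreOffice" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine Pdfrenderer
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tenginePdfRenderer \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine PdfRenderer" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine Tika
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineTika \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Tika" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"
#T-Engine Misc
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineMisc \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Misc" \
  -servername localhost -alfrescoformat "$ALFRESCO_FORMAT"

#Custom T-Engine
# The custom certificate carries two DNS names ("localhost" and "additional")
bash "${SCRIPT_DIR}/../run_additional.sh" -servicename tengineCustom \
  -rootcapass kT9X6oe68t -keysize 2048 -keystoretype JCEKS -keystorepass kT9X6oe68t -truststoretype JCEKS -truststorepass kT9X6oe68t \
  -certdname \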
"/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=T-Engine Custom" -servername localhost,additional -alfrescoformat $ALFRESCO_FORMAT 53 | -------------------------------------------------------------------------------- /ssl-tool/utils.sh: -------------------------------------------------------------------------------- 1 | SCRIPT_DIR="$(dirname "$(realpath "$0")")" 2 | 3 | # DIRECTORIES 4 | CA_DIR=ca 5 | KEYSTORES_DIR=keystores 6 | CERTIFICATES_DIR=certificates 7 | 8 | # PASSWORD RELATED 9 | PASSWORD_PLACEHOLDER="password_placeholder" 10 | 11 | function verifyPasswordConditions { 12 | CHECK_FAILED=false 13 | 14 | PASSWORD_LENGTH=${#PASSWORD} 15 | if [ $PASSWORD_LENGTH -lt 6 ] || [ $PASSWORD_LENGTH -gt 1023 ] 16 | then 17 | printf "\nPassword must have at least 6 characters and no more than 1023\n" 18 | CHECK_FAILED=true 19 | fi 20 | } 21 | 22 | function readPassword { 23 | read -s -r -p "Please enter password for $1 (leading and trailing spaces will be removed): " PASSWORD 24 | 25 | verifyPasswordConditions 26 | if $CHECK_FAILED; then 27 | PASSWORD=$PASSWORD_PLACEHOLDER 28 | return 29 | fi 30 | 31 | read -s -r -p $'\nPlease repeat pass phrase : ' PASSWORD_CHECK 32 | 33 | if [ "$PASSWORD" != "$PASSWORD_CHECK" ] 34 | then 35 | echo 36 | echo "Password verification failed" 37 | PASSWORD=$PASSWORD_PLACEHOLDER 38 | return 39 | fi 40 | } 41 | 42 | function askForPasswordIfNeeded { 43 | if [ "$PASSWORD" != "$PASSWORD_PLACEHOLDER" ]; then 44 | verifyPasswordConditions 45 | if $CHECK_FAILED; then 46 | exit 1 47 | fi 48 | fi 49 | 50 | while [ "$PASSWORD" == "$PASSWORD_PLACEHOLDER" ] 51 | do 52 | readPassword "$1" 53 | done 54 | 55 | echo 56 | } 57 | 58 | # SUBJECT ALTERNATIVE NAME 59 | function subjectAlternativeNames { 60 | #Subject Alternative Name provided through config file substitution 61 | if [ -n "$1" ]; then 62 | #Clear existing DNS.X lines in openssl.cnf file 63 | if [[ "$OSTYPE" == "darwin"* ]]; then 64 | sed -i '' '/^DNS./d' $SCRIPT_DIR/openssl.cnf 
65 | else 66 | sed -i '/^DNS./d' $SCRIPT_DIR/openssl.cnf 67 | fi 68 | 69 | SED_HOSTNAMES= 70 | COUNTER=0 71 | #Split given server names by "," separator 72 | #Create a string that would place every hostname as a separate DNS.{counter} = {hostname} line 73 | IFS=',' read -ra HOSTNAMES <<< "$1" 74 | for HOSTNAME in "${HOSTNAMES[@]}"; do 75 | COUNTER=$((COUNTER + 1)) 76 | SED_HOSTNAMES="$SED_HOSTNAMES\\ 77 | DNS.$COUNTER = $HOSTNAME" 78 | done 79 | 80 | #Place that string in openssl.cnf file under [alt_names] 81 | if [[ "$OSTYPE" == "darwin"* ]]; then 82 | sed -i '' "/\[alt_names\]/ {a${SED_HOSTNAMES} 83 | }" $SCRIPT_DIR/openssl.cnf 84 | else 85 | sed -i "/\[alt_names\]/ {a${SED_HOSTNAMES} 86 | }" $SCRIPT_DIR/openssl.cnf 87 | fi 88 | fi 89 | } --------------------------------------------------------------------------------