Support for ACS 7.0+ default configuration

aborroy · aborroy · commit 66c17f64c0e6 · 2020-06-30T13:45:51.000+02:00
From ACS 7.0, passwords for truststores, keystores and certificates can be passed using Java Environment variables via JAVA_TOOL_OPTIONS. So password files are not required any more.
Additionally, default generation for metadata encryption has been changed.
diff --git a/Dockerfile b/Dockerfile
@@ -33,7 +33,8 @@ ENV ALFRESCO_VERSION=enterprise \
     BROWSER_CERT_DNAME="/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Browser Client" \
     CA_SERVER_NAME=localhost \
     ALFRESCO_SERVER_NAME=localhost \
-    SOLR_SERVER_NAME=localhost
+    SOLR_SERVER_NAME=localhost \
+    ALFRESCO_FORMAT=current
 
 # Exposing working folders:
 # - keystores folder, where generated keystores, truststores and password files are produced
@@ -58,4 +59,5 @@ CMD ["sh", "-c", "./run.sh \
 -caservername \"$CA_SERVER_NAME\" \
 -alfrescoservername \"$ALFRESCO_SERVER_NAME\" \
 -solrservername \"$SOLR_SERVER_NAME\" \
+-alfrescoformat \"$ALFRESCO_FORMAT\" \
 "]
diff --git a/README.md b/README.md
@@ -107,6 +107,7 @@ Both command line scripts and Docker Image resources can be parametrised by usin
 | -caservername         | CA_SERVER_NAME        | DNS Name for CA Server       | Any string, `localhost` by default        |
 | -alfrescoservername   | ALFRESCO_SERVER_NAME  | DNS Name for Alfresco Server | Any string, `localhost` by default        |
 | -solrservername       | SOLR_SERVER_NAME      | DNS Name for SOLR Server     | Any string, `localhost` by default        |
+| -alfrescoformat       | ALFRESCO_FORMAT       | Default format for certificates, truststores and keystores | `classic` or `current` (only supported from ACS 7.0) |
 
 When using Alfresco on an internal network, each server should have a different name. This names can be configured on the parameters named as `*servername`. In order to avoid browser complains about certificates, it's recommended to include the name of the server as `Alternative Name` in the certificate. This should be at least required for SOLR Web Console, as this application is only available in `https` when using this configuration. If you are working under a Web Proxy, use the name of this proxy for the `*servername` parameters.
 
@@ -121,7 +122,7 @@ For instance, the following command will produce `keystores` folder in a host fo
 ```bash
 $ cd ssl-tool
 
-$ ./run.sh -keysize 2048 -alfrescoversion enterprise
+$ ./run.sh -keysize 2048 -alfrescoversion enterprise -alfrescoformat classic
 
 $ tree keystores/
 keystores/
@@ -155,6 +156,30 @@ $ ./run.sh -cacertdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco/OU=Unknown/CN=Linux
 
 Note that when `keystores` folder is not empty, the program exists without producing any keystore or truststore.
 
+When using `current` Alfresco format (default option), instead of `classic`, following output is generated.
+
+```bash
+$ cd ssl-tool
+
+$ ./run.sh -keysize 2048 -alfrescoversion enterprise
+
+$ tree keystores/
+keystores/
+├── alfresco
+│   ├── keystore
+│   ├── ssl.keystore
+│   └── ssl.truststore
+├── client
+│   └── browser.p12
+├── solr
+│   ├── ssl-repo-client.keystore
+│   └── ssl-repo-client.truststore
+└── zeppelin
+    ├── ssl-repo-client.keystore
+    └── ssl-repo-client.truststore
+```
+
+For the `current` format all the passwords are passed to the applications using Java Environment Variables, so the password files are not required any more.
 
 ## Batch Script Standalone (Windows)
 
@@ -167,7 +192,7 @@ For instance, the following command will produce `keystores` folder in a host fo
 ```bash
 C:\> cd ssl-tool-win
 
-C:\> run.cmd -keysize 2048 -alfrescoversion community
+C:\> run.cmd -keysize 2048 -alfrescoversion community -alfrescoformat classic
 
 C:\> tree /F keystores
 ├───alfresco
@@ -199,6 +224,28 @@ C:\> run.cmd -cacertdname "/C=GB/ST=UK/L=Maidenhead/O=Alfresco/OU=Unknown/CN=Win
 
 Note that when `keystores` folder is not empty, the program exists without producing any keystore or truststore.
 
+When using `current` Alfresco format (default option), instead of `classic`, following output is generated.
+
+```bash
+C:\> cd ssl-tool-win
+
+C:\> run.cmd -keysize 2048 -alfrescoversion community
+
+C:\> tree /F keystores
+├───alfresco
+│       keystore
+│       ssl.keystore
+│       ssl.truststore
+│
+├───client
+│       browser.p12
+│
+└───solr
+        ssl.repo.client.keystore
+        ssl.repo.client.truststore
+```
+
+For the `current` format all the passwords are passed to the applications using Java Environment Variables, so the password files are not required any more.
 
 ## Installing Browser certificate
 
@@ -251,21 +298,16 @@ $ tree keystores
 keystores
 ├── alfresco
 │   ├── keystore
-│   ├── keystore-passwords.properties
-│   ├── ssl-keystore-passwords.properties
-│   ├── ssl-truststore-passwords.properties
 │   ├── ssl.keystore
 │   └── ssl.truststore
 ├── client
 │   └── browser.p12
 ├── solr
-│   ├── ssl-keystore-passwords.properties
-│   ├── ssl-truststore-passwords.properties
-│   ├── ssl.repo.client.keystore
-│   └── ssl.repo.client.truststore
+│   ├── ssl-repo-client.keystore
+│   └── ssl-repo-client.truststore
 └── zeppelin
-    ├── ssl.repo.client.keystore
-    └── ssl.repo.client.truststore
+    ├── ssl-repo-client.keystore
+    └── ssl-repo-client.truststore
 ```    
 
 **Parameters**
diff --git a/ssl-tool-win/run.cmd b/ssl-tool-win/run.cmd
@@ -8,7 +8,7 @@ REM * Server Certificate for SOLR (alias ssl.repo.client)
 REM
 REM "openssl.cnf" file is provided for CA Configuration.
 REM
-REM Once this script has been executed successfully, following resources are generated in ${KEYSTORES_DIR} folder:
+REM Once this script has been executed successfully, following resources are generated in %KEYSTORES_DIR% folder:
 REM
 REM .
 REM ├── alfresco
@@ -29,6 +29,22 @@ REM └── zeppelin
 REM     ├── ssl.repo.client.keystore
 REM     └── ssl.repo.client.truststore
 REM
+REM When using "current" Alfresco format (available from ACS 7.0), following resources are generated in %KEYSTORES_DIR%
+REM
+REM .
+REM ├── alfresco
+REM │   ├── keystore
+REM │   ├── ssl.keystore
+REM │   └── ssl.truststore
+REM ├── client
+REM │   └── browser.p12
+REM ├── solr
+REM │   ├── ssl-repo-client.keystore
+REM │   └── ssl-repo-client.truststore
+REM └── zeppelin
+REM     ├── ssl-repo-client.keystore
+REM     └── ssl-repo-client.truststore
+REM
 REM "alfresco" files must be copied to "alfresco/keystore" folder
 REM "solr" files must be copied to "solr6/keystore"
 REM "zeppelin" files must be copied to "zeppelin/keystore"
@@ -41,6 +57,9 @@ REM ----------
 REM Version of Alfresco: enterprise, community
 SET ALFRESCO_VERSION=enterprise
 
+REM Using "current" format by default (only available from ACS 7.0+)
+SET ALFRESCO_FORMAT=current
+
 REM Distinguished name of the CA
 SET CA_DNAME=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA
 REM Distinguished name of the Server Certificate for Alfresco
@@ -62,8 +81,12 @@ REM Keystore format (PKCS12, JKS, JCEKS)
 SET KEYSTORE_TYPE=JCEKS
 REM Truststore format (JKS, JCEKS)
 SET TRUSTSTORE_TYPE=JCEKS
-REM Encryption keystore format (JCEKS)
-SET ENC_STORE_TYPE=JCEKS
+REM Encryption keystore format: PKCS12 (default for "current"), JCEKS (default for "classic")
+IF "%ALFRESCO_FORMAT%" == "current" (
+  SET ENC_STORE_TYPE=PKCS12
+) ELSE (
+  SET ENC_STORE_TYPE=JCEKS
+)
 
 REM Default password for every keystore and private key
 SET KEYSTORE_PASS=keystore
@@ -73,6 +96,12 @@ SET TRUSTSTORE_PASS=truststore
 REM Encryption secret key passwords
 SET ENC_STORE_PASS=password
 SET ENC_METADATA_PASS=password
+REM Encryption keystore format: PKCS12 (default for "current"), JCEKS (default for "classic")
+IF "%ALFRESCO_FORMAT%" == "current" (
+  SET ENC_KEY_ALG="-keyalg AES -keysize 256"
+) ELSE (
+  SET ENC_KEY_ALG="-keyalg DESede"
+)
 
 REM Parse params from command line
 :loop
@@ -167,6 +196,12 @@ IF NOT "%1"=="" (
     SHIFT
     GOTO loop
   )
+  IF "%1"=="-alfrescoformat" (
+    SHIFT
+    SET ALFRESCO_FORMAT=%~2
+    SHIFT
+    GOTO loop
+  )
   ECHO "An invalid parameter was received: %1"
   EXIT /b
 )
@@ -376,7 +411,7 @@ ECHO ssl.alfresco.ca.password=%KEYSTORE_PASS%>> %ALFRESCO_KEYSTORES_DIR%\ssl-key
 
 REM Generate Encryption Secret Key
 keytool -genseckey -alias metadata -keypass %ENC_METADATA_PASS% -storepass %ENC_STORE_PASS% -keystore %ALFRESCO_KEYSTORES_DIR%\keystore ^
--storetype %ENC_STORE_TYPE% -keyalg DESede
+-storetype %ENC_STORE_TYPE% %ENC_KEY_ALG%
 
 REM Create Alfresco Encryption password file
 ECHO aliases=metadata>> %ALFRESCO_KEYSTORES_DIR%\keystore-passwords.properties
@@ -398,3 +433,16 @@ keytool -importkeystore ^
 -srcalias 1 -destalias browser ^
 -srckeypass %KEYSTORE_PASS% -destkeypass %KEYSTORE_PASS% ^
 -noprompt
+
+REM Renaming files for current Alfresco Format
+IF "%ALFRESCO_FORMAT%" == "current" (
+    del %SOLR_KEYSTORES_DIR%/ssl-truststore-passwords.properties
+    del %SOLR_KEYSTORES_DIR%/ssl-keystore-passwords.properties
+    del %ALFRESCO_KEYSTORES_DIR%/ssl-truststore-passwords.properties
+    del %ALFRESCO_KEYSTORES_DIR%/ssl-keystore-passwords.properties
+    del %ALFRESCO_KEYSTORES_DIR%/keystore-passwords.properties
+    move %SOLR_KEYSTORES_DIR%/ssl.repo.client.truststore %SOLR_KEYSTORES_DIR%/ssl-repo-client.truststore
+    move %SOLR_KEYSTORES_DIR%/ssl.repo.client.keystore %SOLR_KEYSTORES_DIR%/ssl-repo-client.keystore
+    move %ZEPPELIN_KEYSTORES_DIR%/ssl.repo.client.keystore %ZEPPELIN_KEYSTORES_DIR%/ssl-repo-client.keystore
+    move %ZEPPELIN_KEYSTORES_DIR%/ssl.repo.client.truststore %ZEPPELIN_KEYSTORES_DIR%/ssl-repo-client.truststore
+)
diff --git a/ssl-tool/run.sh b/ssl-tool/run.sh
@@ -12,7 +12,7 @@ set -o nounset
 #
 # "openssl.cnf" file is provided for CA Configuration.
 #
-# Once this script has been executed successfully, following resources are generated in ${KEYSTORES_DIR} folder:
+# Once this script has been executed successfully, following resources are generated in ${KEYSTORES_DIR} folder for "classic" Alfresco format:
 #
 # .
 # ├── alfresco
@@ -33,6 +33,21 @@ set -o nounset
 #     ├── ssl.repo.client.keystore
 #     └── ssl.repo.client.truststore
 #
+# When using "current" Alfresco format (available from ACS 7.0), following resources are generated in ${KEYSTORES_DIR}
+# .
+# ├── alfresco
+# │   ├── keystore
+# │   ├── ssl.keystore
+# │   └── ssl.truststore
+# ├── client
+# │   └── browser.p12
+# ├── solr
+# │   ├── ssl-repo-client.keystore
+# │   └── ssl-repo-client.truststore
+# └── zeppelin
+#     ├── ssl-repo-client.keystore
+#     └── ssl-repo-client.truststore
+#
 # "alfresco" files must be copied to "alfresco/keystore" folder
 # "solr" files must be copied to "solr6/keystore"
 # "zeppelin" files must be copied to "zeppelin/keystore"
@@ -43,6 +58,9 @@ set -o nounset
 # Version of Alfresco: enterprise, community
 ALFRESCO_VERSION=enterprise
 
+# Using "current" format by default (only available from ACS 7.0+)
+ALFRESCO_FORMAT=current
+
 # Distinguished name of the CA
 CA_DNAME="/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA"
 # Distinguished name of the Server Certificate for Alfresco
@@ -64,8 +82,12 @@ KEY_SIZE=1024
 KEYSTORE_TYPE=JCEKS
 # Truststore format (JKS, JCEKS)
 TRUSTSTORE_TYPE=JCEKS
-# Encryption keystore format (JCEKS)
-ENC_STORE_TYPE=JCEKS
+# Encryption keystore format: PKCS12 (default for "current"), JCEKS (default for "classic")
+if [ "$ALFRESCO_FORMAT" = "current" ]; then
+  ENC_STORE_TYPE=PKCS12
+else
+  ENC_STORE_TYPE=JCEKS
+fi
 
 # Default password for every keystore and private key
 KEYSTORE_PASS=keystore
@@ -75,6 +97,12 @@ TRUSTSTORE_PASS=truststore
 # Encryption secret key passwords
 ENC_STORE_PASS=password
 ENC_METADATA_PASS=password
+# Key algorithm: AES (default for "current"), DESede (default for "classic")
+if [ "$ALFRESCO_FORMAT" = "current" ]; then
+  ENC_KEY_ALG="-keyalg AES -keysize 256"
+else
+  ENC_KEY_ALG="-keyalg DESede"
+fi
 
 # Folder where keystores, truststores and cerfiticates are generated
 KEYSTORES_DIR=keystores
@@ -303,7 +331,7 @@ function generate {
 
   # Generate Encryption Secret Key
   keytool -genseckey -alias metadata -keypass $ENC_METADATA_PASS -storepass $ENC_STORE_PASS -keystore ${ALFRESCO_KEYSTORES_DIR}/keystore \
-  -storetype $ENC_STORE_TYPE -keyalg DESede
+  -storetype $ENC_STORE_TYPE $ENC_KEY_ALG
 
   # Create Alfresco Encryption password file
   echo "aliases=metadata" >> ${ALFRESCO_KEYSTORES_DIR}/keystore-passwords.properties
@@ -326,6 +354,21 @@ function generate {
   -srckeypass $KEYSTORE_PASS -destkeypass $KEYSTORE_PASS \
   -noprompt
 
+  #
+  # Renaming files for current Alfresco Format
+  #
+  if [ "$ALFRESCO_FORMAT" = "current" ]; then
+    rm ${SOLR_KEYSTORES_DIR}/ssl-truststore-passwords.properties
+    rm ${SOLR_KEYSTORES_DIR}/ssl-keystore-passwords.properties
+    rm ${ALFRESCO_KEYSTORES_DIR}/ssl-truststore-passwords.properties
+    rm ${ALFRESCO_KEYSTORES_DIR}/ssl-keystore-passwords.properties
+    rm ${ALFRESCO_KEYSTORES_DIR}/keystore-passwords.properties
+    mv ${SOLR_KEYSTORES_DIR}/ssl.repo.client.truststore ${SOLR_KEYSTORES_DIR}/ssl-repo-client.truststore
+    mv ${SOLR_KEYSTORES_DIR}/ssl.repo.client.keystore ${SOLR_KEYSTORES_DIR}/ssl-repo-client.keystore
+    mv ${ZEPPELIN_KEYSTORES_DIR}/ssl.repo.client.keystore ${ZEPPELIN_KEYSTORES_DIR}/ssl-repo-client.keystore
+    mv ${ZEPPELIN_KEYSTORES_DIR}/ssl.repo.client.truststore ${ZEPPELIN_KEYSTORES_DIR}/ssl-repo-client.truststore
+  fi
+
 }
 
 # EXECUTION
@@ -408,6 +451,11 @@ do
             SOLR_SERVER_NAME="$2"
             shift
         ;;
+        # Alfresco Format: "classic" / "current" is supported only from 7.0
+        -alfrescoformat)
+            ALFRESCO_FORMAT="$2"
+            shift
+        ;;
         *)
             echo "An invalid parameter was received: $1"
             echo "Allowed parameters:"
@@ -426,6 +474,7 @@ do
             echo "  -caservername"
             echo "  -alfrescoservername"
             echo "  -solrservername"
+            echo "  -alfrescoformat"
             exit 1
         ;;
     esac
