There are a number of ways to access Alfresco in addition to the common usage of the Share UI. One of the ways that Alfresco exposes itself is through FTP. Often however, organizations prefer to secure their FTP connection into Alfresco using certificates and keys (FTPS). This knowledge base article aims to show one how to configure Alfresco for FTPS access.
There are four areas to focus to accomplish this:
1. Alfresco Keystore and Truststore
2. FTP and FTPS configurations in Alfresco's global properties
3. FTP client connection instructions
4. Debugging in case you run into issues
First, we'll start with creating the keystore and cacerts file. Here we'll create a self-signed certificate for this KB articles' example.
Part 1. Create the keystore and cacerts file.
In this simple example, you will create a self-signed certificate for both Java keystore and cacert file.
Run the following command to create a key for Alfresco:
# <Alfresco Install Dir>/java/bin keytool -genkey -alias tomcat -keypass secret -keyalg RSA
You will be prompted for a password (use "secret" as shown from the command above). Also, give your name, the hostname, ogranization, city, state and country code.
This command will by default create a .keystore file in your user's home directory. In my example this will write to the .keystore file in /root/ directory (/root/.keystore).
Next, we'll export the generated key into a server.crt file
# <Alfresco Install Dir>/java/bin keytool -export -alias tomcat -keypass secret -file server.crt
After entering the password you will see the response:
Certificate stored in file <server.crt>
Now, import the server.crt into this Alfresco keystore:
# <Alfresco Install Dir>/bin keytool -import -file server.crt -keypass secret -keystore /root/.truststore
Provide the password (default "secret") and confirm the certificate. If all goes well, you will see this response:
Certificate was added to keystore
Part 2: Configure the alfresco-global.properties file
Open the file <Alfresco Install Dir>/tomcat/shared/classes/alfresco-global.properties and add the following settings:
### FTP Server Configuration ###
ftp.port=21 (Change to a different port if running Alfresco as a non-root user)
ftp.ipv6.enabled=false
ftp.keyStore=/root/.keystore
ftp.trustStore=/root/.truststore
ftp.keyStorePassphrase=secret
ftp.trustStorePassphrase=secret
ftp.requireSecureSession=true
Make sure the keyStore and trustStore paths are absolute or Java will not find the certificate at runtime.
Part 3: Connecting to Alfresco FTP server using FileZilla FTP client
On a client (Windows) open FileZilla and go to File > Site Manager. In the General tab, enter the Alfresco hostname and the ftp port number as it was set in Part 2.
Make sure these client configurations are used within Filezilla:
- Protocol "FTP - File Transfer Protocol"
- Encyption "Require explicit FTP over TLS"
- Login Type "Normal"
Use your Alfresco user's username and password and then click Connect. You should see something similar in Filezilla that will confirm the FTPS connection to Alfresco is working:
Status: Resolving address of <alfresco_host>
Status: Connecting to 192.168.163.168:2121...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Status: Directory listing of "/" successful
Keep in mind that during the first connection, Filezilla will prompt you to accept an unknown Certificate from Alfresco. Select "Always trust this certificate in future sessions". Subsequent connections will not show this dialogue. If there is any error connection, you should see something similar to the following in FileZilla:
Command: AUTH SSL
Response: 534 SSL/TLS sessions not available
Error: Critical error: Could not connect to server
Status: Disconnected from server
If you do see errors, double-check your Alfresco global properties file. If needed, have a look at Part 4 and follow steps to debug the connection. There should then be more information in Alfresco's log files.
Part 4: Configure and Enable DEBUG logging for Alfresco FTP
Add the following to <Alfresco Install Dir>/tomcat/webapps/alfresco/WEB-INF/classes/log4j.properties and restart Alfresco:
# File servers
log4j.logger.org.alfresco.fileserver=debug
# FTP server debugging
log4j.logger.org.alfresco.ftp.protocol=debug
log4j.logger.org.alfresco.ftp.server=debug
No comments:
Post a Comment