Generating Repository SSL Keystores

This task describes how to create an SSL public/private keystore and a certificate for the repository.
The following instructions create an RSA public/private key pair for the repository, with a certificate signed by the SkyVault Certificate Authority (CA). They also create a truststore for the repository containing the CA certificate, which is used to authenticate connections from Solr to specific repository URLs. The instructions assume that the SkyVault CA key and certificate are available to sign the repository certificate. For security reasons, however, they may not be available. You can either generate your own CA key and certificate or use a recognised Certificate Authority, such as Verisign. To generate your own CA key and certificate, see Generating CA key and certificate.
Note: <store password> is the keystore password. The file C:\Alfresco\alf_data\keystore\ssl-keystore-passwords.properties contains the passwords for the SSL keystore, and the file C:\Alfresco\alf_data\keystore\ssl-truststore-passwords.properties contains the passwords for the SSL truststore.
  1. Generate the repository public/private key pair in a keystore.

    $ keytool -genkey -alias repo -keyalg RSA -keystore ssl.keystore -storetype JCEKS -storepass <store password>
    Enter keystore password:  
    Re-enter new password: 
    What is your first and last name?
      [Unknown]:  SkyVault Repository
    What is the name of your organizational unit?
      [Unknown]:  
    What is the name of your organization?
      [Unknown]:  SkyVault Software Ltd.
    What is the name of your City or Locality?
      [Unknown]:  Maidenhead 
    What is the name of your State or Province?
      [Unknown]:  UK
    What is the two-letter country code for this unit?
      [Unknown]:  GB
    Is CN=SkyVault Repository, OU=Unknown, O=SkyVault Software Ltd., L=Maidenhead, ST=UK, C=GB correct?
      [no]:  yes
    
    Enter key password for <repo>
    	(RETURN if same as keystore password):
           
  2. Generate a certificate request for the repository key.

    $ keytool -keystore ssl.keystore -alias repo -certreq -file repo.csr -storetype JCEKS -storepass <store password>
  3. SkyVault CA signs the certificate request and creates a certificate that is valid for 365 days.

    $ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days 365
    Signature ok
    subject=/C=GB/ST=UK/L=Maidenhead/O=SkyVault Software Ltd./OU=Unknown/CN=SkyVault Repository
    Getting CA Private Key
    Enter pass phrase for ca.key:
  4. Import the SkyVault CA certificate (ca.crt) into the repository keystore.

    $ keytool -import -alias SkyVaultCA -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password>
    Enter keystore password:  
    Owner: CN=SkyVault CA, O=SkyVault Software Ltd., L=Maidenhead, ST=UK, C=GB
    Issuer: CN=SkyVault CA, O=SkyVault Software Ltd., L=Maidenhead, ST=UK, C=GB
    Serial number: 805ba6dc8f62f8b8
    Valid from: Fri Aug 12 13:28:58 BST 2011 until: Mon Aug 09 13:28:58 BST 2021
    Certificate fingerprints:
    	 MD5:  4B:45:94:2D:8E:98:E8:12:04:67:AD:AE:48:3C:F5:A0
    	 SHA1: 74:42:22:D0:52:AD:82:7A:FD:37:46:37:91:91:F4:77:89:3A:C9:A3
    	 Signature algorithm name: SHA1withRSA
    	 Version: 3
    
    Extensions: 
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 08 42 40 DC FE 4A 50 87   05 2B 38 4D 92 70 8E 51  .B@..JP..+8M.p.Q
    0010: 4E 38 71 D6                                        N8q.
    ]
    ]
    
    #2: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
    
    #3: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 08 42 40 DC FE 4A 50 87   05 2B 38 4D 92 70 8E 51  .B@..JP..+8M.p.Q
    0010: 4E 38 71 D6                                        N8q.
    ]
    
    [CN=SkyVault CA, O=SkyVault Software Ltd., L=Maidenhead, ST=UK, C=GB]
    SerialNumber: [    805ba6dc 8f62f8b8]
    ]
    
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  5. Import the CA-signed repository certificate into the repository keystore.

    $ keytool -import -alias repo -file repo.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password>
    Enter keystore password:  
    Certificate reply was installed in keystore
  6. Convert the repository keystore to a pkcs12 keystore (for use in browsers, such as Firefox). Specify the keystore password for the pkcs12 keystore as 'SkyVault', matching the -deststorepass value in the command.

    $ keytool -importkeystore -srckeystore ssl.keystore -srcstorepass <store password> -srcstoretype JCEKS -srcalias repo \
        -srckeypass kT9X6oe68t -destkeystore firefox.p12 -deststoretype pkcs12 -deststorepass SkyVault -destalias repo \
        -destkeypass SkyVault
  7. Create a repository truststore containing the SkyVault CA certificate.

    $ keytool -import -alias SkyVaultCA -file ca.crt -keystore ssl.truststore -storetype JCEKS -storepass <store password>
  8. Copy the keystore and truststore to the repository keystore location defined by the property dir.keystore.
  9. Update the SSL properties (those whose names start with the prefixes SkyVault.encryption.ssl.keystore and SkyVault.encryption.ssl.truststore).
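The same procedure (steps 1 to 7) as a non-interactive script, followed by the checks worth running before the stores are copied into dir.keystore in step 8. This is an added example, not part of the original page; it assumes keytool and openssl are on the PATH, that ca.key and ca.crt exist in the working directory as the page does, and the default passwords are constructed placeholders for a scratch run.

```shell
#!/bin/sh
# Added example (not from the original page): steps 1 to 7 without prompts,
# then verification of the chain and of the store contents. Passwords are
# taken from the environment rather than typed on the command line, so they
# do not end up in shell history; the defaults below are constructed values.
set -eu
STORE_PASS="${STORE_PASS:-changeit}"   # <store password> in the page
P12_PASS="${P12_PASS:-SkyVault}"       # pkcs12 password used in step 6
DNAME="CN=SkyVault Repository, OU=Unknown, O=SkyVault Software Ltd., L=Maidenhead, ST=UK, C=GB"
ks() { keytool "$@" -keystore ssl.keystore   -storetype JCEKS -storepass "$STORE_PASS"; }
ts() { keytool "$@" -keystore ssl.truststore -storetype JCEKS -storepass "$STORE_PASS"; }

generate_repo_stores() {
  # Step 1: -dname and -keypass answer the prompts shown on the page.
  ks -genkeypair -alias repo -keyalg RSA -keysize 2048 -dname "$DNAME" -keypass "$STORE_PASS"
  # Step 2: certificate request for the repository key.
  ks -certreq -alias repo -file repo.csr
  # Step 3: the CA signs for 365 days (an encrypted ca.key still prompts for its pass phrase).
  openssl x509 -req -in repo.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out repo.crt -days 365
  # Step 4: the CA certificate goes in first, so the reply in step 5 can be chained to it.
  ks -importcert -noprompt -alias SkyVaultCA -file ca.crt
  # Step 5: the signed certificate is installed against the private key entry.
  ks -importcert -noprompt -alias repo -file repo.crt
  # Step 6: PKCS#12 copy for a browser.
  keytool -importkeystore -srckeystore ssl.keystore -srcstoretype JCEKS \
    -srcstorepass "$STORE_PASS" -srcalias repo -srckeypass "$STORE_PASS" \
    -destkeystore firefox.p12 -deststoretype pkcs12 -deststorepass "$P12_PASS" \
    -destkeypass "$P12_PASS" -destalias repo
  # Step 7: truststore holding only the CA certificate.
  ts -importcert -noprompt -alias SkyVaultCA -file ca.crt
}

verify_repo_stores() {
  # The repository certificate must chain to ca.crt and must not expire within a day.
  openssl verify -CAfile ca.crt repo.crt >/dev/null
  openssl x509 -in repo.crt -noout -checkend 86400
  # Keystore: the private key entry plus the CA as a trusted entry (keytool stores aliases lowercase).
  ks -list | grep -q '^repo,.*PrivateKeyEntry'
  ks -list | grep -q '^skyvaultca,.*trustedCertEntry'
  # Truststore: exactly one entry, the CA, and no private key.
  [ "$(ts -list | grep -c 'Entry,')" -eq 1 ]
  ts -list | grep -q '^skyvaultca,.*trustedCertEntry'
  # Browser store: the repo key pair survived the conversion.
  keytool -list -keystore firefox.p12 -storetype pkcs12 -storepass "$P12_PASS" | grep -q '^repo,.*PrivateKeyEntry'
}

# Run end to end only where the CA material is present.
if [ -f ca.key ] && [ -f ca.crt ]; then
  generate_repo_stores && verify_repo_stores && echo "ssl.keystore, ssl.truststore and firefox.p12 verified"
fi
```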