Configuring SSL for a test environment

If you are configuring SSL in a development or test environment, you can edit some configuration files to enable SSL.

Note: These instructions should only be used for configuring a test environment. If you are configuring a production environment, you should use a proxy server to handle all SSL communication. See Configuring SSL for a production environment for more information.

Here is an example of how to configure Tomcat 8.5 to work with HTTPS for your development or test system. At this point, we assume that:
  • You've already set up Alfresco Content Services with Tomcat 8.5, running HTTP on port 8080.
  • You may have already set up HTTPS on port 8443 for Alfresco Content Services to communicate with Alfresco Search Services.
  • In our documentation, such as Secure Sockets Layer (SSL) and the repository, port 8443 is generally provided as an example when setting up secure HTTPS connections. This is recommended only for use with Search Services as it should use real client certificates, where certificateVerification="required". For this development or test setup, we won't necessarily use client certificates, so we'll set up a separate HTTPS connector on a different port. You can have multiple connectors in Tomcat that use HTTPS and different ports.
  1. Copy the alf_data/keystore folder from the distribution zip to <CATALINA_BASE>/alf_data/keystore.

    See Installing the Alfresco WARs to review the structure of the distribution zip.

    In the alf_data/keystore folder, you'll find sample generated self-signed certificates that you can use to configure an HTTPS connection for development or test purposes.

  2. Open your Tomcat settings file <CATALINA_BASE>/conf/settings.xml and add an entry for a new connector:

    <Connector port="7070" 
            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
            maxThreads="150"
            SSLEnabled="true">
        <SSLHostConfig certificateVerification="none" 
            truststoreFile="<CATALINA_BASE>/alf_data/keystore/ssl.truststore" 
            truststorePassword="kT9X6oe68t" 
            truststoreType="JCEKS" >
        <Certificate certificateKeystoreFile="<CATALINA_BASE>/alf_data/keystore/ssl.keystore"
            certificateKeystorePassword="kT9X6oe68t"
            certificateKeystoreType="JCEKS" />
        </SSLHostConfig>
    </Connector>
  3. Replace <CATALINA_BASE>/alf_data/keystore/ with the actual path to those certificates.
  4. Change the password, if required.

    You can find the password in the .properties files from the sample alf_data/keystore folder.

  5. Replace the port 7070 with the one that you want to use.

    Avoid using port 8443 as that is generally configured for Search Services.

    1. On Linux systems, if you want to use the default HTTPS port 443, you can edit the server iptables configuration to specify the redirection:

      # Redirect external packets
      -A PREROUTING -j NAT-Port-Redirect
                                      
      # redirect http traffic
      -A NAT-Port-Redirect -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
      # redirect https traffic
      -A NAT-Port-Redirect -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 7070

      However, you also need to add proxyPort="443" to the Connector XML tag (from above) as shown:

      <Connector port="7070" 
              proxyPort="443"
      ...

      Note: If you use the 443 redirect, you'll need to override the value for Alfresco Office Services in alfresco-global.properties:
      aos.baseUrlOverwrite=https://localhost/alfresco/aos
    2. On Windows, you can just use port 443 without any proxy.

    Note that we use the certificateVerification="none" setting. See the official Tomcat 8.5 page to learn more about the HTTPS security settings for the connector.

    If you're using an older version of Tomcat (which we don't recommend and don't support), the security settings are specified in a different format. See the example for Tomcat 7.0.

  6. Edit alfresco-global.properties and replace the relevant values for your case:

    dir.keystore=${dir.root}/keystore
    
    alfresco.context=alfresco
    alfresco.protocol=https
    alfresco.host=localhost
    alfresco.port=7070
    
    share.host=localhost
    share.port=7070
    share.context=share
    share.protocol=https
    
    aos.baseUrlOverwrite=https://localhost:7070/alfresco/aos
  7. Restart your Tomcat server.

    Access Alfresco Content Services and Alfresco Share using HTTPS:

    • https://localhost:7070/alfresco
    • https://localhost:7070/share

    If you installed the Alfresco Office Services AMP, you'll also be able to edit files from your Microsoft Office applications.

    See Considerations when using Alfresco Office Services and AOS registry settings for more details.
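
A check for the test-only settings this procedure introduces, useful before a connector configuration is copied beyond a test system. This is an added example, not part of the Alfresco documentation; the function name audit_connectors, the /opt/tomcat path and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Password printed in the sample connector on this page.
SAMPLE_PASSWORD = "kT9X6oe68t"

# Constructed configuration modelled on the connector above; /opt/tomcat is a
# placeholder for <CATALINA_BASE>.
SAMPLE_XML = """
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="7070" proxyPort="443" SSLEnabled="true"
             protocol="org.apache.coyote.http11.Http11Nio2Protocol">
    <SSLHostConfig certificateVerification="none"
        truststoreFile="/opt/tomcat/alf_data/keystore/ssl.truststore"
        truststorePassword="kT9X6oe68t" truststoreType="JCEKS">
      <Certificate
        certificateKeystoreFile="/opt/tomcat/alf_data/keystore/ssl.keystore"
        certificateKeystorePassword="kT9X6oe68t"
        certificateKeystoreType="JCEKS"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>
"""


def audit_connectors(xml_text):
    """Return (port, finding) tuples for each SSL-enabled connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        for host in conn.iter("SSLHostConfig"):
            # Tomcat treats a missing certificateVerification as "none".
            if host.get("certificateVerification", "none") != "required":
                findings.append((port, "client certificates not required"))
            if host.get("truststorePassword") == SAMPLE_PASSWORD:
                findings.append((port, "truststore uses the sample password"))
            for cert in host.iter("Certificate"):
                if cert.get("certificateKeystorePassword") == SAMPLE_PASSWORD:
                    findings.append((port, "keystore uses the sample password"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_XML):
        print(f"connector {port}: {finding}")
```

The plain HTTP connector on port 8080 is skipped because it has no SSLEnabled="true" attribute, so only the HTTPS connector is reported.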
