[How to] Enable and configure FTPs on Alfresco
Recently, for security reasons, we had to configure FTPS with Alfresco for one of our clients. The goal of this post is to learn how to enable and configure FTPS on Alfresco.
If we take a look at Wikipedia, we can read:
FTPS (also known as FTPES, FTP-SSL, and FTP Secure) is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols. FTPS should not be confused with the SSH File Transfer Protocol (SFTP), a secure file transfer subsystem for the Secure Shell (SSH) protocol it is not compatible with. It is also different from FTP over SSH, the practice of tunneling FTP through an SSH connection.
So, FTPS is not SFTP. As we read, SFTP is an entirely different protocol, based on the SSH (Secure Shell) network protocol rather than on FTP; FTPS, on the other hand, is FTP with TLS added, and it authenticates your connection using either a user ID and password, a certificate, or both.
Go ahead \m/
What I use to make this tutorial (and side notes)
- OS: Ubuntu 16.04
- Alfresco 5.2.0 installed on /opt/alfresco/
- I’ll generate the certificate to be valid for 360 days
- I’ll keep the default password changeit. As administrator, it’s up to you to change it (strongly recommended!)
Generating and configuring the certificate
cd java/bin
./keytool -genkey -alias tomcat -keypass changeit -keyalg RSA -validity 360
Note: please replace the password changeit with one of your own. The validity argument is a number of days; adapt it to your company’s needs. By default the certificate is only valid for 3 months.
- Now you need to enter the keystore password; by default we’ll use changeit
- You will need to fill in some more information:
Enter keystore password: changeit
What is your first and last name?
  [Unknown]: Cristina Martin
What is the name of your organizational unit?
  [Unknown]: IT
What is the name of your organization?
  [Unknown]: Venzia IT
What is the name of your City or Locality?
  [Unknown]: Seville
What is the name of your State or Province?
  [Unknown]: Seville
What is the two-letter country code for this unit?
  [Unknown]: ES
Is CN=Cristina Martin, OU=IT, O=Venzia IT, L=Seville, ST=Seville, C=ES correct?
  [no]: yes
- By default, the keystore will be created at
/home/user/.keystore
In my case it’s at /home/cristina/.keystore
- To export the certificate from this keystore into a file called server.crt:
./keytool -export -alias tomcat -keypass changeit -file server.crt
- Enter the password again (by default changeit); the message “Certificate stored in file <server.crt>” will appear on success.
- Import the generated file into our cacerts truststore:
./keytool -import -file server.crt -keypass changeit -keystore ../lib/security/cacerts
- Enter the cacerts keystore password to confirm the action (remember, by default changeit)
- The shell shows you the certificate details; if everything looks right, type yes and press Enter. The message “Certificate was added to keystore” will appear on success. Congratulations!
Alfresco configuration
Open your alfresco-global.properties and add this information:
### FTP Server Configuration ###
ftp.enabled=true
ftp.port=2121
ftp.requireSecureSession=true
ftp.sslEngineDebug=false
ftp.keyStore=/home/cristina/.keystore
ftp.trustStore=/opt/alfresco/java/lib/security/cacerts
ftp.trustStorePassphrase=changeit
ftp.keyStorePassphrase=changeit
ftp.ipv6.enabled=false
Restart your Alfresco and test your FTPS connection.
Connecting via client
In my case, I’ll use WinSCP. This is the configuration you need to use:
Options:
- Protocol “FTP – File Transfer Protocol”
- Encryption “Require explicit FTP over TLS”
- Login Type “Normal” (Alfresco user/pass)
And here it is: you can now navigate and access your content securely!
Troubleshooting
- To debug, add the following lines to your custom-log4j.properties and try again to see the error:
# File servers
log4j.logger.org.alfresco.fileserver=debug
# FTP server debugging
log4j.logger.org.alfresco.ftp.protocol=debug
log4j.logger.org.alfresco.ftp.server=debug
- “java.io.IOException: Keystore was tampered with, or password was incorrect”
Make sure the password you specified in alfresco-global.properties is the same one you used when you generated the certificate (step 2) and imported it into cacerts (step 8).
- Check whether your FTP port is used by another app with the following command:
netstat -patn | grep 2121
- If you still don’t know why it’s not working, you can capture the traffic to a dump file to check the behaviour. To generate the dump file:
sudo tcpdump -s0 -i any -w /home/cristina/ftps_trace.pcap
You can open this pcap file with Wireshark or another tool to analyse the capture and find where the problem is.
I hope this advice helps you 😉 If you like it or want to discuss something, please ping us on Twitter.
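As an added example (not part of the original post and not Alfresco’s own code), the script below checks the ftp.* block from alfresco-global.properties offline and recomputes the JKS integrity digest that Java verifies when it loads the keystore, which is the check that fails behind the “Keystore was tampered with, or password was incorrect” error. It assumes the keystore is in the legacy JKS format that keytool in Java 8 creates by default; SAMPLE_PROPERTIES and the zero-entry keystore are constructed sample inputs.

```python
import hashlib
import struct

# Constructed sample: the ftp.* block from the post (not read from a real file).
SAMPLE_PROPERTIES = """\
### FTP Server Configuration ###
ftp.enabled=true
ftp.port=2121
ftp.requireSecureSession=true
ftp.keyStore=/home/cristina/.keystore
ftp.trustStore=/opt/alfresco/java/lib/security/cacerts
ftp.trustStorePassphrase=changeit
ftp.keyStorePassphrase=changeit
"""

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_ftp_config(props):
    """Return human-readable findings about the FTPS settings (empty list means OK)."""
    findings = []
    if props.get("ftp.enabled") != "true":
        findings.append("ftp.enabled is not true; the FTP server will not start")
    if props.get("ftp.requireSecureSession") != "true":
        findings.append("ftp.requireSecureSession is not true; plaintext FTP logins are accepted")
    for key in ("ftp.keyStorePassphrase", "ftp.trustStorePassphrase"):
        if props.get(key, "") in ("", "changeit"):
            findings.append(f"{key} is empty or the default 'changeit'")
    return findings

def jks_password_ok(keystore_bytes, password):
    """JKS integrity check: last 20 bytes == SHA-1(password as UTF-16BE + b'Mighty Aphrodite' + rest)."""
    body, stored = keystore_bytes[:-20], keystore_bytes[-20:]
    digest = hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()
    return digest == stored

def build_empty_jks(password):
    """Constructed zero-entry JKS (magic 0xFEEDFEED, version 2, 0 entries) used as sample input."""
    body = struct.pack(">IIi", 0xFEEDFEED, 2, 0)
    digest = hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()
    return body + digest
```

To check a real keystore, pass `open(path, "rb").read()` and the value of ftp.keyStorePassphrase to jks_password_ok; a False result means Alfresco will hit the same error at startup.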
Hi Cristina, thank you very much for the article.
We have Alfresco 7 set up with containers, and we have configured the files so that both the keystore and the truststore are inside the Alfresco container in a directory, referencing that directory from the docker-compose.yml configuration file where we set the Alfresco config parameters so that it picks them up when the container starts.
The thing is that there is no problem with normal FTP, but when we want to configure FTPS, as in this case, it doesn’t work: it stays in the authentication process and the socket times out. Surprisingly, it produces no logs, so we can’t determine what the problem is either.
The basic configuration we have is the same as yours, but we also add the following directives to reserve ports internally for the containers and limit connections.
-Dftp.dataPortFrom=2433
-Dftp.dataPortTo=2453
We try to make the explicit TLS connection over port 21, and it hangs there without giving any messages… until it times out.
Regards