SSL and why you should configure Tomcat Properly

I spent a few hours today troubleshooting an issue with CMIS. In a nutshell, a user couldn't connect and I was figuring out why. Initially I noticed that the URLs in the XML response from CMIS were http and not https. A bit of research pointed me to a fix I could add to Alfresco that would force it to use the correct protocol; I added this in but found it didn't completely fix the problem, as the http connector was still being used.

A whole lot more research later I found that with Tomcat the servlets/web applications get the server name, port and scheme programmatically from the request, and by default these reflect the connector the request arrived on (plain http, on the connector's own port) rather than what the client used to reach the reverse proxy. I set proxyName and proxyPort to the hostname of the reverse proxy and 443; the host and port in the URL updated, but the scheme was still http! A little more reading and I found that to change the protocol you also need to set the scheme and secure attributes. With this information I modified my Tomcat connector to look like this:

    <Connector port="8080" protocol="HTTP/1.1" proxyName="chipnick.com" proxyPort="443" scheme="https" secure="true"
               connectionTimeout="20000"
               redirectPort="8443" />

After restarting Tomcat the URLs were generated properly! I grabbed an iPad to test things out, and on the Dev environment browsing worked beautifully without a hitch. I turned it to the Prod environment to compare and noticed something strange in the HAProxy log: SSL handshake failures! I hadn't noticed this on the Dev side, so I worked backwards until I was able to reproduce it. The cause was that, because the scheme wasn't set in the Tomcat connector, the web application was always defaulting to http. In the Alfresco global properties I'd set the protocol to https in a couple of parameters Alfresco uses to generate URLs, which covered most cases; apparently because the CMIS API uses OpenCMIS it did not check these parameters and instead built its URLs from what Tomcat reported.

Moral of the story? If you're setting up Tomcat behind a reverse proxy, set proxyName, proxyPort, scheme and secure on the connector so that the application sees the hostname and protocol the client actually used!
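A quick way to confirm the connector change took effect is to ask Tomcat what it reports to applications, since Alfresco and OpenCMIS build their links from the same request methods. The following diagnostic JSP is an added example, not part of the original post or of Alfresco; the hostname chipnick.com comes from the connector above, while the file name proxycheck.jsp, the HAProxy X-Forwarded-Proto header and the monitoring use are assumptions.

```jsp
<%@ page contentType="text/plain; charset=UTF-8" %>
<%--
  proxycheck.jsp: an added diagnostic, not part of the original post.
  Drop it in TOMCAT_HOME/webapps/ROOT/ and request it THROUGH the reverse
  proxy, e.g. https://chipnick.com/proxycheck.jsp (hostname from the post's
  connector; the file name and everything below are assumptions).
--%>
<%
    // Values the servlet API hands every web application on this connector.
    String scheme = request.getScheme();     // "https" only if the Connector sets scheme="https"
    boolean secure = request.isSecure();     // true only with secure="true"; also makes JSESSIONID Secure
    String host = request.getServerName();   // proxyName, otherwise the Host header the proxy forwarded
    int port = request.getServerPort();      // proxyPort, otherwise the port from Host or the Connector

    // The absolute URL Tomcat derives from the above. sendRedirect("/share/")
    // and application-generated links use the same scheme/host/port.
    String seenUrl = request.getRequestURL().toString();

    // What the proxy claims, if it sends the header at all (assumed HAProxy line:
    // http-request set-header X-Forwarded-Proto https if { ssl_fc }). A bare
    // Connector ignores it; only RemoteIpValve acts on it.
    String fwdProto = request.getHeader("X-Forwarded-Proto");

    // Expected state for a TLS-terminating proxy listening on 443.
    boolean ok = "https".equals(scheme) && secure && port == 443;

    // A non-200 status lets an (assumed) monitoring check catch a regression
    // after the next server.xml edit instead of waiting for a user report.
    if (!ok) {
        response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    }
%>
scheme=<%= scheme %>
secure=<%= secure %>
serverName=<%= host %>
serverPort=<%= port %>
requestURL=<%= seenUrl %>
X-Forwarded-Proto=<%= fwdProto == null ? "(not sent)" : fwdProto %>
result=<%= ok ? "OK" : "MISCONFIGURED: set proxyName, proxyPort, scheme and secure on the Connector" %>
```

Through the proxy the page should print scheme=https, secure=true and serverPort=443. Two caveats follow from how it works. First, scheme and secure on the Connector are static: a request that reaches port 8080 directly over plain http is also reported as secure, so that connector must only be reachable from the proxy (bind it with address="127.0.0.1" or firewall it). Second, secure="true" is what makes Tomcat flag the JSESSIONID cookie as Secure, so leaving it out is a session-exposure problem and not just a cosmetic URL one. If one connector has to serve both https-fronted and plain traffic, Tomcat's RemoteIpValve (org.apache.catalina.valves.RemoteIpValve) can derive scheme, secure and port per request from X-Forwarded-Proto, restricted to the proxy addresses you trust, instead of hard-coding them.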

References
* http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#Proxy%20Support

Restrict Site Creation to Administrators in Alfresco

Default behavior in Alfresco allows any user to create a site, which is really bad when the whole reason users are switching is to get away from a document graveyard. I found this thread discussing how to disable it and it worked really well for me; seeing that the file link I posted in that thread has expired, I decided it would be better to document it here and explain what's going on. The file paths have changed since I originally did this, so I'll include paths for both 4.0 and 4.1.3.

Before we start, we're going to need to copy a few files from the share WAR. Note that these are Share (web tier) files: overriding them controls what the Share UI offers its users, not what the repository tier will accept over its own APIs.

Copy the following files from the exploded share webapp:

4.0: TOMCAT_HOME/webapps/share/WEB-INF/classes/alfresco/web-extension/site-webscripts/org/alfresco/

4.1.3: TOMCAT_HOME/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/

And place them, keeping the same relative paths, under the extension directory, where Share loads them in preference to the copies inside the WAR:

TOMCAT_HOME/shared/classes/alfresco/web-extension/site-webscripts/org/alfresco/

components/dashlets/
    my-sites.get.html.ftl
    my-sites.get.js

modules/header/
    sites.get.html.ftl
    sites.get.js

Continue reading “Restrict Site Creation to Administrators in Alfresco”

Super simple redirect for tomcat

For Alfresco there's nothing at /, and rather than set up a redirect on the front-end I decided to do it within Tomcat. I'm not a fan of meta redirects (mainly because python doesn't know how to handle meta redirects and requires extra coding) so I went the route of using JSP.

It's rather simple: create the file TOMCAT_HOME/webapps/ROOT/index.jsp with one of the following contents (adapt the URL for your needs).

We have two options for a redirect. A 302 Temporary:

<%
    // 302 Found. sendRedirect() turns the relative URL into an absolute one
    // using the scheme, host and port Tomcat sees, so behind a reverse proxy
    // the Connector's proxyName/proxyPort/scheme settings matter here too.
    response.sendRedirect("/share/");
%>

Or a 301 Permanent (better for SEO, but browsers cache it, so make sure the target is right before you deploy it):

<%
    // 301 Moved Permanently. The status and Location header are set by hand;
    // the relative Location is resolved by the browser against the URL it requested.
    response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
    response.setHeader("Location", "/share/");
%>

Save and restart Tomcat, and you're done!

Resource:

http://www.ninthavenue.com.au/blog/301-permanent-redirect-in-java

Installing ffmpeg on Amazon Linux 2013.03

Update 20131007: The ffmpeg package in this repo isn’t exactly new, so if you’re looking for the latest and greatest featureset consider using the static builds.

I ran into some trouble installing ffmpeg on Amazon Linux, and while there are some guides out there I didn't like that they just told you to "figure out the repo conflicts". I'm very paranoid about mixing repos, especially on production servers, so whenever I need to use another repo I explicitly allow only the packages I want with includepkgs. To save others the headache of tracking down dependencies, I've decided to record my work here. Before you do anything, make sure all your packages are up to date.

Continue reading “Installing ffmpeg on Amazon Linux 2013.03”

Monitor a Windows restart

I've been doing a bit of work with automation lately and have been leveraging Jenkins for my builds.
There's a stage during the build where I reboot the machine after setting auto login (this is a minor test to make sure the firewall is set properly, among other things).
I first added shutdown -rt to a script that ran, then used ping to figure out when the machine came back, but this created a race condition.
If the computer responded to a ping but hadn't finished starting, the next command, which mapped a drive, would fail. I finally got tired of the trouble this was causing me and did a little research, and discovered that PowerShell 3.0 added a -Wait parameter to Restart-Computer. This parameter is absolutely beautiful: when used, the target computer is restarted and the cmdlet waits for it to come back before exiting. You can even run it as a job in the background and check the job status (which I'm eventually going to do).

Continue reading “Monitor a Windows restart”

Alfresco Community – The mighty underdog that needs some work

Back in November I was asked to give a demo of SharePoint 2010 to an internal customer. They were looking for somewhere to host their documents but wanted to avoid a document graveyard (while the linked article is about SharePoint it should be clear that this is a common symptom with many DM solutions out there). Additionally they wanted to be able to build a library to present to other people. I went with an Enterprise Wiki and created several sites within it and inserted the library views into the wiki to show how they could have different groups contributing documents then present it on the wiki easily.

During the presentation we ran into a couple of problems. First, they wanted to keep costs down, and paying for a SharePoint license plus a server wasn't something they wanted to do. The other problem was that it was SharePoint. While SharePoint 2010 made significant changes to the interface and overhauled many features that users complained about, its predecessors built a bad reputation that has yet to be turned around. These two issues combined made it a bit tricky to sway our customer. During the demo Alfresco was brought up as an alternative; this was the first time I had heard the name. Once I wrapped up the demo I looked it up and, after some reading, set up an instance.

I demoed it for the customer and they loved it. Within a few weeks they were trying it out, and soon after we had a couple of other customers using it. Since then we've run into several issues that, after much investigation, we haven't found a proper solution for. I've decided to take the time to describe them here so that other people looking into Alfresco are aware of them. Before I get into it I want to make it clear that there are great people behind Alfresco; they are easy to reach and are happy to offer you advice and assistance wherever they are able, and when compared to other companies I would rank them among the top for accessibility.

For the record, we're using Alfresco Community 4.0d.


Continue reading “Alfresco Community – The mighty underdog that needs some work”

Kerberos, Apache, and Mediawiki. A horrible mix

I’ve been working on setting up Mediawiki at work for internal use with several teams and I recently ran into a minor speed bump on the way to production.

Simply put, in our company NTLMv2 is the default authentication method on all workstations, and if you want to change it you have to go into group policy. I had tweaked this setting a year ago for some application, so while I was working with SSO I was convinced it was working fine. Unfortunately my co-worker Kevin, who was doing some development for me, couldn't get SSO working, and after digging around we found it was because of NTLMv2.

Why is this a problem? Well, on Linux almost every AD/LDAP SSO solution out there only supports NTLMv1 with Apache. The two that do work are Samba with winbind (you join the Linux machine to the domain and do some other wizardry) and Kerberos. I decided to go with Kerberos since I would need to implement something for Alfresco (another app I'm working on) and I could hook it in. I dug in and got Kerberos set up with the keytabs and what-not, then turned back to getting MediaWiki working.

Continue reading “Kerberos, Apache, and Mediawiki. A horrible mix”