Making Healthcare Organizations More Efficient and Secure

By kso
Jul. 8, 2013

For the past year, I have been working with multiple healthcare organizations, and the one area that is always a concern is security. One example is securing the connection in a Drupal and Alfresco integration, and the first step in doing that is to secure the Alfresco instance.

In this example, we are working with only one Drupal development instance and one Alfresco development instance. In most cases there will be more than one instance, to account for disaster recovery and replication.

Assumptions:
We are assuming that we already have Drupal and Alfresco installed.

Other assumptions:
  • Ubuntu Server 13.10
  • Alfresco 4.1.4 (compatible version from 4.x)
  • Apache 2.2.22 (compatible version from 2.x)

Install Alfresco (version 4.1.4)

  • Install Alfresco
  • Configure CSRF for Alfresco Share
$ sudo vim /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml

Alfresco-CSRFToken
Alfresco-CSRFToken
Alfresco-CSRFToken

POST\/page\/caches\/dependency\/clear|\/page\/index|\/page\/surfBugStatus|\/page\/modules\/deploy|\/page\/modules\/module|\/page\/api\/javascript\/debuggerfalsehttps://alfresco.mysite.com:8080/.*falsehttps://alfresco.mysite.com:8080

POST/page/dologin.*|\/page/site\/[^\/]+\/start-workflow|^\/page/start-workflowfalsehttps://alfresco.mysite.com:8080/.*falsehttps://alfresco.mysite.com:8080

GET^/page/dologout.*Alfresco-CSRFTokenAlfresco-CSRFToken

.*

Alfresco-CSRFTokenAlfresco-CSRFToken

GET^/page/.*.*.*Alfresco-CSRFTokenAlfresco-CSRFToken

POST^multipart/.*.*Alfresco-CSRFTokenAlfresco-CSRFTokenfalsehttps://alfresco.mysite.com:8080/.*falsehttps://alfresco.mysite.com:8080

POST|PUT|DELETE.*Alfresco-CSRFTokenAlfresco-CSRFTokenfalsehttps://alfresco.mysite.com:8080/.*falsehttps://alfresco.mysite.com:8080
  • Restart Alfresco
$ sudo /opt/alfresco_ent414/alfresco.sh stop
$ sudo /opt/alfresco_ent414/alfresco.sh start
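
The values listed under the Configure CSRF step above belong to the CSRFPolicy section of share-config-custom.xml. The following is an added example, not the original file from this post: it places those values in two of the rules (token generation and the final POST|PUT|DELETE check), using the element and attribute names of Alfresco Share's CSRFPolicy format, which this page does not show; compare it with the share-security-config.xml shipped with your Alfresco version.

```xml
<!-- Added illustration, not the post's original file. Element and attribute
     names follow Alfresco Share's CSRFPolicy format; values are the post's. -->
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
   <!-- Names of the cookie, header and form parameter that carry the token -->
   <client>
      <cookie>Alfresco-CSRFToken</cookie>
      <header>Alfresco-CSRFToken</header>
      <parameter>Alfresco-CSRFToken</parameter>
   </client>
   <!-- Rules are evaluated top to bottom; only the first matching rule runs -->
   <filter>
      <!-- Logged-in session that has no token yet: issue one -->
      <rule>
         <request>
            <session>
               <attribute name="_alf_USER_ID">.*</attribute>
               <attribute name="Alfresco-CSRFToken"/>
            </session>
         </request>
         <action name="generateToken">
            <param name="session">Alfresco-CSRFToken</param>
            <param name="cookie">Alfresco-CSRFToken</param>
         </action>
      </rule>
      <!-- State-changing requests: the header token must match the session
           token; Referer and Origin are checked only when present (always=false) -->
      <rule>
         <request>
            <method>POST|PUT|DELETE</method>
            <session>
               <attribute name="_alf_USER_ID">.*</attribute>
            </session>
         </request>
         <action name="assertToken">
            <param name="session">Alfresco-CSRFToken</param>
            <param name="header">Alfresco-CSRFToken</param>
         </action>
         <action name="assertReferer">
            <param name="always">false</param>
            <param name="referer">https://alfresco.mysite.com:8080/.*</param>
         </action>
         <action name="assertOrigin">
            <param name="always">false</param>
            <param name="origin">https://alfresco.mysite.com:8080</param>
         </action>
      </rule>
   </filter>
</config>
```

The referer and origin values must match the scheme, host and port that browsers actually use to reach Share, so check them against the URL served by the front-end web server.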


Install HTTPS over Apache Webserver (Ubuntu)

  • Install Apache webserver
$ sudo apt-get install apache2
  • Install Apache modules mod_jk, mod_ssl and enable the modules.
$ sudo apt-get install libapache2-mod-jk
$ sudo a2enmod jk ssl
  • Create cert/key file.
$ cd /etc/apache2
$ sudo mkdir cert key
$ sudo openssl req -new -x509 -days 365 -keyout key/mysite.key -out cert/mysite.crt -nodes -subj '/O=mysite Technology/OU=Alfresco Department/CN=alfresco.mysite.com'
  • Create a workers properties file to define the load balancing.
$ sudo vim /etc/libapache2-mod-jk/workers.properties

workers.properties:
workers.tomcat_home=<tomcat_home alf_home>
workers.java_home=<java_home>
worker.list=<worker_id>

worker.<worker_id>.port=8009
worker.<worker_id>.host=localhost
worker.<worker_id>.type=ajp13
worker.<worker_id>.lbfactor=1

For example:
workers.tomcat_home=/opt/alfresco_ent414
workers.java_home=/opt/alfresco_ent414/java
worker.list=ajp13_worker
worker.ajp13_worker.port=8009
worker.ajp13_worker.host=localhost
worker.ajp13_worker.type=ajp13
worker.ajp13_worker.lbfactor=1 
  • Define a virtual host configuration. (This will depend on your system setup)
ServerName alfresco.mysite.com

SSLEngine On
SSLCertificateFile cert/mysite.crt
SSLCertificateKeyFile key/mysite.key
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +StrictRequire

# Send the /alfresco and /share contexts to the worker named ajp13_worker via ajp13
JkMount /alfresco ajp13_worker
JkMount /alfresco/* ajp13_worker
JkMount /share ajp13_worker
JkMount /share/* ajp13_worker

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined

  • Restart Apache webserver
$ sudo service apache2 restart

If everything went well, you should now be able to visit your site at alfresco.mysite.com/alfresco and alfresco.mysite.com/share.

For a similar installation under CentOS/Red Hat, see a related post here.

 

 
