Use this information to review your system before you install Alfred Edge.
Alfred Edge is a Spring Boot application. It can run as a stand-alone application or can be deployed in any Servlet 3.0+ compatible container.
In order to let Alfred Edge and Alfresco work seemless together, a few additional modules are available for Alfresco Content Services and Alfresco Share.
These modules (aka amps) are :
Alfred Edge itself depends on the JSESSIONID cookie to keep
browser-based connections authenticated. It requires sticky sessions
to be configured in your load balancer.
A second set of additional modules contains:
These modules allow a centralized logging of messages with Zipkin, initiated by Alfred Edge.
It is possible to install these different amps as one amp for Alfresco and one for Share. The above mentioned amps are assembled in order to guarantee the installation has the correct version of the different amps, needed by Alfred Edge.
alfresco-edge-repo.amp: module with all Edge amps for the alfresco
deploymentalfresco-edge-share.amp: module with all Edge amps for the share
deploymentThe following are estimated system requirements for Alfred Edge 1.1. Actual requirements will vary based on your system configuration and workload.
For the application server:
JAVA_OPTS parameter Xmx=512G). For a production system 2G RAM
for the Tomcat process is recommended.These list of components have been tested with Alfred Edge and are officially supported.
For the Alfred Edge application, the following platforms have been tested:
| Server OS | Edge 1.1 |
|---|---|
| Ubuntu 16.04 LTS | ✓ |
| CentOS Linux 7 | ✓ |
Alfred Edge is developed and tested with an embedded Tomcat 8.5.23
| Application Servers | Edge 1.1 |
|---|---|
| Tomcat 8.0 | ✓ |
| Tomcat 8.5 | ✓ |
Alfred Edge can also be deployed to any Servlet 3.0+ compatible container, but this is not routinely tested.
Java 8+ is required to run Alfred Edge.
| JRE | Edge 1.1 |
|---|---|
| Oracle JRE 1.8.0_121 | ✓ |
Alfred Edge works with all Alfresco 5.x+ versions, both Enterprise and Community.
Internal testing is performed on the following versions:
| Alfresco | Edge 1.1 |
|---|---|
| Alfresco Content Services 5.2.1 | ✓ |
There are multiple ways to run Alfred Edge in production.
Alfred Edge is a Spring Boot application and can be deployed in various ways:
hub.xenit.eu/edge:1.1. This packages the application and it’s
dependencies in an immutable image..war file.
This .war file embeds a Tomcat application server, which allows
you to run Alfred Edge without the installation and configuration
of an application server..war.You can contact XeniT Support at support@xenit.eu for account credentials on our private Docker Hub.
The artifact that allows Alfred Edge to run as a standalone
application is edge-x.x.x.war. A Tomcat 8.5 application server is
embedded in the .jar file and does not require installation or
configuration.
Alfred Edge can be run in the foreground with
java -jar edge-x.x.x.war.
There is no out of the box support to run this as a background program or as a service, but there are various guides available online.
Running Alfred Edge in an application server like Apache Tomcat is the traditional method.
edge-x.x.x.war in \$TOMCAT/webapps and rename to
ROOT.war.To configure edge through external configuration, place the
edge.ymlconfiguration file in${CATALINA_HOME}/lib/config. You can also add the-Dspring.config.location=/path/to/config/edge.ymlto theCATALINA_OPTSenv variable.
The sections below describe how to install some additional modules in Alfresco and Share to facilitate the functionality Alfred Edge provides. These modules are grouped in individual amps but also into one single amp, containing the appropriate versions of the different modules for the Edge version that is released:
alfresco-edge-repo.amp: module to add to the alfresco deploymentalfresco-edge-share.amp: module to add to the share deploymentThe major and minor version of the single amps will be identical to the major and minor version of the corresponding Alfred Edge version.
It is possible to install only some of the individual amps, if the functionality of the other amps is not wanted, but the recommended way is to install the provided single Edge amp.
Alfred Edge provides central request authentication and securely propagates this information by embedding it in a JWT (Json Web Token). This JWT is signed with a secret passphrase or a private key. The signed JWT is sent with every request Alfred Edge routes to any of the backend services.
The backend services - like Alfresco or Share - can verify the signature and decode the information (containing among others the authenticated username) embedded in the JWT.
This module adds a new external authentication subsystem to Alfresco,
named external-jwt.
To integrate central authentication with Alfred Edge and Alfresco, the
alfresco-edge-repo.amp (or only alfresco-jwt-auth-repo.amp) artifact
needs to be installed and the authentication chain in Alfresco needs to
be configured.
Install alfresco-edge-repo.amp (or only alfresco-jwt-auth-repo.amp).
More information on the Alfresco Module Packages and how to install
them, can be found in the Alfresco
Documentation.
In alfresco-global.properties you can configure the new JWT
authentication subsystem.
Configure the Alfresco authentication chain (authentication.chain) to
make use of the external-jwt authentication subsystem.
For example, you can configure the authentication chain with two members: JWT authentication and the default Alfresco Internal authentication. This means that Alfresco will first check if the request header contains a (valid!) JWT header and uses that to authenticate. If the JWT is missing from the headers or the signature is invalid, the system falls back onto the default Alfresco Internal authentication.
authentication.chain=external-jwt:external,alfrescoNtlm1:alfrescoNtlm
See the Alfresco documentation on the Authentication Subsystem Chain for more information on this topic.
Alfred Edge can use either a shared secret or public/private keys to sign the JWT.
The Alfresco JWT module ships without a default shared password. This
can be set by setting the property authentication.jwt.token.secret in
alfresco-global.properties or as a system property on the command
that starts the application.
authentication.jwt.token.secret=my-shared-secret
It is recommended to validate the installation and configuration of the JWT module first by following the steps in the next section, after changing the shared secret to “secret”.
Once Alfresco is started, the JWT Alfresco Module installation and configuration can be validated by making a request to Alfresco with curl with a valid JWT in the Authorization header.
If the shared secret is still the sample “secret”, this is a valid JWT token, representing the admin user:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiJ9.
PGnRccPTXeaxA8nzfytWewWRkizJa_ihI_3H6ec-Zbw
(split in two lines to make the whole token visible)
With this token, we can make a request to Alfresco with curl:
$ curl --head
--header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiJhZG1pbiJ9.PGnRccPTXeaxA8nzfytWewWRkizJa_ihI_3H6ec-Zbw"
http://localhost/alfresco/webdav/
(split in multiple lines to make the complete command visible)
If everything was installed and configured correctly, an
HTTP/1.1 200 OK should be returned and the JWT authentication works!
> HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Set-Cookie: JSESSIONID=D1782281AEE974435776BA7D0848C81C; Path=/alfresco; HttpOnly
> Content-Length: 0
> Date: Mon, 05 Feb 2018 10:59:10 GMT
If something is not correct (authentication.chain is not configured
correctly, the JWT is invalid, …) curl will print
HTTP/1.1 401 Unauthorized.
> HTTP/1.1 401 Unauthorized
> Server: Apache-Coyote/1.1
> Set-Cookie: JSESSIONID=A7F4B0E005F0FFE1CB5C2D01F0FF1F11; Path=/alfresco; HttpOnly
> WWW-Authenticate: BASIC realm="Alfresco DAV Server"
> Transfer-Encoding: chunked
> Date: Mon, 05 Feb 2018 10:58:10 GMT
If the sample shared secret is already changed in the previous configuration step, the JWT is no longer valid. The JWT can be copied & pasted into the Encoded textfield in the JWT Debugger at https://jwt.io/#debugger-io. This will decode the JWT and allows you to edit the payload and the secret.
To enable JWT authentication in Alfresco Share, there is a module named
alfresco-edge-share.amp (or only alfresco-jwt-auth-share.amp) that
needs to be installed and configured in share.war.
Unlike the Alfresco repository itself, Share does not have a global .properties file, but it can read that file if it is on the classpath. This module reads the needed parameters from the system properties and if not found from the global properties file on the class path So after installing the .amp in share.war, the needed values must be added as VM argument to the Tomcat startup parameters. For example:
JAVA_OPTS="$JAVA_OPTS -Dauthentication.jwt.header.name=Authorization
-Dauthentication.jwt.header.schema=Bearer
-Dauthentication.jwt.secret=<shared-secret>
-Dauthentication.jwt.keystore.path
="file:<path-to-keystore>"
-Dauthentication.jwt.keystore.password=<keystore-password>
-Dauthentication.jwt.keystore.alias=<keystore-alias>
(in the snippet the line is split into multiple lines to make it completely visible)
The configuration reference is for both the modules
alfresco-jwt-auth-repo.amp and alfresco-jwt-auth-share.amp.
external-jwt.authentication
Enable/disable the JWT authentication module.
authentication.jwt.header.name
The http request header that carries the JWT. The default is the
Authorization header.
authentication.jwt.header.schema
The authentication schema used. The defaults is Bearer, as defined
RFC 6750. The Bearer scheme is
originally defined in RFC 6750 for the OAuth 2.0 authorization
framework, but this is also appropriate for JWT-based authentication.
authentication.jwt.keystore.path
The path to the keystore on the filesystem.
authentication.jwt.keystore.password
The password or passphrase for the keystore.
authentication.jwt.keystore.alias
The name or alias of the public key in the keystore.
In order to have distributed tracing with Zipkin available from the Alfresco Repository and Alfresco Share, the -zipkin modules need to be installed to instrument these applications.
The two amps alfresco-edge-repo.amp (or only
alfresco-zipkin-repo.amp) for the Alfresco Repo and
alfresco-edge-share.amp (or only alfresco-zipkin-share.amp) must be
installed in the standard way.
To allow them to send the tracing to a Zipkin server, the url of the
Zipkin-collector needs to be specified as zipkin.collector. This can
be configured in alfresco-global.properties or as a JVM property.
For example:
JAVA_OPTS="$JAVA_OPTS -Dzipkin.collector="http://<zipkin-host>:<zipkin-port>/api/v2/spans"
The default port for the Zipkin service is TCP port 9411.
When the Alfresco Repo or Share module receives a request with a trace id, e.g. from Alfred Edge, trace information will be sent to the specified Zipkin collector.
The sampled traces can be inspected via the Zipkin UI, by default running on your Zipkin service, together with the collector.
If one wants the Alfresco Repo or Share to send these tracing, without the incoming requests having tracing, properties can be set to specify a rate of traced requests:
JAVA_OPTS="$JAVA_OPTS -Dzipkin.collector="http://<zipkin-host>:<zipkin-port>/api/v2/spans"
-Dzipkin.service.repo.sampler.rate=0.01
-Dzipkin.service.share.sampler.rate=0.10
(in the snippet the line is split into multiple lines to make it completely visible)
In the above example, 1% of the repo requests and 10% of the share requests are spontaneously traced.