Ansible is great for automating common tasks for Alfresco and Solr. In addition to basic functions like installing Alfresco and deploying third-party modules, there are some less common—yet more powerful—use cases. Encrypting Alfresco properties is one example of this.

Encrypting Alfresco properties

Alfresco supports encrypting property values through the following manual process:

  1. Use an Alfresco-provided jar file (the Alfresco Encrypted Properties Management Tool, alfresco-spring-encryptor.jar) to generate a public/private key pair.
  2. Use the same jar file and the generated public key to encrypt a user-supplied property value.
  3. Validate that the encrypted value can be decrypted with the private key.
  4. Store the encrypted value in the "alfresco-encrypted.properties" file.
  5. Store a reference to the encrypted value in the "alfresco-global.properties" file.

(Note: this process is documented by Alfresco.)

Even when you only need to do this for one environment (typically production), there are usually several sensitive properties to encrypt, such as the database password and the passwords used to access external systems.

This can be done with a few steps in an Ansible subtask, which can then be re-used for all environments. In this example, the subtask is named encrypt-properties.yml.

Subtask steps:

# Create the "enterprise" directory (for the encryption keys) if it does not exist
- name: "Check for existence of enterprise directory"
  stat:
    path: "{{ CLASSES_DIR }}/alfresco/extension/enterprise"
  register: entdir

# Task is skipped if the directory already exists
- name: "Create Alfresco Enterprise Directory"
  file:
    path: "{{ CLASSES_DIR }}/alfresco/extension/enterprise"
    state: directory
    owner: "{{ INSTALL_USER }}"
    group: "{{ INSTALL_GROUP }}"
    mode: "u=rwx,g=r,o="
  when:
    - entdir.stat.isdir is not defined

# Generates the key pair once; "creates" makes the task idempotent
- name: "Create Alfresco asymmetric keys"
  shell: "{{ JAVA_EXE }} -jar {{ ENCRYPTOR_JAR }} initkey {{ CLASSES_DIR }}"
  args:
    creates: "{{ CLASSES_DIR }}/alfresco/extension/enterprise/alfrescoSpringKey.pri"
  register: rc_encryptkeys

- debug:
    msg: "Result of Encryption Key creation => {{ rc_encryptkeys.stdout_lines }}"

# Encrypts each value with the public key. The value is shell-quoted so that
# special characters in a password cannot break the command, and no_log keeps
# the clear-text value out of the play output (the registered result is still
# populated). Note that the value is still passed as a command-line argument.
- name: "Encrypt Sensitive Configuration Values"
  shell: "{{ JAVA_EXE }} -jar {{ ENCRYPTOR_JAR }} encrypt {{ CLASSES_DIR }} {{ item.value | quote }}"
  loop: "{{ secure_prop_list }}"
  loop_control:
    label: "Encrypting {{ item.name }}"
  no_log: true
  register: encrypted_text

# Writes one marked block per property so re-runs update it in place
- name: "Add encrypted properties to alfresco-encrypted.properties"
  blockinfile:
    path: "{{ CLASSES_DIR }}/alfresco-encrypted.properties"
    block: "{{ item.item.name }}=ENC({{ item.stdout }})"
    state: present
    marker: "# {mark} Ansible Managed Property --> {{ item.item.name }}"
  loop: "{{ encrypted_text.results }}"
  loop_control:
    label: "Adding {{ item.item.name }}"


Then in the parent playbook, a task sets up the list of properties to be encrypted and calls the subtask. In this example the list has only one encrypted property:

# Encrypts sensitive properties
- import_tasks: tasks/encrypt-properties.yml
  vars:
    INSTALL_USER: alfresco
    INSTALL_GROUP: alfresco
    JAVA_EXE: "{{ INSTALL_FOLDER_PATH }}/java/bin/java"
    ENCRYPTOR_JAR: "{{ INSTALL_FOLDER_PATH }}/bin/alfresco-spring-encryptor.jar"
    CLASSES_DIR: "{{ INSTALL_FOLDER_PATH }}/tomcat/shared/classes"
    secure_prop_list:
      - { name: "db.password.enc", value: "{{ DB_PASSWORD }}" }

Typically the DB_PASSWORD value would be stored in an Ansible inventory file, where it can also be encrypted with Ansible Vault. Encrypting the inventory value is not strictly necessary, but it adds an extra measure of security: the whole point of encrypting the Alfresco properties is that the secrets are not stored anywhere as plain text. The two layers are different in kind, since Alfresco uses asymmetric encryption (public-key cryptography) and Ansible Vault uses symmetric encryption, so the value ends up encrypted twice.
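Steps 4 and 5 of the procedure, and the point just made about clear text, can be checked after a deployment. The following script is an added example and is not code from the original post or from Alfresco's tooling: it parses alfresco-global.properties and alfresco-encrypted.properties with a minimal Java .properties reader and reports any sensitive value that is neither an ENC(...) literal nor a reference to a key that exists in the encrypted file. It assumes, which the post does not show, that alfresco-global.properties refers to an encrypted value with a ${key} placeholder (for example db.password=${db.password.enc}), and it treats a property whose name contains password, passwd, secret or credential as sensitive. The two sample files are constructed.

```python
"""Post-deployment check for the encrypted-properties layout described above.

Added example, not part of the original post or of Alfresco's tooling. It
never decrypts anything; it only reads the two .properties files and reports
sensitive values that were left in clear text.

Assumptions not confirmed by the post:
  * alfresco-global.properties refers to an encrypted value with a ${key}
    placeholder, e.g. db.password=${db.password.enc}
  * a property whose name contains password/passwd/secret/credential is sensitive
"""
import re
import sys

ENC_RE = re.compile(r"^ENC\([^()]+\)$")            # ENC(<ciphertext>) literal
REF_RE = re.compile(r"^\$\{([A-Za-z0-9_.\-]+)\}$")  # ${key} reference
SENSITIVE_RE = re.compile(r"password|passwd|secret|credential", re.IGNORECASE)


def parse_properties(text):
    """Minimal Java .properties parser: 'key=value' or 'key: value', '#'/'!'
    comment lines, and backslash line continuations. Escapes are not decoded."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical = pending + line
        pending = ""
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def find_cleartext_secrets(global_props, encrypted_props):
    """Return (file, key, reason) findings for the two parsed files."""
    findings = []
    # Everything in alfresco-encrypted.properties must be ENC(...)-wrapped.
    for key, value in encrypted_props.items():
        if not ENC_RE.match(value):
            findings.append(("alfresco-encrypted.properties", key,
                             "value is not ENC(...)-wrapped"))
    # Sensitive keys in alfresco-global.properties must be an ENC(...) literal
    # or a ${ref} to a key that exists in the encrypted file.
    for key, value in global_props.items():
        if not SENSITIVE_RE.search(key) or ENC_RE.match(value):
            continue
        ref = REF_RE.match(value)
        if ref:
            if ref.group(1) not in encrypted_props:
                findings.append(("alfresco-global.properties", key,
                                 "references missing encrypted key " + ref.group(1)))
        else:
            findings.append(("alfresco-global.properties", key, "clear-text value"))
    return findings


def check_files(global_path, encrypted_path):
    """Run the check against real files on disk."""
    with open(global_path, encoding="utf-8") as g, open(encrypted_path, encoding="utf-8") as e:
        return find_cleartext_secrets(parse_properties(g.read()), parse_properties(e.read()))


# Constructed sample files, shaped like what the playbook above writes.
SAMPLE_ENCRYPTED = """\
# BEGIN Ansible Managed Property --> db.password.enc
db.password.enc=ENC(c29tZS1jaXBoZXJ0ZXh0LXNhbXBsZQ==)
# END Ansible Managed Property --> db.password.enc
ldap.synchronization.java.naming.security.credentials=s3cr3t-left-in-clear
"""

SAMPLE_GLOBAL = """\
db.driver=org.postgresql.Driver
db.username=alfresco
db.password=${db.password.enc}
mail.password=changeme
mail.host=smtp.example.invalid
"""


def check_sample():
    """Run the check over the constructed samples (two findings expected)."""
    return find_cleartext_secrets(parse_properties(SAMPLE_GLOBAL),
                                  parse_properties(SAMPLE_ENCRYPTED))


if __name__ == "__main__":
    results = check_files(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else check_sample()
    for file_name, key, reason in results:
        print(f"{file_name}: {key}: {reason}")
    sys.exit(1 if results else 0)
```

Run with no arguments it checks the built-in samples and reports the ldap credential left unwrapped in the encrypted file and the clear-text mail.password in the global file; run with the two file paths it checks a real deployment and exits non-zero on any finding, so it can sit at the end of the playbook as a verification step. The sensitive-name regex is a heuristic and is the first thing to adapt to an installation's own property names.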

This is just one example of more advanced functionality that Ansible is really useful for automating. Stay tuned for future blog posts, where we’ll discuss more examples.
