Hi Jagath,

On Thu, Jul 30, 2015 at 9:03 PM, Jagath Sisirakumara Ariyarathne <[email protected]> wrote:

> Hi Niranjan,
>
> I followed the below steps to secure passwords in axis2.xml keystores with ESB 4.9.0-BETA-SNAPSHOT built with cipher tool 1.0.0-wso2v3.
>
> 1. Added axis2 configuration entries to the cipher-tool.properties file.
>
> Axis2.Https.Listener.TrustStore.Password=repository/conf/axis2/axis2.xml//axisconfig/transportReceiver[@name='https']/parameter[@name='truststore']/TrustStore/Password,false
> Axis2.Https.Listener.KeyStore.Password=repository/conf/axis2/axis2.xml//axisconfig/transportReceiver[@name='https']/parameter[@name='keystore']/KeyStore/Password,false
>
> 2. Executed the cipher text configuration command ./ciphertool.sh -Dconfigure. It updated axis2.xml with the given aliases.
>
> <parameter locked="false" name="truststore">
>   <TrustStore>
>     <Location>repository/resources/security/client-truststore.jks</Location>
>     <Type>JKS</Type>
>     <Password svns:secretAlias="Axis2.Https.Listener.TrustStore.Password">password</Password>
>   </TrustStore>
> </parameter>
>
> 3. But encrypted keys were updated in the cipher-text.properties file only for existing entries, not for the new axis2 entries configured above.

You need to add the alias followed by the password in square brackets into the cipher-text.properties file and then run ./ciphertool.sh -Dconfigure. Only then will it encrypt the password entered inside square brackets in the cipher-text.properties.

> 4. Also ESB gives the error "java.io.IOException: Keystore was tampered with, or password was incorrect" at startup.
>
> Is there anything missing in my procedure?
>
> Also I experienced the below error when running integration tests in ESB 4.9.0 with kernel 4.4.1 RC1. It did not occur with kernel 4.4.0. Would it be due to any missing information in catalina-server.xml?
>
> INFO [org.wso2.carbon.integration.common.extensions.utils.ServerLogReader] - org.w3c.dom.DOMException: NOT_FOUND_ERR: An attempt is made to reference a node in a context where it does not exist.
> INFO [org.wso2.carbon.integration.common.extensions.utils.ServerLogReader] - at org.apache.xerces.dom.AttributeMap.internalRemoveNamedItem(Unknown Source)
> INFO [org.wso2.carbon.integration.common.extensions.utils.ServerLogReader] - at org.apache.xerces.dom.AttributeMap.removeNamedItem(Unknown Source)
> INFO [org.wso2.carbon.integration.common.extensions.utils.ServerLogReader] - at org.wso2.carbon.tomcat.internal.ServerManager.init(ServerManager.java:85)

In Carbon 4.2.0, the certificate in the Primary Keystore (in carbon.xml) was used as the SSL certificate, but in Carbon 4.4.0 this has been moved to catalina-server.xml. Therefore you will need to encrypt the password of the JKS in catalina-server.xml also when you run the cipher-tool. In order to do that you need to add the following values [1] and [2] into cipher-tool.properties and cipher-text.properties of the product respectively. This issue is happening since, after running the ciphertool, this value is not encrypted as the keys are not added to cipher-text.properties and cipher-tool.properties. Can you please add a JIRA in kernel for this, i.e., the issue after running the ciphertool without encrypting the Keystore password in catalina-server.xml. This is not a blocker for you since the recommended approach when you run the ciphertool is to encrypt the JKS password in catalina-server.xml.

[1] - https://github.com/wso2/cipher-tool/blob/master/features/org.wso2.ciphertool.feature/resources/conf/cipher-tool.properties#L12
[2] - https://github.com/wso2/cipher-tool/blob/master/features/org.wso2.ciphertool.feature/resources/conf/cipher-text.properties#L9

> Thanks.
> --
> Jagath Ariyarathne
> Technical Lead
> WSO2 Inc. http://wso2.com/
> Email: [email protected]
> Mob : +94 77 386 7048

Regards,
Nira

--
Niranjan Karunanandham
Senior Software Engineer - WSO2 Inc.
WSO2 Inc.: http://www.wso2.com
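The procedure discussed in the thread (alias and XPath in cipher-tool.properties, alias=[plaintext] in cipher-text.properties, then ./ciphertool.sh -Dconfigure) is easy to leave half done, which is exactly what step 3 describes: an alias that has an XPath but no cipher-text entry is silently left unencrypted. The following Python script is an added example, not code from the thread or from the cipher-tool project, and it performs no encryption itself. It parses the two properties files and the target config file and lists every alias that is still unencrypted in cipher-text.properties or not referenced by an svns:secretAlias attribute at its XPath. The sample file contents, the hypothetical Example.Already.Encrypted.Password alias with its made-up ciphertext, and the svns namespace URI are constructed or assumed rather than taken from the thread.

```python
"""Pre-flight check for WSO2 cipher-tool config files: added example for this
thread, not code from the cipher-tool project, and it performs no encryption.
  cipher-tool.properties   alias=<config file>//<xpath>,<flag>
  cipher-text.properties   alias=[plaintext] before ./ciphertool.sh -Dconfigure, alias=<ciphertext> after
"""
import xml.etree.ElementTree as ET

# Constructed cipher-tool.properties: the two axis2 aliases from the thread.
CIPHER_TOOL_PROPERTIES = """\
Axis2.Https.Listener.TrustStore.Password=repository/conf/axis2/axis2.xml//axisconfig/transportReceiver[@name='https']/parameter[@name='truststore']/TrustStore/Password,false
Axis2.Https.Listener.KeyStore.Password=repository/conf/axis2/axis2.xml//axisconfig/transportReceiver[@name='https']/parameter[@name='keystore']/KeyStore/Password,false
"""
# Constructed cipher-text.properties: truststore alias added with plaintext in
# brackets, keystore alias forgotten, a hypothetical third alias already encrypted.
CIPHER_TEXT_PROPERTIES = """\
Axis2.Https.Listener.TrustStore.Password=[wso2carbon]
Example.Already.Encrypted.Password=bXlFbmNyeXB0ZWRWYWx1ZQ==
"""
# Constructed, trimmed axis2.xml after -Dconfigure handled only the truststore
# entry. The svns namespace URI is assumed, not taken from the thread.
SVNS_NS = "http://org.wso2.securevault/configuration"
AXIS2_XML = f"""\
<axisconfig name="AxisJava2.0" xmlns:svns="{SVNS_NS}">
  <transportReceiver name="https">
    <parameter locked="false" name="truststore">
      <TrustStore>
        <Password svns:secretAlias="Axis2.Https.Listener.TrustStore.Password">password</Password>
      </TrustStore>
    </parameter>
    <parameter locked="false" name="keystore">
      <KeyStore>
        <Password>wso2carbon</Password>
      </KeyStore>
    </parameter>
  </transportReceiver>
</axisconfig>
"""

def parse_properties(text):
    """Minimal .properties reader: split on the first '=' only, since the XPath
    values themselves contain '='; '#' and '!' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_cipher_tool(text):
    """alias -> (config_file, xpath); the trailing ',<flag>' field is dropped here."""
    entries = {}
    for alias, value in parse_properties(text).items():
        location = value.rsplit(",", 1)[0]
        config_file, _, xpath = location.partition("//")
        entries[alias] = (config_file, "//" + xpath)
    return entries

def classify(tool_entries, text_props):
    """What -Dconfigure finds per alias: missing, plaintext, encrypted or orphan."""
    status = {}
    for alias in tool_entries:
        value = text_props.get(alias)
        if value is None:
            status[alias] = "missing"      # nothing to encrypt: the thread's symptom
        elif value.startswith("[") and value.endswith("]"):
            status[alias] = "plaintext"    # encrypted on the next -Dconfigure run
        else:
            status[alias] = "encrypted"
    for alias in text_props:
        status.setdefault(alias, "orphan")  # ciphertext with no XPath to inject into
    return status

def secret_alias_at(xml_text, xpath):
    """svns:secretAlias on the element selected by xpath, or None if absent."""
    root = ET.fromstring(xml_text)
    head, _, rest = xpath.lstrip("/").partition("/")
    elem = (root.find("./" + rest) if rest else root) if head == root.tag else None
    return None if elem is None else elem.get(f"{{{SVNS_NS}}}secretAlias")

def check_deployment(tool_text, text_text, config_files):
    """Cross-check both properties files against the config files they point at;
    returns human-readable problems, empty when every alias is fully secured."""
    tool_entries = parse_cipher_tool(tool_text)
    status = classify(tool_entries, parse_properties(text_text))
    problems = []
    for alias, (config_file, xpath) in tool_entries.items():
        if status[alias] != "encrypted":
            problems.append(f"{alias}: cipher-text.properties value is {status[alias]}")
        if config_file not in config_files:
            problems.append(f"{alias}: {config_file} not supplied")
        elif secret_alias_at(config_files[config_file], xpath) != alias:
            problems.append(f"{alias}: no svns:secretAlias at {xpath} in {config_file}")
    return problems

if __name__ == "__main__":
    for p in check_deployment(CIPHER_TOOL_PROPERTIES, CIPHER_TEXT_PROPERTIES,
                              {"repository/conf/axis2/axis2.xml": AXIS2_XML}):
        print(p)
```

Run against the constructed sample it reports three problems: the truststore alias is still in its bracketed plaintext form, and the keystore alias is both absent from cipher-text.properties and not bound to its Password element in axis2.xml. An empty result is the state to reach before starting the server, and it is the same check to extend with the catalina-server.xml keystore alias that the reply points to in [1] and [2].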
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
