Hi Dilan,

On Mon, May 22, 2017 at 5:11 PM, Dilan Udara Ariyaratne <[email protected]> wrote:

> Hi Niranjan,
>
> On Mon, May 22, 2017 at 2:48 PM, Niranjan Karunanandham <[email protected]> wrote:
>
>> Hi Dilan,
>>
>> On Fri, May 5, 2017 at 7:15 PM, Dilan Udara Ariyaratne <[email protected]> wrote:
>>
>>> Hi Folks,
>>>
>>> The following conceptions are still there regarding keystores used in WSO2 products.
>>>
>>> 1. The primary KeyStore must contain only one private key. There cannot be two private keys. (This is due to some issue in WSO2 products which may be fixed in future.)
>>> 2. The primary KeyStore must use the *same* password as the KeyStore password and the private key password. (This is due to some issue in WSO2 products which may be fixed in future.)
>>>
>>> Are these conceptions still valid, or have these issues already been fixed?
>>>
>>
>> In WSO2 Carbon there are multiple keystores. I believe the keystore that you have mentioned above is only the Keystore [1] in carbon.xml. In 4.4.x, this keystore is used only for secure vault.
>>
>
> Aren't those secure vault configurations for keystores configured in secret-conf.properties?
>

This file is created by the cipher tool script. It reads carbon.xml and creates this file. You can find info on these files in [1].

>
>> As you have mentioned, in 4.4.x, if secure vault is enabled, then at server startup it will ask for a single password which it uses for both the Keystore and private key password.
>>
>
> In https://docs.wso2.com/display/ADMIN44x/Using+Asymmetric+Encryption, it says that "You must have the same password for both keystore and private key due to a Tomcat limitation", and therefore it seems not to be because of secure vault.
>

I was referring to the limitation that the same password has to be used at server startup, which uses the secure vault JKS to decrypt the passwords. With regard to this, you need to check the Tomcat documentation and verify this.

Anyway, here, if we have separate JKS files for secure vault and Tomcat SSL, we can have separate passwords for both JKS files. Any particular reason as to why you need to have a separate keystore password and private key password for SSL, which is in an isolated JKS?

>
>> IMO since this is only for secure vault, we can have the same password. In addition, AFAIK we can have multiple private keys here. In 4.4.x, the JKS for SSL has been moved to catalina-server.xml. Therefore a separate keystore can be maintained for this. These two configurations are mentioned in [2].
>>
>>> Thanks.
>>> *Dilan U. Ariyaratne*
>>> Senior Software Engineer
>>> WSO2 Inc. <http://wso2.com/>
>>> Mobile: +94766405580
>>> lean . enterprise . middleware
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>
>> [1] -
>> <KeyStore>
>>     <!-- Keystore file location-->
>>     <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
>>     <!-- Keystore type (JKS/PKCS12 etc.)-->
>>     <Type>JKS</Type>
>>     <!-- Keystore password-->
>>     <Password>wso2carbon</Password>
>>     <!-- Private Key alias-->
>>     <KeyAlias>wso2carbon</KeyAlias>
>>     <!-- Private Key password-->
>>     <KeyPassword>wso2carbon</KeyPassword>
>> </KeyStore>
>>
>> [2] - https://docs.wso2.com/display/ADMIN44x/Configuring+Keystores+in+WSO2+Products
>>
>> Regards,
>> Nira
>>
>> --
>> *Niranjan Karunanandham*
>> Associate Technical Lead - WSO2 Inc.
>> WSO2 Inc.: http://www.wso2.com
>>
>

[1] - https://docs.wso2.com/display/ADMIN44x/Carbon+Secure+Vault+Implementation

Regards,
Nira

--
*Niranjan Karunanandham*
Associate Technical Lead - WSO2 Inc.
WSO2 Inc.: http://www.wso2.com
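The two "conceptions" in the thread (one private key per keystore; keystore password equal to private key password) can be checked directly against a JKS file. The following is an added diagnostic, not code from the thread or from WSO2; it assumes the keystore path, store password and (optionally) key password are given as command-line arguments, and uses only the standard `java.security.KeyStore` API.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

/*
 * Added diagnostic (hypothetical tool, not part of WSO2 Carbon).
 * Lists every private-key entry in a JKS and reports whether each key
 * is protected by the same password as the keystore itself.
 * Usage: java KeystoreAudit <path.jks> <storePass> [keyPass]
 */
public class KeystoreAudit {

    /** True if the private key under alias can be recovered with keyPass. */
    static boolean keyOpensWith(KeyStore ks, String alias, char[] keyPass) throws Exception {
        try {
            return ks.getKey(alias, keyPass) != null;
        } catch (UnrecoverableKeyException e) {
            return false; // wrong key password for this entry
        }
    }

    public static void main(String[] args) throws Exception {
        String path = args[0];
        char[] storePass = args[1].toCharArray();
        char[] keyPass = args.length > 2 ? args[2].toCharArray() : storePass;

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass); // store password only guards integrity and listing
        }

        int privateKeys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries carry no private key
            }
            privateKeys++;
            boolean sameAsStore = keyOpensWith(ks, alias, storePass);
            boolean opensWithKeyPass = keyOpensWith(ks, alias, keyPass);
            System.out.printf("%-20s same-as-store=%b opens-with-keyPass=%b%n",
                    alias, sameAsStore, opensWithKeyPass);
        }
        System.out.println("private key entries: " + privateKeys);
        if (privateKeys > 1) {
            System.out.println("note: <KeyAlias> in carbon.xml selects the one Carbon uses");
        }
    }
}
```

Running it against the shipped wso2carbon.jks with `wso2carbon` as both passwords shows a single key entry with `same-as-store=true`; a keystore whose key password differs from the store password will report `same-as-store=false` while still loading, which is the case the thread's second conception concerns.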
