Hi Niranjan,

On Mon, May 22, 2017 at 5:54 PM, Niranjan Karunanandham <[email protected]> wrote:

> Hi Dilan,
>
> On Mon, May 22, 2017 at 5:11 PM, Dilan Udara Ariyaratne <[email protected]> wrote:
>
>> Hi Niranjan,
>>
>> On Mon, May 22, 2017 at 2:48 PM, Niranjan Karunanandham <[email protected]> wrote:
>>
>>> Hi Dilan,
>>>
>>> On Fri, May 5, 2017 at 7:15 PM, Dilan Udara Ariyaratne <[email protected]> wrote:
>>>
>>>> Hi Folks,
>>>>
>>>> The following conceptions are still there regarding keystores used in WSO2 products.
>>>>
>>>> 1. Primary KeyStore must contain only one private key. There cannot be two private keys. (This is due to some issue in WSO2 products which may be fixed in future.)
>>>> 2. Primary KeyStore must use the *same* password as KeyStore password and private key password. (This is due to some issue in WSO2 products which may be fixed in future.)
>>>>
>>>> Are these conceptions still valid, or have these issues already been fixed?
>>>>
>>>
>>> In WSO2 Carbon there are multiple keystores. I believe the keystore that you have mentioned above is only the KeyStore [1] in carbon.xml. In 4.4.x, this keystore is used for secure vault only.
>>>
>>
>> Aren't those secure vault configurations for keystores configured in secret-conf.properties?
>>
>
> This file is created by the cipher tool script file. It reads the carbon.xml and creates this file. You can find info on these files in [1].
>

Yes, it's true that the secret-conf.properties file is created once you run the cipher tool. But from a user's point of view, if someone wants to configure a keystore for secure vault, the file to configure that is secret-conf.properties, right?

>
>>
>>> As you have mentioned, in 4.4.x, if secure vault is enabled, then at server startup it will ask for a single password, which it uses for both the keystore and private key password.
>>>
>>
>> In https://docs.wso2.com/display/ADMIN44x/Using+Asymmetric+Encryption, it says that "You must have the same password for both keystore and private key due to a Tomcat limitation", and therefore it seems not to be because of secure vault.
>>
>
> I was referring to the limitation on the same password to be used at server startup, which uses the secure vault JKS that is used to decrypt the passwords. With regard to this, you need to check the Tomcat documentation and verify this. Anyway, here if we have separate JKS for secure vault and Tomcat SSL, we can have separate passwords for both JKS. Any particular reason as to why you need to have a separate keystore password and private key password for SSL, which is in an isolated JKS?
>
>>
>>> IMO since this is only for secure vault, we can have the same password. In addition, AFAIK we can have multiple private keys here. In 4.4.x, the JKS for SSL has been moved to catalina-server.xml. Therefore a separate keystore can be maintained for this. These two configurations are mentioned in [2].
>>>
>>>> Thanks.
>>>> *Dilan U. Ariyaratne*
>>>> Senior Software Engineer
>>>> WSO2 Inc. <http://wso2.com/>
>>>> Mobile: +94766405580
>>>> lean . enterprise . middleware
>>>>
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> [email protected]
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>> [1] -
>>> <KeyStore>
>>>     <!-- Keystore file location-->
>>>     <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
>>>     <!-- Keystore type (JKS/PKCS12 etc.)-->
>>>     <Type>JKS</Type>
>>>     <!-- Keystore password-->
>>>     <Password>wso2carbon</Password>
>>>     <!-- Private Key alias-->
>>>     <KeyAlias>wso2carbon</KeyAlias>
>>>     <!-- Private Key password-->
>>>     <KeyPassword>wso2carbon</KeyPassword>
>>> </KeyStore>
>>>
>>> [2] - https://docs.wso2.com/display/ADMIN44x/Configuring+Keystores+in+WSO2+Products
>>>
>>> Regards,
>>> Nira
>>>
>>> --
>>>
>>>
>>> *Niranjan Karunanandham*
>>> Associate Technical Lead - WSO2 Inc.
>>> WSO2 Inc.: http://www.wso2.com
>>>
>>>
>>
> [1] - https://docs.wso2.com/display/ADMIN44x/Carbon+Secure+Vault+Implementation
>
> Regards,
> Nira
>
> --
>
>
> *Niranjan Karunanandham*
> Associate Technical Lead - WSO2 Inc.
> WSO2 Inc.: http://www.wso2.com
>
>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
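The thread turns on two configuration facts: the carbon.xml <KeyStore> block quoted as [1] carries both a keystore password and a private-key password, and in 4.4.x the SSL keystore is configured separately in catalina-server.xml, so the two can be isolated from each other. The following validator is an added example, not code from the thread or from WSO2's tooling. It parses both fragments and reports (a) whether the carbon.xml keystore uses the same password for keystore and key, as the quoted documentation requires, and (b) whether the SSL connector points at the same keystore file as the secure-vault keystore, in which case the two password constraints are coupled. The carbon.xml sample is taken from [1] (the surrounding <Server><Security> wrapper is assumed); the catalina-server.xml sample is constructed with hypothetical values, using Tomcat's standard keystoreFile / keystorePass / keyPass connector attributes.

```python
import xml.etree.ElementTree as ET

# Sample carbon.xml, built from the <KeyStore> fragment quoted as [1] in the
# thread. The <Server><Security> wrapper is an assumption about the layout.
CARBON_XML = """<Server>
  <Security>
    <KeyStore>
      <!-- Keystore file location-->
      <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
      <!-- Keystore type (JKS/PKCS12 etc.)-->
      <Type>JKS</Type>
      <!-- Keystore password-->
      <Password>wso2carbon</Password>
      <!-- Private Key alias-->
      <KeyAlias>wso2carbon</KeyAlias>
      <!-- Private Key password-->
      <KeyPassword>wso2carbon</KeyPassword>
    </KeyStore>
  </Security>
</Server>"""

# Constructed catalina-server.xml fragment with hypothetical file name and
# passwords. keystoreFile / keystorePass / keyPass are Tomcat JSSE connector
# attributes; the separate file models the "isolated JKS for SSL" case.
CATALINA_SERVER_XML = """<Server>
  <Service>
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9443" scheme="https" secure="true"
               keystoreFile="${carbon.home}/repository/resources/security/ssl-only.jks"
               keystorePass="ssl-store-pass"
               keyPass="ssl-key-pass"/>
  </Service>
</Server>"""


def parse_carbon_keystore(xml_text):
    """Return the child elements of the first <KeyStore> as a tag -> text dict."""
    root = ET.fromstring(xml_text)
    keystore = root.find(".//KeyStore")
    if keystore is None:
        raise ValueError("no <KeyStore> element found in carbon.xml")
    return {child.tag: (child.text or "").strip() for child in keystore}


def parse_ssl_connectors(xml_text):
    """Return the attribute dicts of every <Connector> that declares a keystore."""
    root = ET.fromstring(xml_text)
    return [c.attrib for c in root.iter("Connector") if c.get("keystoreFile")]


def check_keystores(carbon_xml, catalina_xml):
    """Run both consistency checks and return a list of human-readable findings.

    An empty list means the configuration satisfies the constraints discussed
    in the thread: one password for the secure-vault keystore and its key, and
    an SSL keystore that does not share a file with the secure-vault keystore.
    """
    findings = []
    vault = parse_carbon_keystore(carbon_xml)

    # Check (a): the 4.4.x startup prompt applies one password to both the
    # keystore and the private key, so a mismatch here cannot be unlocked.
    if vault.get("Password") != vault.get("KeyPassword"):
        findings.append(
            "carbon.xml KeyStore: <Password> differs from <KeyPassword>; "
            "secure vault prompts for a single password and uses it for both"
        )

    # Check (b): an SSL connector that reuses the secure-vault JKS inherits the
    # same-password requirement; a separate file lets SSL choose its own.
    for conn in parse_ssl_connectors(catalina_xml):
        if conn["keystoreFile"] == vault.get("Location"):
            findings.append(
                "catalina-server.xml connector on port %s reuses the secure-vault "
                "keystore %s; its keystore and key passwords are therefore coupled "
                "to the secure-vault constraint" % (conn.get("port"), conn["keystoreFile"])
            )
    return findings


if __name__ == "__main__":
    for line in check_keystores(CARBON_XML, CATALINA_SERVER_XML) or ["OK: keystores consistent"]:
        print(line)
```

Run against the two samples it reports nothing, because the secure-vault keystore uses one password and SSL has its own file. Pointing the connector's keystoreFile at wso2carbon.jks, or giving carbon.xml a <KeyPassword> that differs from <Password>, produces a finding for the respective check.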
