Hi Dilan,

On Tue, May 23, 2017 at 3:44 PM, Dilan Udara Ariyaratne <[email protected]> wrote:

> Hi Niranjan,
>
> On Mon, May 22, 2017 at 5:54 PM, Niranjan Karunanandham <[email protected]> wrote:
>
>> Hi Dilan,
>>
>> On Mon, May 22, 2017 at 5:11 PM, Dilan Udara Ariyaratne <[email protected]> wrote:
>>
>>> Hi Niranjan,
>>>
>>> On Mon, May 22, 2017 at 2:48 PM, Niranjan Karunanandham <[email protected]> wrote:
>>>
>>>> Hi Dilan,
>>>>
>>>> On Fri, May 5, 2017 at 7:15 PM, Dilan Udara Ariyaratne <[email protected]> wrote:
>>>>
>>>>> Hi Folks,
>>>>>
>>>>> The following conceptions are still there regarding keystores used in WSO2 products.
>>>>>
>>>>> 1. Primary KeyStore must contain only one private key. There cannot be two private keys. (This is due to some issue in WSO2 products which may be fixed in future.)
>>>>> 2. Primary KeyStore must contain the *same* password as KeyStore password and private key password. (This is due to some issue in WSO2 products which may be fixed in future.)
>>>>>
>>>>> Are these conceptions still valid, or have these issues already been fixed?
>>>>
>>>> In WSO2 Carbon there are multiple keystores. I believe the above keystore that you have mentioned is only the Keystore [1] in carbon.xml. In 4.4.x, this keystore is only used for secure vault.
>>>
>>> Aren't those secure vault configurations for keystores configured in secret-conf.properties?
>>
>> This file is created by the cipher tool script file. It reads the carbon.xml and creates this file. You can find info on these files in [1].
>
> Yes, it's true that the secret-conf.properties file is created once you run the cipher tool. But from a user's point of view, if someone wants to configure a keystore for secure-vault, the file to configure that is secret-conf.properties, right?

The secret-conf.properties is for configuring the keystore in a WSO2 product. When you execute the cipher-tool script, it creates the secret-conf.properties with some configuration such as the callback handler, etc. The customer can write custom components for that and then configure the secret-conf.properties to that component. Also in the code, it checks if the secret-conf.properties is there and the values are there. Based on this information, it figures out whether secure vault is enabled or not. Also the cipher-tool script can be used standalone, i.e., in non-WSO2 products, in which case it creates the keystore, which can be modified. You can find about this in [1].

>>>> As you have mentioned, in 4.4.x, if secure vault is enabled, then at the server startup, it will ask for a single password which it uses for both the Keystore and private key password.
>>>
>>> In https://docs.wso2.com/display/ADMIN44x/Using+Asymmetric+Encryption, it says that "You must have the same password for both keystore and private key due to a Tomcat limitation" and therefore, it seems not because of secure vault.
>>
>> I was referring to the limitation on the same password to be used at the server start, which uses the secure vault JKS which is used to decrypt the passwords. With regard to this, you need to check the Tomcat documentation and verify this. Anyway, here if we have separate JKS for secure vault and Tomcat SSL we can have separate passwords for both JKS. Any particular reason as to why you need to have a separate keystore password and private key password for SSL which is in an isolated JKS?
>>
>>>> IMO since this is only for secure vault, we can have the same password. In addition, AFAIK we can have multiple private keys here. In 4.4.x, the JKS for SSL has been moved to catalina-server.xml. Therefore a separate keystore can be maintained for this. These two configurations are mentioned in [2].
>>>>
>>>>> Thanks.
>>>>>
>>>>> *Dilan U. Ariyaratne*
>>>>> Senior Software Engineer
>>>>> WSO2 Inc. <http://wso2.com/>
>>>>> Mobile: +94766405580
>>>>> lean . enterprise . middleware
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> [email protected]
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>> [1] -
>>>> <KeyStore>
>>>>     <!-- Keystore file location-->
>>>>     <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
>>>>     <!-- Keystore type (JKS/PKCS12 etc.)-->
>>>>     <Type>JKS</Type>
>>>>     <!-- Keystore password-->
>>>>     <Password>wso2carbon</Password>
>>>>     <!-- Private Key alias-->
>>>>     <KeyAlias>wso2carbon</KeyAlias>
>>>>     <!-- Private Key password-->
>>>>     <KeyPassword>wso2carbon</KeyPassword>
>>>> </KeyStore>
>>>>
>>>> [2] - https://docs.wso2.com/display/ADMIN44x/Configuring+Keystores+in+WSO2+Products
>>>>
>>>> Regards,
>>>> Nira
>>>>
>>>> --
>>>> *Niranjan Karunanandham*
>>>> Associate Technical Lead - WSO2 Inc.
>>>> WSO2 Inc.: http://www.wso2.com
>>
>> [1] - https://docs.wso2.com/display/ADMIN44x/Carbon+Secure+Vault+Implementation
>>
>> Regards,
>> Nira

[1] - https://docs.wso2.com/display/Carbon4411/Enabling+Cipher+Tool+for+Password+Encryption

Regards,
Nira
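One way to sanity-check the carbon.xml KeyStore block from [1] against the two points raised in the thread (the 4.4.x startup prompt supplying a single password for both keystore and private key, and the shipped default password still being in place), as added example code that is not from WSO2 or any of the thread participants; the carbon_home path and the sample XML are constructed:

```python
"""Audit the <KeyStore> block of a WSO2 Carbon carbon.xml.  Example code
written for this thread, not WSO2's own; sample XML and paths are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: the [1] snippet from the thread, wrapped in a root element.
SAMPLE_CARBON_XML = """<Server>
  <KeyStore>
    <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
    <Type>JKS</Type>
    <Password>wso2carbon</Password>
    <KeyAlias>wso2carbon</KeyAlias>
    <KeyPassword>wso2carbon</KeyPassword>
  </KeyStore>
</Server>"""

DEFAULT_PASSWORD = "wso2carbon"  # the default that ships in the snippet above


def parse_keystore(xml_text, carbon_home="/opt/wso2carbon"):
    """Return the <KeyStore> children as a dict, with ${carbon.home} resolved."""
    ks = ET.fromstring(xml_text).find("KeyStore")
    if ks is None:
        raise ValueError("no <KeyStore> element in carbon.xml")
    cfg = {child.tag: (child.text or "").strip() for child in ks}
    cfg["Location"] = cfg.get("Location", "").replace("${carbon.home}", carbon_home)
    return cfg


def audit_keystore(xml_text, carbon_home="/opt/wso2carbon"):
    """Return a list of findings; an empty list means the block passes."""
    cfg = parse_keystore(xml_text, carbon_home)
    findings = []
    for tag in ("Location", "Password", "KeyAlias", "KeyPassword"):
        if not cfg.get(tag):
            findings.append(f"missing or empty <{tag}>")
    # In 4.4.x the startup prompt takes one password and uses it for both the
    # keystore and the private key, so differing values will not unlock the key.
    if cfg.get("Password") and cfg.get("KeyPassword") and cfg["Password"] != cfg["KeyPassword"]:
        findings.append("<Password> and <KeyPassword> differ")
    # The shipped default is public knowledge; flag it in either field.
    for tag in ("Password", "KeyPassword"):
        if cfg.get(tag) == DEFAULT_PASSWORD:
            findings.append(f"<{tag}> is still the default '{DEFAULT_PASSWORD}'")
    return findings


if __name__ == "__main__":
    for finding in audit_keystore(SAMPLE_CARBON_XML):
        print("WARN:", finding)
```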
