Dear list members,

I am looking for a way to make automatic changes of the master password (aka root password). We deploy GeoServer automatically in our infrastructure and since GeoServer 2.4 we have to change the now static master password manually after each deploy - this happens quite often.
To make automatic deploys fun again, I tried to figure out how to change the master password via CLI tools, but have not been successful yet. These are the current steps:

1. Create new master password provider
   * create folder <data_dir>/security/masterpw/new_provider
   * create file <data_dir>/security/masterpw/new_provider/masterpw.xml with proper content (no encryption activated)
   * create file <data_dir>/security/masterpw/new_provider/passwd containing the new password in plaintext
   * Change default master password provider in <data_dir>/security/masterpw.xml

2. Change keystore passwd
   * keytool -storepasswd -new new_password -keystore geoserver.jceks -storetype JCEKS

3. Create new masterpw.digest (http://www.jasypt.org/cli.html)
   * digest.sh algorithm=SHA-256 saltSizeBytes=16 iterations=100000 input="new_password"
   * Put the result in masterpw.digest, format: digest1:<new_hash>

4. Restart GeoServer

After doing this, it seems like GeoServer is not able to open the keystore anymore:

    org.springframework.beans.factory.BeanCreationException: Error occured reading security configuration; nested exception is java.io.IOException: Keystore was tampered with, or password was incorrect

So maybe the way the masterpw.digest gets generated is wrong? Base64 is used in the source code, but encoding the hash has not worked either. Can anybody maybe give me a hint? This would be great!

[OT]
In my opinion the static master password is a step backwards in terms of security. Compared to the risk of the plain text password file with a randomly generated password, the static master password is much more dangerous. Especially since this fact is not mentioned or even highlighted in the current documentation, a lot of users are maybe not aware of how important this change is.
(There is already an issue on this topic: GEOS-6136 [1])
[/OT]

Best regards,
Patric

[1] http://jira.codehaus.org/browse/GEOS-6136

--
web www.geops.de
rss www.geops.de/blog/feed
follow www.twitter.com/geops
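Added example, not part of the original post and not GeoServer or Jasypt code: a checker for step 3 that rebuilds a digest1:<hash> line with the digest.sh parameters from the post and tests whether a given line matches a password. It assumes Jasypt's default digester layout (salt prepended to the password before hashing, plain salt prepended to the result, Base64 output); that GeoServer verifies masterpw.digest in exactly this way is an assumption the post does not confirm, and the function names and sample password are constructed.

```python
import base64
import hashlib
import hmac
import os
import unicodedata

# Parameters copied from the digest.sh call in the post.
ALGORITHM = "sha256"
SALT_SIZE = 16
ITERATIONS = 100000
PREFIX = "digest1:"  # line prefix of masterpw.digest, as given in the post


def jasypt_digest(password, salt, iterations=ITERATIONS):
    """Base64(salt || H^n(salt || password)); assumed Jasypt default layout."""
    message = unicodedata.normalize("NFC", password).encode("utf-8")
    digest = hashlib.new(ALGORITHM, salt + message).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(ALGORITHM, digest).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def make_digest_line(password):
    """Build a masterpw.digest line with a fresh random salt."""
    return PREFIX + jasypt_digest(password, os.urandom(SALT_SIZE))


def digest_line_matches(line, password):
    """True if the digest line was derived from the given password."""
    line = line.strip()
    if not line.startswith(PREFIX):
        return False
    encoded = line[len(PREFIX):]
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # not valid Base64
        return False
    if len(raw) != SALT_SIZE + hashlib.new(ALGORITHM).digest_size:
        return False
    # Re-derive with the salt stored in the line; compare in constant time.
    expected = jasypt_digest(password, raw[:SALT_SIZE])
    return hmac.compare_digest(expected, encoded)


if __name__ == "__main__":
    sample = make_digest_line("constructed-sample-password")
    print(sample)
    print(digest_line_matches(sample, "constructed-sample-password"))
```

The salt is random, so two runs for the same password give different lines; compare with digest_line_matches() rather than by string equality.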
