Re: Log-in and security

2019-07-07 Thread Stefan Kühl
You're welcome ;-)

On 07.07.2019 18:36, Xavier M wrote:

> ... and restart! 
> 
> It works, I do not have an error message anymore, even for "lack of 
> security". Exactly what I was looking for! 
> 
> Thank you all, and especially Stefan and Maxim! 
> 
> Xavier 
> 
> On 07/07/2019 at 16:52, Stefan Kühl wrote:
> 
> So, please change the given password into the password you use in the 
> commandlines and the error should be gone. ;-)
> 
> On 07.07.2019 16:08, Xavier M wrote:
> 
> Oops, sorry... No, it is not the password you gave me. 
> 
> But I state that my file looks *very much* like 
> https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/main/assembly/conf/server.xml#L75
>  [1] (at least for this "SSL section"). 
> 
> Xavier 
> 
> On 07/07/2019 at 15:29, Stefan Kühl wrote:
> 
> Hey Xavier, 
> 
> but you don't mention the very important answer: Is the keystorePass the
> same as we use in the commandlines? 
> 
> Greetz 
> 
> Stefan
> 
> On 07.07.2019 15:08, Xavier M wrote:
> 
> Hi Stefan, 
> 
> Here the result for the SSL part... One can find the _keystorePass_ inside, I 
> just changed the password by "xxx" (bold) since we have a "public" 
> discussion... Even if I'm not sure this is very useful. As you mentioned 
> earlier, the keystoreFile for OM 5.0.0 appears to be "keystore" and not 
> "keystore.jks". Do you conclude anything? If I have to reinstall the old
> files, I would be glad if you could provide them. 
> 
> Nota Bene: the second  _Connector port="5443"_ lies between _ _. It is probably normal, I just wonder why. 
> 
> Thank you! 
> 
> Xavier 
> 
> protocol="org.apache.coyote.http11.Http11NioProtocol"
>    maxThreads="150" SSLEnabled="true"
>    keystoreFile="conf/keystore" keystorePass="XXX"
>    clientAuth="false" sslProtocol="TLS"/>
>
> On 07/07/2019 at 12:32, Stefan Kühl wrote:
> sudo cat OM_Folder/conf/server.xml
 

Links:
--
[1]
https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/main/assembly/conf/server.xml#L75

Re: Log-in and security

2019-07-07 Thread Xavier M
... and restart!

It works, I do not have an error message anymore, even for "lack of security". 
Exactly what I was looking for!


Thank you all, and especially Stefan and Maxim!

Xavier


On 07/07/2019 at 16:52, Stefan Kühl wrote:

So, please change the given password into the password you use in the 
commandlines and the error should be gone. ;-)




On 07.07.2019 16:08, Xavier M wrote:

Oops, sorry... No, it is not the password you gave me.

But I state that my file looks *very much* like 
https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/main/assembly/conf/server.xml#L75
 (at least for this "SSL section").


Xavier


On 07/07/2019 at 15:29, Stefan Kühl wrote:

Hey Xavier,

but you don't mention the very important answer: Is the keystorePass the
same as we use in the commandlines?

Greetz

Stefan




On 07.07.2019 15:08, Xavier M wrote:

Hi Stefan,


Here the result for the SSL part... One can find the keystorePass inside, I 
just changed the password by "xxx" (bold) since we have a "public" 
discussion... Even if I'm not sure this is very useful. As you mentioned 
earlier, the keystoreFile for OM 5.0.0 appears to be "keystore" and not 
"keystore.jks". Do you conclude anything? If I have to reinstall the old files,
I would be glad if you could provide them.

Nota Bene: the second  Connector port="5443" lies between . It is 
probably normal, I just wonder why.


Thank you!

Xavier







On 07/07/2019 at 12:32, Stefan Kühl wrote:
sudo cat OM_Folder/conf/server.xml


Re: Log-in and security

2019-07-07 Thread Stefan Kühl
So, please change the given password into the password you use in the
commandlines and the error should be gone. ;-)

On 07.07.2019 16:08, Xavier M wrote:

> Oops, sorry... No, it is not the password you gave me. 
> 
> But I state that my file looks *very much* like 
> https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/main/assembly/conf/server.xml#L75
>  [1] (at least for this "SSL section"). 
> 
> Xavier 
> 
> On 07/07/2019 at 15:29, Stefan Kühl wrote:
> 
> Hey Xavier, 
> 
> but you don't mention the very important answer: Is the keystorePass the
> same as we use in the commandlines? 
> 
> Greetz 
> 
> Stefan
> 
> On 07.07.2019 15:08, Xavier M wrote:
> 
> Hi Stefan, 
> 
> Here the result for the SSL part... One can find the _keystorePass_ inside, I 
> just changed the password by "xxx" (bold) since we have a "public" 
> discussion... Even if I'm not sure this is very useful. As you mentioned 
> earlier, the keystoreFile for OM 5.0.0 appears to be "keystore" and not 
> "keystore.jks". Do you conclude anything? If I have to reinstall the old
> files, I would be glad if you could provide them. 
> 
> Nota Bene: the second  _Connector port="5443"_ lies between _ _. It is probably normal, I just wonder why. 
> 
> Thank you! 
> 
> Xavier 
> 
> protocol="org.apache.coyote.http11.Http11NioProtocol"
>    maxThreads="150" SSLEnabled="true"
>    keystoreFile="conf/keystore" keystorePass="XXX"
>    clientAuth="false" sslProtocol="TLS"/>
>
> On 07/07/2019 at 12:32, Stefan Kühl wrote:
> sudo cat OM_Folder/conf/server.xml
 

Links:
--
[1]
https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/main/assembly/conf/server.xml#L75
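
The check asked for in this message (does the keystorePass in server.xml open the keystore it points to), as an added example that is not part of the original thread. The function names, the KS_PASS variable and the commented-out Connector in the sample are assumptions, as is resolving keystoreFile relative to the OpenMeetings folder and having keytool on the PATH.

```python
import os, stat, subprocess, sys
import xml.etree.ElementTree as ET

# Constructed sample shaped like the Connector quoted in the thread ("XXX" is
# the redacted password); the commented-out Connector must be ignored.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <!-- <Connector port="8443" SSLEnabled="true" keystoreFile="conf/old"/> -->
  <Connector port="5443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true"
             keystoreFile="conf/keystore" keystorePass="XXX"
             clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""

def ssl_connectors(xml_text):
    """(port, keystoreFile, keystorePass) of each active SSL Connector."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    return [(c.get("port"), c.get("keystoreFile"), c.get("keystorePass"))
            for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true" and c.get("keystoreFile")]

def readable_by_others(path):
    """True if the mode grants read to 'other', as -rw-r--r-- does."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def password_opens(keystore, password):
    """True/False from `keytool -list`; None if keytool is not installed."""
    env = dict(os.environ, KS_PASS=password)  # keeps the password out of argv
    try:
        result = subprocess.run(
            ["keytool", "-list", "-keystore", keystore, "-storepass:env", "KS_PASS"],
            env=env, capture_output=True, timeout=60)
    except FileNotFoundError:
        return None
    return result.returncode == 0

def audit(om_dir):
    """Findings for om_dir/conf/server.xml; keystoreFile is relative to om_dir."""
    with open(os.path.join(om_dir, "conf", "server.xml"), encoding="utf-8") as fh:
        connectors = ssl_connectors(fh.read())
    findings = []
    for port, ks, pw in connectors:
        path = os.path.join(om_dir, ks)
        if not os.path.exists(path):
            findings.append(f"{port}: keystore {ks} missing")
            continue
        if readable_by_others(path):
            findings.append(f"{port}: {ks} is readable by every local user")
        if password_opens(path, pw or "") is False:
            findings.append(f"{port}: keystorePass does not open {ks}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(sys.argv[1])) or "no findings")
```

Run it as a user that can read the conf directory, passing the OpenMeetings folder as the only argument.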

Re: Log-in and security

2019-07-07 Thread Xavier M
Oops, sorry... No, it is not the password you gave me.

But I state that my file looks *very much* like 
https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/main/assembly/conf/server.xml#L75
 (at least for this "SSL section").


Xavier


On 07/07/2019 at 15:29, Stefan Kühl wrote:

Hey Xavier,

but you don't mention the very important answer: Is the keystorePass the
same as we use in the commandlines?

Greetz

Stefan




On 07.07.2019 15:08, Xavier M wrote:

Hi Stefan,


Here the result for the SSL part... One can find the keystorePass inside, I 
just changed the password by "xxx" (bold) since we have a "public" 
discussion... Even if I'm not sure this is very useful. As you mentioned 
earlier, the keystoreFile for OM 5.0.0 appears to be "keystore" and not 
"keystore.jks". Do you conclude anything? If I have to reinstall the old files,
I would be glad if you could provide them.

Nota Bene: the second  Connector port="5443" lies between . It is 
probably normal, I just wonder why.


Thank you!

Xavier







On 07/07/2019 at 12:32, Stefan Kühl wrote:
sudo cat OM_Folder/conf/server.xml


Re: Log-in and security

2019-07-07 Thread Stefan Kühl
Hey Xavier, 

but you don't mention the very important answer: Is the keystorePass the
same as we use in the commandlines?

Greetz 

Stefan

On 07.07.2019 15:08, Xavier M wrote:

> Hi Stefan, 
> 
> Here the result for the SSL part... One can find the _keystorePass_ inside, I 
> just changed the password by "xxx" (bold) since we have a "public" 
> discussion... Even if I'm not sure this is very useful. As you mentioned 
> earlier, the keystoreFile for OM 5.0.0 appears to be "keystore" and not 
> "keystore.jks". Do you conclude anything? If I have to reinstall the old
> files, I would be glad if you could provide them. 
> 
> Nota Bene: the second  _Connector port="5443"_ lies between __. 
> It is probably normal, I just wonder why. 
> 
> Thank you! 
> 
> Xavier 
> 
> protocol="org.apache.coyote.http11.Http11NioProtocol"
>    maxThreads="150" SSLEnabled="true"
>    keystoreFile="conf/keystore" keystorePass="XXX"
>    clientAuth="false" sslProtocol="TLS"/>
>
> On 07/07/2019 at 12:32, Stefan Kühl wrote:
> 
>> sudo cat OM_Folder/conf/server.xml

Re: Log-in and security

2019-07-07 Thread Xavier M
Hi Stefan,


Here the result for the SSL part... One can find the keystorePass inside, I 
just changed the password by "xxx" (bold) since we have a "public" 
discussion... Even if I'm not sure this is very useful. As you mentioned 
earlier, the keystoreFile for OM 5.0.0 appears to be "keystore" and not 
"keystore.jks". Do you conclude anything? If I have to reinstall the old files,
I would be glad if you could provide them.

Nota Bene: the second  Connector port="5443" lies between . It is 
probably normal, I just wonder why.


Thank you!

Xavier








On 07/07/2019 at 12:32, Stefan Kühl wrote:
sudo cat OM_Folder/conf/server.xml


Re: Log-in and security

2019-07-07 Thread Stefan Kühl
Hey Xavier, 

that's fine. Normally the keystore.jks file should have the same data as
the keystore file, but that is old stuff I think and no longer
necessary.
Now let us go to the server.xml file in the conf directory. Just type
"sudo cat OM_Folder/conf/server.xml" and have a look at the SSL part. It
should start with "

> Hi Stefan,
> 
> No matters, we all have another life (or even some other lives?)... That's 
> the advantage of the e-mails, that we can report to later! 
> 
> First of all: you're right for the usergroup, I didn't take care that I 
> answered to the sender only when I was using Thunderbird (it is not the case 
> when I'm using the webmail). 
> 
> Then, 2 points: 
> 
> 1/ Can you please tell me which is the keystore from the original file from 
> the install source - that is in which folder I should find it? I guess I 
> modified the keystore files with the -import option of the command lines? 
> 
> 1bis/ There is no problem if I have to uninstall / install again OpenMeetings 
> to have it again. Is there any way to uninstall it properly, or do I have to 
> delete /opt/open500/ folder from a shell? 
> 
> 2/ Here the result you asked me (is it a list of files in the folder, with 
> the right for the access, owner and owner-group, and the date of last 
> modification?): 
> 
> _xavier@sd-118950:/opt/open500/conf$ ls -al_
> _total 264_
> _drwxr-xr-x 3 nobody nogroup   4096 juil.  5 14:45 ._
> _drwxr-xr-x 9 nobody nogroup   4096 juil.  3 10:27 .._
> _drwxr-x--- 3 root   root  4096 juil.  3 10:34 Catalina_
> _-rw-r--r-- 1 nobody nogroup  12873 mars  13 22:58 catalina.policy_
> _-rw-r--r-- 1 nobody nogroup   7243 mars  13 22:58 catalina.properties_
> _-rw-r--r-- 1 nobody nogroup   1400 mars  13 22:58 context.xml_
> _-rw-r--r-- 1 nobody nogroup   1149 mars  13 22:58 jaspic-providers.xml_
> _-rw-r--r-- 1 nobody nogroup   2313 mars  13 22:58 jaspic-providers.xsd_
> _-rw-r--r-- 1 root   root  5651 juil.  5 14:45 keystore_
> _-rw-r--r-- 1 root   root  5651 juil.  4 21:43 keystore.jks_
> _-rw-r--r-- 1 nobody nogroup   4144 mars  13 22:58 logging.properties_
> _-rw--- 1 root   root  4222 juil.  4 21:42 red5.p12_
> _-rw-r--r-- 1 nobody nogroup   6433 mars  28 21:01 server.xml_
> _-rw-r--r-- 1 root   root  5651 juil.  5 14:45 trustscore.jks_
> _-rw-r--r-- 1 nobody nogroup 170202 mars  13 22:58 web.xml_
> _xavier@sd-118950:/opt/open500/conf$ _
> 
> See you soon,
> 
> Xavier 
> 
> On 06/07/2019 at 22:36, Stefan Kühl wrote:
> 
> Hi Xavier, 
> 
> sorry for being late, I'm a bit busy these days  ;-)
> 
> First: we should keep the usergroup in loop, that's why I'm taking the
> user@openmeetings.apache.org in place. ;-) 
> 
> Second: I totally agree with maxim. Setting the ports in listening state for 
> the apache keep them busy and unusable for openmeetings. Of course the 
> address is reachable then, but only via the apache webserver. The error 
> message means that you want to deliver secure content via an insecure apache
> port. 
> 
> Can you please post the result from ls -al of the OM-Folder/conf? It's weird 
> that you get a password error message for the keystore, because we set it to 
> password at the import I think. Any typos in the code-lines? 
> 
> To cancel these lines, just copy the keystore from the original file from the
> install source into the OM-Folder/conf. 
> 
> Greetz 
> 
> Stefan 
> 
> On 06.07.2019 21:21, Xavier M wrote:
> 
> Hi Stefan, 
> 
> I wonder if there is a way to cancel what I did with these command lines? 
> Indeed, I can not connect anymore to OpenMeetings... and I want to check 
> where it comes from. In Catalina log, I can read things like: 
> 
> * Caused by: java.lang.IllegalArgumentException: keystore password was 
> incorrect 
> 
> * Caused by: java.io.IOException: keystore password was incorrect 
> 
> ... so I suppose that something went wrong. 
> 
> Thanks in advance, have a good week-end! 
> 
> Xavier 
> 
> On 04/07/2019 at 22:05, Stefan Kühl wrote:
> 
> Ok, please restart the server and it should work.
> If you use open500 as folder open500/conf is correct. 
> 
> Just restart it. 
> 
> Greetz 
> 
> Stefan 
> 
> PS: if you want to access to "permission denied" folders you need to switch 
> to root, sudo won't work in this case. But be careful, keep in mind that you 
> change the ownership if you change files as root.
> 
> Have a good evening
> 
> On 04.07.2019 21:57, Xavier M wrote:
> 
> Thank you! 
> 
> Each command line worked... But it did not change anything when I want to log 
> in. Maybe shall I restart "a service"? 
> 
> NB : as OM_Folder, I wrote "open500", where I found a "conf" subdirectory 
> with a "keystore" file. But I have an "openmeetings" subdirectory too... to 
> which I can not access (Permission denied). 
> 
> Greetings, 
> 
> Xavier 
> 
> On 04/07/2019 at 21:35, Stefan Kühl wrote:
> 
> Yes, I'm sorry. Did this so many times and forgot an important point. First: 
> the password is: password  
> 
> ;-)
> 
> Let's go 

Re: Log-in and security

2019-07-07 Thread Xavier M
Hi Stefan,


No matters, we all have another life (or even some other lives?)... That's the 
advantage of the e-mails, that we can report to later!

First of all: you're right for the usergroup, I didn't take care that I 
answered to the sender only when I was using Thunderbird (it is not the case 
when I'm using the webmail).


Then, 2 points:

 1/ Can you please tell me which is the keystore from the original file from 
the install source - that is in which folder I should find it? I guess I 
modified the keystore files with the -import option of the command lines?

 1bis/ There is no problem if I have to uninstall / install again OpenMeetings 
to have it again. Is there any way to uninstall it properly, or do I have to 
delete /opt/open500/ folder from a shell?

 2/ Here the result you asked me (is it a list of files in the folder, with the 
right for the access, owner and owner-group, and the date of last 
modification?):

xavier@sd-118950:/opt/open500/conf$ ls -al
total 264
drwxr-xr-x 3 nobody nogroup   4096 juil.  5 14:45 .
drwxr-xr-x 9 nobody nogroup   4096 juil.  3 10:27 ..
drwxr-x--- 3 root   root  4096 juil.  3 10:34 Catalina
-rw-r--r-- 1 nobody nogroup  12873 mars  13 22:58 catalina.policy
-rw-r--r-- 1 nobody nogroup   7243 mars  13 22:58 catalina.properties
-rw-r--r-- 1 nobody nogroup   1400 mars  13 22:58 context.xml
-rw-r--r-- 1 nobody nogroup   1149 mars  13 22:58 jaspic-providers.xml
-rw-r--r-- 1 nobody nogroup   2313 mars  13 22:58 jaspic-providers.xsd
-rw-r--r-- 1 root   root  5651 juil.  5 14:45 keystore
-rw-r--r-- 1 root   root  5651 juil.  4 21:43 keystore.jks
-rw-r--r-- 1 nobody nogroup   4144 mars  13 22:58 logging.properties
-rw--- 1 root   root  4222 juil.  4 21:42 red5.p12
-rw-r--r-- 1 nobody nogroup   6433 mars  28 21:01 server.xml
-rw-r--r-- 1 root   root  5651 juil.  5 14:45 trustscore.jks
-rw-r--r-- 1 nobody nogroup 170202 mars  13 22:58 web.xml
xavier@sd-118950:/opt/open500/conf$


See you soon,

Xavier


On 06/07/2019 at 22:36, Stefan Kühl wrote:

Hi Xavier,

sorry for being late, I'm a bit busy these days  ;-)



First: we should keep the usergroup in loop, that's why I'm taking the
user@openmeetings.apache.org in place. ;-)

Second: I totally agree with maxim. Setting the ports in listening state for 
the apache keep them busy and unusable for openmeetings. Of course the address 
is reachable then, but only via the apache webserver. The error message means 
that you want to deliver secure content via an insecure apache port.

Can you please post the result from ls -al of the OM-Folder/conf? It's weird 
that you get a password error message for the keystore, because we set it to 
password at the import I think. Any typos in the code-lines?

To cancel these lines, just copy the keystore from the original file from the
install source into the OM-Folder/conf.

Greetz

Stefan

On 06.07.2019 21:21, Xavier M wrote:

Hi Stefan,


I wonder if there is a way to cancel what I did with these command lines? 
Indeed, I can not connect anymore to OpenMeetings... and I want to check where 
it comes from. In Catalina log, I can read things like:

 * Caused by: java.lang.IllegalArgumentException: keystore password was 
incorrect

 * Caused by: java.io.IOException: keystore password was incorrect

... so I suppose that something went wrong.


Thanks in advance, have a good week-end!

Xavier


On 04/07/2019 at 22:05, Stefan Kühl wrote:

Ok, please restart the server and it should work.
If you use open500 as folder open500/conf is correct.

Just restart it.

Greetz

Stefan

PS: if you want to access to "permission denied" folders you need to switch to 
root, sudo won't work in this case. But be careful, keep in mind that you 
change the ownership if you change files as root.



Have a good evening

On 04.07.2019 21:57, Xavier M wrote:

Thank you!


Each command line worked... But it did not change anything when I want to log 
in. Maybe shall I restart "a service"?

NB : as OM_Folder, I wrote "open500", where I found a "conf" subdirectory with 
a "keystore" file. But I have an "openmeetings" subdirectory too... to which I 
can not access (Permission denied).


Greetings,

Xavier


On 04/07/2019 at 21:35, Stefan Kühl wrote:

Yes, I'm sorry. Did this so many times and forgot an important point. First: 
the password is: password

;-)



Let's go through the lines:

"sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem 
-inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out 
/opt/OM_Folder/conf/red5.p12 -name red5 -certfile 
/etc/letsencrypt/live/domain.eu/chain.pem"

Here you use the openssl library to export the key from the letsencrypt
certificate into the red5.p12 file and store it in your OM Folder (red5 is
just a name - you could also use any other name)

"sudo keytool -importkeystore -srcstorepass password -srckeystore 
/opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password 
-destkeystore