is there a way to create a new jks only for synapse secure vault(ciphsertool)?
I configured ciphertool like in this manual https://docs.wso2.com/display/EI660/Working+with+Passwords+in+the+ESB+profile or this https://www.chakray.com/wso2-esb-tutorial-how-to-programmatically-manage-secure-vault-passwords/
I didn't find how to set up another keystore for encryption only
thanks
Yes when encrypting/decrypting passwords the server will be using the following keystore configuration block in carbon.xml
<InternalKeyStore>
<Location>${carbon.home}/repository/resources/security/internal.jks</Location>
<Type>JKS</Type>
<Password>wso2carbon</Password>
<KeyAlias>wso2carbon</KeyAlias>
<KeyPassword>wso2carbon</KeyPassword>
</InternalKeyStore>
So you can create a new keystore and change the configuration here and then change the cipher tool's keystore configurations at secret-conf.properties to point to the newly created keystore. You can read more here.
Related
How to configure the wso2/repository/conf/synapse.properties files in wso2? I need to change the synapse.global_timeout_interval value but updates to the synapse.properties seems to be overridden when the server restart.
Assuming you are using API manager product and a version that use deployment.toml for configurations, you can add following config in wso2/repository/conf/deployment.toml.
[synapse_properties]
"synapse.global_timeout_interval"=value
I am trying to setup a Kafka cluster with mTLS authentication using certificates signed by GCP's CAS (Certificate Authority Service). I have three Kafka nodes: a master and two workers. Each node has a PEM truststore containing the CA Root certificate from the authority on CAS and a PEM keystore containing a signed certificate from CAS and the private key. I followed this webpage for the setup.
This is the server.properties file for the master node. Other nodes have a similar config except the ssl.keystore.location property.
listeners=INTERNAL://:port,EXTERNAL://:port
advertised.listeners=INTERNAL://:port,EXTERNAL://:port
listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL
inter.broker.listener.name=INTERNAL
ssl.enabled.protocols=TLSv1.2
ssl.endpoint.identification.algorithm=
producer.ssl.endpoint.identification.algorithm=
consumer.ssl.endpoint.identification.algorithm=
ssl.client.auth=required
ssl.truststore.type=PEM
ssl.truststore.location=/path/ca.crt
ssl.keystore.type=PEM
ssl.key.password=<password>
ssl.keystore.location=/path/master.pem
The truststore is the ca.crt (Root CA certificate) file and the keystore has the private key and the signed certificate. There are no intermediate certificates, the certificates in the keystore are directly signed by the root certificate.
When I try to start the server on any nodes I am getting the following error. I am not sure why.
ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.
P.S. I have already tried using the truststore and keystore in JKS and PKCS12 format. I keep getting the same error.
From what you shared, it doesn't seem that you've created valid keystores for the cert and CA.
ssl.truststore.location=/path/ca.crt
...
ssl.keystore.location=/path/master.pem
You're merely pointing to the original files. You need to create two valid java keystores with a JDK's keytool tool and import the files into each one. Depending on your certificate format you might need to convert them with openssl.
See https://stackoverflow.com/a/11954816/50114 for an example.
You mentioned earlier that you got the same error with JKS keystore and truststore. From the error message, it sounds like the keystore may not contain the whole chain. Can you first try with a JKS truststore containing the root cert and a JKS keystore containing the private key and the whole certificate chain (i.e. including root cert)?
If that run gives the same error, you could enable "javax.net.debug=ssl". If using Kafka scripts to start the broker, you can first export KAFKA_OPTS=javax.net.debug=ssl. Broker performs extra validation by attempting handshake using the provided keystore and truststore for the inter-broker listener. It looks like that validation is failing in your case. The extra debug may help to understand why.
Once you have the broker running with JKS, you can switch to PEM if required.
What does your keystore PEM file look like?
Does it have clear separate sections (with BEGIN and END)? See https://docs.progress.com/en-US/bundle/datadirect-hybrid-data-pipeline-installation-46/page/PEM-file-format.html
Can you try adding the Root CA in the PEM file too, after the signed certificate?
Identity server 5.3.0. Recently patched. I've replaced the default keystore and keys with my own. Utilizing the ciphertool to remove plain text passwords from various config files. I've successfully replaced the database password inside of repository/conf/datasources files using the ciphertool. Restarted the IS successfully. Was moving on to the keystore values inside of the carbon.xml file and I keep getting the following error:
TID: [-1234] [] [2017-10-16 21:39:44,322] ERROR {org.wso2.carbon.core.deployment.DeploymentInterceptor} - Error while pdating wso2carbon-sts in STSDeploymentInterceptor
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
...
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
... 53 more
I've confirmed the password is correct. I even re-replaced the ciphertool reference inside of carbon.xml with the clear text value and restart successfully, again. My only guess at this point is that ciphertool is not handling special characters correctly. My pass has an ampersand (#). Any help would be appreciated.
Update: Went through the effort of recreating a brand new key store and key with a simple password... no special characters. Same results. After running ciphertool.bat -Dconfigure my carbon.xml entries looks good (see below). Which indicates the Xpath in cipher-tool.properties is correct. And I've triple checked the password in cipher-text.properties.
<KeyStore>
<!-- Keystore file location-->
<Location>${carbon.home}/repository/resources/security/KeyStore.jks</Location>
<!-- Keystore type (JKS/PKCS12 etc.)-->
<Type>JKS</Type>
<!-- Keystore password-->
<Password svns:secretAlias="Conf.Carbon.KeyStore.Password">password</Password>
<!-- Private Key alias-->
<KeyAlias>QaCert</KeyAlias>
<!-- Private Key password-->
<KeyPassword svns:secretAlias="Conf.Carbon.KeyPassword">password</KeyPassword>
</KeyStore>
John, I would submit this bug to WSO2's GitHub or JIRA instance:
On a side note, I noticed WSO2's use of encrypted passwords has an issue with special characters. This could be a general problem if WSO2 IS is using CipherTool to automatically encrypt passwords in the WebUI. See my comment at the bottom of this post:
Connection issues after turning off embedded LDAP
What would be the URL for the newly set up SAML SSO's metadata URL, or how could I download this in XML format from WSO2 Identity Server (version 4.6.0) acting as IdP?
Thanks,
Tamas
WSO2 Identity server now hosts IDPSSODesriptor metadata file on this URL.
https://localhost:9443/identity/metadata/saml2
This feature is available from Identity Server version 5.3 onward.
AFAIK there is no option to auto-generate metadata files for IS. You have to manually write the metadata file. An example is as follows, taken from this blog post.
<md:entitydescriptor entityid="https://localhost:9443/samlsso" validuntil="2023-09-23T06:57:15.396Z" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<md:idpssodescriptor protocolsupportenumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:keydescriptor use="signing">
<ds:keyinfo>
<ds:x509data>
<ds:x509certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE
CAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxv
Y2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQsw
CQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UE
AwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTou
sMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5
HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQID
AQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44i
QlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJR
O4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:x509certificate>
</ds:x509data>
</ds:keyinfo>
</md:keydescriptor>
<md:singlelogoutservice binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" location="https://localhost:9443/samlsso" responselocation="https://localhost:9443/samlsso">
<md:singlesignonservice binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" location="https://localhost:9443/samlsso">
<md:singlesignonservice binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" location="https://localhost:9443/samlsso">
</md:singlesignonservice></md:singlesignonservice></md:singlelogoutservice></md:idpssodescriptor>
</md:entitydescriptor>
Yes.. Identity Server does not support to generate a IDP information as metadata file. You may need to create it manually. But I guess it would be available with a future release. There is an open public jira for this. You can find a generated SAML2 metadata file from here. However you may need to configure it according to your configurations. If you have changed your keystore, you need to change the X509 certificate data. And also urls of the samlsso endpoint. By default saml sso end point is located at https://localhost:9443/samlsso. In your service provider config, you need to configure this url as IDP url (both login and logout). You must provide the wso2carbon certificate in to service provider for validating the signature.
I have a WSDL for a Web Service and a Public Key Certificate in the shape of a .cer file.
I need to get SoapUI to encrypt the service request with the public key of the certificate.
How do I do this?
In SoapUI, go to the Preferences dialog, under the File menu. There's a tab/section for SSL. There you can specify the path to the .cer file. I don't have it here in front of me, and I've only done .pfx, but it should work the same. With .pfx, you need to enter the password - not sure if you do that for .cer or not. You can also convert the .cer to .pfx if that works better. But anyway, with a .pfx specified here, I was able to use https connections to our server (Cisco ACE gateway actually) which required "client certificate authentication". It was easy to do in SoapUI, proving that the infrastructure was set up right. Our app, written in Delphi2005, took another 3 weeks... But at least we knew what we were trying to do, and had a way to verify the result.
In Preferences fill in the path to your certificate in the KeyStore field and the password underneath.
I use a p12 certificate and it seems to be working fine.
If you can use WCF, just add security to the binding, and the following behavior:
<behaviors>
<behavior>
<clientCredentials>
<clientCertificate findValue= "101010101010101010101010101010000000000"
storeLocation="LocalMachine" storeName="The logic storage"
X509FindType="The cert name"/>
</clientCertificate>
</clientCredentials>
</behavior>
</behaviors>
More info about how to enable security in WCF, see: MSDN