WSO2 Identity Server 5.3.0 CipherTool Bug - wso2

Identity server 5.3.0. Recently patched. I've replaced the default keystore and keys with my own. Utilizing the ciphertool to remove plain text passwords from various config files. I've successfully replaced the database password inside of repository/conf/datasources files using the ciphertool. Restarted the IS successfully. Was moving on to the keystore values inside of the carbon.xml file and I keep getting the following error:
TID: [-1234] [] [2017-10-16 21:39:44,322] ERROR {org.wso2.carbon.core.deployment.DeploymentInterceptor} - Error while pdating wso2carbon-sts in STSDeploymentInterceptor
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
...
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
... 53 more
I've confirmed the password is correct. I even re-replaced the ciphertool reference inside of carbon.xml with the clear text value and restart successfully, again. My only guess at this point is that ciphertool is not handling special characters correctly. My pass has an ampersand (#). Any help would be appreciated.
Update: Went through the effort of recreating a brand new key store and key with a simple password... no special characters. Same results. After running ciphertool.bat -Dconfigure my carbon.xml entries look good (see below). Which indicates the Xpath in cipher-tool.properties is correct. And I've triple checked the password in cipher-text.properties.
<KeyStore>
<!-- Keystore file location-->
<Location>${carbon.home}/repository/resources/security/KeyStore.jks</Location>
<!-- Keystore type (JKS/PKCS12 etc.)-->
<Type>JKS</Type>
<!-- Keystore password-->
<Password svns:secretAlias="Conf.Carbon.KeyStore.Password">password</Password>
<!-- Private Key alias-->
<KeyAlias>QaCert</KeyAlias>
<!-- Private Key password-->
<KeyPassword svns:secretAlias="Conf.Carbon.KeyPassword">password</KeyPassword>
</KeyStore>

John, I would submit this bug to WSO2's GitHub or JIRA instance:
On a side note, I noticed WSO2's use of encrypted passwords has an issue with special characters. This could be a general problem if WSO2 IS is using CipherTool to automatically encrypt passwords in the WebUI. See my comment at the bottom of this post:
Connection issues after turning off embedded LDAP
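The "Keystore was tampered with, or password was incorrect" / "Password verification failed" pair in the trace above is the JKS integrity check failing, which happens before any entry is touched: Java hashes the store password (as UTF-16BE) plus the fixed string "Mighty Aphrodite" plus the whole file body with SHA-1 and compares it against the 20 bytes at the end of the file. The following Python is an added illustration, not code from the post or from WSO2: it rebuilds that check on a constructed zero-entry keystore so you can see which candidate value (the one typed at keytool, the one in carbon.xml, the one in cipher-text.properties) actually opens a store. The `which_password_opens` helper and the sample passwords are assumptions for the demo.

```python
import hashlib
import hmac
import struct

# JKS layout as written by sun.security.provider.JavaKeyStore: big-endian
# magic 0xFEEDFEED, version (1 or 2), entry count, the entries, and finally a
# 20-byte SHA-1 integrity digest over everything before it, keyed by the
# store password (each char as two bytes, high byte first, i.e. UTF-16BE)
# followed by the literal "Mighty Aphrodite".
JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
JKS_DIGEST_SALT = b"Mighty Aphrodite"
DIGEST_LEN = 20


def jks_integrity_digest(body, password):
    """SHA-1 integrity digest Java computes for a JKS body under a store password."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(JKS_DIGEST_SALT)
    md.update(body)
    return md.digest()


def build_empty_jks(password):
    """Constructed sample: a well-formed JKS with zero entries (header + digest only)."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 0)
    return body + jks_integrity_digest(body, password)


def verify_jks_password(data, password):
    """True if `password` is the store password that protects `data`'s integrity.

    This is exactly the check whose failure Java reports as
    'Keystore was tampered with, or password was incorrect'."""
    if len(data) < 12 + DIGEST_LEN:
        raise ValueError("too short to be a JKS keystore")
    magic, version = struct.unpack(">II", data[:8])
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore (magic/version mismatch)")
    body, stored = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    return hmac.compare_digest(jks_integrity_digest(body, password), stored)


def verify_jks_file(path, password):
    """Same check against a keystore on disk, e.g. repository/resources/security/KeyStore.jks."""
    with open(path, "rb") as f:
        return verify_jks_password(f.read(), password)


def which_password_opens(data, candidates):
    """Return the label of the first candidate value that passes the integrity check.

    `candidates` maps a label (where the value came from) to the value itself.
    A None result means none of the configured values is the store password,
    which rules the password transcription in before the encryption tooling."""
    for label, pw in candidates.items():
        if verify_jks_password(data, pw):
            return label
    return None


if __name__ == "__main__":
    store = build_empty_jks("p&ssword")  # constructed store; password chosen to contain '&'
    print(which_password_opens(store, {
        "value given to keytool": "p&ssword",
        "value in cipher-text.properties": "p#ssword",  # constructed transcription slip
    }))
```

The same helper distinguishes the store password from the key password only as far as the file integrity goes; a wrong KeyPassword fails later, when the private-key entry is decrypted, with a different message.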

WSO2 EI 6.6.0 synapse ciphertool

Is there a way to create a new jks only for synapse secure vault (ciphertool)?
I configured ciphertool like in this manual https://docs.wso2.com/display/EI660/Working+with+Passwords+in+the+ESB+profile or this https://www.chakray.com/wso2-esb-tutorial-how-to-programmatically-manage-secure-vault-passwords/
I didn't find how to set up another keystore for encryption only
thanks
Yes, when encrypting/decrypting passwords the server will be using the following keystore configuration block in carbon.xml:
<InternalKeyStore>
<Location>${carbon.home}/repository/resources/security/internal.jks</Location>
<Type>JKS</Type>
<Password>wso2carbon</Password>
<KeyAlias>wso2carbon</KeyAlias>
<KeyPassword>wso2carbon</KeyPassword>
</InternalKeyStore>
So you can create a new keystore and change the configuration here, and then change the cipher tool's keystore configuration in secret-conf.properties to point to the newly created keystore. You can read more here.

Access H2 Embedded Database for WSO2 products

I am using stream processor 4.3.0 and need to access the H2 Database for it which comes by default in WSO2 SP application.
Can someone please help me here to access/browse the database.
Thanks
And need to access the H2 Database for it which comes by default in WSO2 SP application
For WSO2 SP, the DB configuration is stored in:
${carbon.home}/conf/worker/deployment.yaml
${carbon.home}/conf/dashboard/deployment.yaml
${carbon.home}/conf/..other module../deployment.yaml
so you can check the database locations there.
By default, check:
${carbon.home}/wso2/worker/database
${carbon.home}/wso2/dashboard/database
${carbon.home}/wso2/..other module../database
You can use the H2 Shell to access the databases.
Please note the embedded H2 databases are not intended to be accessed from multiple processes concurrently, so stop WSO2 SP first.
please find the answer below.
Open the /repository/conf/carbon.xml file and paste the following configuration.
Do not uncomment the existing element. Just paste the following configuration below it.
<H2DatabaseConfiguration>
<property name="web"/>
<property name="webPort">8082</property>
<property name="webAllowOthers"/>
</H2DatabaseConfiguration>
3. Restart the WSO2 product and access the following URL via your browser: http://localhost:8082
Tip: If you are logged in to the management console, log out before connecting to the database.
4. Enter the following details and click Connect.
JDBC URL : jdbc:h2:[file path to /repository/database/WSO2CARBON_DB]
username : wso2carbon
password : wso2carbon
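The H2DatabaseConfiguration block in the answer above is passed to the H2 server as its start-up flags: the web console is switched on, bound to port 8082, and webAllowOthers lets hosts other than localhost reach it, protected only by the shipped wso2carbon/wso2carbon credentials. As an added check (my own code, not from the answer or from WSO2), the following Python reads that block from a carbon.xml and reports what it exposes, so the console can be confirmed off again once the debugging session is over. The sample document is constructed from the answer's snippet; the namespace URI is the one carbon.xml declares on its root element.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the block from the answer, wrapped in a minimal
# <Server> root carrying carbon.xml's default namespace so the parser sees
# the same prefixed tag names it would see on a real file.
SAMPLE_CARBON_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
<!-- the shipped, commented-out H2DatabaseConfiguration stays commented out -->
<H2DatabaseConfiguration>
<property name="web"/>
<property name="webPort">8082</property>
<property name="webAllowOthers"/>
</H2DatabaseConfiguration>
</Server>
"""

H2_DEFAULT_WEB_PORT = 8082  # H2's own default when -webPort is not given


def local_name(tag):
    """Strip ElementTree's '{namespace}' prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def h2_console_settings(carbon_xml):
    """Extract the H2 web-console settings from a carbon.xml document string.

    Each <property name="x">value</property> becomes an H2 server argument
    (-web, -webPort 8082, -webAllowOthers); an element with no text is a bare flag.
    XML comments are dropped by the parser, so a commented-out block is ignored."""
    root = ET.fromstring(carbon_xml)
    settings = {"enabled": False, "port": None, "allow_others": False}
    for el in root.iter():
        if local_name(el.tag) != "H2DatabaseConfiguration":
            continue
        props = {}
        for p in el:
            if local_name(p.tag) == "property" and p.get("name"):
                props[p.get("name")] = (p.text or "").strip()
        if "web" not in props:
            continue
        settings["enabled"] = True
        settings["port"] = int(props["webPort"]) if props.get("webPort") else H2_DEFAULT_WEB_PORT
        settings["allow_others"] = "webAllowOthers" in props
    return settings


def h2_console_warnings(carbon_xml):
    """Plain-language findings a reviewer would raise about the console's exposure."""
    s = h2_console_settings(carbon_xml)
    if not s["enabled"]:
        return []
    warnings = [
        "H2 web console is enabled on port %d; remove the block again after debugging"
        % s["port"]
    ]
    if s["allow_others"]:
        warnings.append(
            "webAllowOthers is set: the console accepts connections from other hosts, "
            "not just localhost; drop it unless remote access is required, and change "
            "the default wso2carbon credentials"
        )
    return warnings


if __name__ == "__main__":
    for line in h2_console_warnings(SAMPLE_CARBON_XML):
        print("-", line)
```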

WSO2 Identity Server - Log Error: Server is Not Picking up the Client Certificate

When testing the WSO2 Identity Server rel. 5.1 using the Travelocity tool, I see a number of error messages recorded in the log file, saying:
"Server is not picking up the client certificate. Mutual SSL authentication is notdone"
The message repeats every 3 minutes.
Where is the missing certificate stored that needs to be updated to connect the Travelocity to the WSO2 IdP without writing error logs? In the travelocity.jks store at the client side, I currently see an alias entry for localhost and another entry for the IDP.
I've raised the debug level at the log4j.properties to the values:
log4j.logger.org.wso2.carbon.user=DEBUG
log4j.logger.org.wso2.carbon.identity=DEBUG
log4j.logger.org.wso2.carbon.idp.mgt=DEBUG
This is actually not an error log. This is a debug log. If you remove the following debug-level entry from the log4j.properties file, you will not see this.
log4j.logger.org.wso2.carbon.identity=DEBUG
MutualSSLAuthenticator is a carbon authenticator which is shipped by default with WSO2 IS 5.1.0. This authenticator is by default enabled from the authenticators.xml file located at
IS_HOME/repository/conf/security/ directory. This is actually not getting invoked by the SAML authentication flow, or OpenID flow which you might be trying with the Travelocity sample application. But, the log gets printed as the framework checks if the authenticator is capable of handling the authentication.
This authenticator is used with the OOTB supported Workflow Management Feature [1], for server to server authentication.
You can also disable this authenticator by commenting out the below configuration in the authenticators.xml file, and yet authentication with the Travelocity sample application will work successfully.
<Authenticator name="MutualSSLAuthenticator">
<Priority>5</Priority>
<Config>
<Parameter name="UsernameHeader">UserName</Parameter>
<Parameter name="WhiteListEnabled">false</Parameter>
<!-- empty whitelist; the element must still be closed for the file to parse -->
<Parameter name="WhiteList"></Parameter>
</Config>
</Authenticator>
[1]https://docs.wso2.com/display/IS510/Workflow+Management

WSO2 Dashboard SAML auth: PKIX path building failed

Using the WSO2 Identity Server on my production site, I try to access the "dashboard jaggery apps" to manage my own user account (change password, etc.). But when I try to log in there (using SAML2 on the https production domain) it shows the following error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
We write the keystore path in the auth_config.json inside repository/deployment/server/jaggeryapps/dashboard/authentication, but it does not work.
We have other applications using the same fingerprint and/or X.509 hash correctly (with SAML2), but this app we can't configure.
here the complete error http://pastebin.com/tgJenydM
Any suggestions? Thanks.
update:
When I use the backend IP the error is not raised, but when I change to the domain name it is. (This error really makes me crazy.)
Did you change the default keystore of the WSO2 IS server? If so, could you please let us know whether you imported your new certificate into the trust store file (client-truststore.jks) of the WSO2 IS server. If not, this can be the issue. Please export the certificate from the keystore and import it into the trust store of the server. You can use the Java keytool command to do it.
When you are working on the dashboard (not on localhost), there are a few configurations you need to do. You can find them here.

SoapUI Web Service Request using Public Key Certificate

I have a WSDL for a Web Service and a Public Key Certificate in the shape of a .cer file.
I need to get SoapUI to encrypt the service request with the public key of the certificate.
How do I do this?
In SoapUI, go to the Preferences dialog, under the File menu. There's a tab/section for SSL. There you can specify the path to the .cer file. I don't have it here in front of me, and I've only done .pfx, but it should work the same. With .pfx, you need to enter the password - not sure if you do that for .cer or not. You can also convert the .cer to .pfx if that works better. But anyway, with a .pfx specified here, I was able to use https connections to our server (Cisco ACE gateway actually) which required "client certificate authentication". It was easy to do in SoapUI, proving that the infrastructure was set up right. Our app, written in Delphi2005, took another 3 weeks... But at least we knew what we were trying to do, and had a way to verify the result.
In Preferences fill in the path to your certificate in the KeyStore field and the password underneath.
I use a p12 certificate and it seems to be working fine.
If you can use WCF, just add security to the binding, and the following behavior:
<behaviors>
<behavior>
<clientCredentials>
<!-- findValue is the certificate thumbprint (placeholder value); storeName must be
a Windows store name such as "My", and X509FindType a real find type such as
FindByThumbprint so that findValue is interpreted as a thumbprint -->
<clientCertificate findValue="101010101010101010101010101010000000000"
storeLocation="LocalMachine" storeName="My"
X509FindType="FindByThumbprint"/>
</clientCredentials>
</behavior>
</behaviors>
More info about how to enable security in WCF, see: MSDN