I have a problem when I try to deploy the WSO2 EMM server.
In the doc https://docs.wso2.org/display/EMM101/iOS+Server+Configurations, step 7.b, when I try to execute this command:
keytool -importkeystore -srckeystore ca.p12 -srcstoretype PKCS12 -destkeystore wso2mobilemdm.jks
I got this error message:
"keytool error: java.io.IOException: Invalid keystore format"
Looks like the wso2mobilemdm.jks is corrupt? I copied the wso2mobilemdm.jks from the binary package
"wso2mobileserver-1.0.1\repository\resources\security\wso2mobilemdm.jks"
Anything wrong?
This problem happened to me also. The reason in my case was that the keystore was created using a different JDK, i.e. Oracle JDK, and I was trying to open it with the keytool command available in IBM's JDK. Once I tried with Oracle JDK it worked.
That is because you are entering a wrong password. Just delete that file and execute this command again. It will create a new wso2mobilemdm.jks. Enter your passwords there. Also import the ra.p12 to the same keystore file you just created. There is no harm doing this since wso2mobilemdm.jks only will contain ca and ra entries.
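keytool reports "Invalid keystore format" when the leading bytes of the file are not what the store type it is using expects. The following is an added example, not code from the thread or from WSO2: it reads only the file header to tell JKS, JCEKS and PKCS12 apart, so no password is needed. The sample byte strings are constructed for illustration.

```python
import struct
import sys

JKS_MAGIC = 0xFEEDFEED    # Sun/Oracle JKS
JCEKS_MAGIC = 0xCECECECE  # Sun/Oracle JCEKS
MIN_LEN = 12 + 20         # header (magic, version, count) + trailing SHA-1 digest


def sniff_keystore(data: bytes) -> dict:
    """Classify keystore bytes from the header alone; no password needed."""
    if not data:
        return {"type": "empty"}
    if data[0] == 0x30:
        # DER-encoded ASN.1 SEQUENCE: how a PKCS#12 file (and a DER cert) starts.
        return {"type": "DER", "storetype": "PKCS12"}
    if data.lstrip().startswith(b"-----BEGIN"):
        return {"type": "PEM"}
    if len(data) < 12:
        return {"type": "unknown", "head": data[:4].hex()}
    magic, version, count = struct.unpack(">III", data[:12])
    names = {JKS_MAGIC: "JKS", JCEKS_MAGIC: "JCEKS"}
    if magic not in names:
        return {"type": "unknown", "head": data[:4].hex()}
    # A usable store has a known version and room for the integrity digest.
    ok = version in (1, 2) and len(data) >= MIN_LEN
    return {"type": names[magic], "storetype": names[magic],
            "version": version, "entries": count, "well_formed": ok}


# Constructed samples (not real keystores; the digest bytes are placeholders).
EMPTY_JKS = struct.pack(">III", JKS_MAGIC, 2, 0) + bytes(20)
CUT_JKS = EMPTY_JKS[:16]                    # truncated copy
P12_HEAD = bytes.fromhex("30820a10020103")  # SEQUENCE, INTEGER 3 (PFX version)

if __name__ == "__main__":
    # Usage: python sniff.py wso2mobilemdm.jks ca.p12
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, sniff_keystore(fh.read()))
```

The reported `storetype` is the value to pass as `-srcstoretype` or `-deststoretype` for that file.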
I am trying to run the ciphertool.bat script to encrypt strings in my WSO2 server. I am running the script with the -Dconfigure flag and receiving an InvalidPathException.
I have not edited the ciphertool.bat script, the cipher-text.properties or the cipher-tool.properties files.
I am running version 5.7.0 of WSO2 Identity Server on a Windows machine.
Command I am running and the console output
C:\Program Files\WSO2\Identity Server\5.7.0\bin>ciphertool.bat -Dconfigure
BUILD SUCCESSFUL
Total time: 7 seconds
Using CARBON_HOME: C:\Program Files\WSO2\Identity Server\5.7.0
Using JAVA_HOME: C:\Program Files\Java\jdk1.8.0_181
Exception in thread "main" java.nio.file.InvalidPathException: Illegal char <:> at index 45: C:\Program Files\WSO2\Identity Server\5.7.0\C:\Program Files\WSO2\Identity Server\5.7.0\/repository/resources/security/wso2carbon.jks
at sun.nio.fs.WindowsPathParser.normalize(WindowsPathParser.java:182)
at sun.nio.fs.WindowsPathParser.parse(WindowsPathParser.java:153)
at sun.nio.fs.WindowsPathParser.parse(WindowsPathParser.java:77)
at sun.nio.fs.WindowsPath.parse(WindowsPath.java:94)
at sun.nio.fs.WindowsFileSystem.getPath(WindowsFileSystem.java:255)
at java.nio.file.Paths.get(Paths.java:84)
at org.wso2.ciphertool.utils.Utils.getConfigFilePath(Utils.java:98)
at org.wso2.ciphertool.utils.Utils.setSystemProperties(Utils.java:289)
at org.wso2.ciphertool.CipherTool.initialize(CipherTool.java:93)
at org.wso2.ciphertool.CipherTool.main(CipherTool.java:52)
I expect that script would run without errors, especially if I haven't edited anything, but it's throwing this exception. Any thoughts?
This issue has been identified and a PR has been sent here. Unfortunately, it's not merged yet.
As a quick fix, you can follow the steps below.
clone the repo
checkout to the branch "v1.0.0-wso2v8"
locally make the suggested fix in the PR
build the JAR
overwrite the <IS_HOME>/lib/org.wso2.ciphertool-1.0.0-wso2v8.jar with new JAR
try the ciphertool command
You can give the location of the keystore file as below in <PRODUCT_HOME>/repository/conf/carbon.xml file
<Location>${carbon.home}\repository\resources\security\wso2carbon.jks</Location>
(Please note the backslashes)
<KeyStore>
<!-- Keystore file location-->
<Location>${carbon.home}\repository\resources\security\wso2carbon.jks</Location>
<!-- Keystore type (JKS/PKCS12 etc.)-->
<Type>JKS</Type>
<!-- Keystore password-->
<Password svns:secretAlias="Carbon.Security.KeyStore.Password">password</Password>
<!-- Private Key alias-->
<KeyAlias>wso2carbon</KeyAlias>
<!-- Private Key password-->
<KeyPassword svns:secretAlias="Carbon.Security.KeyStore.KeyPassword">password</KeyPassword>
</KeyStore>
I've been trying for ages to deploy a library to clojars without having to specify username and password using lein deploy clojars. But I end up with the following error message:
gpg: gpg-agent is not available in this session
gpg: can't query passphrase in batch mode
gpg: Invalid passphrase; please try again ...
gpg: can't query passphrase in batch mode
gpg: Invalid passphrase; please try again ...
gpg: can't query passphrase in batch mode
gpg: decryption failed: secret key not available
Could not decrypt credentials from /Users/johan/.lein/credentials.clj.gpg
nil
See `lein help gpg` for how to install gpg.
No credentials found for clojars
See `lein help deploying` for how to configure credentials to avoid prompts.
My ~/.lein/credentials.clj.gpg looks like this (unencrypted):
{#"https://clojars.org/repo"
 {:username "<username>" :password "<password>"}}
I know that the username and password are correct (they are just copied from 1password).
Running gpg --list-keys gives me:
/Users/myname/.gnupg/pubring.gpg
-------------------------------
pub 2048R/0486A2C5 2010-10-12
uid My Name <myname#somemail.com>
sub 2048R/0617110A 2010-10-12
I've tried specifying both 0486A2C5 and 0617110A in ~/.lein/profiles.clj (:signing {:gpg-key "<key>"}) but it doesn't make any difference.
I've also made sure that use-agent is uncommented in ~/.gnupg/gpg.conf and I've also made sure that gpg-agent is installed on my machine (brew install gpg-agent).
Update 1
Running gpg --list-secret-keys gives me:
/Users/myname/.gnupg/secring.gpg
-------------------------------
sec 2048R/0486A2C5 2010-10-12
uid My Name <myname#somemail.com>
ssb 2048R/0617110A 2010-10-12
Running gpg --quiet --batch --decrypt ~/.lein/credentials.clj.gpg prompts me for my password and then yields the unencrypted results.
Update 2
I'm using gpg 1.4.20 and gpg-agent 2.0.29 (both installed using brew) on Mac OS X El Capitan.
What am I missing!?
I solved this by uninstalling gpg from brew (brew uninstall gpg) and then installing the binaries from gpgtools. I then opened the terminal and created a symbolic link from gpg2 to gpg:
$ ln -s /usr/local/MacGPG2/bin/gpg2 /usr/local/MacGPG2/bin/gpg
Then I added /usr/local/MacGPG2/bin to the PATH in my ~/.profile. When running lein clojars deploy I now get a graphical user interface where I enter the password, and afterwards it successfully signs the release and publishes the artifacts.
The easiest way to address this issue is to attempt to decrypt a file using gpg with the --batch flag. I think you'll find that your agent is installed but has not been started, or is perhaps improperly configured. If you can get gpg to work with --batch, then the deploy command will work.
My experience has been that naming the jar file you want to deploy with -SNAPSHOT on the end means that you do not have to set up public/private keys.
When setting in the sample app: Travelocity.properties
#Specify if SAMLAssertion element is encrypted
SAML.EnableAssertionEncryption=true
And also tick the Identity server configuration option:
Enable Assertion Encryption [ticked]
Certificate Alias: wso2carbon
I receive the following error at the server log:
Error at Log: 2015-05-05 15:56:10,282 Error encrypting XMLObject
Without the encryption feature enabled, the SAML authentication flow with the Travelocity sample code starts working.
Hints are welcome how to fix this issue.
Regards,
Claude
It seems like you are working on the installed java runtime for the first time. I am using ubuntu 14. The same problem came to me. For me it worked in the following way.
1. Download the respective files according to your runtime from here.
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
2. Extract the folder you downloaded. There will be two .jar files.
3. For Ubuntu you can run echo $JAVA_HOME to find the Java home. Copy the above jar files into {JAVA_HOME}/jre/lib/security. You may need sudo access depending on your JAVA_HOME location. If so, run the following from the location where you extracted the zip file.
cp local_policy.jar /{JAVA_HOME}/jre/lib/security
cp US_export_policy.jar /{JAVA_HOME}/jre/lib/security
There should be only one slash (/) at /{JAVA_HOME}.
4. Restart wso2 identity server again and retry the procedure to login to travelocity.com
Hope this will fix your issue.
For my ColdFusion 8 server, I can see the cacerts file in the following path: C:\ColdFusion8\runtime\jre\bin
However, the cacerts file is not present on my ColdFusion 9 server at the same location.
I am trying to install a cert into the ColdFusion truststore by following these steps:
1) Run the command prompt as administrator on the ColdFusion server
2) Make a backup of the original cacerts file in case you run into issues
3) Change the directory to your truststore’s location (where cacerts file is located).
In our case: C:\ColdFusion8\runtime\jre\bin
4) Type this command (use current JVM and use current JVM’s keytool):
C:\ColdFusion8\runtime\jre\bin>keytool -import -v -alias exported -file C:\ColdFusion8\runtime\jre\lib\security\exported.cer -keystore cacerts -storepass changeit
5) Type yes at the prompt to “Trust this certificate?”
6) Restart the ColdFusion service. It will not read the updated cacerts file until you do this.
Is there something new for ColdFusion 9? I have successfully installed the certificate for ColdFusion 8 following the above steps. Please advise.
The default truststore is the JRE's cacerts file. This file is typically located in the following places:
Server Configuration:
cf_root/runtime/jre/lib/security/cacerts
Multiserver/J2EE on JRun 4 Configuration:
jrun_root/jre/lib/security/cacerts
Sun JDK installation:
jdk_root/jre/lib/security/cacerts
You can verify the JRE that ColdFusion is using from the administrator under the 'System Information' page. Look for the Java Home line.
Trying to do a certificate import into the cacerts store in ColdFusion 10. I am able to run these commands and get the .cer file to import using these commands.
Manually import a certificate
Go to a page on the SSL server in question.
Double-click the lock icon.
Click the Details tab.
Click Copy To File.
Select the base64 option and save the file.
Copy the CER file into C:\ColdFusion9\runtime\jre\lib\security (or whichever JRE ColdFusion is using).
Run the following command in the same directory:
keytool -import -keystore cacerts -alias giveUniqueName -file filename.cer
But when I try and do a cfhttp call it fails. I suspect that I am saving the certificate in the wrong format.
I am using X.509 .der which is the recommended format. Is this the same base64? Does anyone know the documentation for this on CF10? I did this successfully on CF9 but it does not seem to work on CF10.
I would suggest using Certman from riaforge just to ensure that everything is being imported correctly
http://certman.riaforge.org/
Are you sure that the import worked? Whenever I have imported certificates in the past (using CF9) I needed to supply the password for the cacerts keystore. I do not see that in your posted example. The command to import should be something like this:
keytool -import -v -alias giveUniqueName -file filename.cer -keystore cacerts -storepass thePassword
Here is the command line to verify an imported certificate:
keytool -list -v -keystore cacerts -alias giveUniqueName -storepass thePassword
I did not include the password here but am pretty sure you can Google it. If not, send me a message and I can give it to you.
And yes, I always export the certificate in DER format as well. That should work.
Also, you may need to supply pathing information depending on where you run the keytool commands from and where your certificate file resides.
Another note, be sure you are updating the correct cacerts file that ColdFusion is using. In case you have more than one JRE installed on that server. You can verify the JRE ColdFusion is using from the administrator under the 'System Information'. Look for the Java Home line.
Oh - and you have to restart ColdFusion after making the import.
UPDATE FOR CF10
I found a forum discussion (here) talking about installing certificates on CF10. The keytool commands appear to be slightly different in their example. In case it is a bit different than CF9, here is what they said:
keytool -importcert -alias giveUniqueName -trustcacerts -file filename.cer -keystore cacerts -storepass thePassword
Trust this certificate? [no]: y
It looks like the verification command line has not changed.
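On the DER versus base64 question raised in this thread: the base64 export is PEM armor around the same DER bytes, so both files carry one certificate and one fingerprint. The following is an added example, not code from the thread: it normalizes either file to DER and compares it with a fingerprint pasted from the `keytool -list -v` output. The sample bytes are constructed and are not a real certificate.

```python
import hashlib
import ssl


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate file in either export format."""
    text = data.strip()
    if text.startswith(b"-----BEGIN CERTIFICATE-----"):
        # "Base-64 encoded X.509": PEM armor around the very same DER bytes.
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    if data[:1] == b"\x30":
        # "DER encoded binary X.509": raw ASN.1, starts with a SEQUENCE tag.
        return data
    raise ValueError("not a PEM or DER certificate file")


def fingerprints(data: bytes) -> dict:
    """SHA-1 and SHA-256 fingerprints, colon-separated as keytool prints them."""
    der = to_der(data)

    def fmt(digest: str) -> str:
        digest = digest.upper()
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

    return {"SHA1": fmt(hashlib.sha1(der).hexdigest()),
            "SHA256": fmt(hashlib.sha256(der).hexdigest())}


def same_certificate(file_bytes: bytes, keytool_fingerprint: str) -> bool:
    """Compare a file with a fingerprint pasted from `keytool -list -v`."""
    wanted = keytool_fingerprint.strip().upper()
    return wanted in fingerprints(file_bytes).values()


# Constructed sample: a tiny DER SEQUENCE standing in for a certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")
SAMPLE_PEM_CRLF = SAMPLE_PEM.replace(b"\n", b"\r\n")  # as saved on Windows
```

If `same_certificate` returns False for the alias you imported, the entry in that cacerts file is not the certificate the server presented, or a different JRE's cacerts file was updated.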