WSO-AM 1.5.0: Change keystore - axis

I have changed the carbon.xml file and axis2.xml to point to my own key-store. But when I start the wso2-am, the log says:
WARN - ValidationResultPrinter The default keystore (wso2carbon.jks)
is currently being used. To maximize security when deploying to a
production environment, configure a new keystore with a unique
password in the production server profile.
Example from axis2.xml:
<KeyStore>
    <Location>/data/wso2/certs/ibridge.jks</Location>
    <Type>JKS</Type>
    <Password>****</Password>
    <KeyPassword>****</KeyPassword>
</KeyStore>

There are 2 main reasons for you to change the default keystore password, which is "wso2carbon":
1. When moving to production environments, the keystore password should be altered from the default of 'wso2carbon'.
2. When changing the default keystore.
You can learn how to do this by following this blog post.

Did you point your jks file in the secret-conf.properties file (AM_HOME\repository\conf\security)?

Did you specify wso2carbon as the alias when creating the KeyStore? When the server starts up it'll search for KeyStores having wso2carbon alias, and if it finds any, it'll assume the default keystore is being used. If this is the case try giving a different alias.

Related

Rundeck Windows SSL

Has anyone configured SSL for a windows node in rundeck? I've configured the framework properties:
framework.server.name = myservername.domain.com
framework.server.hostname = myservername.domain.com
framework.server.port = 4443
framework.server.url = https://myservername.domain.com:4443
and the rundeck-config properties:
server.address=myservername.domain.com
server.port=4443
grails.serverURL=https://myservername.domain.com:4443
What I am missing, I assume, is that I need to import a cert into the keystore? The next steps are a bit vague since they are *nix specific.
You need to create the keystore/truststore using the java keytool command (check how to do that here, on the generating keystore step), add your cert to the keystore, copy your keystore as the truststore, then edit the ssl.properties file to point at the keystore/truststore Windows path location.
With your config posted above, you can start Rundeck indicating the ssl.properties file location with the -Drundeck.ssl.config=c:\rundeck\server\config\ssl.properties and -Dserver.https.port=4443 attributes in your .bat startup script (check the start_rundeck.bat file model here).

Vault Mismatch Error in Jboss/Wildfly

We are getting the below error in Wildfly/Jboss when we are trying to encrypt the DB password using Vault. Can you provide a solution for this?
Caused by: org.jboss.security.vault.SecurityVaultException: PB00027: Vault Mismatch:Shared Key does not match for vault block:bea_interface and attributeName:password
There are three possible causes:
1) There is just a mismatch between the passwords. Check what you used when setting up the vault.
2) The encrypted password files are missing:
Aside from the keystore, you should not forget to put in place the two other files that vault.sh generates:
vault.keystore
ENC.dat
Shared.dat
You need to copy all three files to the desired location, for example to the "standalone/configuration/" directory.
In the vault definition, these are the two parameters that will tell JBoss where to find them:
<vault-option name="KEYSTORE_URL" value="${jboss.server.config.dir}/vault.keystore"/>
<vault-option name="ENC_FILE_DIR" value="${jboss.server.config.dir}/"/>
3) You are using a keystore alias name longer than 10 characters.
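As an added example, not taken from any of the answers above: a small Python reader for the JKS file format that checks a keystore for the two things the WSO2 ValidationResultPrinter warning is about (the wso2carbon alias and the wso2carbon integrity password) and, for the JBoss vault answer just above, for any alias longer than 10 characters. build_jks only fabricates test data with trusted-certificate entries; real keystores come from keytool, and the parser handles both private-key and trusted-certificate entries of a version-2 JKS.

```python
import hashlib
import io
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"                # fixed string Java mixes into the JKS integrity digest
DEFAULT_ALIAS = DEFAULT_PASSWORD = "wso2carbon"   # what WSO2 ships; either one triggers the warning

def _utf(s: str) -> bytes:                    # Java writeUTF: 2-byte length + UTF-8 bytes
    return struct.pack(">H", len(s.encode())) + s.encode()

def _digest(body: bytes, password: str) -> bytes:   # JavaKeyStore integrity hash
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()

def build_jks(entries, password: str) -> bytes:
    """Constructed test data: a JKS v2 holding trusted-cert entries (alias, der_bytes)."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, der in entries:   # tag 2 = trusted cert, then alias, timestamp, type, DER
        body += struct.pack(">I", 2) + _utf(alias) + struct.pack(">Q", 0)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _digest(body, password)

def jks_aliases(data: bytes):
    """Walk the entry table; return (aliases, bytes covered by the trailing digest)."""
    rd = io.BytesIO(data)
    u32 = lambda: struct.unpack(">I", rd.read(4))[0]
    utf = lambda: rd.read(struct.unpack(">H", rd.read(2))[0]).decode("utf-8")
    if u32() != JKS_MAGIC or u32() != 2:
        raise ValueError("not a version-2 JKS keystore")
    aliases = []
    for _ in range(u32()):
        tag = u32(); aliases.append(utf()); rd.read(8)   # tag, alias, creation timestamp
        if tag == 1:                     # private key: protected blob + cert chain
            rd.read(u32())
            for _ in range(u32()):
                utf(); rd.read(u32())
        elif tag == 2:                   # trusted certificate: type string + DER
            utf(); rd.read(u32())
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    return aliases, data[:rd.tell()]

def check_keystore(data: bytes) -> dict:
    """The two signs WSO2's ValidationResultPrinter warns about, plus the JBoss vault alias limit."""
    aliases, body = jks_aliases(data)
    return {"aliases": aliases,
            "default_alias": DEFAULT_ALIAS in aliases,
            "default_password": data[len(body):len(body) + 20] == _digest(body, DEFAULT_PASSWORD),
            "vault_alias_too_long": [a for a in aliases if len(a) > 10]}   # limit from answer above
```

To inspect a real file, pass `open("wso2carbon.jks", "rb").read()` to check_keystore; a keystore that still matches the default password verifies against "wso2carbon" regardless of what carbon.xml says.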

Play Framework 2 ignores https configuration

I've been trying to configure play framework 2.5.8 to use keystore on custom location with custom purchased certificate. Configuration is as follows (under play section):
"server": {
  "https": {
    "keyStore": {
      "path": "/Users/...some_path.../keystore.jks",
      "type": "JKS",
      "password": "some_pass"
    }
  }
}
Everything is local, path reachable, keystore in place.
However, I constantly get debug message:
[warn] p.c.s.s.DefaultSSLEngineProvider - Using generated key with self signed certificate for HTTPS. This should not be used in production.
Keystore is prepared properly since everything works just fine if I supply keystore and password params as JVM arguments.
Is there anything else that needs to be configured? I even C/P-ed with slight modifications
def createSSLContext(applicationProvider: ApplicationProvider): SSLContext
method from DefaultSSLEngineProvider for testing purposes into one of my controllers to see if execution will reach line 44 (logger.debug("Using HTTPS keystore at " + file.getAbsolutePath)) which shouldn't happen in case of wrong configuration, weird keystore file, etc. To my surprise, everything worked properly. However, why Play isn't taking into account configuration from application.conf is beyond me. Unfortunately, supplying keystore params through JVM params is not an option for me in this particular scenario.

ClickOnce VSTO solution signed with mage.exe - certificate not trusted error

I'm trying to deploy a VSTO solution, which are 2 addins for Word and for Outlook, using ClickOnce. Due to our deployment infrastructure/practices, I cannot publish it using Visual Studio, it is instead built on a build server and deployed via a deployment server.
For local development, a self-signed certificate is used. The deployment worked with this self-signed certificate (if the the self-signed certificate was installed on the machine), but now I want to add a real company certificate so that the application can be deployed to the users.
During deployment, after the configuration files are poked, they are updated and re-signed with the real certificate. However, this produces the following error during installation:
System.Security.SecurityException: Customized functionality in this application will not work because the certificate used to sign the deployment manifest for <app name> or its location is not trusted. Contact your administrator for further assistance.
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustPromptKeyInternal(ClickOnceTrustPromptKeyValue promptKeyValue, DeploymentSignatureInformation signatureInformation, String productName, TrustStatus status)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustUsingPromptKey(Uri manifest, DeploymentSignatureInformation signatureInformation, String productName, TrustStatus status)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustUsingPromptKey(Uri manifest, DeploymentSignatureInformation signatureInformation, String productName)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.ProcessSHA1Manifest(ActivationContext context, DeploymentSignatureInformation signatureInformation, PermissionSet permissionsRequested, Uri manifest, ManifestSignatureInformationCollection signatures, AddInInstallationStatus installState)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.VerifySecurity(ActivationContext context, Uri manifest, AddInInstallationStatus installState)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
The Zone of the assembly that failed was:
MyComputer
The only lead I have is that, after re-signing, the values in publisherIdentity element are not changed (both .vsto and .manifest), only the Signature element has values corresponding to the new certificate.
Following commands are used to sign the .vsto and .manifest files (as far as I can see from the deployment scripts):
mage.exe -Update "[path to .vsto/.manifest]"
mage.exe -Sign "[path to .vsto/.manifest]" -CertHash [certificateHash]
where [certificateHash] is the thumbprint of the real certificate and is used to look up the certificate in the certificate stores. I'm told this is a security measure so that the certificate file doesn't have to be distributed along with the deployment package.
After signing, the files have their Signature values changed, but the publisherIdentity still has the name and issuerKeyHash of the self-signed certificate.
I tried poking these two values prior to re-signing, but I don't know how to calculate the issuerKeyHash.
Any advice on how to proceed would be much appreciated!
Edit:
I was trying out other mage.exe parameters, like '-TrustLevel FullTrust' (which didn't have any effect) or '-UseManifestForTrust True' along with Name and Publisher parameters, which yielded this error message (which is different than the one mentioned above).
************** Exception Text **************
System.InvalidOperationException: You cannot specify a <useManifestForTrust> element for a ClickOnce application that specifies a custom host.
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.GetManifests(TimeSpan timeout)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
The certificate that the app is signed with isn't trusted by Windows. As a work around,
Right click on setup.exe,
Select properties then the Digital Signatures tab
Select Vellaichamy/user then click Details
Click View Certificate and Click Install Certificate.
Do not let it automatically choose where to store the cert; install the certificate in the Trusted Root Certification Authorities store. Once the cert is installed the app should install...
Take a look at the Granting Trust to Office Solutions article which states the following:
If you sign the solution with a known and trusted certificate, the solution will automatically be installed without prompting the end user to make a trust decision. After a certificate is obtained, the certificate must be explicitly trusted by adding it to the Trusted Publishers list.
For more information, see How to: Add a Trusted Publisher to a Client Computer for ClickOnce Applications.
Also you may find the Deploying an Office Solution by Using ClickOnce article helpful.
We have found what the problem was. We used a version of mage.exe tool from Windows SDK from a folder named 7A (I don't remember the full paths, sorry). A colleague then found another folder with versions 7A, 8 and 8A. Once we took the .exe from 8A folder, the installation works as expected.
Try copying all the necessary files to the client computer then install. If you can avoid installing from the network drive you might be able to avoid this exception.

Manually create Debug Token for BB10 fails

I want to create a debug token for my dev device with the native SDK (momentics), but it fails without any error message (just: "error creating debug token").
Now I use the command line tools.
But:
1. If I want to request a token:
./blackberry-debugtokenrequest -storepass xxxxx -devicepin xxxxx -csjpin xxxxx client-RDK-00000.csj
I get:
Error: Not yet registered to request debug tokens
2. So I want to register (I'm already registered, but ok...):
./blackberry-debugtokenrequest -register -storepass xxxxx -csjpin xxxxx client-PBDT-00000.csj
Error: Error: Unable to register client '00000' because there are no
more registration attempts. If you have already registered with this
server, then you should restore your signing keys from backup. If you
don't have a backup of the keys, then you can order a new set of keys
at www.blackberry.com/go/codesignin
I have a backup, but what should i do with it?
I want to create a debug token, but the message says: not yet registered.
So I want to register, and it says: already registered...
First things first, you only need the CSJ files to register with RIM, which you only need to do once. You can then safely delete them and your CSJ PIN.
If you have a backup file it means you have already registered which means you shouldn't be using the -register flag when attempting to create a debug token.
To restore your backup code signing key follow these instructions: http://supportforums.blackberry.com/t5/Testing-and-Deployment/Backup-and-Restore-BlackBerry-Code-Signing-Keys/ta-p/837925
Once you have restored your code signing key you can create a debug token using the following command:
blackberry-debugtokenrequest -storepass developercertpass -devicepin 50F2D211 dt.bar
You can use the CSJ files to register only one time. After that it cannot be used. Can you try getting new set of CSJ Files from blackberry server? I think it might solve the issue.
If you know Spanish I recommend this post.
In the PDF, on page 9, you'll find a .bat file to get a debug token for BlackBerry 10. This is the code:
REM Paths and secrets; replace the placeholders before running.
REM set "VAR=value" keeps the quotes out of the value, so paths with spaces can be quoted where they are used.
set "LOCAL_DATA_PATH=C:\Users\<user>\AppData\Local\Research In Motion"
set "CSK_PASSWORD=Pass of CA"
set "CERT_STORE_PASSWORD=Pass of web key"
set "DEVICE_PIN=PIN of device"
REM The SDK tools live on the E: drive inside the Eclipse plugin
E:
cd "eclipse\plugins\net.rim.ajde_1.5.2.201302260701\blackberry.tools.SDK\bin"
blackberry-debugtokenrequest -cskpass %CSK_PASSWORD% -keystore "%LOCAL_DATA_PATH%\author.p12" -storepass %CERT_STORE_PASSWORD% -devicepin %DEVICE_PIN% "%LOCAL_DATA_PATH%\debugtoken.bar"
pause