Storing keyStorePassword value encrypted in SSL configuration XML - ssl

Do I have a way to store keyStorePassword and trustStorePassword values encrypted in Ignite SSL configuration XML instead of plain text?
<property name="sslContextFactory">
<bean class="org.apache.ignite.ssl.SslContextFactory">
<property name="keyStoreFilePath" value="keystore/node.jks"/>
<property name="keyStorePassword" value="123456"/>
<property name="trustStoreFilePath" value="keystore/trust.jks"/>
<property name="trustStorePassword" value="123456"/>
<property name="protocol" value="TLSv1.3"/>
</bean>
</property>
Thanks
Stanislav

The simplest way is probably to use property palceholders (Ignite’s XML file is just Spring).
You can also configure it to pull passwords from secret stores. Blog here.

Related

Ignite: Configuring persistence to a custom directory

I want to provide a custom directory to persist the data. My persistence configuration is:
<property name="dataStorageConfiguration">
<bean class="org.apache.ignite.configuration.DataStorageConfiguration">
<property name="defaultDataRegionConfiguration">
<bean class="org.apache.ignite.configuration.DataRegionConfiguration">
<property name="persistenceEnabled" value="true"/>
</bean>
</property>
</bean>
</property>
As mentioned in the documentation, by default it persists under ${IGNITE_HOME}/work/db directory on each node. I can change the directory by calling setStoragePath() method. But how do I configure it through xml.
I have searched but couldn't find in the documentation. Please help to find the right xml key for modifying this configuration.
Thanks!!
The correct one would be the property of DataStorageConfiguration:
<property name="storagePath" value="$ENV_VAR/relative/path"/>
Javadoc link: https://ignite.apache.org/releases/latest/javadoc/org/apache/ignite/configuration/DataStorageConfiguration.html#getStoragePath--

wso2 is secondary user store authentication

I have a wso2 is 5.1.0 server runign on Debian. I have a simple servlet that is authenticating using Oauth2 and works perfectly with the users in the primary store.
I have created a secondary store pointing to an openldap server. I have some users and groups and are seen correctly from the IS. I see that when I try to see the User Profile i get the following error:
Error while loading user profile metadata
But when I try to authenticate using the users in the ldap server i get a Login Failed error. I have tried to use both username, DOMAIN/username and username#DOMAIN but none of the worked.
I am starting to think that it could be related to the Calim configuration as the users in the different stores have different values but I don't know how to solve it.
Any ideas on what I am doing wrong?
UPDATED:
This is how I have defined the secondary store.
<?xml version="1.0" encoding="UTF-8"?><UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
<Property name="ConnectionURL">ldap://xxxx:389</Property>
<Property name="ConnectionName">cn=admin,dc=xx,dc=xx</Property>
<Property encrypted="true" name="ConnectionPassword">xxxx</Property>
<Property name="UserSearchBase">ou=users,dc=nextel,dc=es</Property>
<Property name="UserEntryObjectClass">inetOrgPerson</Property>
<Property name="UserNameAttribute">cn</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)cn=?))</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserDNPattern"/>
<Property name="DisplayNameAttribute"/>
<Property name="Disabled">false</Property>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="GroupSearchBase">ou=groups,dc=xx,dc=xx</Property>
<Property name="GroupEntryObjectClass">groupOfNames</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="RoleDNPattern"/>
<Property name="MembershipAttribute">member</Property>
<Property name="MemberOfAttribute"/>
<Property name="BackLinksEnabled">false</Property>
<Property name="UserNameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UserNameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated.</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaRegExViolationErrorMsg">Password pattern policy violated.</Property>
<Property name="RoleNameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="RoleNameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="SCIMEnabled">false</Property>
<Property name="BulkImportSupported">true</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
<Property name="MultiAttributeSeparator">,</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="kdcEnabled">false</Property>
<Property name="defaultRealmName">WSO2.ORG</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ConnectionPoolingEnabled">false</Property>
<Property name="ReadTimeout">5000</Property>
<Property name="LDAPConnectionTimeout">5000</Property>
<Property name="RetryAttempts">0</Property>
<Property name="DomainName">incloudLDAP</Property>
<Property name="Description"/>
</UserStoreManager>
I can see the users in the list and even create a new one on the LDAP through WSO2 Is, but i cannot see the parameters.
UPDATED:
THe user structure in the LDAP is quite simple.
For the authentication issue, you need to verify "UserNameSearchFilter" attribute is correctly configured. It must mapped to the user name attribute in your ladp server.
<Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property>
Also you can map attibutes from different user stores to a same wso2 claim. In the mapped attibute section use something like follows,
PRIMARY/attribute1;FOO/attribute2;BAR/attribute3
Also refer - https://docs.wso2.com/display/IS510/Adding+Claim+Mapping

Connecting WSO2 Identity Server to an External LDAP source using startTLS

We have recently migrated our internal ApacheDS embedded LDAP service over to an external OpenLDAP server in our WSO2 Identity Server (4.6.0). That has been working well for last month.
In an effort to secure the environment further, I have created a new OpenLDAP cluster which enforces the use of TLS (startTLS). Below is my user-mgt.xml file. I have also imported the cacert.pem from the OpenLDAP server into the ./resources/security/client-truststore.jks on both of our IS nodes.
At startup I receive the follow errors:
Cannot create connection to LDAP server. Error message Error obtaining connection. [LDAP: error code 13 - TLS confidentiality required]
Below is my user-mgt.xml
<UserManager>
<Realm>
<Configuration>
<AddAdmin>true</AddAdmin>
<AdminRole>admin</AdminRole>
<AdminUser>
<UserName>admin</UserName>
<Password>SECRET</Password>
</AdminUser>
<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
<Property name="dataSource">jdbc/bpsdbq</Property>
</Configuration>
<!-- If product is using an external LDAP as the user store in read/write mode, use following user manager
In case if user core cache domain is needed to identify uniquely set property <Property name="UserCoreCacheIdentifier">domain</Property>
-->
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="ConnectionURL">ldap://ourldap.server.com</Property>
<Property name="Disabled">false</Property>
<Property name="ConnectionName">cn=admin,dc=wso2,dc=org</Property>
<Property name="ConnectionPassword">SECRET</Property>
<Property name="passwordHashMethod">SHA</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserEntryObjectClass">inetOrgPerson</Property>
<Property name="UserSearchBase">ou=users,dc=wso2,dc=org</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(cn=?))</Property>
<Property name="UserNameAttribute">cn</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="EmptyRolesAllowed">false</Property>
<Property name="GroupSearchBase">ou=groups,dc=wso2,dc=org</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupEntryObjectClass">groupOfNames</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="SharedGroupNameAttribute">cn</Property>
<Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property>
<Property name="SharedGroupEntryObjectClass">groupOfNames</Property>
<Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="SharedGroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property>
<Property name="SharedTenantNameAttribute">ou</Property>
<Property name="SharedTenantObjectClass">organizationalUnit</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="SCIMEnabled">false</Property>
</UserStoreManager>
<AuthorizationManager
class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
</AuthorizationManager>
</Realm>
</UserManager>
Any help would be appreciated!
Thanks!
WSO2IS does not support to connect with startTLS. You can find an open jira for this. However, you can connect with normal SSL/TLS. Yes..then you need to import the openLDAP certificate in to resources/security/client-truststore.jks and connect to the SSL LDAPS port of the openLDAP

Separate Keystore for Spring-WS SSL handshake and Message Encryption

I have a question in regards to
SSLHandshakeException talking to a https Web service using Spring WebServiceTemplate
answerd by borodark
"No need to import keys into keystore."
If we dont provide a keystore then what will Httpclient use for sending the Client certificate for SSL handshake ?
I have a requirement to invoke web services on a bussiness partner -
a) Authenticate using SSL using a public key certificate X
b) Encrypt and Sign SOAP messages using public key certificate Y
I guess I will need to specify certificate Y to the following :
<bean class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
<property name="securementActions" value="Signature"/>
<property name="securementSignatureKeyIdentifier" value="DirectReference"/>
<property name="securementUsername" value="mycert"/>
<property name="securementPassword" value="certpass"/>
<property name="securementSignatureCrypto">
<bean class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
<property name="keyStorePassword" value="123456"/>
<property name="keyStoreLocation" value="classpath:/keystore.jks"/>
</bean>
</property>
</bean>
I am not sure how/where to specify certificate X for SSL handshake. I think its the HttpClient but I dont see it in the XML posted by borodark.
Please help !
in the xml file where you have configured the keystore you should have something like this:
<beans>
<bean id="keyStoreHandler" class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
<property name="keyStore" ref="keyStore"/>
<property name="privateKeyPassword" value="changeit"/>
</bean>
<bean id="keyStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
<property name="location" value="classpath:keystore.jks"/>
<property name="password" value="changeit"/>
</bean>
</beans>
the cue here is
<property name="location" value="classpath:keystore.jks"/>
that is the path to the keystore.. now, possibly you can use a certain alias inside the keystore for ssl handhshake (and that's what you configure here), additionally the security policy leverages on the same file, but then again in the securitypolicy file you can specify a different alias.. and that should do the trick..
Consider that while
<property name="location" value="classpath:keystore.jks"/>
indicates classpath you can use other form to reference resources outside the war itself, and that lets you change the certificate without touching the war at all..

How to change primary LDAP domain of WSO2 IS 4.5.0

I would like modify the domain of the primary user storage (based on LDAP), but i can not get successfully.
The current domain in user-mgt.xml is dc=wso2,dc=org and I would like to change to dc=foobar,dc=com
My modified user-mgt.xml is:
...
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
<Property name="defaultRealmName">FOOBAR.COM</Property>
<Property name="kdcEnabled">false</Property>
<Property name="Disabled">false</Property>
<Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
<Property name="ConnectionName">uid=admin,ou=system</Property>
<Property name="ConnectionPassword">admin</Property>
<Property name="passwordHashMethod">SHA</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserEntryObjectClass">identityPerson</Property>
<Property name="UserSearchBase">ou=Users,dc=foobar,dc=com</Property>
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
<Property name="UserNameAttribute">uid</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="ServicePasswordJavaRegEx">^[\\S]{5,30}$</Property>
<Property name="ServiceNameJavaRegEx">^[\\S]{2,30}/[\\S]{2,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="EmptyRolesAllowed">true</Property>
<Property name="GroupSearchBase">ou=Groups,dc=foobar,dc=com</Property>
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="GroupEntryObjectClass">groupOfNames</Property>
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="SharedGroupNameAttribute">cn</Property>
<Property name="SharedGroupSearchBase">ou=SharedGroups,dc=foobar,dc=com</Property>
<Property name="SharedGroupEntryObjectClass">groupOfNames</Property>
<Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property>
<Property name="SharedGroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
<Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property>
<Property name="SharedTenantNameAttribute">ou</Property>
<Property name="SharedTenantObjectClass">organizationalUnit</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="UserDNPattern">uid={0},ou=Users,dc=foobar,dc=com</Property>
<Property name="RoleDNPattern">cn={0},ou=Groups,dc=foobar,dc=com</Property>
<Property name="SCIMEnabled">true</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="MaxUserNameListLength">100</Property>
</UserStoreManager>
...
The error when starting WSO2 IS is:
Caused by: org.wso2.carbon.user.core.UserStoreException: [LDAP: error code 32 - NO_SUCH_OBJECT: failed for SearchRequest
baseDn : 'ou=Groups,dc=foobar,dc=com'
filter : '(&(2.5.4.0=groupofnames)(2.5.4.3=*))'
scope : whole subtree
typesOnly : false
Size Limit : 100
Time Limit : 11
Deref Aliases : deref Always
attributes : 'cn'
: ERR_268 Cannot find a partition for ou=Groups,dc=foobar,dc=com]
at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.getLDAPRoleNames(ReadOnlyLDAPUserStoreManager.java:1024)
at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.doGetRoleNames(ReadOnlyLDAPUserStoreManager.java:1134)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleNames(AbstractUserStoreManager.java:2485)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleNames(AbstractUserStoreManager.java:2382)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleNames(AbstractUserStoreManager.java:2375)
at org.wso2.carbon.event.core.internal.subscription.registry.RegistrySubscriptionManager.<init>(RegistrySubscriptionManager.java:91)
... 65 more
What should I be missing?
Solved !
I have replaced older domain and defaultRealmName in the following files:
IS_HOME/repository/conf/user-mgt.xml
IS_HOME/repository/conf/tenant-mgt.xml
IS_HOME/repository/conf/embedded-ldap.xml
I have replaced dc=wso2,dc=org for dc=foobar,dc=com and defaultRealmName=WSO2.ORG for FOOBAR.COM, then I deleted the directory named root located in the IS_HOME/repository/data/org.wso2.carbon.directory
.. so a fresh default partition will be created again at the restart.
Now, if you connect to WSO2IS' embedded LDAP (10389 port) using any LDAP client, you will see the new domain FOOBAR.COM instead of WSO2.ORG.
I hope that be useful.
I guess, you are trying to change the "dc=wso2,dc=org" value. You can not change it using user-mgt.xml file. user-mgt.xml file is used to connect WSO2IS with LDAP or AD or JDBC user stores. It means there can be LDAP running externally and you need to configure user-mgt.xml file to connect that LDAP using proper configurations. By default WSO2IS is shipped with embedded LDAP server and by default user-mgt.xml file has been configured to point to that embedded LDAP server. This embedded LDAP is created with "dc=wso2,dc=org" value. You can find the configurations of this embedded LDAP in the "embedded-ldap.xml" file. But there is no parameter to configure the domain ""dc=wso2,dc=org". It means, we can not configure it. But you can still create your own LDAP server using ApacheDS, OpenDJ and OpenLDAP and can point it to WSO2 Identity Server.