A really newbie question:
under glassfish->domains->domain1->config folder, there's a file named "keyfile", what is that file for? I know cacert.jks and keystore.jks are used to store certificates. But what's keyfile? does it contain all the certificate private keys?
I am using Glassfish 3.1.
thanks
It stores username and (hashed) passwords for Glassfish's FileRealm.
See this document for more information on Glassfish authentication realms.
Users can be added/removed via asadmin or the GF administration console.
Related
I am currently struggeling with the following tasks. I don't want to include my TLS certificates in my templates because
I don't want to check in credentials in code management while still checking in the templates
I am using multiple Applications with the same Certificate and I don't want to update repos just because I might distribute another certificate
Now my approach is this. I am using Jenkins for my build pipelines. I have a Repo that is used just for certificate management. It will run when updated and distribute the certificate and private key to Openshift Secrets on various clusters.
When running the Template of an application I am retrieving the Information from the secret and setting the values in the route. And here's where things get tricky. I can only use single line values because
Openshift templates will not accept multiline parameters with oc process
Secrets will not store multiline values
So the solution seemed to be easy. Just store the Certificate with \n and set it in the Route like this. However Openshift will not accept single line certificates resulting in the error
spec.tls.key: Invalid value: "redacted key data": tls: found a certificate rather than a key in the PEM for the private key
Now the solution could be to insert the Certificate as multiple lines directly in the template file before processing and applying it to the cluster but that seems a little bit hacky to me. So my Question is
How can you centrally manage TLS Certificates for your applications and set them correclty in the Templates you're applying?
Secrets can be multiple lines. You can create a secret using a certificate file, and mount that secret as a file into your containers. See here for how to create secrets from files:
https://kubernetes.io/docs/concepts/configuration/secret/
Use the openshift command line tool instead of kubectl.
For certificates, there is something called cert-manager:
https://docs.cert-manager.io/en/latest/
This will generate certs as needed. You might want to take a look.
In order to centrally manage TLS Certificates for the applications, you can create a general secret and use it via volume mounting.
Our application server (Apache Tomcat Plume) that use jta-managed data source through tomee.xml file should access database server just in secure (HTTPS) mode with two way ssl or client authentication.
So we have to put keystore and truststore plain passwords into setenv.sh or other places in row format. (I m not sure that is the first and last method to do that?) and what happens is tomcat logging mechanism log all these secret information in plain format into log files like catalina.out.
That what (locating raw passwords in config files) is we do not want. Actually we must ( although it s not appear a big threaten while user have access to files, could find real password atleast), encrypt password and use it in environment variables.
Central Question
In other word, how can we set jvm properties and environment variables in encrypted mode?
Re: Hide or disable Tomcat command line arguments logging (the title of this question)
This logging is done by VersionLoggerListener it is possible to configure it, or just remove it from configuration (server.xml).
Re: plaintext passwords handling
This is covered in Tomcat FAQ.
A Vault can be used to store secrets.
I'm using a private Artifactory repo that I'd like to use for various builds running on OCP.
Artifactory authentication is requiring CA with username and password.
The only option that I see is to either mount the CA file via config map or to extend my current s2i build by another docker build to inject the CA into the pod's file system. Both options are pretty ugly.
Is there anybody having a more elegant approach to this problem?
Thanks so much in advance!
I am trying to use Spring Security to authenticate users against Active Directory. So far I was using LDAP protocol, but now I would like to use LDAPS.
I followed this article http://blogs.oracle.com/gc/entry/unable_to_find_valid_certification and it works. I was able to bind user against AD successfully using LDAPS.
But after a while (15 - 30min), when I try to log in, I get this exception again:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
and then I am no longer able to use LDAPS.
I tried to:
restart tomcat
add certificate directly to cacerts
starting tomcat with path to trustStore by using env property -Djavax.net.ssl.trustStore
Only thing that works is to recreate jssecacerts completely. It is not enough just copy existing jssecacerts to jre/lib/security, it MUST be new file. I just do not understand...
My enviroment is: java 1.6.0_26, tomcat 7.0.20, spring 3.0.5, spring security 3.1RC2
Am I doing something wrong?
Thanks
Ok, so I probably found solution. I did not know that behind one Active Directory URL are many physical machine :) When I used InstallCert it rewrote and generated new keystore with only one current certificate. That was reason why it sometimes worked and sometimes did not. I also found that all certificates are signed by one CA. After adding CA's certificate to trustStore it started finally work.
I am developing a WCF service on my local computer using Visual Studios built in ASP.NET development sever and I'm having issues creating and using temporary Certificates.
I have created a cert call TempCA and added it to the Trusted Root Certificate folder and I have created another called SignedByCA which has been added to the personal folder.
The service config file has been set up to use SignedByCA but when I run the service I get the following error.
The certificate 'CN=SignedByCA' must have a private key that is capable of key exchange. The process must have access rights for the private key.
I have tried using WinHttpCertCfg.exe to give other users access to the key but I have since found out that WinHttpCertCfg.exe has be deprecated in windows Vista.
Has anyone had this issue before in a similar circumstance??
Try certmgr. But I suppose you used the makecert to generate the certificate, you don't need to use WinHttpCertCfg to install it. It should be installed automatically.
Also, if you are hosting the service in IIS, the private key is normally generated in
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
You can try granting read-only security of the MachineKeys for the user "NETWORK SERVICE" (user for IIS6).