
WSO2 Identity Server 5.3.0 CipherTool Bug

Identity server 5.3.0. Recently patched. I've replaced the default keystore and keys with my own. Utilizing the ciphertool to remove plain text passwords from various config files. I've successfully replaced the database password inside of repository/conf/datasources files using the ciphertool. Restarted the IS successfully. Was moving on to the keystore values inside of the carbon.xml file and I keep getting the following error:

TID: [-1234] [] [2017-10-16 21:39:44,322] ERROR {org.wso2.carbon.core.deployment.DeploymentInterceptor} -  Error while pdating wso2carbon-sts in STSDeploymentInterceptor 
java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
    at java.security.KeyStore.load(KeyStore.java:1445)

...

Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
    ... 53 more

I've confirmed the password is correct. I even re-replaced the ciphertool reference inside of carbon.xml with the clear text value and restart successfully, again. My only guess at this point is that ciphertool is not handling special characters correctly. My pass has an ampersand (@). Any help would be appreciated.

Update: Went through the effort of recreating a brand new key store and key with a simple password... no special characters. Same results. After running ciphertool.bat -Dconfigure my carbon.xml entries look good (see below), which indicates the XPath in cipher-tool.properties is correct. And I've triple checked the password in cipher-text.properties.

<KeyStore>
    <!-- Keystore file location-->
    <Location>${carbon.home}/repository/resources/security/KeyStore.jks</Location>
    <!-- Keystore type (JKS/PKCS12 etc.)-->
    <Type>JKS</Type>
    <!-- Keystore password-->
    <Password svns:secretAlias="Conf.Carbon.KeyStore.Password">password</Password>
    <!-- Private Key alias-->
    <KeyAlias>QaCert</KeyAlias>
    <!-- Private Key password-->
    <KeyPassword svns:secretAlias="Conf.Carbon.KeyPassword">password</KeyPassword>
</KeyStore>
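The exception in the stack trace is raised by the JKS integrity check in sun.security.provider.JavaKeyStore.engineLoad: a SHA-1 seeded with the password as UTF-16BE bytes plus the literal string "Mighty Aphrodite", run over the whole file, must equal the last 20 bytes of the keystore. The following Python is an added example (not code from the question, the answer, or WSO2) that replicates that check and builds a constructed zero-entry JKS, so you can confirm offline that the password you put in cipher-text.properties is byte-for-byte the one the keystore was sealed with, independent of CipherTool.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
# Fixed string that JavaKeyStore.getPreKeyedHash mixes into the digest.
_KEYED_HASH_SALT = b"Mighty Aphrodite"


def _prekeyed_sha1(password: str):
    """SHA-1 seeded like JavaKeyStore.getPreKeyedHash: each password char
    as big-endian UTF-16 (high byte first), then the fixed salt bytes."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(_KEYED_HASH_SALT)
    return h


def build_empty_jks(password: str) -> bytes:
    """Constructed sample: a JKS with zero entries, sealed with `password`.
    Layout: magic, version, entry count (all big-endian int32), then the
    20-byte keyed digest over everything before it."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 0)
    h = _prekeyed_sha1(password)
    h.update(body)
    return body + h.digest()


def jks_password_ok(data: bytes, password: str) -> bool:
    """The check whose failure Java reports as
    'Keystore was tampered with, or password was incorrect'.
    Works on any JKS file's bytes, not only the constructed sample."""
    if len(data) < 12 + 20:
        return False
    magic, version = struct.unpack(">II", data[:8])
    if magic != JKS_MAGIC or version not in (1, 2):
        return False
    body, stored_digest = data[:-20], data[-20:]
    h = _prekeyed_sha1(password)
    h.update(body)
    return h.digest() == stored_digest


if __name__ == "__main__":
    ks = build_empty_jks("p@ss&word")
    print(jks_password_ok(ks, "p@ss&word"))   # True: @ and & are not special here
    print(jks_password_ok(ks, "p@ss&word "))  # False: a trailing space changes the digest
    print(jks_password_ok(ks, "P@ss&word"))   # False: comparison is exact, case included
```

To test a real file, read repository/resources/security/KeyStore.jks in binary mode and pass its bytes with the store password; the key password (KeyPassword) is not covered by this trailer check and is verified separately per entry.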

John, I would submit this bug to WSO2's GitHub or JIRA instance:

On a side note, I noticed WSO2's use of encrypted passwords has an issue with special characters. This could be a general problem if WSO2 IS is using CipherTool to automatically encrypt passwords in the WebUI. See my comment at the bottom of this post:

Connection issues after turning off embedded LDAP
