[midPoint] config.xml during installation

Colin Thompson cthompson31 at ucmerced.edu
Wed Oct 17 15:55:01 CEST 2018


Admittedly, I haven't tried it with mysql (I'm using postgresql), but the contents of the keystore should contain the one key that midPoint uses to encrypt what it writes to the database.  If I remember correctly, the default password for that key is "midpoint" (but my memory sucks, so you should double check the comments in the default config.xml, where it says what to use).  So when you create the keystore, use whatever password you put in config.xml for the keystore password, but use "midpoint" for the key password, and see if that works.  I'm sure there's a way to change that to something that's not "midpoint", but I haven't looked into how to do that yet.

In the example below, which is what I did to get it to work with postgres, the password <changeit> is what gets put in config.xml, the password <midpoint> is what Midpoint will use to access the key itself, and the /tmp/keystore.jceks file would need to be moved into the midpoint home directory (/opt/midpoint/var/ by default):


colin at delorean:~$ keytool -genseckey -alias default -keystore /tmp/keystore.jceks -storetype jceks -keyalg AES -keysize 128
Enter keystore password:  <changeit>
Re-enter new password:  <changeit>
Enter key password for <default>
(RETURN if same as keystore password):  <midpoint>
Re-enter new password: <midpoint>

Warning:
The JCEKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /tmp/keystore.jceks -destkeystore /tmp/keystore.jceks -deststoretype pkcs12".
colin at delorean:~$



--

Colin Thompson
cthompson31 at ucmerced.edu

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Solberg, Eric <eric at solberg.com>
Sent: Tuesday, October 16, 2018 1:28:59 PM
To: midPoint General Discussion
Subject: Re: [midPoint] config.xml during installation


Thanks Colin. It looks like the keystore that was created when midpoint started has only one entry:

Your keystore contains 1 entry

default, Oct 16, 2018, SecretKeyEntry,



So if I’m understanding correctly, I’m missing the administrator here. Perhaps the administrator account/password is only created automatically in demo mode? I imagine it’s a simple process to add it. The instructions in the config.xml show how to create a new keystore, but I’m not sure what it should be populated with, or how.



I suspect I can copy the keystore from the demo system to get the admin password in here. I’ll try that next but if I’m going about it wrong let me know. Thanks again.



Eric



From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Colin Thompson <cthompson31 at ucmerced.edu>
Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
Date: Tuesday, October 16, 2018 at 12:54 PM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] config.xml during installation



Sounds like a missing/incorrect keystore.jceks issue. I believe the administrator password, among other things, is stored encrypted in the database, and the key by which it is encrypted is stored in the keystore.jceks file in /opt/midpoint/var/.  I've found that when the administrator password doesn't match (assuming you're typing it correctly), it's usually because you're not using the key/keystore it was created with.

There are instructions in the default config.xml file for how to create the keystore if you want to customize things.




________________________________

From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Solberg, Eric <eric at solberg.com>
Sent: Tuesday, October 16, 2018 1:11:16 PM
To: midPoint General Discussion
Subject: [midPoint] config.xml during installation



I'm installing MySQL drivers for my Midpoint setup, and have updated config.xml. I've got connectivity to the database, but am encountering a problem logging in as administrator. I'm just starting to evaluate this, but I'm not 100% confident I followed the right process for setting up config.xml.

Here's what I did:
- Installed the midpoint demo with embedded database. Made a copy of the generated config.xml.
- Deleted this demo instance
- Setup a MySQL instance, created midpoint user & database, imported mysql-3.8-all.sql
- Modified the config.xml to include <repository> settings for mysql
- Modified the Dockerfile to copy config.xml to ${MP_DIR}/var/
- Also modified the Dockerfile to install the SQL driver
- Built the Docker image and deployed to my VM

This is working and I have connectivity to the database. This setup is pretty slow, but I'm not tuning yet... The problem I'm having is I can't log in as administrator (5ecr3t password).

Here's what I got in midpoint.log:
018-10-16 16:44:02,824 [] [http-nio-8080-exec-4] ERROR (com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl): Error dealing with credentials of user "administrator" credentials: No key mapped to key digest FbJhcZYWk/Q3KnAucPQgRSxD/QM= could be found in the keystore. Keys digests must be recomputed during initialization

I'm guessing it's one of 3 things:
- Was I supposed to copy config.xml from the demo? Or should I create a new config.xml with only the repository settings and let midpoint recreate everything else?
- Or should I also copy the other files from the demo /opt/midpoint/var directory?
- Or is there some other step to recompute key digests?

Any suggestions?

Thanks,
Eric
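A check that is not part of the thread: the error above names the digest of the key that encrypted the stored administrator credentials, so the quickest way to confirm the "wrong keystore" diagnosis is to print the digests of the keys that are actually in /opt/midpoint/var/keystore.jceks and compare. The program below is an added example, not midPoint's own code. It assumes (as I understand midPoint's protector; verify against the midPoint source for your version) that the digest is SHA-1 over the raw secret key bytes, base64-encoded, which fits the 28-character base64 value in the log (20 bytes), and it defaults to the store password "changeit" and key password "midpoint" discussed in the thread; the class name and argument order are my own.

```java
// Added example (not midPoint code): list the secret keys in a midPoint
// keystore.jceks and print, for each, the digest that midPoint is assumed to
// use as the key identifier inside encrypted values (SHA-1 of the raw key
// bytes, base64). If none of the printed digests equals the one in the
// "No key mapped to key digest ..." log line, the keystore midPoint is reading
// is not the one that encrypted the credentials in the database.
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;

public class KeystoreDigests {
    public static void main(String[] args) throws Exception {
        // Defaults assumed from the thread; override on the command line.
        String path = args.length > 0 ? args[0] : "/opt/midpoint/var/keystore.jceks";
        char[] storePass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        char[] keyPass = (args.length > 2 ? args[2] : "midpoint").toCharArray();

        // Wrong store password -> IOException ("Keystore was tampered with, or
        // password was incorrect") from load().
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }

        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": not a key entry, skipped");
                continue;
            }
            // Wrong key password (the "midpoint" one, not the store password)
            // -> UnrecoverableKeyException here.
            Key key = ks.getKey(alias, keyPass);
            byte[] raw = key.getEncoded();
            String digest = Base64.getEncoder().encodeToString(sha1.digest(raw));
            System.out.println(alias + " (" + key.getAlgorithm() + ", "
                    + raw.length * 8 + " bit): " + digest);
        }
    }
}
```

Compile and run with a JDK 8 or later, e.g. `javac KeystoreDigests.java && java KeystoreDigests /opt/midpoint/var/keystore.jceks changeit midpoint`. A keystore freshly generated by keytool will always print a different digest from the one in the log, because the key bytes are random; only the keystore.jceks that was present when the demo instance initialised the database will match it, which is why copying that file into the new instance's midpoint home restores the administrator login.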


_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
