[midPoint] config.xml during installation
Pavol Mederly
mederly at evolveum.com
Wed Oct 17 16:15:06 CEST 2018
Yes, the key password is "midpoint". It cannot be changed in the current
version of midPoint, though:
https://github.com/Evolveum/midpoint/blob/93b1f3bcde066d65c610f36522dea3b73e8dd200/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectorImpl.java#L84
Best regards,
Pavol Mederly
Software developer
evolveum.com
On 17.10.2018 15:55, Colin Thompson wrote:
>
> Admittedly, I haven't tried it with mysql (I'm using postgresql), but
> the contents of the keystore should contain the one key that midPoint
> uses to encrypt what it writes to the database. If I remember
> correctly, the default password for that key is "midpoint" (but my
> memory sucks, so you should double check the comments in the default
> config.xml, where it says what to use). So when you create the
> keystore, use whatever password you put in config.xml for the keystore
> password, but use "midpoint" for the key password, and see if that
> works. I'm sure there's a way to change that to something that's not
> "midpoint", but I haven't looked into how to do that yet.
>
> In the example below, which is what I did to get it to work with
> postgres, the password <changeit> is what gets put in config.xml, the
> password <midpoint> is what Midpoint will use to access the key
> itself, and the /tmp/keystore.jceks file would need to be moved into
> the midpoint home directory (/opt/midpoint/var/ by default):
>
>
> colin at delorean:~$ keytool -genseckey -alias default -keystore
> /tmp/keystore.jceks -storetype jceks -keyalg AES -keysize 128
> Enter keystore password: <changeit>
> Re-enter new password: <changeit>
> Enter key password for <default>
> (RETURN if same as keystore password): <midpoint>
> Re-enter new password: <midpoint>
>
> Warning:
> The JCEKS keystore uses a proprietary format. It is recommended to
> migrate to PKCS12 which is an industry standard format using "keytool
> -importkeystore -srckeystore /tmp/keystore.jceks -destkeystore
> /tmp/keystore.jceks -deststoretype pkcs12".
> colin at delorean:~$
>
>
> --
>
> Colin Thompson
> cthompson31 at ucmerced.edu
>
> ------------------------------------------------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of
> Solberg, Eric <eric at solberg.com>
> *Sent:* Tuesday, October 16, 2018 1:28:59 PM
> *To:* midPoint General Discussion
> *Subject:* Re: [midPoint] config.xml during installation
>
> Thanks Colin. It looks like the keystore that was created when the
> midpoint started has only one entry:
>
> Your keystore contains 1 entry
>
> default, Oct 16, 2018, SecretKeyEntry,
>
> So if I’m understanding correctly, I’m missing the administrator here.
> Perhaps the administrator account/password is only created
> automatically in demo mode? I imagine it’s a simple process to add it.
> The instructions in the config.xml show how to create a new keystore,
> but I’m not sure what it should be populated with, or how.
>
> I suspect I can copy the keystore from the demo system to get the
> admin password in here. I’ll try that next but if I’m going about it
> wrong let me know. Thanks again.
>
> Eric
>
> *From: *midPoint <midpoint-bounces at lists.evolveum.com> on behalf of
> Colin Thompson <cthompson31 at ucmerced.edu>
> *Reply-To: *midPoint General Discussion <midpoint at lists.evolveum.com>
> *Date: *Tuesday, October 16, 2018 at 12:54 PM
> *To: *midPoint General Discussion <midpoint at lists.evolveum.com>
> *Subject: *Re: [midPoint] config.xml during installation
>
> Sounds like a missing/incorrect keystore.jceks issue. I believe the
> administrator password, among other things, is stored encrypted in the
> database, and the key by which it is encrypted is stored in the
> keystore.jceks file in /opt/midpoint/var/. I've found that when the
> administrator password doesn't match (assuming you're typing it
> correctly), it's usually because you're not using the key/keystore it
> was created with.
>
> There are instructions in the default config.xml file for how to
> create the keystore if you want to customize things.
>
>
> ------------------------------------------------------------------------
>
> *From:*midPoint <midpoint-bounces at lists.evolveum.com> on behalf of
> Solberg, Eric <eric at solberg.com>
> *Sent:* Tuesday, October 16, 2018 1:11:16 PM
> *To:* midPoint General Discussion
> *Subject:* [midPoint] config.xml during installation
>
> I'm installing MySQL drivers for my Midpoint setup, and have updated
> config.xml. I've got connectivity to the database, but am encountering
> a problem logging in as administrator. I'm just starting to evaluate
> this, but I'm not 100% confident I followed the right process for
> setting up config.xml.
>
> Here's what I did:
> - Installed the midpoint demo with embedded database. Made a copy of
> the generated config.xml.
> - Deleted this demo instance
> - Setup a MySQL instance, created midpoint user & database, imported
> mysql-3.8-all.sql
> - Modified the config.xml to include <repository> settings for mysql
> - Modified the Dockerfile to copy config.xml to ${MP_DIR}/var/
> - Also modified the Dockerfile to install the SQL driver
> - Built the Docker image and deployed to my VM
>
> This is working and I have connectivity to the database. This setup is
> pretty slow, but I'm not tuning yet... The problem I'm having is I
> can't log in as administrator (5ecr3t password).
>
> Here's what I got in midpoint.log:
> 2018-10-16 16:44:02,824 [] [http-nio-8080-exec-4] ERROR (com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl): Error dealing with credentials of user "administrator" credentials: No key mapped to key digest FbJhcZYWk/Q3KnAucPQgRSxD/QM= could be found in the key store. Keys digests must be recomputed during initialization
>
> I'm guessing it's one of 3 things:
> - Was I supposed to copy config.xml from the demo? Or should I create
> a new config.xml with only the repository settings and let midpoint
> recreate everything else?
> - Or should I also copy the other files from the demo
> /opt/midpoint/var directory?
> - Or is there some other step to recompute key digests?
>
> Any suggestions?
>
> Thanks,
> Eric
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
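The error Eric quotes names a key digest that midPoint could not find in keystore.jceks. The following is an added example (my own code, not midPoint's) that turns that message into a concrete check: it opens a JCEKS keystore, prints the digest of every secret key it holds, and reports whether the digest copied from midpoint.log is among them. If the keystore file does not exist yet, it creates one with an AES-128 key under alias "default", which is what the keytool session above does. The digest computation (SHA-1 over the raw key bytes, Base64-encoded) is my reading of the ProtectorImpl source linked above and should be verified against it; the store password "changeit", the key password "midpoint" and the alias "default" are taken from the thread and are assumptions about the reader's setup.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.UnrecoverableEntryException;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example, not midPoint code. Compares the key digest quoted in
 * midpoint.log with the digests of the secret keys actually present in
 * keystore.jceks, so a "No key mapped to key digest ..." error can be traced
 * to a wrong or replaced keystore rather than to a mistyped password.
 *
 * Assumptions (verify against ProtectorImpl linked in the thread):
 *  - the digest is SHA-1 over SecretKey.getEncoded(), Base64-encoded;
 *  - the keystore password is "changeit" (config.xml) and every key's
 *    password is "midpoint";
 *  - the key midPoint uses lives under alias "default".
 */
public class KeystoreDigests {

    static final String STORE_TYPE = "JCEKS";
    static final String KEY_ALIAS = "default";
    static final char[] STORE_PASS = "changeit".toCharArray(); // assumption: matches config.xml
    static final char[] KEY_PASS = "midpoint".toCharArray();   // fixed in this midPoint version

    /** Digest of a secret key as midPoint is assumed to compute it. */
    static String keyDigest(SecretKey key) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        return Base64.getEncoder().encodeToString(sha1.digest(key.getEncoded()));
    }

    /** Equivalent of the keytool -genseckey session: one AES-128 key under "default". */
    static void createKeystore(Path path) throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(128);
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        ks.load(null, null); // fresh, empty store
        ks.setEntry(KEY_ALIAS, new KeyStore.SecretKeyEntry(gen.generateKey()),
                new KeyStore.PasswordProtection(KEY_PASS));
        try (OutputStream out = Files.newOutputStream(path)) {
            ks.store(out, STORE_PASS);
        }
    }

    /** alias -> digest for every secret-key entry that the key password unlocks. */
    static Map<String, String> listDigests(Path path) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, STORE_PASS); // throws IOException if the store password is wrong
        }
        Map<String, String> digests = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
                continue; // certificates and private keys are not what midPoint encrypts with
            }
            try {
                KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry) ks.getEntry(
                        alias, new KeyStore.PasswordProtection(KEY_PASS));
                digests.put(alias, keyDigest(entry.getSecretKey()));
            } catch (UnrecoverableEntryException e) {
                // The key exists but was created with a key password other than
                // "midpoint"; midPoint itself would fail on it in the same way.
                digests.put(alias, "<key password is not \"midpoint\">");
            }
        }
        return digests;
    }

    public static void main(String[] args) throws Exception {
        Path path = Paths.get(args.length > 0 ? args[0] : "keystore.jceks");
        String wanted = args.length > 1 ? args[1] : null; // digest copied from midpoint.log
        if (!Files.exists(path)) {
            createKeystore(path);
            System.out.println("created " + path + " with a new AES-128 key under alias " + KEY_ALIAS);
        }
        Map<String, String> digests = listDigests(path);
        digests.forEach((alias, digest) -> System.out.println(alias + " -> " + digest));
        if (wanted != null) {
            System.out.println(digests.containsValue(wanted)
                    ? "key present: encrypted values in the repository can be decrypted"
                    : "key missing: the repository was encrypted with another key; "
                      + "restore the keystore it was created with (a new key cannot decrypt it)");
        }
    }
}
```

Compile with javac and run it as `java KeystoreDigests /opt/midpoint/var/keystore.jceks FbJhcZYWk/Q3KnAucPQgRSxD/QM=` on the instance that fails to log in. If the digest from the log is not listed, the administrator credentials in the database were encrypted with a key this keystore does not hold, so generating a fresh key will not help; the keystore.jceks from the instance that wrote those values has to be restored alongside config.xml, which is the situation Colin describes above. A "key password is not midpoint" line means the key is there but was stored under a different key password, which this midPoint version cannot be configured to use.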