[midPoint] config.xml during installation

Pavol Mederly mederly at evolveum.com
Wed Oct 17 16:15:06 CEST 2018


Yes, the key password is "midpoint". It cannot be changed in the current 
version of midPoint, though: 
https://github.com/Evolveum/midpoint/blob/93b1f3bcde066d65c610f36522dea3b73e8dd200/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectorImpl.java#L84


Best regards,

Pavol Mederly
Software developer
evolveum.com

On 17.10.2018 15:55, Colin Thompson wrote:
>
> Admittedly, I haven't tried it with mysql (I'm using postgresql), but 
> the contents of the keystore should contain the one key that midPoint 
> uses to encrypt what it writes to the database.  If I remember 
> correctly, the default password for that key is "midpoint" (but my 
> memory sucks, so you should double check the comments in the default 
> config.xml, where it says what to use).  So when you create the 
> keystore, use whatever password you put in config.xml for the keystore 
> password, but use "midpoint" for the key password, and see if that 
> works.  I'm sure there's a way to change that to something that's not 
> "midpoint", but I haven't looked into how to do that yet.
>
> In the example below, which is what I did to get it to work with 
> postgres, the password <changeit> is what gets put in config.xml, the 
> password <midpoint> is what Midpoint will use to access the key 
> itself, and the /tmp/keystore.jceks file would need to be moved into 
> the midpoint home directory (/opt/midpoint/var/ by default):
>
>
> colin at delorean:~$ keytool -genseckey -alias default -keystore 
> /tmp/keystore.jceks -storetype jceks -keyalg AES -keysize 128
> Enter keystore password:  <changeit>
> Re-enter new password:  <changeit>
> Enter key password for <default>
> (RETURN if same as keystore password):  <midpoint>
> Re-enter new password: <midpoint>
>
> Warning:
> The JCEKS keystore uses a proprietary format. It is recommended to 
> migrate to PKCS12 which is an industry standard format using "keytool 
> -importkeystore -srckeystore /tmp/keystore.jceks -destkeystore 
> /tmp/keystore.jceks -deststoretype pkcs12".
> colin at delorean:~$
>
>
> --
>
> Colin Thompson
> cthompson31 at ucmerced.edu
>
> ------------------------------------------------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of 
> Solberg, Eric <eric at solberg.com>
> *Sent:* Tuesday, October 16, 2018 1:28:59 PM
> *To:* midPoint General Discussion
> *Subject:* Re: [midPoint] config.xml during installation
>
> Thanks Colin. It looks like the keystore that was created when the 
> midpoint started has only one entry:
>
> Your keystore contains 1 entry
>
> default, Oct 16, 2018, SecretKeyEntry,
>
> So if I’m understanding correctly, I’m missing the administrator here. 
> Perhaps the administrator account/password is only created 
> automatically in demo mode? I imagine it’s a simple process to add it. 
> The instructions in the config.xml show how to create a new keystore, 
> but I’m not sure what it should be populated with, or how.
>
> I suspect I can copy the keystore from the demo system to get the 
> admin password in here. I’ll try that next but if I’m going about it 
> wrong let me know. Thanks again.
>
> Eric
>
> *From: *midPoint <midpoint-bounces at lists.evolveum.com> on behalf of 
> Colin Thompson <cthompson31 at ucmerced.edu>
> *Reply-To: *midPoint General Discussion <midpoint at lists.evolveum.com>
> *Date: *Tuesday, October 16, 2018 at 12:54 PM
> *To: *midPoint General Discussion <midpoint at lists.evolveum.com>
> *Subject: *Re: [midPoint] config.xml during installation
>
> Sounds like a missing/incorrect keystore.jceks issue. I believe the 
> administrator password, among other things, is stored encrypted in the 
> database, and the key by which it is encrypted is stored in the 
> keystore.jceks file in /opt/midpoint/var/.  I've found that when the 
> administrator password doesn't match (assuming you're typing it 
> correctly), it's usually because you're not using the key/keystore it 
> was created with.
>
> There are instructions in the default config.xml file for how to 
> create the keystore if you want to customize things.
>
>
> ------------------------------------------------------------------------
>
> *From:*midPoint <midpoint-bounces at lists.evolveum.com> on behalf of 
> Solberg, Eric <eric at solberg.com>
> *Sent:* Tuesday, October 16, 2018 1:11:16 PM
> *To:* midPoint General Discussion
> *Subject:* [midPoint] config.xml during installation
>
> I'm installing MySQL drivers for my Midpoint setup, and have updated 
> config.xml. I've got connectivity to the database, but am encountering 
> a problem logging in as administrator. I'm just starting to evaluate 
> this, but I'm not 100% confident I followed the right process for 
> setting up config.xml.
>
> Here's what I did:
> - Installed the midpoint demo with embedded database. Made a copy of 
> the generated config.xml.
> - Deleted this demo instance
> - Setup a MySQL instance, created midpoint user & database, imported 
> mysql-3.8-all.sql
> - Modified the config.xml to include <repository> settings for mysql
> - Modified the Dockerfile to copy config.xml to ${MP_DIR}/var/
> - Also modified the Dockerfile to install the SQL driver
> - Built the Docker image and deployed to my VM
>
> This is working and I have connectivity to the database. This setup is 
> pretty slow, but I'm not tuning yet... The problem I'm having is I 
> can't log in as administrator (5ecr3t password).
>
> Here's what I got in midpoint.log:
> 018-10-16 16:44:02,824 [] [http-nio-8080-exec-4] ERROR (com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl): Error dealing with credentials of user "administrator" credentials: No key mapped to key digest FbJhcZYWk/Q3KnAucPQgRSxD/QM= could be found in the keystore. Keys digests must be recomputed during initialization
>
> I'm guessing it's one of 3 things:
> - Was I supposed to copy config.xml from the demo? Or should I create 
> a new config.xml with only the repository settings and let midpoint 
> recreate everything else?
> - Or should I also copy the other files from the demo 
> /opt/midpoint/var directory?
> - Or is there some other step to recompute key digests?
>
> Any suggestions?
>
> Thanks,
> Eric
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
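To check which key digest a given keystore.jceks actually carries, and whether it matches the digest midPoint reports in the log, here is a small Java check added to this archive page (it is not midPoint's own code). It assumes, as a hypothesis consistent with the 20-byte Base64 value in the log line, that the key digest is Base64(SHA-1(encoded key bytes)); the path, passwords and digest default to the values from this thread and can be overridden on the command line.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;

// Hypothetical helper, not midPoint code: loads a JCEKS keystore and reports
// whether it holds a secret key whose digest matches the one from the log.
public class KeystoreDigestCheck {

    // Assumption: digest = Base64(SHA-1(key.getEncoded())). The 28-character
    // Base64 string in the log (20 raw bytes) is consistent with SHA-1.
    static String digestOf(Key key) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(key.getEncoded());
        return Base64.getEncoder().encodeToString(d);
    }

    public static void main(String[] args) throws Exception {
        String path      = args.length > 0 ? args[0] : "/opt/midpoint/var/keystore.jceks";
        String storePass = args.length > 1 ? args[1] : "changeit"; // keystore password from config.xml
        String keyPass   = args.length > 2 ? args[2] : "midpoint"; // key password, fixed in this version
        String wanted    = args.length > 3 ? args[3] : "FbJhcZYWk/Q3KnAucPQgRSxD/QM="; // digest from the log

        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass.toCharArray());   // wrong store password -> IOException
        }

        boolean found = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue;                           // skip certificate-only entries
            }
            // Wrong key password -> UnrecoverableKeyException, which is itself a useful signal
            Key key = ks.getKey(alias, keyPass.toCharArray());
            String digest = digestOf(key);
            System.out.printf("%s  %s  %s%n", alias, key.getAlgorithm(), digest);
            if (digest.equals(wanted)) {
                found = true;
            }
        }
        System.out.println(found
            ? "MATCH: this keystore holds the key the stored credentials were encrypted with"
            : "NO MATCH: data encrypted under " + wanted + " cannot be decrypted with this keystore");
    }
}
```

If the tool prints NO MATCH, the database rows were encrypted with a different key, which is exactly the situation the "No key mapped to key digest" error describes.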
