<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html;
      charset=windows-1252">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Yes, the key password is "midpoint". It cannot be changed in the
      current version of midPoint, though: <a
href="https://github.com/Evolveum/midpoint/blob/93b1f3bcde066d65c610f36522dea3b73e8dd200/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectorImpl.java#L84">https://github.com/Evolveum/midpoint/blob/93b1f3bcde066d65c610f36522dea3b73e8dd200/infra/prism/src/main/java/com/evolveum/midpoint/prism/crypto/ProtectorImpl.java#L84</a></p>
    <p><br>
    </p>
    <p>Best regards,<br>
    </p>
    <pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
    <div class="moz-cite-prefix">On 17.10.2018 15:55, Colin Thompson
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:BYAPR06MB4405527592D22D8B950BB5BDD3FF0@BYAPR06MB4405.namprd06.prod.outlook.com">
      <div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;"
        dir="ltr">
        <p style="margin-top:0;margin-bottom:0">Admittedly, I haven't
          tried it with MySQL (I'm using PostgreSQL), but the contents
          of the keystore should contain the one key that midPoint uses
          to encrypt what it writes to the database.  If I remember
          correctly, the default password for that key is "midpoint"
          (but my memory sucks, so you should double check the comments
          in the default config.xml, where it says what to use).  So
          when you create the keystore, use whatever password you put in
          config.xml for the keystore password, but use "midpoint" for
          the key password, and see if that works.  I'm sure there's a
          way to change that to something that's not "midpoint", but I
          haven't looked into how to do that yet.<br>
          <br>
          In the example below, which is what I did to get it to work
          with Postgres, the password &lt;changeit&gt; is what gets put
          in config.xml, the password &lt;midpoint&gt; is what midPoint
          will use to access the key itself, and the /tmp/keystore.jceks
          file would need to be moved into the midpoint home directory
          (/opt/midpoint/<span style="font-family: Calibri, Helvetica,
            sans-serif, EmojiFont, &quot;Apple Color Emoji&quot;,
            &quot;Segoe UI Emoji&quot;, NotoColorEmoji, &quot;Segoe UI
            Symbol&quot;, &quot;Android Emoji&quot;, EmojiSymbols;
            font-size: 16px;">var/</span> by default):</p>
        <p style="margin-top:0;margin-bottom:0"><br>
        </p>
        <div>colin@delorean:~$ keytool -genseckey -alias default
          -keystore /tmp/keystore.jceks -storetype jceks -keyalg AES
          -keysize 128</div>
        <div>Enter keystore password:  &lt;changeit&gt;</div>
        <div>Re-enter new password:  &lt;changeit&gt;</div>
        <div>Enter key password for &lt;default&gt;</div>
        <div><span style="white-space:pre"></span>(RETURN if same as
          keystore password):  &lt;midpoint&gt;</div>
        <div>Re-enter new password: &lt;midpoint&gt;</div>
        <div><br>
        </div>
        <div>Warning:</div>
        <div>The JCEKS keystore uses a proprietary format. It is
          recommended to migrate to PKCS12 which is an industry standard
          format using "keytool -importkeystore -srckeystore
          /tmp/keystore.jceks -destkeystore /tmp/keystore.jceks
          -deststoretype pkcs12".</div>
        <div>colin@delorean:~$</div>
        <br>
        <p style="margin-top:0;margin-bottom:0"><br>
        </p>
        <div id="Signature">
          <div id="divtagdefaultwrapper" dir="ltr" style="font-size:
            12pt; color: rgb(0, 0, 0); font-family: Calibri, Helvetica,
            sans-serif, EmojiFont, &quot;Apple Color Emoji&quot;,
            &quot;Segoe UI Emoji&quot;, NotoColorEmoji, &quot;Segoe UI
            Symbol&quot;, &quot;Android Emoji&quot;, EmojiSymbols;">
            <p style="margin-top:0; margin-bottom:0">--</p>
            <p style="margin-top:0; margin-bottom:0">Colin Thompson<br>
              <a class="moz-txt-link-abbreviated" href="mailto:cthompson31@ucmerced.edu">cthompson31@ucmerced.edu</a></p>
          </div>
        </div>
      </div>
      <hr style="display:inline-block;width:98%" tabindex="-1">
      <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
          face="Calibri, sans-serif" color="#000000"><b>From:</b>
          midPoint <a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com">&lt;midpoint-bounces@lists.evolveum.com&gt;</a> on behalf
          of Solberg, Eric <a class="moz-txt-link-rfc2396E" href="mailto:eric@solberg.com">&lt;eric@solberg.com&gt;</a><br>
          <b>Sent:</b> Tuesday, October 16, 2018 1:28:59 PM<br>
          <b>To:</b> midPoint General Discussion<br>
          <b>Subject:</b> Re: [midPoint] config.xml during installation</font>
        <div> </div>
      </div>
      <div link="blue" vlink="purple" lang="EN-US">
        <div class="x_WordSection1">
          <p class="x_MsoNormal">Thanks Colin. It looks like the
            keystore that was created when the midpoint started has only
            one entry:</p>
          <p class="x_MsoNormal">Your keystore contains 1 entry</p>
          <p class="x_MsoNormal">default, Oct 16, 2018, SecretKeyEntry,</p>
          <p class="x_MsoNormal"> </p>
          <p class="x_MsoNormal">So if I’m understanding correctly, I’m
            missing the administrator here. Perhaps the administrator
            account/password is only created automatically in demo mode?
            I imagine it’s a simple process to add it. The instructions
            in the config.xml show how to create a new keystore, but I’m
            not sure what it should be populated with, or how.
          </p>
          <p class="x_MsoNormal"> </p>
          <p class="x_MsoNormal">I suspect I can copy the keystore from
            the demo system to get the admin password in here. I’ll try
            that next but if I’m going about it wrong let me know.
            Thanks again.</p>
          <p class="x_MsoNormal"> </p>
          <p class="x_MsoNormal">Eric</p>
          <p class="x_MsoNormal"> </p>
          <div style="border:none; border-top:solid #B5C4DF 1.0pt;
            padding:3.0pt 0in 0in 0in">
            <p class="x_MsoNormal"><b><span style="font-size:12.0pt;
                  color:black">From: </span>
              </b><span style="font-size:12.0pt; color:black">midPoint
                <a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com">&lt;midpoint-bounces@lists.evolveum.com&gt;</a> on behalf of
                Colin Thompson <a class="moz-txt-link-rfc2396E" href="mailto:cthompson31@ucmerced.edu">&lt;cthompson31@ucmerced.edu&gt;</a><br>
                <b>Reply-To: </b>midPoint General Discussion
                <a class="moz-txt-link-rfc2396E" href="mailto:midpoint@lists.evolveum.com">&lt;midpoint@lists.evolveum.com&gt;</a><br>
                <b>Date: </b>Tuesday, October 16, 2018 at 12:54 PM<br>
                <b>To: </b>midPoint General Discussion
                <a class="moz-txt-link-rfc2396E" href="mailto:midpoint@lists.evolveum.com">&lt;midpoint@lists.evolveum.com&gt;</a><br>
                <b>Subject: </b>Re: [midPoint] config.xml during
                installation</span></p>
          </div>
          <div>
            <p class="x_MsoNormal"> </p>
          </div>
          <div>
            <div>
              <p class="x_MsoNormal" style="margin-bottom:12.0pt"><span
                  style="font-family:&quot;Arial&quot;,sans-serif;
                  color:black">Sounds like a missing/incorrect
                  keystore.jceks issue. I believe the administrator
                  password, among other things, is stored encrypted in
                  the database, and the key by which it is encrypted is
                  stored in the keystore.jceks file in
                  /opt/midpoint/var/.  I've found that when the
                  administrator password doesn't match (assuming you're
                  typing it correctly), it's usually because you're not
                  using the key/keystore it was created with.</span></p>
            </div>
            <div>
              <p class="x_MsoNormal" style="margin-bottom:12.0pt"><span
                  style="font-family:&quot;Arial&quot;,sans-serif;
                  color:black">There are instructions in the default
                  config.xml file for how to create the keystore if you
                  want to customize things.</span></p>
            </div>
            <div class="x_MsoNormal" style="text-align:center"
              align="center">
              <hr size="2" align="center" width="98%">
            </div>
            <div id="x_x_divRplyFwdMsg">
              <p class="x_MsoNormal"><b><span style="color:black">From:</span></b><span
                  style="color:black"> midPoint
                  <a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com">&lt;midpoint-bounces@lists.evolveum.com&gt;</a> on behalf
                  of Solberg, Eric <a class="moz-txt-link-rfc2396E" href="mailto:eric@solberg.com">&lt;eric@solberg.com&gt;</a><br>
                  <b>Sent:</b> Tuesday, October 16, 2018 1:11:16 PM<br>
                  <b>To:</b> midPoint General Discussion<br>
                  <b>Subject:</b> [midPoint] config.xml during
                  installation</span> </p>
              <div>
                <p class="x_MsoNormal"> </p>
              </div>
            </div>
          </div>
          <div>
            <p class="x_MsoNormal">I'm installing MySQL drivers for my
              Midpoint setup, and have updated config.xml. I've got
              connectivity to the database, but am encountering a
              problem logging in as administrator. I'm just starting to
              evaluate this, but I'm not 100% confident I followed the
              right process for setting up config.xml.<br>
              <br>
              Here's what I did:<br>
              - Installed the midpoint demo with embedded database. Made
              a copy of the generated config.xml.<br>
              - Deleted this demo instance<br>
              - Set up a MySQL instance, created midpoint user &amp;
              database, imported mysql-3.8-all.sql<br>
              - Modified the config.xml to include &lt;repository&gt;
              settings for mysql<br>
              - Modified the Dockerfile to copy config.xml to
              ${MP_DIR}/var/<br>
              - Also modified the Dockerfile to install the SQL driver<br>
              - Built the Docker image and deployed to my VM<br>
              <br>
              This is working and I have connectivity to the database.
              This setup is pretty slow, but I'm not tuning yet... The
              problem I'm having is I can't log in as administrator
              (5ecr3t password).<br>
              <br>
              Here's what I got in midpoint.log:<br>
              018-10-16 16:44:02,824 [] [http-nio-8080-exec-4] ERROR
              (com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl):
              Error dealing with credentials of user "administrator"
              credentials: No key mapped to key digest
              FbJhcZYWk/Q3KnAucPQgRSxD/QM= could be found in the
              keystore. Keys digests must be recomputed during
              initialization<br>
              <br>
              I'm guessing it's one of 3 things:<br>
              - Was I supposed to copy config.xml from the demo? Or
              should I create a new config.xml with only the repository
              settings and let midpoint recreate everything else?<br>
              - Or should I also copy the other files from the demo
              /opt/midpoint/var directory?<br>
              - Or is there some other step to recompute key digests?<br>
              <br>
              Any suggestions?<br>
              <br>
              Thanks,<br>
              Eric<br>
              <br>
              <br>
              _______________________________________________<br>
              midPoint mailing list<br>
              <a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
              <a
                href="http://lists.evolveum.com/mailman/listinfo/midpoint"
                moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a></p>
          </div>
        </div>
      </div>
    </blockquote>
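    <p>Added example (not part of the original thread, and not midPoint's
      own code): a Java check that opens a JCEKS keystore with separate
      keystore and key passwords, as discussed above, and prints a digest
      for each secret key so it can be compared with the value in the "No
      key mapped to key digest" log error. That the logged digest is the
      Base64 SHA-1 of the raw key bytes is an assumption (the 28-character
      value in the log is consistent with a 20-byte digest); the class name
      KeystoreDigestCheck and its command line are hypothetical.</p>
    <pre>
```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.UnrecoverableKeyException;
import java.util.Base64;
import java.util.Collections;

// Added example, not midPoint code.
// Run (Java 11+): java KeystoreDigestCheck.java /opt/midpoint/var/keystore.jceks
public class KeystoreDigestCheck {

    // ASSUMPTION: the digest in midpoint.log is Base64(SHA-1(raw key bytes)).
    static String digestOf(Key key) throws Exception {
        byte[] sha1 = MessageDigest.getInstance("SHA-1").digest(key.getEncoded());
        return Base64.getEncoder().encodeToString(sha1);
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (interactive terminal): KeystoreDigestCheck KEYSTORE");
            System.exit(2);
        }
        // Prompt instead of taking passwords from argv, which other local users can read.
        char[] storePass = console.readPassword("Keystore password: ");
        char[] keyPass = console.readPassword("Key password: ");

        KeyStore ks = KeyStore.getInstance("JCEKS");
        // A wrong keystore password fails here with an IOException.
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // certificate entries hold no key to digest
            }
            try {
                Key key = ks.getKey(alias, keyPass);
                System.out.println(alias + " " + key.getAlgorithm() + " digest=" + digestOf(key));
            } catch (UnrecoverableKeyException e) {
                // The keystore opened, but this entry uses a different key password.
                System.out.println(alias + " is not readable with the supplied key password");
            }
        }
    }
}
```
    </pre>
    <p>If no printed digest matches the one in the log, the database rows
      were encrypted with a key that is not in this keystore file.</p>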
    <br>
  </body>
</html>