<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.emailquote, li.emailquote, div.emailquote
{mso-style-name:emailquote;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:1.0pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p>>> - when midPoint starts for the very first time and there is no keystore.jceks, it will be created with a random key<br>>> So the issue should be caused by the password in the database encrypted by a different key.<o:p></o:p></p><p class=MsoNormal>Thanks Ivan. This clearly is the issue I was encountering. There’s a dependency between the keystore, the database (after first run) and config.xml. I did at one point try creating my docker image by copying in both the config.xml and keystore, but they must have already been versions (of the keystore at least) that were out of sync with the database. I need to move on to other things now, but I’ll probably work this out later so that I can easily redploy instancesl, and have them properly connected to the database.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I do recommend describing the process below and the dependency in the documentation. Thanks!<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>midPoint <midpoint-bounces@lists.evolveum.com> on behalf of Ivan Noris <ivan.noris@evolveum.com><br><b>Organization: </b>Evolveum, s.r.o.<br><b>Reply-To: </b>midPoint General Discussion <midpoint@lists.evolveum.com><br><b>Date: </b>Tuesday, October 16, 2018 at 11:42 PM<br><b>To: </b><midpoint@lists.evolveum.com><br><b>Subject: </b>Re: [midPoint] config.xml during installation<o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p>Hi Eric,<o:p></o:p></p><p>just to explain as I have not much midPoint+docker experience (nor using MySQL that often):<o:p></o:p></p><p>- when midPoint starts for the very first time and there is no keystore.jceks, it will be created with a random key<o:p></o:p></p><p>- when midPoint starts, it will populate the repository with the initial objects (such as administrator) if such objects don't already exist (it will NOT overwrite). Any password (such as administrator) will be encrypted using the keystore key that is set as default<o:p></o:p></p><p>- by default there is only one key entry in the keystore.jceks and the key is referenced in the config.xml ("default)"<o:p></o:p></p><p>So the issue should be caused by the password in the database encrypted by a different key. Or using different midpoint.home directory. I've had similar error only when I installed midPoint correctly and then removed the keystore...<o:p></o:p></p><p>Sorry but I don't have time to replicate the process via docker.<o:p></o:p></p><p>Best regards,<o:p></o:p></p><p>Ivan<o:p></o:p></p><div><p class=MsoNormal>On 16. 10. 2018 22:28, Solberg, Eric wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>Thanks Colin. It looks like the keystore that was created when the midpoint started has only one entry:<o:p></o:p></p><p class=MsoNormal>Your keystore contains 1 entry<o:p></o:p></p><p class=MsoNormal>default, Oct 16, 2018, SecretKeyEntry,<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>So if I’m understanding correctly, I’m missing the administrator here. Perhaps the administrator account/password is only created automatically in demo mode? I imagine it’s a simple process to add it. The instructions in the config.xml show how to create a new keystore, but I’m not sure what it should be populated with, or how. <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>I suspect I can copy the keystore from the demo system to get the admin password in here. I’ll try that next but if I’m going about it wrong let me know. Thanks again.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Eric<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>midPoint <a href="mailto:midpoint-bounces@lists.evolveum.com"><midpoint-bounces@lists.evolveum.com></a> on behalf of Colin Thompson <a href="mailto:cthompson31@ucmerced.edu"><cthompson31@ucmerced.edu></a><br><b>Reply-To: </b>midPoint General Discussion <a href="mailto:midpoint@lists.evolveum.com"><midpoint@lists.evolveum.com></a><br><b>Date: </b>Tuesday, October 16, 2018 at 12:54 PM<br><b>To: </b>midPoint General Discussion <a href="mailto:midpoint@lists.evolveum.com"><midpoint@lists.evolveum.com></a><br><b>Subject: </b>Re: [midPoint] config.xml during installation</span><o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:"Arial",sans-serif;color:black'>Sounds like a missing/incorrect keystore.jceks issue. I believe the administrator password, among other things, is stored encrypted in the database, and the key by which it is encrypted is stored in the keystore.jceks file in /opt/midpoint/var/. Ive found that when the administrator password doesn't match (assuming you're typing it correctly), it's usually because you're not using the key/keystore it was created with.</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:"Arial",sans-serif;color:black'>There are instructions in the default config.xml file for how to create the keystore if you want to customize things.</span><o:p></o:p></p></div><div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black'>Get <a href="https://aka.ms/ghei36">Outlook for Android</a></span><o:p></o:p></p></div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:black'> </span><o:p></o:p></p></div><div class=MsoNormal align=center style='text-align:center'><hr size=0 width="100%" align=center></div><div id="x_divRplyFwdMsg"><p class=MsoNormal><b><span style='color:black'>From:</span></b><span style='color:black'> midPoint <a href="mailto:midpoint-bounces@lists.evolveum.com"><midpoint-bounces@lists.evolveum.com></a> on behalf of Solberg, Eric <a href="mailto:eric@solberg.com"><eric@solberg.com></a><br><b>Sent:</b> Tuesday, October 16, 2018 1:11:16 PM<br><b>To:</b> midPoint General Discussion<br><b>Subject:</b> [midPoint] config.xml during installation</span> <o:p></o:p></p><div><p class=MsoNormal> <o:p></o:p></p></div></div></div><div><p class=MsoNormal>I'm installing MySQL drivers for my Midpoint setup, and have updated config.xml. I've got connectivity to the database, but am encountering a problem logging in as administrator. I'm just starting to evaluate this, but I'm not 100% confident I followed the right process for setting up config.xml.<br><br>Here's what I did:<br>- Installed the midpoint demo with embedded database. Made a copy of the generated config.xml.<br>- Deleted this demo instance<br>- Setup a MySQL instance, created midpoint user & database, imported mysql-3.8-all.sql<br>- Modified the config.xml to include <repository> settings for mysql<br>- Modified the Dockerfile to copy config.xml to ${MP_DIR}/var/<br>- Also modified the Dockerfile to install the SQL driver<br>- Built the Docker image and deployed to my VM<br><br>This is working and I have connectivity to the database. This setup is pretty slow, but I'm not tuning yet... The problem I'm having is I can't log in as administrator (5ecr3t password).<br><br>Here's what I got in midpoint.log:<br>018-10-16 16:44:02,824 [] [http-nio-8080-exec-4] ERROR (com.evolveum.midpoint.model.impl.sec<br>urity.AuthenticationEvaluatorImpl): Error dealing with credentials of user "administrator" cr<br>edentials: No key mapped to key digest FbJhcZYWk/Q3KnAucPQgRSxD/QM= could be found in the key<br>store. Keys digests must be recomputed during initialization<br><br>I'm guessing it's one of 3 things:<br>- Was I supposed to copy config.xml from the demo? Or should I create a new config.xml with only the repository settings and let midpoint recreate everything else?<br>- Or should I also copy the other files from the demo /opt/midpoint/var directory?<br>- Or is there some other step to recompute key digests?<br><br>Any suggestions?<br><br>Thanks,<br>Eric<br><br><br>_______________________________________________<br>midPoint mailing list<br><a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br><a href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></p></div><p class=MsoNormal>_______________________________________________ midPoint mailing list <a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a> <a href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a> <o:p></o:p></p><p class=MsoNormal><br><br><o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>midPoint mailing list<o:p></o:p></pre><pre><a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><o:p></o:p></pre><pre><a href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></pre></blockquote><pre>-- <o:p></o:p></pre><pre>Ivan Noris<o:p></o:p></pre><pre>Senior Identity Engineer<o:p></o:p></pre><pre>evolveum.com<o:p></o:p></pre><p class=MsoNormal>_______________________________________________ midPoint mailing list midPoint@lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint <o:p></o:p></p></div></body></html>