Posted to user@geronimo.apache.org by Doug Reeder <re...@gmail.com> on 2008/11/16 03:11:26 UTC
Set Keystore Password From GShell?
http://cwiki.apache.org/GMOxDOC21/administering-certificates.html
explains how to configure an HTTPS listener to use SSL, including
setting the keystore and keystore password. However, this requires
the console, which is not installed on my production server, to keep
the memory footprint small.
I can set the keystore used by the HTTPS listener on my production
server in var/config/config.xml, but not the password. Is there a way
to do this from GShell, or bash?
Re: Set Keystore Password From GShell?
Posted by Jason Dillon <ja...@gmail.com>.
I'm not sure that this exists at the moment, but IMO it seems like a
good idea to provide. You may be able to enable the gshell-bsf plugin
and with your favorite scripting language execute a script which would
set the password... though you'd need to peep at the console code to
see how that works to get it functional.
But on this topic, I think it would be very, very, very good (maybe
add more verys) to have gshell equivalents to *ALL* web-console
functions.
* * *
Not everyone wants or needs a web console, and I could argue that more
advanced admins require command-line accessible configuration so they
can effectively automate *ALL* tasks.
--jason
On Nov 16, 2008, at 9:11 AM, Doug Reeder wrote:
> http://cwiki.apache.org/GMOxDOC21/administering-certificates.html
> explains how to configure an HTTPS listener to use SSL, including
> setting the keystore and keystore password. However, this requires
> the console, which is not installed on my production server, to keep
> the memory footprint small.
>
> I can set the keystore used by the HTTPS listener on my production
> server in var/config/config.xml, but not the password. Is there a
> way to do this from GShell, or bash?
>
Re: Set Keystore Password From GShell?
Posted by Donald Woods <dw...@apache.org>.
Yep, the Jetty config is different.
The plugins/jetty/jetty6/src/main/plan/plan.xml contains -
<gbean name="JettySSLConnector"
       class="org.apache.geronimo.jetty6.connector.HTTPSSelectChannelConnector">
    <attribute name="host">${PlanServerHostname}</attribute>
    <attribute name="port">${PlanHTTPSPort}</attribute>
    <attribute name="headerBufferSizeBytes">8192</attribute>
    <attribute name="keyStore">geronimo-default</attribute>
    <attribute name="keyAlias">geronimo</attribute>
    <attribute name="trustStore">geronimo-default</attribute>
    <attribute name="clientAuthRequired">false</attribute>
    <attribute name="algorithm">Default</attribute>
    <attribute name="secureProtocol">TLS</attribute>
    <attribute name="maxThreads">50</attribute>
    <reference name="JettyContainer">
        <name>JettyWebContainer</name>
    </reference>
    <reference name="ThreadPool">
        <name>DefaultThreadPool</name>
    </reference>
    <reference name="KeystoreManager">
        <name>KeystoreManager</name>
    </reference>
</gbean>
Which means it is using the geronimo-default keystore, which is
created/configured in
framework/configs/server-security-config/src/main/plan/plan.xml -
<gbean name="geronimo-default"
       class="org.apache.geronimo.security.keystore.FileKeystoreInstance">
    <attribute name="keystoreName">geronimo-default</attribute>
    <attribute name="keystorePath">var/security/keystores/geronimo-default</attribute>
    <attribute name="keystorePassword">secret</attribute>
    <attribute name="keystoreType">JKS</attribute>
    <attribute name="keyPasswords">geronimo=secret</attribute>
    <reference name="ServerInfo"><name>ServerInfo</name></reference>
</gbean>
So, you would have to either create a new GBean for your
FileKeystoreInstance (the recommended solution) or reuse the existing one
and override the passwords in config.xml.
-Donald
Doug Reeder wrote:
> I'm using 2.1.3 (Jetty), and the server rejects keystorePass as an
> illegal parameter or some such. I'm not sure what else I'd want to
> check before filing a JIRA.
>
>
> On Tue, Nov 18, 2008 at 11:09 AM, Donald Woods <dwoods@apache.org
> <ma...@apache.org>> wrote:
>
> If you are using the Tomcat assembly (I'm looking at 2.1.x), then
> there is a complete example of a HTTPS connector in config.xml,
> which includes the keystorePass attribute -
>
> <gbean name="TomcatWebSSLConnector">
> <attribute name="host">${ServerHostname}</attribute>
> <attribute name="port">${HTTPSPort + PortOffset}</attribute>
> <attribute name="maxHttpHeaderSize">8192</attribute>
> <attribute name="maxThreads">150</attribute>
> <attribute name="minSpareThreads">25</attribute>
> <attribute name="maxSpareThreads">75</attribute>
> <attribute name="enableLookups">false</attribute>
> <attribute name="acceptCount">100</attribute>
> <attribute name="disableUploadTimeout">false</attribute>
> <attribute name="clientAuth">false</attribute>
> <attribute name="algorithm">Default</attribute>
> <attribute name="sslProtocol">TLS</attribute>
> <attribute name="keystoreFile">var/security/keystores/geronimo-default</attribute>
> <attribute name="keystorePass">secret</attribute>
> <attribute name="keystoreType">JKS</attribute>
> </gbean>
>
>
> -Donald
>
>
> Doug Reeder wrote:
>
> http://cwiki.apache.org/GMOxDOC21/administering-certificates.html
> explains how to configure an HTTPS listener to use SSL,
> including setting the keystore and keystore password. However,
> this requires the console, which is not installed on my
> production server, to keep the memory footprint small.
>
> I can set the keystore used by the HTTPS listener on my
> production server in var/config/config.xml, but not the
> password. Is there a way to do this from GShell, or bash?
>
>
>
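As an added example (not from the thread or the Geronimo project), the script below writes the config.xml override Donald describes, setting keystorePassword and keyPasswords on the geronimo-default FileKeystoreInstance gbean, so the shipped default of "secret" can be replaced from a deploy script rather than the web console. The attributes namespace, the module name and the sample config.xml are assumptions to be checked against your own var/config/config.xml; the value written here must match the password actually set on the JKS file.

```python
# Added example: set the keystore-password override in Geronimo's
# var/config/config.xml without the web console.
# Assumptions (verify against your own config.xml): the attributes namespace
# and the server-security-config module name below.
import xml.etree.ElementTree as ET

NS = "http://geronimo.apache.org/xml/ns/attributes-1.2"
MODULE = "org.apache.geronimo.configs/server-security-config/2.1.3/car"
ET.register_namespace("", NS)

# Constructed sample of a config.xml with no keystore override yet.
SAMPLE_CONFIG = f"""<attributes xmlns="{NS}">
  <module name="{MODULE}">
    <gbean name="ServerInfo"/>
  </module>
</attributes>"""


def _child(parent, tag, name):
    """Return the child <tag name="name">, creating it if absent (idempotent)."""
    for el in parent.findall(f"{{{NS}}}{tag}"):
        if el.get("name") == name:
            return el
    el = ET.SubElement(parent, f"{{{NS}}}{tag}")
    el.set("name", name)
    return el


def set_keystore_passwords(config_xml, store_pw, key_pw, alias="geronimo",
                           keystore="geronimo-default"):
    """Override keystorePassword and keyPasswords for the FileKeystoreInstance
    gbean; keyPasswords uses the alias=password form from plan.xml."""
    root = ET.fromstring(config_xml)
    gbean = _child(_child(root, "module", MODULE), "gbean", keystore)
    _child(gbean, "attribute", "keystorePassword").text = store_pw
    _child(gbean, "attribute", "keyPasswords").text = f"{alias}={key_pw}"
    return ET.tostring(root, encoding="unicode")


def read_keystore_password(config_xml, keystore="geronimo-default"):
    """Read the override back so a deploy script can verify it landed."""
    root = ET.fromstring(config_xml)
    for module in root.findall(f"{{{NS}}}module"):
        for gbean in module.findall(f"{{{NS}}}gbean"):
            if gbean.get("name") != keystore:
                continue
            for attr in gbean.findall(f"{{{NS}}}attribute"):
                if attr.get("name") == "keystorePassword":
                    return attr.text
    return None
```

Run it against a copy of config.xml first and diff the result; the server must be stopped when the file is rewritten, since Geronimo writes config.xml itself on shutdown.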
Re: Set Keystore Password From GShell?
Posted by Doug Reeder <re...@gmail.com>.
I'm using 2.1.3 (Jetty), and the server rejects keystorePass as an illegal
parameter or some such. I'm not sure what else I'd want to check before
filing a JIRA.
On Tue, Nov 18, 2008 at 11:09 AM, Donald Woods <dw...@apache.org> wrote:
> If you are using the Tomcat assembly (I'm looking at 2.1.x), then there is
> a complete example of a HTTPS connector in config.xml, which includes the
> keystorePass attribute -
>
> <gbean name="TomcatWebSSLConnector">
> <attribute name="host">${ServerHostname}</attribute>
> <attribute name="port">${HTTPSPort + PortOffset}</attribute>
> <attribute name="maxHttpHeaderSize">8192</attribute>
> <attribute name="maxThreads">150</attribute>
> <attribute name="minSpareThreads">25</attribute>
> <attribute name="maxSpareThreads">75</attribute>
> <attribute name="enableLookups">false</attribute>
> <attribute name="acceptCount">100</attribute>
> <attribute name="disableUploadTimeout">false</attribute>
> <attribute name="clientAuth">false</attribute>
> <attribute name="algorithm">Default</attribute>
> <attribute name="sslProtocol">TLS</attribute>
> <attribute name="keystoreFile">var/security/keystores/geronimo-default</attribute>
> <attribute name="keystorePass">secret</attribute>
> <attribute name="keystoreType">JKS</attribute>
> </gbean>
>
>
> -Donald
>
>
> Doug Reeder wrote:
>
>> http://cwiki.apache.org/GMOxDOC21/administering-certificates.html
>> explains how to configure an HTTPS listener to use SSL, including setting
>> the keystore and keystore password. However, this requires the console,
>> which is not installed on my production server, to keep the memory footprint
>> small.
>>
>> I can set the keystore used by the HTTPS listener on my production server
>> in var/config/config.xml, but not the password. Is there a way to do this
>> from GShell, or bash?
>>
>>
>>
Re: Set Keystore Password From GShell?
Posted by Donald Woods <dw...@apache.org>.
If you are using the Tomcat assembly (I'm looking at 2.1.x), then there
is a complete example of a HTTPS connector in config.xml, which includes
the keystorePass attribute -
<gbean name="TomcatWebSSLConnector">
    <attribute name="host">${ServerHostname}</attribute>
    <attribute name="port">${HTTPSPort + PortOffset}</attribute>
    <attribute name="maxHttpHeaderSize">8192</attribute>
    <attribute name="maxThreads">150</attribute>
    <attribute name="minSpareThreads">25</attribute>
    <attribute name="maxSpareThreads">75</attribute>
    <attribute name="enableLookups">false</attribute>
    <attribute name="acceptCount">100</attribute>
    <attribute name="disableUploadTimeout">false</attribute>
    <attribute name="clientAuth">false</attribute>
    <attribute name="algorithm">Default</attribute>
    <attribute name="sslProtocol">TLS</attribute>
    <attribute name="keystoreFile">var/security/keystores/geronimo-default</attribute>
    <attribute name="keystorePass">secret</attribute>
    <attribute name="keystoreType">JKS</attribute>
</gbean>
-Donald
Doug Reeder wrote:
> http://cwiki.apache.org/GMOxDOC21/administering-certificates.html
> explains how to configure an HTTPS listener to use SSL, including
> setting the keystore and keystore password. However, this requires the
> console, which is not installed on my production server, to keep the
> memory footprint small.
>
> I can set the keystore used by the HTTPS listener on my production
> server in var/config/config.xml, but not the password. Is there a way
> to do this from GShell, or bash?
>
>