geronimo-user mailing list archives

From Donald Woods <dwo...@apache.org>
Subject Re: Set Keystore Password From GShell?
Date Tue, 18 Nov 2008 19:03:07 GMT
Yep, the Jetty config is different.
The plugins/jetty/jetty6/src/main/plan/plan.xml contains -
     <gbean name="JettySSLConnector" class="org.apache.geronimo.jetty6.connector.HTTPSSelectChannelConnector">
         <attribute name="host">${PlanServerHostname}</attribute>
         <attribute name="port">${PlanHTTPSPort}</attribute>
         <attribute name="headerBufferSizeBytes">8192</attribute>
         <attribute name="keyStore">geronimo-default</attribute>
         <attribute name="keyAlias">geronimo</attribute>
         <attribute name="trustStore">geronimo-default</attribute>
         <attribute name="clientAuthRequired">false</attribute>
         <attribute name="algorithm">Default</attribute>
         <attribute name="secureProtocol">TLS</attribute>
         <attribute name="maxThreads">50</attribute>
         <reference name="JettyContainer">
             <name>JettyWebContainer</name>
         </reference>
         <reference name="ThreadPool">
             <name>DefaultThreadPool</name>
         </reference>
         <reference name="KeystoreManager">
             <name>KeystoreManager</name>
         </reference>
     </gbean>

Which means it is using the geronimo-default keystore, which is 
created/configured in 
framework/configs/server-security-config/src/main/plan/plan.xml -

     <gbean name="geronimo-default" class="org.apache.geronimo.security.keystore.FileKeystoreInstance">
         <attribute name="keystoreName">geronimo-default</attribute>
         <attribute name="keystorePath">var/security/keystores/geronimo-default</attribute>
         <attribute name="keystorePassword">secret</attribute>
         <attribute name="keystoreType">JKS</attribute>
         <attribute name="keyPasswords">geronimo=secret</attribute>
         <reference name="ServerInfo"><name>ServerInfo</name></reference>
     </gbean>

So, you would have to either create a new GBean for your 
FileKeystoreInstance (the recommended solution) or reuse the existing one 
and override the passwords in config.xml.


-Donald


Doug Reeder wrote:
> I'm using 2.1.3 (Jetty), and the server rejects keystorePass as an 
> illegal parameter or some such.   I'm not sure what else I'd want to 
> check before filing a JIRA.
> 
> 
> On Tue, Nov 18, 2008 at 11:09 AM, Donald Woods <dwoods@apache.org 
> <mailto:dwoods@apache.org>> wrote:
> 
>     If you are using the Tomcat assembly (I'm looking at 2.1.x), then
>     there is a complete example of a HTTPS connector in config.xml,
>     which includes the keystorePass attribute -
> 
>            <gbean name="TomcatWebSSLConnector">
>                <attribute name="host">${ServerHostname}</attribute>
>                <attribute name="port">${HTTPSPort + PortOffset}</attribute>
>                <attribute name="maxHttpHeaderSize">8192</attribute>
>                <attribute name="maxThreads">150</attribute>
>                <attribute name="minSpareThreads">25</attribute>
>                <attribute name="maxSpareThreads">75</attribute>
>                <attribute name="enableLookups">false</attribute>
>                <attribute name="acceptCount">100</attribute>
>                <attribute name="disableUploadTimeout">false</attribute>
>                <attribute name="clientAuth">false</attribute>
>                <attribute name="algorithm">Default</attribute>
>                <attribute name="sslProtocol">TLS</attribute>
>                <attribute name="keystoreFile">var/security/keystores/geronimo-default</attribute>
>                <attribute name="keystorePass">secret</attribute>
>                <attribute name="keystoreType">JKS</attribute>
>            </gbean>
> 
> 
>     -Donald
> 
> 
>     Doug Reeder wrote:
> 
>         http://cwiki.apache.org/GMOxDOC21/administering-certificates.html
>         explains how to configure an HTTPS listener to use SSL,
>         including setting the keystore and keystore password.  However,
>         this requires the console, which is not installed on my
>         production server, to keep the memory footprint small.
> 
>         I can set the keystore used by the HTTPS listener on my
>         production server in var/config/config.xml, but not the
>         password.  Is there a way to do this from GShell, or bash?
> 
> 
> 

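The thread above leaves the reader with two options (a new FileKeystoreInstance GBean, or overriding the passwords in config.xml from bash). As an added example that is not code from the thread or from Geronimo itself, the script below audits a plan/config fragment for the shipped default password and rewrites the keystorePassword/keyPasswords attributes of a named GBean; the sample XML is constructed from the snippet quoted above with the namespace omitted, and comma separation for more than one keyPasswords entry is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the FileKeystoreInstance GBean quoted in the thread,
# namespace omitted, still carrying the shipped default password "secret".
SAMPLE_PLAN = """<gbean name="geronimo-default"
    class="org.apache.geronimo.security.keystore.FileKeystoreInstance">
  <attribute name="keystoreName">geronimo-default</attribute>
  <attribute name="keystorePath">var/security/keystores/geronimo-default</attribute>
  <attribute name="keystorePassword">secret</attribute>
  <attribute name="keystoreType">JKS</attribute>
  <attribute name="keyPasswords">geronimo=secret</attribute>
</gbean>"""

def _attr(gbean, name):
    """Return the direct <attribute name=...> child of a <gbean>, or None."""
    return next((a for a in gbean.findall("attribute") if a.get("name") == name), None)

def parse_key_passwords(value):
    """Parse 'alias=pw' entries (comma separation assumed for several) into a dict."""
    pairs = (p.split("=", 1) for p in value.split(",") if "=" in p)
    return {alias.strip(): pw for alias, pw in pairs}

def default_password_findings(xml_text, default="secret"):
    """List (gbean name, attribute) pairs still carrying the shipped default."""
    findings = []
    for gb in ET.fromstring(xml_text).iter("gbean"):  # iter() includes the root
        store = _attr(gb, "keystorePassword")
        if store is not None and store.text == default:
            findings.append((gb.get("name"), "keystorePassword"))
        keys = _attr(gb, "keyPasswords")
        if keys is not None and default in parse_key_passwords(keys.text or "").values():
            findings.append((gb.get("name"), "keyPasswords"))
    return findings

def set_passwords(xml_text, gbean_name, store_password, key_passwords):
    """Rewrite keystorePassword/keyPasswords of one GBean and return the XML text.
    The JKS file itself must be changed to match (keytool -storepasswd/-keypasswd)."""
    root = ET.fromstring(xml_text)
    for gb in root.iter("gbean"):
        if gb.get("name") != gbean_name:
            continue
        joined = ",".join(f"{alias}={pw}" for alias, pw in key_passwords.items())
        for name, value in (("keystorePassword", store_password), ("keyPasswords", joined)):
            el = _attr(gb, name)
            if el is None:  # attribute absent in a config.xml override: add it
                el = ET.SubElement(gb, "attribute", name=name)
            el.text = value
        return ET.tostring(root, encoding="unicode")
    raise KeyError(f"no <gbean name={gbean_name!r}> in document")
```

Run default_password_findings over each plan.xml or config.xml before a server goes to production; an empty list means no GBean still uses the default shipped with the distribution.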