Can't change WSO2 API-M Certificate for authenticating communication over SSL/TLS in Docker
I am running WSO2 API-M Docker version 3.0.0-centos7 (link image).
I tried to change the certificate exposed by WSO2 API-M, and I followed this tutorial.
First, I generated a key pair in the existing keystore /wso2am-3.0.0/repository/resources/security/wso2carbon.jks of API-M:
keytool -genkeypair -dname "cn=wso2carbon.com" -alias wso2apim -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon
Showing this certificate:
[wso2carbon@4ef6e35bf497 security]$ keytool -list -v -alias wso2apim -keystore wso2carbon.jks
Enter keystore password:
Alias name: wso2apim
Creation date: Jan 15, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=wso2carbon.com
Issuer: CN=wso2carbon.com
Serial number: 3ad5ca3b
Valid from: Wed Jan 15 04:13:03 UTC 2020 until: Tue Apr 14 04:13:03 UTC 2020
Certificate fingerprints:
MD5: 99:CF:3B:0F:7D:31:9A:AB:05:E6:79:F7:B3:C7:35:21
SHA1: D9:26:2A:18:C6:31:64:DA:8E:71:61:B7:1D:5E:7E:31:73:A0:4A:4A
SHA256: B0:BE:74:BE:09:5C:48:79:39:B9:9A:B4:38:1F:30:36:ED:9D:5A:2E:01:DE:F5:C9:95:94:BF:33:E1:0F:39:9F
Signature algorithm name: SHA256withDSA
Subject Public Key Algorithm: 2048-bit DSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 01 39 89 99 D0 E3 6D E6 C8 1E CE 3B D3 33 39 EC .9....m....;.39.
0010: 38 E9 40 01 8.@.
]
]
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore wso2carbon.jks -destkeystore wso2carbon.jks -deststoretype pkcs12".
Then, I updated the SSLHostConfig section in /home/wso2carbon/wso2am-3.0.0/repository/conf/tomcat/catalina-server.xml (changing certificateKeyAlias from "wso2carbon" to "wso2apim"):
<SSLHostConfig
    protocols="+TLSv1,+TLSv1.1,+TLSv1.2"
    truststorePassword="wso2carbon"
    truststoreType="JKS"
    truststoreFile="${carbon.home}/repository/resources/security/client-truststore.jks"
    certificateVerification="false"
    sslProtocol="TLS"
>
    <Certificate
        certificateKeystorePassword="wso2carbon"
        certificateKeystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
        certificateKeyAlias="wso2apim"
        certificateKeystoreType="JKS"
        certificateKeyPassword="wso2carbon"
    />
</SSLHostConfig>
However, after I restarted the API-M container, this configuration was not applied (certificateKeyAlias remained "wso2carbon"):
<SSLHostConfig
    protocols="+TLSv1,+TLSv1.1,+TLSv1.2"
    truststorePassword="wso2carbon"
    truststoreType="JKS"
    truststoreFile="${carbon.home}/repository/resources/security/client-truststore.jks"
    certificateVerification="false"
    sslProtocol="TLS"
>
    <Certificate
        certificateKeystorePassword="wso2carbon"
        certificateKeystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
        certificateKeyAlias="wso2carbon"
        certificateKeystoreType="JKS"
        certificateKeyPassword="wso2carbon"
    />
</SSLHostConfig>
Could you tell me whether I got any of the steps wrong? Or is there a reference for this configuration?
Thank you very much.
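WSO2 released new product versions in Q4 2019, and they come with a new configuration model. Instead of changing the XML configuration files in the repository/conf directory, there is now a single file named deployment.toml. All configuration should be done in this file.
The configuration template files are located in wso2am-3.0.0/repository/resources/conf/templates/repository/conf/. When you update the configuration in deployment.toml, those changes are applied according to the templates and copied to the wso2am-3.0.0/repository/conf location. That is why your changes were overwritten.
To update the certificate alias, you can add the following configuration to the deployment.toml file. This file can be found in the repository/conf location.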
[transport.https.sslHostConfig.certificate.properties]
certificateKeyAlias = "wso2apim"
For details, refer to https://is.docs.wso2.com/en/next/administer/configuring-keystores-in-wso2-products/
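
A check for the situation described in this thread, as an added example that is not part of the original question or answer: it compares the alias set under [transport.https.sslHostConfig.certificate.properties] in deployment.toml with the certificateKeyAlias found in the generated catalina-server.xml. The function names (toml_alias, xml_alias, check_alias, demo) are hypothetical helpers, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: compare the HTTPS key alias requested in deployment.toml with
# the alias in the generated catalina-server.xml. All function names are
# hypothetical helpers; file paths are passed in as arguments.

# Print certificateKeyAlias from the TOML table named in the answer (empty if unset).
toml_alias() {
    awk '
        /^[ \t]*\[/ {
            hit = ($0 ~ /^[ \t]*\[transport\.https\.sslHostConfig\.certificate\.properties\][ \t]*$/)
            next
        }
        hit && /^[ \t]*certificateKeyAlias[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); gsub(/"/, ""); sub(/[ \t]+$/, "")
            print; exit
        }' "$1"
}

# Print the first certificateKeyAlias attribute value found in the XML file.
xml_alias() {
    sed -n 's/.*certificateKeyAlias="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_alias TOML XML: 0 = files agree, 1 = no override in TOML, 2 = mismatch.
check_alias() {
    want=$(toml_alias "$1")
    got=$(xml_alias "$2")
    if [ -z "$want" ]; then
        echo "deployment.toml sets no alias; generated XML has '$got'"
        return 1
    fi
    if [ "$want" != "$got" ]; then
        echo "mismatch: deployment.toml='$want' catalina-server.xml='$got'"
        return 2
    fi
    echo "ok: alias '$want' in both files"
}

# Constructed sample input mirroring the question: the XML still says wso2carbon.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '[transport.https.sslHostConfig.certificate.properties]' \
        'certificateKeyAlias = "wso2apim"' > "$d/deployment.toml"
    printf '%s\n' '<Certificate' 'certificateKeyAlias="wso2carbon"' '/>' \
        > "$d/catalina-server.xml"
    rc=0; check_alias "$d/deployment.toml" "$d/catalina-server.xml" || rc=$?
    rm -rf "$d"; return "$rc"
}
demo || true
```

Inside the container, point check_alias at repository/conf/deployment.toml and repository/conf/tomcat/catalina-server.xml after a restart; a return code of 1 corresponds to the question's situation, where only the XML was edited by hand.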