List: forgerock-openidm-commit
Subject: [CommitOpenIDM] [5362] trunk/src/main/docbkx/integrators-guide: CR-7044 (OPENIDM-2870) Emphasis need
From: anonymous () forgerock ! org
Date: 2015-05-26 14:32:42
Message-ID: 20150526143242.94D813F8DD () sources ! internal ! forgerock ! com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[5362] trunk/src/main/docbkx/integrators-guide: CR-7044 (OPENIDM-2870) Emphasis needed on changing the keystore password</title> </head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }
#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://sources.forgerock.org/changelog/openidm/?cs=5362">5362</a></dd>
<dt>Author</dt> <dd>lana</dd>
<dt>Date</dt> <dd>2015-05-26 15:32:42 +0100 (Tue, 26 May 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>CR-7044 (<a href="https://bugster.forgerock.org/jira/browse/OPENIDM-2870">OPENIDM-2870</a>) Emphasis needed on changing the keystore password</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcmaindocbkxintegratorsguidechapclixml">trunk/src/main/docbkx/integrators-guide/chap-cli.xml</a></li>
<li><a href="#trunksrcmaindocbkxintegratorsguidechapsecurityxml">trunk/src/main/docbkx/integrators-guide/chap-security.xml</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcmaindocbkxintegratorsguidechapclixml"></a>
<div class="modfile"><h4>Modified: \
trunk/src/main/docbkx/integrators-guide/chap-cli.xml (5361 => 5362)</h4> <pre \
class="diff"><span> <span class="info">--- \
trunk/src/main/docbkx/integrators-guide/chap-cli.xml 2015-05-25 11:01:33 UTC (rev \
5361)
+++ trunk/src/main/docbkx/integrators-guide/chap-cli.xml 2015-05-26 14:32:42 UTC (rev \
5362) </span><span class="lines">@@ -540,8 +540,15 @@
</span><span class="cx"> AES:606d80ae316be58e94439f91ad8ce1c0 \
</computeroutput> </span><span class="cx"> </screen>
</span><span class="cx">
</span><del>- <para>The default keystore password is \
<literal>changeit</literal>. You
- should change this password after installation.</para>
</del><ins>+ <para>
+ The default keystore password is <literal>changeit</literal>. For \
security + reasons, you <emphasis>must</emphasis> change this password \
in a production + environment. For information about changing the keystore \
password, see <link + xlink:show="new"
+ xlink:href="integrators-guide#security-keystore-password"
+ xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Change \
the + Default Keystore Password</citetitle></link>.
+ </para>
</ins><span class="cx">
</span><span class="cx"> <para>To import a new secret key named \
<replaceable>my-new-key</replaceable>, </span><span class="cx"> run \
the following command:</para> </span></span></pre></div>
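Review bot: the new paragraph tells the reader to change the keystore password but not that the password exists in two places that have to agree, so someone who changes it on the keystore file alone will find that OpenIDM can no longer open the keystore at start up: the chap-security text added in this same commit says OpenIDM reads the keystore password from conf/boot/boot.properties at start up, and that file's own comment reads "adjust to match your keystore". Suggest one more sentence after "environment.", along the lines of "Change the password on the keystore itself, then update openidm.keystore.password in conf/boot/boot.properties to match." One build note: the olink target "security-keystore-password" is introduced by this commit, so the olink target database has to be regenerated before this chapter resolves the link.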
<a id="trunksrcmaindocbkxintegratorsguidechapsecurityxml"></a>
<div class="modfile"><h4>Modified: \
trunk/src/main/docbkx/integrators-guide/chap-security.xml (5361 => 5362)</h4> <pre \
class="diff"><span> <span class="info">--- \
trunk/src/main/docbkx/integrators-guide/chap-security.xml 2015-05-25 11:01:33 UTC \
(rev 5361)
+++ trunk/src/main/docbkx/integrators-guide/chap-security.xml 2015-05-26 14:32:42 UTC \
(rev 5362) </span><span class="lines">@@ -800,47 +800,130 @@
</span><span class="cx"> <primary>Passwords</primary>
</span><span class="cx"> <secondary>Replacing defaults</secondary>
</span><span class="cx"> </indexterm>
</span><del>- <para>
- The default security settings are adequate for evaluation purposes. In
- production environments, change at least the password of the default
- administrative user (<literal>openidm-admin</literal>).
- </para>
- <para>
- To change the password of the default administrative user, send a PUT
- request to the user object. The following example changes the password of
- the <literal>openidm-admin</literal> user to \
<literal>Passw0rd</literal>:
- </para>
- <screen><userinput>$ curl \
- --cacert self-signed.crt \
- --header "Content-Type: application/json" \
- --header "X-OpenIDM-Username: openidm-admin" \
- --header "X-OpenIDM-Password: openidm-admin" \
- --request PUT \
- --data '{
- "password": "Passw0rd",
- "userName": "openidm-admin",
- "roles": "openidm-admin,openidm-authorized",
- "_id": "openidm-admin"
- }' \
- "https://localhost:8443/openidm/repo/internal/user/openidm-admin"</userinput>
-<computeroutput>{
- "roles": "openidm-admin,openidm-authorized",
- "password": {
- "$crypto": {
</del><ins>+ <itemizedlist>
+ <para>
+ The default security settings are adequate for evaluation purposes. In
+ production environments, change at least the following settings:
+ </para>
+ <listitem>
+ <para>
+ The password of the default administrative user
+ (<literal>openidm-admin</literal>)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The default keystore password
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <procedure xml:id="change-default-admin-pwd">
+ <title>Change the Default Administrator Password</title>
+ <step>
+ <para>
+ To change the password of the default administrative user, send a PUT
+ request to the user object.
+ </para>
+ <para>
+ The following example changes the password of the
+ <literal>openidm-admin</literal> user to \
<literal>Passw0rd</literal>: + </para>
+ <screen>$<userinput> curl \
+ --cacert self-signed.crt \
+ --header "Content-Type: application/json" \
+ --header "X-OpenIDM-Username: openidm-admin" \
+ --header "X-OpenIDM-Password: openidm-admin" \
+ --request PUT \
+ --data '{
+ "password": "Passw0rd",
+ "userName": "openidm-admin",
+ "roles": "openidm-admin,openidm-authorized",
+ "_id": "openidm-admin"
+ }' \
+ "https://localhost:8443/openidm/repo/internal/user/openidm-admin"</userinput>
+ <computeroutput>{
+ "roles": "openidm-admin,openidm-authorized",
+ "password": {
+ "$crypto": {
</ins><span class="cx"> "value": {
</span><del>- "key": "openidm-sym-default",
- "iv": "USfN9kARk4QjoyjGa/r8WA==",
- "cipher": "AES/CBC/PKCS5Padding",
- "data": "27tDQg49z8nWqvIOEh7VAg=="
</del><ins>+ "key": "openidm-sym-default",
+ "iv": "USfN9kARk4QjoyjGa/r8WA==",
+ "cipher": "AES/CBC/PKCS5Padding",
+ "data": "27tDQg49z8nWqvIOEh7VAg=="
</ins><span class="cx"> },
</span><span class="cx"> "type": "x-simple-encryption"
</span><del>- }
- },
- "_id": "openidm-admin",
- "userName": "openidm-admin",
- "_rev": "2"
-}</computeroutput>
- </screen>
</del><ins>+ }
+ },
+ "_id": "openidm-admin",
+ "userName": "openidm-admin",
+ "_rev": "2"
+ }</computeroutput>
+ </screen>
+ </step>
+ </procedure>
+
+ <procedure xml:id="security-keystore-password">
+ <title>Change the Default Keystore Password</title>
+ <para>
+ OpenIDM uses the information in \
<filename>conf/boot/boot.properties</filename>, + including the \
keystore password, to start up. The keystore password is + \
<literal>changeit</literal> by default, and is stored in clear text in \
the + <filename>boot.properties</filename> file.
+ </para>
+ <para>
+ You <emphasis>must</emphasis> set a strong keystore password in any
+ production deployment, but especially in cluster deployments. In a cluster
+ deployment, the keystore is distributed through the repository. The strength
+ of the keystore password is therefore the only thing that protects your
+ deployment against exposure of the keystore.
+ </para>
+ <para>
+ To set an obfuscated version of the keystore password in the
+ <filename>boot.properties</filename> file, follow these steps.
+ </para>
+ <step>
+ <para>
+ Generate an obfuscated version of the password, by using the crypto bundle
+ provided with OpenIDM:
+ </para>
+ <screen>$ <userinput>$ java -jar \
/path/to/openidm/bundle/openidm-crypto-${project.version}.jar</userinput> \
+<computeroutput>This utility helps obfuscate passwords to prevent casual \
observation. +It is not securely encrypted and needs further measures to prevent \
disclosure. +Please enter the password:
+OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
+CRYPT:a8b5a01ba48a306f300b62a1541734c7
+</computeroutput></screen>
+ </step>
+ <step>
+ <para>
+ Paste either the obfuscated password \
(<literal>OBF:xxxxxxx</literal>) or + the encrypted password \
(<literal>CRYPT:xxxxxxx</literal>) into the + \
<filename>conf/boot/boot.properties</filename> file. + </para>
+ <para>
+ Comment out the regular keystore password and remove the comment tag,
+ either from the line that contains the obfuscated password or from the line
+ that contains the encrypted password:
+ </para>
+ <screen>$ <userinput>more \
conf/boot/boot.properties</userinput> +<computeroutput>...
+# Keystore password, adjust to match your keystore and protect this file
+# openidm.keystore.password=changeit
+openidm.truststore.password=changeit
+
+# Optionally use the crypto bundle to obfuscate the password and set one of these:
+openidm.keystore.password=OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
+# openidm.keystore.password=CRYPT:a8b5a01ba48a306f300b62a1541734c7
+... </computeroutput></screen>
+ </step>
+ <step>
+ <para>
+ Restart OpenIDM.
+ </para>
+ <screen>$ <userinput>./startup.sh</userinput></screen>
+ </step>
+ </procedure>
</ins><span class="cx"> </section>
</span><span class="cx">
</span><span class="cx"> <section xml:id="security-jetty">
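Review bot: the java command in the first step of the new keystore procedure has lost the DocBook processing instruction that substitutes the version. The deleted section (second hunk of this file) wrote "openidm-crypto-<?eval ${project.version}?>.jar"; the added line writes "openidm-crypto-${project.version}.jar", so the published guide will show the literal text "${project.version}" instead of the release number. Restore the "<?eval ... ?>" wrapper. Same screen: "<screen>$ <userinput>$ java -jar" renders as "$ $ java"; drop the inner "$" so it matches the other screens in this hunk, which keep the prompt outside <userinput>. Two documentation points: the paragraph that says the strength of the keystore password "is the only thing that protects your deployment against exposure of the keystore" is immediately followed by a procedure that only obfuscates the value, and the tool's own output quoted here says "It is not securely encrypted and needs further measures to prevent disclosure"; a sentence stating that OBF/CRYPT hide the password from casual observation only, and that boot.properties still needs restrictive file permissions (the file comment says "protect this file"), would keep the two from contradicting each other. The sample boot.properties also still shows "openidm.truststore.password=changeit" with no comment; say whether the truststore password should be changed as well, otherwise the sample reads as an endorsement of the default. Style: the introductory <para> sits inside <itemizedlist> before the first <listitem>; moving it in front of the list is the usual layout in this guide.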
</span><span class="lines">@@ -1029,68 +1112,6 @@
</span><span class="cx"> </procedure>
</span><span class="cx"> </section>
</span><span class="cx">
</span><del>- <section xml:id="security-bootstrap">
- <title>Obfuscate Bootstrap Information</title>
-
- <para>
- OpenIDM uses the information in \
<filename>conf/boot/boot.properties</filename>,
- including the keystore password, to start up. The keystore password is
- <literal>changeit</literal> by default, and is stored in clear text \
in the
- <filename>boot.properties</filename> file. To set an obfuscated \
version of
- the keystore password in the <filename>boot.properties</filename> \
file,
- follow these steps.
- </para>
-
- <orderedlist>
- <listitem>
- <para>
- Generate an obfuscated version of the password, by using the crypto bundle
- provided with OpenIDM:
- </para>
- <screen>$ <userinput>$ java -jar \
/path/to/openidm/bundle/openidm-crypto-<?eval \
${project.version}?>.jar
- </userinput>
- <computeroutput>
-This utility helps obfuscate passwords to prevent casual observation.
-It is not securely encrypted and needs further measures to prevent disclosure.
-Please enter the password:
-OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
-CRYPT:a8b5a01ba48a306f300b62a1541734c7
- </computeroutput>
- </screen>
- </listitem>
- <listitem>
- <para>
- Paste either the obfuscated password \
(<literal>OBF:xxxxxxx</literal>) or
- the encrypted password (<literal>CRYPT:xxxxxxx</literal>) into the
- <filename>conf/boot/boot.properties</filename> file. Comment out \
the
- regular keystore password and remove the comment tag, either from the line
- that contains the obfuscated password or from the line that contains the
- encrypted password:
- </para>
- <screen>
-$ <userinput>more conf/boot/boot.properties</userinput>
- <computeroutput>
-...
-# Keystore password, adjust to match your keystore and protect this file
-# openidm.keystore.password=changeit
-openidm.truststore.password=changeit
-
-# Optionally use the crypto bundle to obfuscate the password and set one of these:
-openidm.keystore.password=OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
-# openidm.keystore.password=CRYPT:a8b5a01ba48a306f300b62a1541734c7
-... </computeroutput>
- </screen>
- </listitem>
- <listitem>
- <para>
- Restart OpenIDM.
- </para>
- <screen>$ ./startup.sh</screen>
- </listitem>
- </orderedlist>
-
- </section>
-
</del><span class="cx"> <section xml:id="security-remove-dev-tools">
</span><span class="cx"> <title>Remove or Protect Development &amp; Debug \
Tools</title> </span><span class="cx"> <para>
</span></span></pre>
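Review bot: deleting <section xml:id="security-bootstrap"> removes a link target; any xref or olink elsewhere in the docbkx tree that points at "security-bootstrap" will fail to resolve at build time. Either grep the other guides for that id and repoint them at the new "security-keystore-password" procedure (as chap-cli.xml is repointed in this commit), or carry the old id over so existing links keep working. The moved content otherwise matches the new procedure line for line, except that the "<?eval ${project.version}?>" wrapper on the jar name in this deleted block should be carried over to the new location.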
</div>
</div>
<div id="footer">Copyright (c) by ForgeRock. All rights reserved.</div>
</body>
</html>
_______________________________________________
CommitOpenIDM mailing list
CommitOpenIDM@forgerock.org
https://lists.forgerock.org/mailman/listinfo/commitopenidm