Question: how to change Java Key Store (JKS) password? #9
Comments
I don't think so for the first time installation. You could mount the keystore file instead and use a secret for the keystore password. That would be the recommended approach to have total control over that password. You could try using an init container to issue the keystore, update the password and then have the container launch.
I'll try that, thanks
The EJBCA container does this differently and does not use that setting. A random password is generated and used for the keystore. You can add a secret APPSERVER_KEYSTORE_SECRET for the keystore password.
Well,
OK, APPSERVER_KEYSTORE_SECRET only works when providing the keystore. I thought maybe Anton had done something in the helm chart, but that does not appear to be the case from your testing.
OK, but how is the keystore password used inside the container if it's not coming from web.properties?
The keystore password is used with the JKS that terminates TLS at the container. In Kubernetes you're not doing this unless you used the nodeport option, I think. TLS is terminated at Ingress and sent back to EJBCA over the proxy port, or if you had HTTPD in the pod that could also terminate TLS as well.
I'm not sure I can follow you :) We are still discussing the keystore password for Maybe I misunderstand something though
Whoa, I'm way off! Sorry about the confusion. Yes, the default cacerts file is in the container. The default should be changeit for that file. There is no way currently to provide a password for that file. There is a feature request for the container to support this, but I don't have an ETA when that will be. What I think you can do is mount the cacerts file and then provide a JAVA_OPTS_CUSTOM with the password for the file and the JVM settings. I think that would work. e.g. -Xms2048m -Xmx4096m -Xss256k -XX:MetaspaceSize=160m -XX:MaxMetaspaceSize=512m -Djavax.net.ssl.trustStore=usr/lib/jvm/java-11-slim/lib/security/cacerts -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=newpassword
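The two suggestions in the comments above (an init container that rewrites the keystore password, and a mounted cacerts plus JAVA_OPTS_CUSTOM carrying the new password) written out as one manifest. This is an added example, not code from the EJBCA project or its helm chart, and nothing on this page confirms the chart exposes these hooks. Assumed and hypothetical: the image name keyfactor/ejbca-ce, the Secret name ejbca-truststore-password and its key, the Deployment skeleton, and the cacerts path /usr/lib/jvm/java-11-slim/lib/security/cacerts (taken from the comment above; check it against your image with `echo $JAVA_HOME`). Only JAVA_OPTS_CUSTOM and the default password changeit come from the thread.

```yaml
# Added example (not from the EJBCA project or chart). Rotates the password of
# the JVM default truststore (cacerts) in an init container, shares the result
# with the main container over an in-memory emptyDir, mounts it over the
# default location, and hands the new password to the JVM via JAVA_OPTS_CUSTOM.
apiVersion: v1
kind: Secret
metadata:
  name: ejbca-truststore-password        # hypothetical name
type: Opaque
stringData:
  password: "REPLACE-WITH-A-STRONG-PASSWORD"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ejbca                             # hypothetical; the chart's own names differ
spec:
  replicas: 1
  selector:
    matchLabels: {app: ejbca}
  template:
    metadata:
      labels: {app: ejbca}
    spec:
      volumes:
        - name: truststore
          emptyDir:
            medium: Memory                 # rewritten store never touches node disk
      initContainers:
        - name: rotate-truststore-password
          image: keyfactor/ejbca-ce:latest # assumed: same image, so keytool and the default cacerts exist
          env:
            - name: NEW_STOREPASS
              valueFrom:
                secretKeyRef:
                  name: ejbca-truststore-password
                  key: password
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              # Assumed JAVA_HOME for the image; verify before relying on it.
              SRC=/usr/lib/jvm/java-11-slim/lib/security/cacerts
              cp "$SRC" /truststore/cacerts
              # Change the store password in place; the shipped default is changeit.
              keytool -storepasswd -keystore /truststore/cacerts \
                -storepass changeit -new "$NEW_STOREPASS"
              # Fail the pod start if the old password still opens the store.
              if keytool -list -keystore /truststore/cacerts -storepass changeit >/dev/null 2>&1; then
                echo "truststore password rotation failed" >&2
                exit 1
              fi
              chmod 0440 /truststore/cacerts
          volumeMounts:
            - name: truststore
              mountPath: /truststore
      containers:
        - name: ejbca
          image: keyfactor/ejbca-ce:latest   # assumed image name
          env:
            - name: TRUSTSTORE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: ejbca-truststore-password
                  key: password
            # $(TRUSTSTORE_PASSWORD) is expanded by Kubernetes because the
            # variable is declared earlier in this env list.
            - name: JAVA_OPTS_CUSTOM
              value: >-
                -Djavax.net.ssl.trustStore=/usr/lib/jvm/java-11-slim/lib/security/cacerts
                -Djavax.net.ssl.trustStoreType=jks
                -Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)
          volumeMounts:
            # Mount the rotated file over the default path so anything that
            # inspects $JAVA_HOME/lib/security/cacerts sees the new password.
            - name: truststore
              mountPath: /usr/lib/jvm/java-11-slim/lib/security/cacerts
              subPath: cacerts
              readOnly: true
```

Two caveats worth keeping in mind. First, a JKS store password protects the integrity of the truststore, not the confidentiality of the trusted certificates in it (those are not encrypted), so the rotation mainly stops anyone who can write to the file from silently adding a trust anchor with the well-known default. Second, a password passed as a -D system property is visible in the JVM command line to any process that can read /proc in the pod; if that matters in your threat model, prefer mounting the Secret as a file and having the application read the password from there.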
We deployed the chart with the following env variables (some information is redacted):
However, when accessing the RA web page it says:
¹ Java Key Store (JKS) password is set to 'changeit'.
Executing
keytool -list -keystore cacerts --storepass changeit
in $JAVA_HOME/lib/security
confirms this password. Is there a way to change it during first time installation?