
Documentation regarding configuring of Keystores does not mandate the addition of Primary and Internal Keystores causing errors during startup. #8032

Closed
VinulaUthsara opened this issue Jun 13, 2024 · 2 comments

Comments

@VinulaUthsara
Contributor

Hi Team,

When configuring a distributed APIM setup of CP and GW we followed the below mentioned steps:

  1. Change the keystore password at "<WSO2APIM_HOME>/repository/resources/security":

keytool -storepasswd -new <newpassword> -keystore wso2carbon.jks -storepass wso2carbon

  2. Change the key password:

keytool -keypasswd -alias wso2carbon -keystore wso2carbon.jks

  3. Update the new password in deployment.toml
  4. Start the server

We followed the above steps along with the documentation [1] and [2] to set up a distributed deployment locally and change the key password and keystore password. But we can observe issues where APIM gives errors related to the keystores, such as when only the keystore password and key password are changed in the keystore.tls configuration:

Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect

and/or

Caused by: java.security.UnrecoverableKeyException: Password verification failed

We were able to resolve the above mentioned issues after adding the keystore.tls, keystore.primary and keystore.internal configurations to the deployment.toml files in our local testing as follows:

[keystore.tls]
file_name =  "wso2carbon.jks"
type =  "JKS"
password =  "<password1>"
alias =  "wso2carbon"
key_password =  "<password1>"

[keystore.primary]
file_name =  "wso2carbon.jks"
type =  "JKS"
password =  "<password1>"
alias =  "wso2carbon"
key_password =  "<password1>"

[keystore.internal]
file_name =  "wso2carbon.jks"
type =  "JKS"
password =  "<password1>"
alias =  "wso2carbon"
key_password =  "<password1>"

However, the above information/steps (adding all of the keystore.tls, keystore.primary and keystore.internal configurations with the newly changed key password and keystore password as mandatory, to avoid keystore related errors) is not mentioned in the documentation for the case where a change is made to the keystore.

Information regarding this step is not available in documentation [1] or [2]. Due to this, users will face this issue and not be aware that the above mentioned configurations cause these errors.

Therefore, it is better to improve the documentation with this information.

Affected Product Version: APIM 4.2.0

Suggested Labels: Type/Docs, Docs/Has Impact, Documentation, Type/Improvement

[1] https://apim.docs.wso2.com/en/4.2.0/install-and-setup/setup/distributed-deployment/deploying-wso2-api-m-in-a-distributed-setup/
[2] https://apim.docs.wso2.com/en/4.2.0/install-and-setup/setup/security/configuring-keystores/configuring-keystores-in-wso2-api-manager/#configuring-keystores-in-wso2-api-manager

Thanks.
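The failure described above comes from a deployment.toml where only one of the three keystore sections carries the rotated password while the others fall back to the default. The following pre-flight check is an added example, not code from the issue or from WSO2: it parses the `[keystore.tls]`, `[keystore.primary]` and `[keystore.internal]` sections named in the issue (section and key names are taken from the config shown there; the parser, the `check_keystore_config` function and the sample TOML documents are constructed for this example) and reports sections that are missing or that reference the same keystore file or key alias with different passwords, so the mismatch is caught before the server is started.

```python
"""Pre-flight consistency check for the keystore sections of a WSO2 APIM deployment.toml.

Added example (not from the issue or the WSO2 project). It assumes the three
sections and five keys shown in the issue: [keystore.tls], [keystore.primary],
[keystore.internal] with file_name / type / password / alias / key_password.
"""
import re

REQUIRED_SECTIONS = ("keystore.tls", "keystore.primary", "keystore.internal")
REQUIRED_KEYS = ("file_name", "type", "password", "alias", "key_password")

_SECTION_RE = re.compile(r'^\[([A-Za-z0-9_.\-]+)\]\s*$')
_KV_RE = re.compile(r'^([A-Za-z0-9_\-]+)\s*=\s*"([^"]*)"\s*$')


def parse_simple_toml(text):
    """Minimal parser for the '[section]' / 'key = "value"' subset used by these blocks.

    Whole-line comments are skipped; inline comments are deliberately not stripped,
    because a password value may legitimately contain '#'.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = _KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def check_keystore_config(toml_text):
    """Return a list of findings; an empty list means the keystore sections are consistent."""
    cfg = parse_simple_toml(toml_text)
    findings = []
    present = {}
    for name in REQUIRED_SECTIONS:
        sec = cfg.get(name)
        if sec is None:
            # An absent section means the server falls back to its default password,
            # which no longer opens a keystore whose password was rotated.
            findings.append(f"missing section [{name}]")
            continue
        for key in REQUIRED_KEYS:
            if key not in sec:
                findings.append(f"[{name}] lacks '{key}'")
        present[name] = sec

    # Sections that point at the same keystore file must agree on the store password,
    # and sections that use the same alias in that file must agree on the key password.
    by_file = {}
    for name, sec in present.items():
        by_file.setdefault(sec.get("file_name"), []).append((name, sec))
    for fname, members in by_file.items():
        if len({s.get("password") for _, s in members}) > 1:
            names = ", ".join(n for n, _ in members)
            findings.append(f"sections {names} reference '{fname}' with different store passwords")
        by_alias = {}
        for n, s in members:
            by_alias.setdefault(s.get("alias"), []).append((n, s))
        for alias, group in by_alias.items():
            if len({s.get("key_password") for _, s in group}) > 1:
                names = ", ".join(n for n, _ in group)
                findings.append(f"sections {names} use alias '{alias}' in '{fname}' with different key passwords")
    return findings


def _section(name, store_pw, key_pw):
    """Build one keystore section (constructed sample data)."""
    return (f'[{name}]\nfile_name = "wso2carbon.jks"\ntype = "JKS"\n'
            f'password = "{store_pw}"\nalias = "wso2carbon"\nkey_password = "{key_pw}"\n')


# Constructed samples. Passwords are placeholders, not real credentials.
ONLY_TLS_TOML = _section("keystore.tls", "NewStorePass1", "NewKeyPass1")          # the issue's failing case
MIXED_TOML = (_section("keystore.tls", "NewStorePass1", "NewKeyPass1")
              + _section("keystore.primary", "NewStorePass1", "NewKeyPass1")
              + _section("keystore.internal", "wso2carbon", "wso2carbon"))          # one section left at the default
GOOD_TOML = "".join(_section(n, "NewStorePass1", "NewKeyPass1") for n in REQUIRED_SECTIONS)

if __name__ == "__main__":
    for label, doc in (("only tls", ONLY_TLS_TOML), ("mixed", MIXED_TOML), ("good", GOOD_TOML)):
        print(label, "->", check_keystore_config(doc) or "OK")
```

Run it against a real deployment.toml by reading the file into `check_keystore_config`; the three constructed documents reproduce the issue's failing case (only `keystore.tls` changed), a partially rotated configuration, and the complete configuration from the issue.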

@VinulaUthsara
Contributor Author

The documentation [1] has now been updated with the important note as in the following screenshot:

Screenshot from 2024-07-03 14-38-50

[1] https://apim.docs.wso2.com/en/latest/install-and-setup/setup/security/configuring-keystores/configuring-keystores-in-wso2-api-manager/

@VinulaUthsara
Contributor Author

Closing as completed
