OpenAM 5 keystore.jks issues

OpenAM 5 keystore.jks issues

Brad Tarisznyas
Hi All,

On a new OpenAM 5 installation the password for the keystore.jks seems to not be “changeit” anymore:

[root@am am]# keytool -list -v -keystore keystore.jks -alias test
Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at sun.security.tools.keytool.Main.doCommands(Main.java:896)
at sun.security.tools.keytool.Main.run(Main.java:345)
at sun.security.tools.keytool.Main.main(Main.java:338)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
... 7 more
[root@am am]#


Also, the .keypass has “changeit” in clear text and not encrypted (.storepass has an encrypted password). Confirmed on multiple installs.

For a sanity check, on OpenAM 13.0 changeit works fine, and both .storepass and .keypass contain encrypted passwords (assuming this is “changeit”)

# keytool -list -v -keystore keystore.jks -alias test
Enter keystore password:  
Alias name: test
Creation date: Jul 16, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=test, OU=OpenSSO, O=Sun, L=Santa Clara, ST=California, C=US
Issuer: CN=test, OU=OpenSSO, O=Sun, L=Santa Clara, ST=California, C=US
Serial number: 478d074b
Valid from: Tue Jan 15 19:19:39 UTC 2008 until: Fri Jan 12 19:19:39 UTC 2018
Certificate fingerprints:
MD5:  8D:89:26:BA:5C:04:D8:CC:D0:1B:85:50:2E:38:14:EF
SHA1: DE:F1:8D:BE:D5:47:CD:F3:D5:2B:62:7F:41:63:7C:44:30:45:FE:33
SHA256: 39:DD:8A:4B:0F:47:4A:15:CD:EF:7A:41:C5:98:A2:10:FA:90:5F:4B:8F:F4:08:04:CE:A5:52:9F:47:E7:CF:29
Signature algorithm name: MD5withRSA
Version: 1
[/opt/openam/am] 

This would seem like a bug, but thought I’d throw it out to the community to confirm.

Regards
Brad

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
Re: OpenAM 5 keystore.jks issues

Vincent Koldenhof-2
Hi Brad,

I have just looked at my own AM5 deployment and see the same issue. However, I can read the keystore.jks and keystore.jceks fine when I use the encrypted password from the .storepass instead of changeit.

Kind regards,
Vincent

2017-05-12 10:31 GMT+02:00 Brad Tarisznyas <[hidden email]>:
--
m.v.g.
Vincent Koldenhof
e-mail: [hidden email]

Re: OpenAM 5 keystore.jks issues

Bernhard Thalmayr
In reply to this post by Brad Tarisznyas
the password files not being encrypted is expected (personally I
consider this a security issue).

There is also a bug that the content of the password files is not
trimmed ...

-Bernhard

On 12/05/17 at 10:31, Brad Tarisznyas wrote:
--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

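An added example, not code from this thread nor from OpenAM/ForgeRock, that turns the two replies into a check a deployer can run before the keystore is needed: Vincent's observation that keystore.jks opens with the value stored in .storepass rather than with changeit, and Bernhard's that the password files are not trimmed (so a trailing newline left by an editor becomes part of the password). It assumes the layout visible in Brad's prompt (a configuration directory such as /opt/openam/am holding keystore.jks, .storepass and .keypass) and that keytool is on the PATH; the function names and the sample files used in testing are my own construction.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenAM project).
# Assumptions: the AM configuration directory holds keystore.jks beside the
# .storepass and .keypass files, and the string in .storepass is the literal
# password the keystore was created with.

# Print a password file's content with line endings and surrounding blanks
# removed. AM does not trim the file, so this is what the file *should* hold.
read_password_file() {
    tr -d '\r\n' < "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Exit 0 if the file still holds the well-known default "changeit" in clear
# text, as the thread reports for .keypass on AM 5.
is_default_password() {
    [ "$(read_password_file "$1")" = "changeit" ]
}

# Exit 0 if the raw file content differs from its trimmed form, i.e. the
# file carries whitespace or a newline that AM will pass on as password bytes.
has_untrimmed_whitespace() {
    raw=$(cat "$1"; printf x)   # the extra char keeps a trailing newline alive
    raw=${raw%x}
    [ "$raw" != "$(read_password_file "$1")" ]
}

# Print one finding per problem in the given directory's password files.
# Returns 1 if anything was flagged, 0 if both files look sane.
audit_password_files() {
    dir=$1; rc=0
    for f in .storepass .keypass; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING   $f"; rc=1; continue
        fi
        if is_default_password "$dir/$f"; then
            echo "DEFAULT   $f holds the clear-text default 'changeit'"; rc=1
        fi
        if has_untrimmed_whitespace "$dir/$f"; then
            echo "UNTRIMMED $f has surrounding whitespace or a newline"; rc=1
        fi
    done
    return $rc
}

# List keystore.jks with the trimmed .storepass value. The password reaches
# keytool through the environment (-storepass:env), so it never appears on
# the command line or in ps output.
list_keystore() {
    STOREPASS=$(read_password_file "$1/.storepass")
    export STOREPASS
    keytool -list -v -keystore "$1/keystore.jks" -storepass:env STOREPASS
}

# Usage: sh audit_am_keystore.sh /opt/openam/am
if [ -n "$1" ]; then
    audit_password_files "$1"
    list_keystore "$1"
fi
```

Run it against the configuration directory; a non-zero exit from audit_password_files means either file still holds the default or carries untrimmed bytes, and the keytool listing confirms whether the trimmed .storepass value actually opens the keystore.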