无法在Docker中更改用于验证通过WSO2 /TLS M进行的通信的SSL M证书
我在Docker3.0.0-centos7( link image)版本中运行WSO2 API-M。
我尝试更改由WSO2应用编程接口-M公开的证书,我遵循此tutorial。
首先,我在API-M的现有keystore /wso2am-3.0.0/repository/resources/security/wso2carbon.jks中生成了密钥对:
keytool -genkeypair -dname "cn=wso2carbon.com" -alias wso2apim -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon显示此证书:
[wso2carbon@4ef6e35bf497 security]$ keytool -list -v -alias wso2apim -keystore wso2carbon.jks
Enter keystore password:
Alias name: wso2apim
Creation date: Jan 15, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=wso2carbon.com
Issuer: CN=wso2carbon.com
Serial number: 3ad5ca3b
Valid from: Wed Jan 15 04:13:03 UTC 2020 until: Tue Apr 14 04:13:03 UTC 2020
Certificate fingerprints:
MD5: 99:CF:3B:0F:7D:31:9A:AB:05:E6:79:F7:B3:C7:35:21
SHA1: D9:26:2A:18:C6:31:64:DA:8E:71:61:B7:1D:5E:7E:31:73:A0:4A:4A
SHA256: B0:BE:74:BE:09:5C:48:79:39:B9:9A:B4:38:1F:30:36:ED:9D:5A:2E:01:DE:F5:C9:95:94:BF:33:E1:0F:39:9F
Signature algorithm name: SHA256withDSA
Subject Public Key Algorithm: 2048-bit DSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 01 39 89 99 D0 E3 6D E6 C8 1E CE 3B D3 33 39 EC .9....m....;.39.
0010: 38 E9 40 01 8.@.
]
]
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore wso2carbon.jks -destkeystore wso2carbon.jks -deststoretype pkcs12".然后,我更新了/home/wso2carbon/wso2am-3.0.0/repository/conf/tomcat/catalina-server.xml中的SSLHostConfig部分(将certificateKeyAlias从"wso2carbon“改为"wso2apim"):
<SSLHostConfig
protocols="+TLSv1,+TLSv1.1,+TLSv1.2"
truststorePassword="wso2carbon"
truststoreType="JKS"
truststoreFile="${carbon.home}/repository/resources/security/client-truststore.jks"
certificateVerification="false"
sslProtocol="TLS"
>
<Certificate
certificateKeystorePassword="wso2carbon"
certificateKeystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
certificateKeyAlias="wso2apim"
certificateKeystoreType="JKS"
certificateKeyPassword="wso2carbon"
/>
</SSLHostConfig>但是,在我重启容器API-M之后,这个配置没有被应用( certificateKeyAlias保持稳定的"wso2carbon"):
<SSLHostConfig
protocols="+TLSv1,+TLSv1.1,+TLSv1.2"
truststorePassword="wso2carbon"
truststoreType="JKS"
truststoreFile="${carbon.home}/repository/resources/security/client-truststore.jks"
certificateVerification="false"
sslProtocol="TLS"
>
<Certificate
certificateKeystorePassword="wso2carbon"
certificateKeystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
certificateKeyAlias="wso2carbon"
certificateKeystoreType="JKS"
certificateKeyPassword="wso2carbon"
/>
</SSLHostConfig>所以,我有没有做错什么呢?或者有一些关于这个配置的参考?
非常感谢。
回答 1
Stack Overflow用户
发布于 2020-01-15 14:51:56
WSO2在2019年发布了新的产品版本Q4,他们有一个新的配置模型。现在只有一个名为deployment.toml的文件,而不是更改repository/conf目录中的xml配置文件。所有的配置都应该在这个文件中完成。
配置模板文件驻留在wso2am-3.0.0/repository/resources/conf/templates/repository/conf/.中当您更新deployment.toml中的配置时,将根据模板应用这些更改,并将这些更改复制到wso2am-3.0.0/repository/conf位置。这就是为什么您的更改被覆盖的原因。
要更新证书的别名,可以在deployment.toml文件中添加以下配置。可以在repository/conf位置找到该文件。
[transport.https.sslHostConfig.certificate.properties]
certificateKeyAlias = "wso2apim"欲了解更多信息,请访问https://is.docs.wso2.com/en/next/administer/configuring-keystores-in-wso2-products/。
https://stackoverflow.com/questions/59745116
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号