Cannot change the WSO2 API-M certificate so that communication over SSL/TLS in Docker can be verified


I am running WSO2 API-M in Docker, version 3.0.0-centos7.

I tried to change the certificate that WSO2 API-M exposes, and I followed these steps.

First, I generated a key pair in API-M's existing keystore wso2am-3.0.0/repository/resources/security/wso2carbon.jks:

keytool -genkeypair -dname "cn=wso2carbon.com" -alias wso2apim -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon
This produced the following certificate:

[wso2carbon@4ef6e35bf497 security]$ keytool -list -v -alias wso2apim -keystore wso2carbon.jks
Enter keystore password:
Alias name: wso2apim
Creation date: Jan 15, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=wso2carbon.com
Issuer: CN=wso2carbon.com
Serial number: 3ad5ca3b
Valid from: Wed Jan 15 04:13:03 UTC 2020 until: Tue Apr 14 04:13:03 UTC 2020
Certificate fingerprints:
         MD5:  99:CF:3B:0F:7D:31:9A:AB:05:E6:79:F7:B3:C7:35:21
         SHA1: D9:26:2A:18:C6:31:64:DA:8E:71:61:B7:1D:5E:7E:31:73:A0:4A:4A
         SHA256: B0:BE:74:BE:09:5C:48:79:39:B9:9A:B4:38:1F:30:36:ED:9D:5A:2E:01:DE:F5:C9:95:94:BF:33:E1:0F:39:9F
Signature algorithm name: SHA256withDSA
Subject Public Key Algorithm: 2048-bit DSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 01 39 89 99 D0 E3 6D E6   C8 1E CE 3B D3 33 39 EC  .9....m....;.39.
0010: 38 E9 40 01                                        8.@.
]
]


Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore wso2carbon.jks -destkeystore wso2carbon.jks -deststoretype pkcs12".
Then I updated the SSLHostConfig section in /home/wso2carbon/wso2am-3.0.0/repository/conf/tomcat/catalina-server.xml (changing certificateKeyAlias from "wso2carbon" to "wso2apim"):


However, after I restarted the API-M container this configuration was not applied (certificateKeyAlias stayed at "wso2carbon"):

<SSLHostConfig
        protocols="+TLSv1,+TLSv1.1,+TLSv1.2"
        truststorePassword="wso2carbon"
        truststoreType="JKS"
        truststoreFile="${carbon.home}/repository/resources/security/client-truststore.jks"
        certificateVerification="false"
        sslProtocol="TLS"
        >
    <Certificate
            certificateKeystorePassword="wso2carbon"
            certificateKeystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
            certificateKeyAlias="wso2carbon"
            certificateKeystoreType="JKS"
            certificateKeyPassword="wso2carbon"
    />
</SSLHostConfig>

So, could you please tell me which step I got wrong? Or is there a reference for this configuration?

Thank you very much.

WSO2 released new product versions in Q4 2019, and they come with a new configuration model. Instead of changing the XML configuration files in the repository/conf directory, there is now a file called deployment.toml. All configuration should be done in this file.

There are configuration template files residing in wso2am-3.0.0/repository/resources/conf/templates/repository/conf/. When you update a configuration in deployment.toml, the changes are applied based on these templates and copied to the wso2am-3.0.0/repository/conf location. That is why your changes were overwritten.

To update the alias of the certificate, you can add the following configuration to the deployment.toml file, which is located in repository/conf:

[transport.https.sslHostConfig.certificate.properties]
certificateKeyAlias = "wso2apim"

For more information, please refer to

Unfortunately, there is no deployment.toml in wso2am-3.0.0/repository/resources/conf/templates/repository/conf/. All the files there are: api-manager.xml.j2, axis2, carbon.properties.j2, carbon.xml.j2, approvement-mgt-config.xml.j2, data-bridge, datasources, etc, event-processor.xml.j2, hazelcast.properties.j2, health-check-config.xml.j2, identity, jndi.properties.j2, listenerprofiles.xml.j2, output-event-adapters.xml.j2, passthru-http.properties.j2, registry.xml.j2, registry_TM.xml.j2, security, sslprofiles.xml.j2, synapse-handlers.xml.j2, synapse.properties.j2, tomcat, user-mgt.xml.j2, wso2-log-masking.properties.j2. So if I need to change the keystore, which properties do I need to configure in the deployment.toml file?

You can find the deployment.toml file in the repository/conf location.

A better solution is to use the [keystore.tls] section of the default deployment.toml: alias="yourAlias".
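A worked version of the procedure the answer and the last comment describe, added here as an example (it is not code from the question, the answers, or WSO2). It generates the new server key pair with an explicit key algorithm, confirms from the keytool listing that the alias really is a private-key entry, and rewrites only the alias line inside the [keystore.tls] table of deployment.toml so the template renderer picks it up on the next start. Two things differ from the question on purpose: the question's keytool command omitted -keyalg, and the listing it produced shows SHA256withDSA with a 2048-bit DSA key, which TLS 1.3 and mainstream browsers no longer negotiate, so -keyalg RSA is passed; and the script edits the existing [keystore.tls] table in place rather than appending a second one, because a duplicate table is a TOML parse error. The CARBON_HOME path, the wso2apim alias and the wso2carbon.com hostname are assumptions; the keys file_name, type, password, alias and key_password are the ones in the default deployment.toml shipped with API-M 3.x.

```shell
#!/bin/sh
# Added example; not code from the question, the answers, or WSO2.
# CARBON_HOME is an assumed location of an unpacked wso2am-3.0.0.
set -eu

CARBON_HOME="${CARBON_HOME:-/home/wso2carbon/wso2am-3.0.0}"
KEYSTORE="$CARBON_HOME/repository/resources/security/wso2carbon.jks"
TOML="$CARBON_HOME/repository/conf/deployment.toml"
STOREPASS="${STOREPASS:-wso2carbon}"   # product default; replace it in a real deployment

# Generate an RSA key pair under a new alias in the existing keystore.
# -keyalg is given explicitly: the question's command left it out, and older
# keytool versions then default to DSA, which TLS 1.3 and browsers reject.
generate_server_key() {            # $1 = alias, $2 = hostname used as the CN
  keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=$2" -alias "$1" -validity 365 \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Read `keytool -list -v` output on stdin and succeed only if the alias exists
# as a PrivateKeyEntry (a trustedCertEntry has no key and cannot serve TLS).
has_private_key_entry() {          # $1 = alias
  awk -v want="$1" '
    /^Alias name: / { current = substr($0, 13) }
    /^Entry type: / { if (current == want && $3 == "PrivateKeyEntry") found = 1 }
    END             { exit(found ? 0 : 1) }'
}

# Rewrite the alias line of the [keystore.tls] table only, leaving every other
# table (for example [keystore.primary]) untouched. Fails if that table has no
# alias line, so a silent no-op cannot slip through.
set_tls_alias() {                  # $1 = new alias; TOML on stdin, result on stdout
  awk -v alias="$1" '
    /^[[:space:]]*\[/ { in_tls = ($0 ~ /^[[:space:]]*\[keystore\.tls\][[:space:]]*$/) }
    in_tls && /^[[:space:]]*alias[[:space:]]*=/ {
      print "alias = \"" alias "\""; replaced = 1; next
    }
    { print }
    END { exit(replaced ? 0 : 1) }'
}

main() {
  generate_server_key wso2apim wso2carbon.com
  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    | has_private_key_entry wso2apim \
    || { echo "wso2apim is not a private-key entry in $KEYSTORE" >&2; exit 1; }
  if ! set_tls_alias wso2apim < "$TOML" > "$TOML.new"; then
    echo "no alias line under [keystore.tls] in $TOML" >&2
    rm -f "$TOML.new"
    exit 1
  fi
  mv "$TOML.new" "$TOML"
  echo "deployment.toml now selects alias wso2apim; restart API-M so the templates are re-rendered"
}

# Run the full procedure only when invoked as `sh swap-cert.sh apply`.
if [ "${1:-}" = "apply" ]; then main; fi
```

After the restart, the rendered repository/conf/tomcat/catalina-server.xml should show certificateKeyAlias="wso2apim"; if it still reads "wso2carbon", the deployment.toml edit did not take effect, which is the symptom the question describes. The default [keystore.tls] table also carries file_name, type, password and key_password, so when the new key lives in a different keystore file or uses a different password, those lines need the same treatment as the alias.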