我们如何在 WSO2 API Manager 3.2.0 中引用带证书链的密钥证书

问题描述

我创建了一个名为 wso2api.jks 的新证书。我还使用 keytool 将这些证书添加到 client-truststore.jks 中。我的新 wso2carbon.jks 看起来像这样：

keytool -list -v -keystore wso2carbon.jks
Enter keystore password:  Password@1

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

Alias name: wso2carbon
Creation date: Apr 23, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=xxxxxx, O=xxxxx, ST=gauteng, C=za
Issuer: CN=localhost, OU=xxxxxx, O=xxxxx, L=jhb, ST=gauteng, C=za
Serial number: xxxxx
Valid from: Fri Apr 23 13:29:39 CAT 2021 until: Thu Jul 22 13:29:39 CAT 2021
Certificate fingerprints:
         MD5:  56:0B:2A:0A:7C:97:DF:2E:3B:93:D3:87:C4:74:58:C6
         SHA1: 7A:19:FB:5E:AE:A0:92:BF:5E:69:16:CF:75:B7:83:25:71:E3:1F:33
         SHA256: 91:FD:67:9D:06:C2:BC:1B:99:72:37:D8:69:8F:65:7E:D3:F2:8E:45:91:3D:9E:13:2F:2E:2C:D8:F5:BC:BF:57
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 69 59 5B D8 6F B7 60 3B   0A 6D 55 51 59 3D 90 5B  iY[.o.`;.mUQY=.[
0010: 53 49 1E 2A                                        SI.*
]
]



*******************************************
*******************************************


Alias name: rho
Creation date: Apr 23, 2021
Entry type: trustedCertEntry

Owner: CN=xxxxxx, OU=xxxxxx, O=xxxxxx
Issuer: CN=xxxxxx, O=xxxxxx
Serial number: xxxxxx
Valid from: Fri Jun 06 15:02:24 CAT 2014 until: Mon Jun 03 15:02:24 CAT 2024
Certificate fingerprints:
         MD5:  73:7B:95:09:78:B7:BC:9A:6D:2F:A4:BB:E7:14:FC:4B
         SHA1: 1E:1B:56:6B:F6:CC:B5:E4:1A:C1:D3:2B:99:A3:C4:A2:9F:D1:79:61
         SHA256: 86:45:C2:10:25:2E:09:D9:BA:FB:FE:07:8A:24:9C:53:AB:C7:5F:17:D5:5E
         Signature algorithm name: SHA1withRSA
         Version: 3


*******************************************
*******************************************


Alias name: gamma
Creation date: Apr 23, 2021
Entry type: trustedCertEntry

Owner: CN=xxxxxx, OU=xxxxxx, O=xxxxxx, L=xxxxxx, ST=xxxxxx, C=xxxxxx
Issuer: CN=xxxxxx, OU=xxxxxx, O=xxxxxx, L=xxxxxx, ST=xxxxxx, C=xxxxxx
Serial number: xxxxxx
Valid from: Tue Apr 20 00:46:08 CAT 2021 until: Mon Jul 19 00:46:08 CAT 2021
Certificate fingerprints:
         MD5:  34:C1:89:6B:4D:1C:56:87:31:6F:B4:36:E4:25:6E:EB
         SHA1: 02:42:F8:18:D1:09:53:09:42:F6:42:2C:78:B9:23:F7:C8:6F:03:13
         SHA256: 21:7A:A8:5E:2D:D9:63:24:14:22:9C:8B:F6:02:10:17:6F:C6:48:3A:84:DE:C9:37:50:6F:94:47:4B:E5:45:EC
         Signature algorithm name: SHA1withDSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AA 46 98 02 DA 3B FD 46   A8 F1 82 1D D3 AF 59 13  .F...;.F......Y.
0010: BE C6 25 61                                        ..%a
]
]



*******************************************
*******************************************


Alias name: delta
Creation date: Apr 23, 2021
Entry type: trustedCertEntry

Owner: CN=xxxxxx, O=xxxxxx
Issuer: CN=xxxxxx, O=xxxxxx
Serial number: xxxxxx
Valid from: Wed Jul 18 13:27:15 CAT 2007 until: Sat Jul 15 13:27:15 CAT 2017
Certificate fingerprints:
         MD5:  86:D3:5B:09:83:CA:C0:A9:69:CE:20:DF:94:6F:A4:DC
         SHA1: C2:65:C8:09:36:CA:89:D4:09:31:B0:90:17:D9:43:3E:9F:F6:A4:2F
         SHA256: 23:82:82:F2:95:E2:09:09:C8:7A:78:07:09:91:12:7C:97:EC:08:7B:01:E3:1E:FC:2F:8D:11:2B:1D:15:4F:74
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B9 C1 34 70 81 8 09 4A   09 E7 79 1A C0 9E 19 A2  ..4p.&.J..y.....
0010: 6A 14 35 11                                        j.5.
]
[CN=xxxxxx, O=xxxxxx]
SerialNumber: [    xs1222baas]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B9 C1 34 70 81 26 BD 4A   1B E7 79 1A C0 9E 19 A2  ..4p.&.J..y.....
0010: 6A 14 35 11                                        j.5.
]
]

这就是我的 deployment.toml 的样子：

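# deployment.toml as posted for WSO2 API Manager 3.2.0. Review remarks are
# marked NOTE(review). The only active value changed is keystore.tls.alias;
# everything else is kept as posted.

[server]
hostname = "localhost"
node_ip = "127.0.0.1"
#offset=0
mode = "single" #single or ha
base_path = "${carbon.protocol}://${carbon.host}:${carbon.management.port}"
#discard_empty_caches = false
server_role = "default"

[super_admin]
# NOTE(review): these are the stock "admin"/"admin" credentials; change them
# before the management ports are reachable from anything but localhost.
username = "admin"
password = "admin"
create_admin_account = true

[user_store]
type = "database_unique_id"

[database.apim_db]
type = "h2"
url = "jdbc:h2:./repository/database/WSO2AM_DB;AUTO_SERVER=TRUE;DB_CLOSE_ON_EXIT=FALSE"
username = "wso2carbon"
password = "wso2carbon"

[database.shared_db]
type = "h2"
url = "jdbc:h2:./repository/database/WSO2SHARED_DB;DB_CLOSE_ON_EXIT=FALSE"
username = "wso2carbon"
password = "wso2carbon"

[keystore.tls]
# Keystore used to terminate TLS. `alias` must name a PrivateKeyEntry: in the
# keytool listing above the only PrivateKeyEntry is "wso2carbon"; "rho",
# "gamma" and "delta" are trustedCertEntry entries and carry no private key,
# so the original `alias = "rho"` cannot serve TLS.
# NOTE(review): the wso2carbon entry reports "Certificate chain length: 1",
# so only the leaf certificate is presented to clients. A chain is only sent
# when the issuing certificates are part of that PrivateKeyEntry itself; the
# separate trusted entries (rho/gamma/delta) are not used for that. The
# listing also shows "delta" valid only until Jul 2017 and "gamma" signed with
# SHA1withDSA — confirm these are really the intended chain members.
# NOTE(review): passwords are stored in plaintext here; WSO2 supports secure
# vault aliases for these fields.
file_name = "wso2carbon.jks"
type = "JKS"
password = "Password@1"
alias = "wso2carbon"
# Password of the private key entry; assumed equal to the keystore password as
# in the original — confirm against the keystore.
key_password = "Password@1"

# NOTE(review): the two commented keystores below point at "gamma" and "delta",
# which are trustedCertEntry entries (no private key) and would fail the same
# way if enabled. The "Passsword@1" typo in the original primary block is
# corrected here.
#[keystore.primary]
#file_name =  "wso2carbon.jks"
#type =  "JKS"
#password =  "Password@1"
#alias =  "gamma"
#key_password =  "Password@1"

#[keystore.internal]
#file_name =  "wso2carbon.jks"
#type =  "JKS"
#password =  "Password@1"
#alias =  "delta"
#key_password =  "Password@1"

[[apim.gateway.environment]]
name = "Production and Sandbox"
type = "hybrid"
display_in_api_console = true
description = "This is a hybrid gateway that handles both production and sandbox token traffic."
show_as_token_endpoint_url = true
service_url = "https://localhost:${mgt.transport.https.port}/services/"
username = "${admin.username}"
password = "${admin.password}"
ws_endpoint = "ws://localhost:9099"
wss_endpoint = "wss://localhost:8099"
http_endpoint = "http://localhost:${http.nio.port}"
https_endpoint = "https://localhost:${https.nio.port}"

#[apim.cache.gateway_token]
#enable = true
#expiry_time = "900s"

#[apim.cache.resource]
#enable = true
#expiry_time = "900s"

#[apim.cache.km_token]
#enable = false
#expiry_time = "15m"

#[apim.cache.recent_apis]
#enable = false

#[apim.cache.scopes]
#enable = true

#[apim.cache.publisher_roles]
#enable = true

#[apim.cache.jwt_claim]
#enable = true
#expiry_time = "15m"

#[apim.cache.tags]
#expiry_time = "2m"

#[apim.analytics]
#enable = false
#store_api_url = "https://localhost:7444"
#username = "$ref{super_admin.username}"
#password = "$ref{super_admin.password}"
#event_publisher_type = "default"
#event_publisher_impl = "org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataBridgeDataPublisher"
#publish_response_size = true

#[[apim.analytics.url_group]]
#analytics_url =["tcp://analytics1:7611","tcp://analytics2:7611"]
#analytics_auth_url =["ssl://analytics1:7711","ssl://analytics2:7711"]
#type = "loadbalance"

#[[apim.analytics.url_group]]
#analytics_url =["tcp://analytics1:7612","tcp://analytics2:7612"]
#analytics_auth_url =["ssl://analytics1:7712","ssl://analytics2:7712"]
#type = "failover"

#[apim.key_manager]
#service_url = "https://localhost:${mgt.transport.https.port}/services/"
#username = "$ref{super_admin.username}"
#password = "$ref{super_admin.password}"
#pool.init_idle_capacity = 50
#pool.max_idle = 100
#key_validation_handler_type = "default"
#key_validation_handler_type = "custom"
#key_validation_handler_impl = "org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler"

#[apim.idp]
#server_url = "https://localhost:${mgt.transport.https.port}"
#authorize_endpoint = "https://localhost:${mgt.transport.https.port}/oauth2/authorize"
#oidc_logout_endpoint = "https://localhost:${mgt.transport.https.port}/oidc/logout"
#oidc_check_session_endpoint = "https://localhost:${mgt.transport.https.port}/oidc/checksession"

#[apim.jwt]
#enable = true
#encoding = "base64" # base64,base64url
#generator_impl = "org.wso2.carbon.apimgt.keymgt.token.JWTGenerator"
#claim_dialect = "http://wso2.org/claims"
#convert_dialect = false
#header = "X-JWT-Assertion"
#signing_algorithm = "SHA256withRSA"
#enable_user_claims = true
#claims_extractor_impl = "org.wso2.carbon.apimgt.impl.token.ExtendedDefaultClaimsRetriever"

#[apim.oauth_config]
#enable_outbound_auth_header = false
#auth_header = "Authorization"
#revoke_endpoint = "https://localhost:${https.nio.port}/revoke"
#enable_token_encryption = false
#enable_token_hashing = false

#[apim.devportal]
#url = "https://localhost:${mgt.transport.https.port}/devportal"
#enable_application_sharing = false
#if application_sharing_type, application_sharing_impl both defined priority goes to application_sharing_impl
#application_sharing_type = "default" #changed type, saml, default #todo: check the new config for rest api
#application_sharing_impl = "org.wso2.carbon.apimgt.impl.SAMLGroupIDExtractorImpl"
#display_multiple_versions = false
#display_deprecated_apis = false
#enable_comments = true
#enable_ratings = true
#enable_forum = true
#enable_anonymous_mode=true

[apim.cors]
# Wildcard origin is acceptable only while allow_credentials stays false;
# do not enable credentials without narrowing allow_origins.
allow_origins = "*"
allow_methods = ["GET","PUT","POST","DELETE","PATCH","OPTIONS"]
allow_headers = ["authorization","Access-Control-Allow-Origin","Content-Type","SOAPAction","apikey", "testKey"]
allow_credentials = false

#[apim.throttling]
#enable_data_publishing = true
#enable_policy_deploy = true
#enable_blacklist_condition = true
#enable_persistence = true
#throttle_decision_endpoints = ["tcp://localhost:5672","tcp://localhost:5672"]

#[apim.throttling.blacklist_condition]
#start_delay = "5m"
#period = "1h"

#[apim.throttling.jms]
#start_delay = "5m"

#[apim.throttling.event_sync]
#hostName = "0.0.0.0"
#port = 11224

#[apim.throttling.event_management]
#hostName = "0.0.0.0"
#port = 10005

[[apim.throttling.url_group]]
traffic_manager_urls = ["tcp://localhost:9611","tcp://localhost:9611"]
traffic_manager_auth_urls = ["ssl://localhost:9711","ssl://localhost:9711"]
type = "loadbalance"

#[[apim.throttling.url_group]]
#traffic_manager_urls = ["tcp://localhost:9611","tcp://localhost:9611"]
#traffic_manager_auth_urls = ["ssl://localhost:9711","ssl://localhost:9711"]
#type = "failover"

#[apim.workflow]
#enable = false
#service_url = "https://localhost:9445/bpmn"
#username = "$ref{super_admin.username}"
#password = "$ref{super_admin.password}"
#callback_endpoint = "https://localhost:${mgt.transport.https.port}/api/am/admin/v0.17/workflows/update-workflow-status"
#token_endpoint = "https://localhost:${https.nio.port}/token"
#client_registration_endpoint = "https://localhost:${mgt.transport.https.port}/client-registration/v0.17/register"
#client_registration_username = "$ref{super_admin.username}"
#client_registration_password = "$ref{super_admin.password}"

#data bridge config
# NOTE(review): if this block is ever enabled, prune the legacy entries first —
# TLSv1/TLSv1.1 and the RC4/MD5 cipher suites listed below are deprecated.
#[transport.receiver]
#type = "binary"
#worker_threads = 10
#session_timeout = "30m"
#keystore.file_name = "$ref{keystore.tls.file_name}"
#keystore.password = "$ref{keystore.tls.password}"
#tcp_port = 9611
#ssl_port = 9711
#ssl_receiver_thread_pool_size = 100
#tcp_receiver_thread_pool_size = 100
#ssl_enabled_protocols = ["TLSv1","TLSv1.1","TLSv1.2"]
#ciphers = ["SSL_RSA_WITH_RC4_128_MD5","SSL_RSA_WITH_RC4_128_SHA"]

#[apim.notification]
#from_address = "APIM.com"
#username = "APIM"
#password = "APIM+123"
#hostname = "localhost"
#port = 3025
#enable_start_tls = false
#enable_authentication = true

#[apim.token.revocation]
#notifier_impl = "org.wso2.carbon.apimgt.keymgt.events.TokenRevocationNotifierImpl"
#enable_realtime_notifier = true
#realtime_notifier.ttl = 5000
#enable_persistent_notifier = true
#persistent_notifier.hostname = "https://localhost:2379/v2/keys/jti/"
#persistent_notifier.ttl = 5000
#persistent_notifier.username = "root"
#persistent_notifier.password = "root"

[[event_handler]]
name = "userPostSelfRegistration"
subscriptions = ["POST_ADD_USER"]

[service_provider]
sp_name_regex = "^[\\sa-zA-Z0-9._-]*$"

[database.local]
url = "jdbc:h2:./repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE"

[[event_listener]]
id = "token_revocation"
type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"
name = "org.wso2.is.notification.ApimOauthEventInterceptor"
order = 1
# Sub-table of the event_listener element above.
[event_listener.properties]
notification_endpoint = "https://localhost:${mgt.transport.https.port}/internal/data/v1/notify"
username = "${admin.username}"
password = "${admin.password}"
# Quoted key on purpose: it is the single key "header.X-WSO2-KEY-MANAGER",
# not a nested table.
'header.X-WSO2-KEY-MANAGER' = "default"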

根据我阅读的信息，我需要在 deployment.toml 文件中引用 wso2carbon.jks 中新的证书链，但问题是我不知道该怎么做。有什么建议吗？

标签: ssl, wso2, wso2-am, wso2carbon, wso2-appm

解决方案

