From: Duarte S. <dua...@se...> - 2013-04-17 05:25:00
No, the problem was that it wasn't the default password (foo123), at least
not for the root CA and sub CA used to sign the certificates. The conf
directory only had the sample files (remember that the system was installed
as a PoC but in the end was used in production pffffff). For the more
curious, the password used was 05813... I don't even know where that comes
from :P

Later I figured out that I was lucky that the CAs were in auto activation,
otherwise when I restarted JBoss the password would have been lost. I could
also have checked the database for the PIN'ed password (I don't know where
it is saved though) but in the end, I still would have to deobfuscate it.

I will propose to management that in the new system, the administration CA
is the only one that will use the password on file; the signing CA and sub
CA will each use a different password that will be stored in a vault, and
they won't be in auto activation mode. If for some reason the physical
server or JBoss gets restarted, a recovery process will have to be followed
where access to the passwords/CAs needs to be approved. If the server gets
owned they will still have to use it to create fake certs (unless they know
what to search for in the process memory) instead of just extracting the
CAs and using them externally. It's about time to harden things up :)

On 17 Apr 2013 00:41, "Tomas Gustavsson" <to...@pr...> wrote:
>
> An impressive demonstration of java skills!
>
> You were probably using the default keystore password.
> So the other, even simpler option, would have been to look in the file
> conf/ejbca.properties, where it is configured :-)
>
> If you require non-configured passwords in the future you can use CA
> passwords that are not configured in any file, so you have to activate
> your CAs manually with a password if you restart JBoss.
>
> I hope you will consider contributing to EJBCA in the future, people
> with debugging skills are always needed :-)
>
> Cheers,
> Tomas
>
> On 04/17/2013 12:46 AM, Duarte Silva wrote:
> > I was able to recover the CA keystore password
> >
> > I downloaded the source code for EJBCA version 3.8.0 and after grep'ing
> > around I found the function loadKeystore(..., String keystorepass) in
> > the class SoftCAToken.
> >
> > Then I decided to import the code into Eclipse, start JBoss in debug
> > mode with the Eclipse debugger attached, a breakpoint in that function
> > and bam, instant password recovery!!
> >
> > In the end the password itself would be easily cracked by a brute-force
> > attack, but the way I did it has so much more style eheheh :P
> >
> > Best regards,
> > Duarte Silva
> >
> >
> > On Tuesday 16 April 2013 08:41:00 Tomas Gustavsson wrote:
> >> There are always alternatives...
> >>
> >> I think you have many options depending on how much you know about
> >> databases, or java programming etc. And how much time/money you want to
> >> spend.
> >>
> >> If you want to migrate to another database:
> >>
> >> You can write a program to export database contents and import into
> >> another database. You can find HSQLDB tools (don't know if there are
> >> any?) to SQL dump the database contents to import into another database.
> >> Or you can export the CAs and individual certificates to file (if not
> >> too many) and import it all in a new installation using the EJBCA CLI.
> >>
> >> PrimeKey has some tools for the common criteria certified version of
> >> EJBCA, EJBCA 5, that can be used to migrate between databases.
> >>
> >> Cheers,
> >> Tomas
> >>
> >> On 04/15/2013 09:28 PM, Duarte Silva wrote:
> >>> Hi David,
> >>>
> >>> the answer I was afraid of, especially because the older version
> >>> installation is using an HSQLDB.
> >>> There aren't any passwords defined in the config files and it's been a
> >>> long time, I don't even remember what I ate yesterday :|
> >>>
> >>> Is there an alternative way of exporting every CA and bulk export the
> >>> entities to then re-import them in the new installation?
> >>>
> >>>
> >>> Best regards,
> >>> Duarte Silva
> >>>
> >>> On Monday 15 April 2013 14:51:00 David CARELLA wrote:
> >>>> Hi Duarte,
> >>>>
> >>>> You can see the documentation in EJBCA_HOME/doc/RELEASE_NOTES and
> >>>> UPGRADE for information about upgrading from an earlier version of
> >>>> EJBCA.
> >>>>
> >>>> To upgrade from 3.8.0, you will need to upgrade from 3.8.0 to 3.11.x,
> >>>> then from 3.11.x to 4.0.14.
> >>>>
> >>>> Cheers,
> >>>> David Carella
> >>>>
> >>>> On 04/15/2013 01:48 PM, Duarte Silva wrote:
> >>>>> Hi all,
> >>>>>
> >>>>> I have been using EJBCA since 2008, it is an old version (3.8.0) and
> >>>>> at the time the way the installation was done wasn't the smartest.
> >>>>> Now I'm trying to migrate the old system to the new version of EJBCA.
> >>>>>
> >>>>> I have installed the new version in a proper manner (with an actual
> >>>>> database and so on) on a different machine and I'm now trying to
> >>>>> migrate the CAs and Entities to the newly created system.
> >>>>>
> >>>>> What's the best approach to do this migration?
> >>>>>
> >>>>> Thanks in advance,
> >>>>> Duarte Silva
> >>>>>
> >>>>> ------------------------------------------------------------------------------
> >>>>> Precog is a next-generation analytics platform capable of advanced
> >>>>> analytics on semi-structured data. The platform includes APIs for
> >>>>> building apps and a phenomenal toolset for data science. Developers can
> >>>>> use our toolset for easy data analysis & visualization. Get a free
> >>>>> account!
> >>>>> http://www2.precog.com/precogplatform/slashdotnewsletter
> >>>>> _______________________________________________
> >>>>> Ejbca-develop mailing list
> >>>>> Ejb...@li...
> >>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
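An added example, not EJBCA code and not posted by anyone in this thread, to back up the remark above that a password like 05813 "would be easily cracked by a brute-force attack". It builds a PKCS#12 keystore in memory under a constructed 5-digit store password and then recovers that password from the keystore bytes alone by walking a candidate list, which is exactly the position of an attacker who has exported a soft CA token from the database. Only the JDK is used; the class and method names, the sample password, the AES key standing in for CA key material and the candidate list are assumptions made for the demo (foo123 is the sample default named in the thread).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/*
 * Added example, not EJBCA code. Recovers a weak PKCS#12 store password from
 * the keystore bytes by trying candidates; names and sample data are assumed.
 */
public class KeystorePasswordCheck {

    /** Builds a PKCS#12 keystore in memory with one AES key, protected by storePass. */
    static byte[] buildSampleKeystore(char[] storePass)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                               // start from an empty keystore
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();                  // stands in for the CA key material
        ks.setEntry("caKey", new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(storePass));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);                          // integrity MAC is keyed from storePass
        return out.toByteArray();
    }

    /** True if candidate verifies the keystore MAC, i.e. it is the store password. */
    static boolean opens(byte[] keystoreBytes, char[] candidate)
            throws GeneralSecurityException {
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new ByteArrayInputStream(keystoreBytes), candidate);
            return true;
        } catch (IOException e) {
            // The JDK signals a wrong password as IOException caused by
            // UnrecoverableKeyException; anything else means the bytes are not a keystore.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return false;
            }
            throw new GeneralSecurityException("keystore is not readable", e);
        }
    }

    /** Returns the first candidate that opens the keystore, or null if none does. */
    static String recoverPassword(byte[] keystoreBytes, Iterable<String> candidates)
            throws GeneralSecurityException {
        for (String c : candidates) {
            char[] chars = c.toCharArray();
            try {
                if (opens(keystoreBytes, chars)) {
                    return c;
                }
            } finally {
                Arrays.fill(chars, '\0');   // wipe the char[] copy once it has been tried
            }
        }
        return null;
    }

    /** Constructed candidate list: the EJBCA sample default, then every number of the given width. */
    static List<String> digitCandidates(int digits) {
        List<String> out = new ArrayList<>();
        out.add("foo123");
        int limit = (int) Math.pow(10, digits);
        for (int i = 0; i < limit; i++) {
            out.add(String.format("%0" + digits + "d", i));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a 5-digit store password like the one recovered in the thread.
        char[] realPass = "05813".toCharArray();
        byte[] exfiltrated = buildSampleKeystore(realPass);
        Arrays.fill(realPass, '\0');                       // the attacker never sees this value

        long t0 = System.nanoTime();
        String found = recoverPassword(exfiltrated, digitCandidates(5));
        long ms = (System.nanoTime() - t0) / 1_000_000;
        System.out.println("recovered store password: " + found + " in " + ms + " ms");
    }
}
```

Compile and run with `javac KeystorePasswordCheck.java && java KeystorePasswordCheck`; the search hits the right value after roughly 5800 tries. The only cost per try is one PKCS#12 MAC key derivation, so a password drawn from a few thousand possibilities does not protect an exported token no matter which iteration count the JDK applies. Two caveats that follow from the thread: the debugger route works because `KeyStore.load` receives the password as a plain `char[]`, so a JBoss left running with its debug agent enabled (`-agentlib:jdwp=...`) hands every token password to anyone who can reach that port; and a strong, non-configured password with manual activation protects a keystore at rest and in a database dump, but not key material that is already loaded into the running process.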