1
votes

After running the ciphertool.bat or ciphertool.sh script in the bin directory of WSO2 Identity server, the next time the server is started up, you are presented with a prompt that asks you for the keystore and private key password used to configure the WSO2 secure vault. Example:

C:\Program Files\WSO2\Identity Server\5.7.0\bin>wso2server.bat --start
JAVA_HOME environment variable is set to C:\Program Files\Java\jdk1.8.0_181
CARBON_HOME environment variable is set to C:\PROGRA~1\WSO2\IDENTI~1\570D0D~1.0\bin\..
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
[Enter KeyStore and Private Key Password :]

I have a WSO2 identity server instance that is running in a Docker container. My passwords are encrypted so I need to provide a keystore/private key password on startup.

This presents an issue though:

I have to run my docker container with the -it flag in order to create an active bash shell in the container that allows me to type in the keystore and private key password. My docker run command looks like this: docker run -p 443:443 -it wso2-test. If I don't include the -it flag, WSO2 IS will never ask for the password and the passwords won't get resolved, causing everything to fail.

I don't want to use the -it flag because it forces user input and I'd like the containers to run independently.

In order to keep things as automated as possible, I want to provide the keystore and private key password right away when I run the wso2server.sh script (which is the entrypoint of my Dockerfile), rather than when the prompt is presented. Is this possible?

Ideally, a solution would have a Dockerfile entrypoint that looks something like this:

ENTRYPOINT ["wso2server.sh", "run", "KEYSTORE_PASSWORD"]

I tried this using two wso2is-5.7.0 packs. I ran ciphertool.sh -Dconfigure in one pack (say A) and copied secret-conf.properties to the other one (say B). Then I tried to start B, and it asked for the KeyStore and Private Key Password. Therefore please check again whether you have correctly copied secret-conf.properties to the Dockerized implementation from the other pack in which you ran ciphertool.sh -Dconfigure. – Sajith
Thanks Sajith. The actual issue was that the docker container wouldn't allow user input unless the -it flag was added. With the -it flag, it works as expected. However, I want to be able to provide the password when I run the docker run command rather than having to give user input after the docker run command is run. I have updated the question to reflect the new issue. – stanaka
What about using password-persist.txt or password-tmp.txt as described in the doc below? docs.wso2.com/display/Carbon440/Resolving+Encrypted+Passwords – Sajith
I don't see a daemon.sh or daemon.bat in my WSO2 bin folder. I am running v5.7.0. Am I missing something? Also, the WSO2 documentation reads daemon. sh wso2server.sh -start; I assume that is supposed to be daemon.sh wso2server.sh -start (no space). EDIT: I do see forgetme.sh and forgetme.bin. Is that what I am supposed to be using? – stanaka
Nevermind, I see that the "forgetme" scripts are used for something else. I still can't find the daemon.sh script, however. – stanaka

1 Answer

5
votes

You should pass the keystore password as an environment variable to the docker run command.

docker run -e KEY_STORE_PASSWORD=wso2carbon secvault-test:latest

This environment variable should be read by the ENTRYPOINT command and written into a file named password-tmp under the $PRODUCT_HOME directory. Here's a sample Dockerfile with ENTRYPOINT:

$> cat Dockerfile

FROM ubuntu:16.04

RUN mkdir /opt/wso2is
WORKDIR /opt/wso2is
# The original answer omits copying the product pack and a JDK into /opt/wso2is;
# the start script is expected at /opt/wso2is/bin/wso2server.sh.

# Write password-tmp into the product home (the WORKDIR), quoting the variable so
# whitespace survives, then exec the server so the JVM runs as PID 1 and gets signals.
ENTRYPOINT ["/bin/sh", "-c", "printf '%s\\n' \"$KEY_STORE_PASSWORD\" > password-tmp && exec bin/wso2server.sh run"]

Security check:

Since the password is not baked into the docker image, we can safely push the image to a registry. Further, you'll need to enter the environment variable whenever you spin up a new container. Note that the environment variables of the containers are visible via the docker inspect command.
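The following entrypoint script is an added example; it is not part of the original answer and not one of WSO2's own scripts. It follows the same password-tmp mechanism the answer uses but addresses the docker inspect caveat: when a secret file is mounted (Docker Swarm and Compose secrets land under /run/secrets) it reads the password from there instead of the environment, falls back to KEY_STORE_PASSWORD only if no file is given, writes password-tmp with mode 0600 into the product home, and clears the plaintext from the process environment before exec'ing wso2server.sh. The variable name KEY_STORE_PASSWORD_FILE, the default CARBON_HOME of /opt/wso2is and the path of the start script are assumptions, not something the page states.

```shell
#!/bin/sh
# entrypoint.sh: added example, not the original answer's code or a WSO2 script.
# Assumed layout (not from the page): product pack unpacked at CARBON_HOME
# (default /opt/wso2is), start script at $CARBON_HOME/bin/wso2server.sh, and the
# secret supplied either as a file named by KEY_STORE_PASSWORD_FILE (e.g. a Docker
# secret at /run/secrets/keystore_password) or, as a fallback, in KEY_STORE_PASSWORD.
set -eu

CARBON_HOME="${CARBON_HOME:-/opt/wso2is}"

# Resolve the keystore password. A mounted secret file is preferred over an
# environment variable because environment variables are visible through
# `docker inspect` and /proc/<pid>/environ. Prints the password; returns 1 if
# neither source is configured.
read_keystore_password() {
  if [ -n "${KEY_STORE_PASSWORD_FILE:-}" ]; then
    # Take the first line only, so a trailing newline from `echo pw | docker secret create`
    # does not end up inside the password.
    head -n 1 "$KEY_STORE_PASSWORD_FILE"
  elif [ -n "${KEY_STORE_PASSWORD:-}" ]; then
    printf '%s\n' "$KEY_STORE_PASSWORD"
  else
    echo "keystore password not provided: set KEY_STORE_PASSWORD_FILE or KEY_STORE_PASSWORD" >&2
    return 1
  fi
}

# Write the password to <dir>/password-tmp, the file WSO2 Carbon reads once at
# startup and then deletes. The file is created under umask 077 (mode 0600) so
# other users inside the container cannot read it before the server consumes it.
# Prints the path of the written file.
write_password_tmp() {
  dir="$1"
  password="$2"
  target="$dir/password-tmp"
  rm -f "$target"
  ( umask 077 && printf '%s\n' "$password" > "$target" )
  echo "$target"
}

# Octal permission bits of a file; works with both GNU and BSD stat.
file_mode() {
  if stat -c '%a' "$1" >/dev/null 2>&1; then
    stat -c '%a' "$1"
  else
    stat -f '%Lp' "$1"
  fi
}

# Stage the password and replace this shell with the server process.
launch_server() {
  pw="$(read_keystore_password)"
  write_password_tmp "$CARBON_HOME" "$pw" >/dev/null
  # Drop the plaintext from the environment before exec so the JVM's own
  # /proc/<pid>/environ does not carry it.
  unset KEY_STORE_PASSWORD pw
  exec "$CARBON_HOME/bin/wso2server.sh" "$@"
}

# Only launch when invoked with a server command, e.g.
#   ENTRYPOINT ["/opt/wso2is/entrypoint.sh", "run"]
case "${1:-}" in
  run|start) launch_server "$@" ;;
esac
```

With the script installed as /opt/wso2is/entrypoint.sh, a local test run can mount the secret read-only instead of passing it in the environment: docker run --mount type=bind,source="$PWD/keystore_password",target=/run/secrets/keystore_password,readonly -e KEY_STORE_PASSWORD_FILE=/run/secrets/keystore_password -p 443:443 wso2-test. Under Swarm or Compose the same file is provided by a declared secret, so the plaintext never appears in docker inspect output. Note that password-tmp still exists on the container filesystem for the moment between the entrypoint writing it and the server reading and deleting it, which is why the example restricts its mode; password-persist, by contrast, is kept across restarts and should be avoided in images that may be committed or exported.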