Author: lmccay
Date: Mon Dec  8 16:58:43 2014
New Revision: 1643865

URL: http://svn.apache.org/r1643865
Log:
KNOX-477 - better docs for certificate management

Modified:
    knox/site/books/knox-0-4-0/deployment-overview.png
    knox/site/books/knox-0-4-0/deployment-provider.png
    knox/site/books/knox-0-4-0/deployment-service.png
    knox/site/books/knox-0-4-0/runtime-overview.png
    knox/site/books/knox-0-4-0/runtime-request-processing.png
    knox/site/books/knox-0-5-0/deployment-overview.png
    knox/site/books/knox-0-5-0/deployment-provider.png
    knox/site/books/knox-0-5-0/deployment-service.png
    knox/site/books/knox-0-5-0/knox-0-5-0.html
    knox/site/books/knox-0-5-0/runtime-overview.png
    knox/site/books/knox-0-5-0/runtime-request-processing.png
    knox/site/books/knox-0-6-0/deployment-overview.png
    knox/site/books/knox-0-6-0/deployment-provider.png
    knox/site/books/knox-0-6-0/deployment-service.png
    knox/site/books/knox-0-6-0/runtime-overview.png
    knox/site/books/knox-0-6-0/runtime-request-processing.png
    knox/site/books/knox-0-6-0/user-guide.html
    knox/site/index.html
    knox/site/issue-tracking.html
    knox/site/license.html
    knox/site/mail-lists.html
    knox/site/project-info.html
    knox/site/team-list.html
    knox/trunk/books/0.5.0/config.md
    knox/trunk/books/0.6.0/config.md

Modified: knox/site/books/knox-0-4-0/deployment-overview.png
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-overview.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/deployment-provider.png
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-provider.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/deployment-service.png
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-service.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/runtime-overview.png
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-overview.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/runtime-request-processing.png
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-request-processing.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/deployment-overview.png
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-overview.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/deployment-provider.png
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-provider.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/deployment-service.png
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-service.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/knox-0-5-0.html
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/knox-0-5-0.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/books/knox-0-5-0/knox-0-5-0.html (original)
+++ knox/site/books/knox-0-5-0/knox-0-5-0.html Mon Dec  8 16:58:43 2014
@@ -448,16 +448,18 @@ ip-10-39-107-209.ec2.internal
   <li>Using a single gateway instance as a master instance the artifacts can 
be generated or placed into the expected location and then replicated across 
all of the slave instances before startup.</li>
   <li>Using an NFS mount as a central location for the artifacts would provide 
a single source of truth without the need to replicate them over the network. 
Of course, NFS mounts have their own challenges.</li>
   <li>Using the KnoxCLI to create and manage the security artifacts.</li>
-</ol><p>See the Knox CLI section for descriptions of the command line utilties 
related to the security artifact management.</p><h4><a 
id="Keystores"></a>Keystores</h4><p>In order to provide your own certificate 
for use by the gateway, you will need to either import an existing key pair 
into a Java keystore or generate a self-signed cert using the Java 
keytool.</p><h5><a id="Importing+a+key+pair+into+a+Java+keystore"></a>Importing 
a key pair into a Java keystore</h5><p>One way to accomplish this is to start 
with a PKCS12 store for your key pair and then convert it to a Java keystore or 
JKS.</p>
+</ol><p>See the Knox CLI section for descriptions of the command line utilties 
related to the security artifact management.</p><h4><a 
id="Keystores"></a>Keystores</h4><p>In order to provide your own certificate 
for use by the gateway, you will need to either import an existing key pair 
into a Java keystore or generate a self-signed cert using the Java 
keytool.</p><h5><a id="Importing+a+key+pair+into+a+Java+keystore"></a>Importing 
a key pair into a Java keystore</h5><p>One way to accomplish this is to start 
with a PKCS12 store for your key pair and then convert it to a Java keystore or 
JKS.</p><p>The following example uses openssl to create a PKCS12 encoded store 
from your provided certificate and private key that are in PEM format.</p>
 <pre><code>openssl pkcs12 -export -in cert.pem -inkey key.pem &gt; server.p12
-</code></pre><p>The above example uses openssl to create a PKCS12 encoded 
store for your provided certificate private key.</p>
+</code></pre><p>The next example converts the PKCS12 store into a Java 
keystore (JKS). It should prompt you for the keystore and key passwords for the 
destination keystore. You must use the master-secret for the keystore password 
and keep track of the password that you use for the key passphrase.</p>
 <pre><code>keytool -importkeystore -srckeystore {server.p12} -destkeystore 
gateway.jks -srcstoretype pkcs12
-</code></pre><p>This example converts the PKCS12 store into a Java keystore 
(JKS). It should prompt you for the keystore and key passwords for the 
destination keystore. You must use the master-secret for both.</p><p>While 
using this approach a couple of important things to be aware of:</p>
+</code></pre><p>While using this approach a couple of important things to be 
aware of:</p>
 <ol>
-  <li>the alias MUST be &ldquo;gateway-identity&rdquo;</li>
-  <li>the name of the expected identity keystore for the gateway MUST be 
gateway.jks</li>
-  <li>the passwords for the keystore and the imported key may both be set to 
the master secret for the gateway install</li>
-</ol><p>NOTE: The password for the keystore as well as that of the imported 
key may be the master secret for the gateway instance or you may set the 
gateway-identity-passphrase alias using the Knox CLI to the actual key 
passphrase. See the Knox CLI section for details.</p><h5><a 
id="Generating+a+self-signed+cert+for+use+in+testing+or+development+environments"></a>Generating
 a self-signed cert for use in testing or development environments</h5>
+  <li><p>the alias MUST be &ldquo;gateway-identity&rdquo;. You may need to 
change it using keytool after the import of the PKCS12 store. You can use 
keytool to do this - for example:</p><p>keytool -changealias -alias 
&ldquo;1&rdquo; -destalias &ldquo;gateway-identity&rdquo; -keystore gateway.jks 
-storepass {knoxpw}</p></li>
+  <li><p>the name of the expected identity keystore for the gateway MUST be 
gateway.jks</p></li>
+  <li><p>the passwords for the keystore and the imported key may both be set 
to the master secret for the gateway install. You can change the key passphrase 
after import using keytool as well. You may need to do this in order to 
provision the password in the credential store as described later in this 
section. For example:</p><p>keytool -keypasswd -alias gateway-identity 
-keystore gateway.jks</p></li>
+</ol><p>NOTE: The password for the keystore as well as that of the imported 
key may be the master secret for the gateway instance or you may set the 
gateway-identity-passphrase alias using the Knox CLI to the actual key 
passphrase. See the Knox CLI section for details.</p><p>The following will 
allow you to provision the passphrase for the private key that you set during 
keystore creation above - it will prompt you for the actual passphrase.</p>
+<pre><code>bin/knoxcli.sh create-alias gateway-identity-passphrase
+</code></pre><h5><a 
id="Generating+a+self-signed+cert+for+use+in+testing+or+development+environments"></a>Generating
 a self-signed cert for use in testing or development environments</h5>
 <pre><code>keytool -genkey -keyalg RSA -alias gateway-identity -keystore 
gateway.jks \
     -storepass {master-secret} -validity 360 -keysize 2048
 </code></pre><p>Keytool will prompt you for a number of elements used will 
comprise the distiniguished name (DN) within your certificate. 
</p><p><em>NOTE:</em> When it prompts you for your First and Last name be sure 
to type in the hostname of the machine that your gateway instance will be 
running on. This is used by clients during hostname verification to ensure that 
the presented certificate matches the hostname that was used in the URL for the 
connection - so they need to match.</p><p><em>NOTE:</em> When it prompts for 
the key password just press enter to ensure that it is the same as the keystore 
password. Which as was described earlier must match the master secret for the 
gateway instance. Alternatively, you can set it to another passphrase - take 
note of it and set the gateway-identity-passphrase alias to that passphrase 
using the Knox CLI.</p><p>See the Knox CLI section for descriptions of the 
command line utilties related to the management of the keystores.</p><h5><a 
id="Cre
 dential+Store"></a>Credential Store</h5><p>Whenever you provide your own 
keystore with either a self-signed cert or an issued certificate signed by a 
trusted authority, you will need to set an alias for the 
gateway-identity-passphrase or create an empty credential store. This is 
necessary for the current release in order for the system to determine the 
correct password for the keystore and the key.</p><p>The credential stores in 
Knox use the JCEKS keystore type as it allows for the storage of general 
secrets in addition to certificates.</p><p>Keytool may be used to create 
credential stores but the Knox CLI section details how to create aliases. These 
aliases are managed within credential stores which are created by the CLI as 
needed. The simplest approach is to create the gateway-identity-passpharse 
alias with the Knox CLI. This will create the credential store if it 
doesn&rsquo;t already exist and add the key passphrase.</p><p>See the Knox CLI 
section for descriptions of the comman
 d line utilties related to the management of the credential stores.</p><h5><a 
id="Provisioning+of+Keystores"></a>Provisioning of Keystores</h5><p>Once you 
have created these keystores you must move them into place for the gateway to 
discover them and use them to represent its identity for SSL connections. This 
is done by copying the keystores to the 
<code>{GATEWAY_HOME}/data/security/keystores</code> directory for your gateway 
install.</p><h4><a id="Summary+of+Secrets+to+be+Managed"></a>Summary of Secrets 
to be Managed</h4>
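Review bot: The two keytool commands added inside the list items (keytool -changealias ... and keytool -keypasswd ...) are wrapped in <p> rather than <pre><code>, and the alias arguments use &ldquo;/&rdquo; entities, so a reader who copies the rendered line pastes typographic quotes that the shell does not treat as quoting. Put both commands in <pre><code> like the other commands in this section and use plain quotes or none. The -changealias example also uses the placeholder {knoxpw} for -storepass, while the -genkey example further down uses {master-secret} for the keystore password; pick one placeholder name for it.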

Modified: knox/site/books/knox-0-5-0/runtime-overview.png
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-overview.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/runtime-request-processing.png
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-request-processing.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/deployment-overview.png
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-overview.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/deployment-provider.png
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-provider.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/deployment-service.png
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-service.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/runtime-overview.png
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-overview.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/runtime-request-processing.png
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-request-processing.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/user-guide.html
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/user-guide.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/books/knox-0-6-0/user-guide.html (original)
+++ knox/site/books/knox-0-6-0/user-guide.html Mon Dec  8 16:58:43 2014
@@ -448,16 +448,18 @@ ip-10-39-107-209.ec2.internal
   <li>Using a single gateway instance as a master instance the artifacts can 
be generated or placed into the expected location and then replicated across 
all of the slave instances before startup.</li>
   <li>Using an NFS mount as a central location for the artifacts would provide 
a single source of truth without the need to replicate them over the network. 
Of course, NFS mounts have their own challenges.</li>
   <li>Using the KnoxCLI to create and manage the security artifacts.</li>
-</ol><p>See the Knox CLI section for descriptions of the command line utilties 
related to the security artifact management.</p><h4><a 
id="Keystores"></a>Keystores</h4><p>In order to provide your own certificate 
for use by the gateway, you will need to either import an existing key pair 
into a Java keystore or generate a self-signed cert using the Java 
keytool.</p><h5><a id="Importing+a+key+pair+into+a+Java+keystore"></a>Importing 
a key pair into a Java keystore</h5><p>One way to accomplish this is to start 
with a PKCS12 store for your key pair and then convert it to a Java keystore or 
JKS.</p>
+</ol><p>See the Knox CLI section for descriptions of the command line utilties 
related to the security artifact management.</p><h4><a 
id="Keystores"></a>Keystores</h4><p>In order to provide your own certificate 
for use by the gateway, you will need to either import an existing key pair 
into a Java keystore or generate a self-signed cert using the Java 
keytool.</p><h5><a id="Importing+a+key+pair+into+a+Java+keystore"></a>Importing 
a key pair into a Java keystore</h5><p>One way to accomplish this is to start 
with a PKCS12 store for your key pair and then convert it to a Java keystore or 
JKS.</p><p>The following example uses openssl to create a PKCS12 encoded store 
from your provided certificate and private key that are in PEM format.</p>
 <pre><code>openssl pkcs12 -export -in cert.pem -inkey key.pem &gt; server.p12
-</code></pre><p>The above example uses openssl to create a PKCS12 encoded 
store for your provided certificate private key.</p>
+</code></pre><p>The next example converts the PKCS12 store into a Java 
keystore (JKS). It should prompt you for the keystore and key passwords for the 
destination keystore. You must use the master-secret for the keystore password 
and keep track of the password that you use for the key passphrase.</p>
 <pre><code>keytool -importkeystore -srckeystore {server.p12} -destkeystore 
gateway.jks -srcstoretype pkcs12
-</code></pre><p>This example converts the PKCS12 store into a Java keystore 
(JKS). It should prompt you for the keystore and key passwords for the 
destination keystore. You must use the master-secret for both.</p><p>While 
using this approach a couple of important things to be aware of:</p>
+</code></pre><p>While using this approach a couple of important things to be 
aware of:</p>
 <ol>
-  <li>the alias MUST be &ldquo;gateway-identity&rdquo;</li>
-  <li>the name of the expected identity keystore for the gateway MUST be 
gateway.jks</li>
-  <li>the passwords for the keystore and the imported key may both be set to 
the master secret for the gateway install</li>
-</ol><p>NOTE: The password for the keystore as well as that of the imported 
key may be the master secret for the gateway instance or you may set the 
gateway-identity-passphrase alias using the Knox CLI to the actual key 
passphrase. See the Knox CLI section for details.</p><h5><a 
id="Generating+a+self-signed+cert+for+use+in+testing+or+development+environments"></a>Generating
 a self-signed cert for use in testing or development environments</h5>
+  <li><p>the alias MUST be &ldquo;gateway-identity&rdquo;. You may need to 
change it using keytool after the import of the PKCS12 store. You can use 
keytool to do this - for example:</p><p>keytool -changealias -alias 
&ldquo;1&rdquo; -destalias &ldquo;gateway-identity&rdquo; -keystore gateway.jks 
-storepass {knoxpw}</p></li>
+  <li><p>the name of the expected identity keystore for the gateway MUST be 
gateway.jks</p></li>
+  <li><p>the passwords for the keystore and the imported key may both be set 
to the master secret for the gateway install. You can change the key passphrase 
after import using keytool as well. You may need to do this in order to 
provision the password in the credential store as described later in this 
section. For example:</p><p>keytool -keypasswd -alias gateway-identity 
-keystore gateway.jks</p></li>
+</ol><p>NOTE: The password for the keystore as well as that of the imported 
key may be the master secret for the gateway instance or you may set the 
gateway-identity-passphrase alias using the Knox CLI to the actual key 
passphrase. See the Knox CLI section for details.</p><p>The following will 
allow you to provision the passphrase for the private key that you set during 
keystore creation above - it will prompt you for the actual passphrase.</p>
+<pre><code>bin/knoxcli.sh create-alias gateway-identity-passphrase
+</code></pre><h5><a 
id="Generating+a+self-signed+cert+for+use+in+testing+or+development+environments"></a>Generating
 a self-signed cert for use in testing or development environments</h5>
 <pre><code>keytool -genkey -keyalg RSA -alias gateway-identity -keystore 
gateway.jks \
     -storepass {master-secret} -validity 360 -keysize 2048
 </code></pre><p>Keytool will prompt you for a number of elements used will 
comprise the distiniguished name (DN) within your certificate. 
</p><p><em>NOTE:</em> When it prompts you for your First and Last name be sure 
to type in the hostname of the machine that your gateway instance will be 
running on. This is used by clients during hostname verification to ensure that 
the presented certificate matches the hostname that was used in the URL for the 
connection - so they need to match.</p><p><em>NOTE:</em> When it prompts for 
the key password just press enter to ensure that it is the same as the keystore 
password. Which as was described earlier must match the master secret for the 
gateway instance. Alternatively, you can set it to another passphrase - take 
note of it and set the gateway-identity-passphrase alias to that passphrase 
using the Knox CLI.</p><p>See the Knox CLI section for descriptions of the 
command line utilties related to the management of the keystores.</p><h5><a 
id="Cre
 dential+Store"></a>Credential Store</h5><p>Whenever you provide your own 
keystore with either a self-signed cert or an issued certificate signed by a 
trusted authority, you will need to set an alias for the 
gateway-identity-passphrase or create an empty credential store. This is 
necessary for the current release in order for the system to determine the 
correct password for the keystore and the key.</p><p>The credential stores in 
Knox use the JCEKS keystore type as it allows for the storage of general 
secrets in addition to certificates.</p><p>Keytool may be used to create 
credential stores but the Knox CLI section details how to create aliases. These 
aliases are managed within credential stores which are created by the CLI as 
needed. The simplest approach is to create the gateway-identity-passpharse 
alias with the Knox CLI. This will create the credential store if it 
doesn&rsquo;t already exist and add the key passphrase.</p><p>See the Knox CLI 
section for descriptions of the comman
 d line utilties related to the management of the credential stores.</p><h5><a 
id="Provisioning+of+Keystores"></a>Provisioning of Keystores</h5><p>Once you 
have created these keystores you must move them into place for the gateway to 
discover them and use them to represent its identity for SSL connections. This 
is done by copying the keystores to the 
<code>{GATEWAY_HOME}/data/security/keystores</code> directory for your gateway 
install.</p><h4><a id="Summary+of+Secrets+to+be+Managed"></a>Summary of Secrets 
to be Managed</h4>
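Review bot: The Credential Store paragraph in the trailing context still spells the alias "gateway-identity-passpharse", which does not match the command this hunk adds (bin/knoxcli.sh create-alias gateway-identity-passphrase) or the other mentions of the alias; correct the spelling so the prose and the command name the same alias. The rewritten first paragraph also carries "utilties" over onto its + line, and "distiniguished" remains in the description of the keytool prompts. This hunk has the same content as the knox-0-5-0.html one, so the corrections are best made once in the config.md sources and the pages regenerated.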

Modified: knox/site/index.html
URL: 
http://svn.apache.org/viewvc/knox/site/index.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Mon Dec  8 16:58:43 2014
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-11-26 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-12-08 -->
 <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
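Review bot: The only change in this file is the Doxia generation date, at the "Generated by" comment here and again in the Date-Revision meta tag and the publishDate span below, and the same three edits repeat in issue-tracking.html, license.html, mail-lists.html, project-info.html and team-list.html. Consider committing the regenerated site separately from the KNOX-477 documentation change so the certificate management edits are easier to find in the revision.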
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" 
media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20141126" />
+    <meta name="Date-Revision-yyyymmdd" content="20141208" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a 
href="https://cwiki.apache.org/confluence/display/KNOX/Index"; 
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 
2014-11-26</span>
+                &nbsp;| <span id="publishDate">Last Published: 
2014-12-08</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/site/issue-tracking.html
URL: 
http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/issue-tracking.html (original)
+++ knox/site/issue-tracking.html Mon Dec  8 16:58:43 2014
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-11-26 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-12-08 -->
 <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" 
media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20141126" />
+    <meta name="Date-Revision-yyyymmdd" content="20141208" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a 
href="https://cwiki.apache.org/confluence/display/KNOX/Index"; 
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 
2014-11-26</span>
+                &nbsp;| <span id="publishDate">Last Published: 
2014-12-08</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/site/license.html
URL: 
http://svn.apache.org/viewvc/knox/site/license.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/license.html (original)
+++ knox/site/license.html Mon Dec  8 16:58:43 2014
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-11-26 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-12-08 -->
 <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" 
media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20141126" />
+    <meta name="Date-Revision-yyyymmdd" content="20141208" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a 
href="https://cwiki.apache.org/confluence/display/KNOX/Index"; 
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 
2014-11-26</span>
+                &nbsp;| <span id="publishDate">Last Published: 
2014-12-08</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/site/mail-lists.html
URL: 
http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/mail-lists.html (original)
+++ knox/site/mail-lists.html Mon Dec  8 16:58:43 2014
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-11-26 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-12-08 -->
 <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" 
media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20141126" />
+    <meta name="Date-Revision-yyyymmdd" content="20141208" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a 
href="https://cwiki.apache.org/confluence/display/KNOX/Index"; 
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 
2014-11-26</span>
+                &nbsp;| <span id="publishDate">Last Published: 
2014-12-08</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/site/project-info.html
URL: 
http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Mon Dec  8 16:58:43 2014
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-11-26 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-12-08 -->
 <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" 
media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20141126" />
+    <meta name="Date-Revision-yyyymmdd" content="20141208" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a 
href="https://cwiki.apache.org/confluence/display/KNOX/Index"; 
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 
2014-11-26</span>
+                &nbsp;| <span id="publishDate">Last Published: 
2014-12-08</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/site/team-list.html
URL: 
http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/team-list.html (original)
+++ knox/site/team-list.html Mon Dec  8 16:58:43 2014
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-11-26 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-12-08 -->
 <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" 
media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20141126" />
+    <meta name="Date-Revision-yyyymmdd" content="20141208" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a 
href="https://cwiki.apache.org/confluence/display/KNOX/Index"; 
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 
2014-11-26</span>
+                &nbsp;| <span id="publishDate">Last Published: 
2014-12-08</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/trunk/books/0.5.0/config.md
URL: 
http://svn.apache.org/viewvc/knox/trunk/books/0.5.0/config.md?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/trunk/books/0.5.0/config.md (original)
+++ knox/trunk/books/0.5.0/config.md Mon Dec  8 16:58:43 2014
@@ -298,22 +298,31 @@ In order to provide your own certificate
 ##### Importing a key pair into a Java keystore #####
 One way to accomplish this is to start with a PKCS12 store for your key pair 
and then convert it to a Java keystore or JKS.
 
+The following example uses openssl to create a PKCS12 encoded store from your 
provided certificate and private key that are in PEM format.
+
     openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
 
-The above example uses openssl to create a PKCS12 encoded store for your 
provided certificate private key.
+The next example converts the PKCS12 store into a Java keystore (JKS). It 
should prompt you for the keystore and key passwords for the destination 
keystore. You must use the master-secret for the keystore password and keep 
track of the password that you use for the key passphrase.
 
     keytool -importkeystore -srckeystore {server.p12} -destkeystore 
gateway.jks -srcstoretype pkcs12
 
-This example converts the PKCS12 store into a Java keystore (JKS). It should 
prompt you for the keystore and key passwords for the destination keystore. You 
must use the master-secret for both.
-
 While using this approach a couple of important things to be aware of:
 
-1. the alias MUST be "gateway-identity"
+1. the alias MUST be "gateway-identity". You may need to change it using 
keytool after the import of the PKCS12 store. You can use keytool to do this - 
for example: 
+
+    keytool -changealias -alias "1" -destalias "gateway-identity" -keystore 
gateway.jks -storepass {knoxpw}
+    
 2. the name of the expected identity keystore for the gateway MUST be 
gateway.jks
-3. the passwords for the keystore and the imported key may both be set to the 
master secret for the gateway install
+3. the passwords for the keystore and the imported key may both be set to the 
master secret for the gateway install. You can change the key passphrase after 
import using keytool as well. You may need to do this in order to provision the 
password in the credential store as described later in this section. For 
example:
+
+    keytool -keypasswd -alias gateway-identity -keystore gateway.jks
 
 NOTE: The password for the keystore as well as that of the imported key may be 
the master secret for the gateway instance or you may set the 
gateway-identity-passphrase alias using the Knox CLI to the actual key 
passphrase. See the Knox CLI section for details.
 
+The following will allow you to provision the passphrase for the private key 
that you set during keystore creation above - it will prompt you for the actual 
passphrase.
+
+    bin/knoxcli.sh create-alias gateway-identity-passphrase
+
 ##### Generating a self-signed cert for use in testing or development 
environments #####
 
     keytool -genkey -keyalg RSA -alias gateway-identity -keystore gateway.jks \
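
Review bot: The added `keytool -changealias` example under item 1 passes the keystore password on the command line (`-storepass {knoxpw}`), while the `-importkeystore` and `-keypasswd` examples in this same hunk let keytool prompt for it. The paragraph above says the keystore password must be the master secret, so this example puts the master secret into shell history and the process list. Suggest dropping `-storepass` so the command prompts like the others. If it stays, `{knoxpw}` needs a definition, since the hunk never says what it stands for. It would also help to tell the reader how to find the alias the import actually produced (for example with `keytool -list -keystore gateway.jks`) rather than assuming it is "1".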

Modified: knox/trunk/books/0.6.0/config.md
URL: 
http://svn.apache.org/viewvc/knox/trunk/books/0.6.0/config.md?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/trunk/books/0.6.0/config.md (original)
+++ knox/trunk/books/0.6.0/config.md Mon Dec  8 16:58:43 2014
@@ -298,22 +298,31 @@ In order to provide your own certificate
 ##### Importing a key pair into a Java keystore #####
 One way to accomplish this is to start with a PKCS12 store for your key pair 
and then convert it to a Java keystore or JKS.
 
+The following example uses openssl to create a PKCS12 encoded store from your 
provided certificate and private key that are in PEM format.
+
     openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
 
-The above example uses openssl to create a PKCS12 encoded store for your 
provided certificate private key.
+The next example converts the PKCS12 store into a Java keystore (JKS). It 
should prompt you for the keystore and key passwords for the destination 
keystore. You must use the master-secret for the keystore password and keep 
track of the password that you use for the key passphrase.
 
     keytool -importkeystore -srckeystore {server.p12} -destkeystore 
gateway.jks -srcstoretype pkcs12
 
-This example converts the PKCS12 store into a Java keystore (JKS). It should 
prompt you for the keystore and key passwords for the destination keystore. You 
must use the master-secret for both.
-
 While using this approach a couple of important things to be aware of:
 
-1. the alias MUST be "gateway-identity"
+1. the alias MUST be "gateway-identity". You may need to change it using 
keytool after the import of the PKCS12 store. You can use keytool to do this - 
for example: 
+
+    keytool -changealias -alias "1" -destalias "gateway-identity" -keystore 
gateway.jks -storepass {knoxpw}
+    
 2. the name of the expected identity keystore for the gateway MUST be 
gateway.jks
-3. the passwords for the keystore and the imported key may both be set to the 
master secret for the gateway install
+3. the passwords for the keystore and the imported key may both be set to the 
master secret for the gateway install. You can change the key passphrase after 
import using keytool as well. You may need to do this in order to provision the 
password in the credential store as described later in this section. For 
example:
+
+    keytool -keypasswd -alias gateway-identity -keystore gateway.jks
 
 NOTE: The password for the keystore as well as that of the imported key may be 
the master secret for the gateway instance or you may set the 
gateway-identity-passphrase alias using the Knox CLI to the actual key 
passphrase. See the Knox CLI section for details.
 
+The following will allow you to provision the passphrase for the private key 
that you set during keystore creation above - it will prompt you for the actual 
passphrase.
+
+    bin/knoxcli.sh create-alias gateway-identity-passphrase
+
 ##### Generating a self-signed cert for use in testing or development 
environments #####
 
     keytool -genkey -keyalg RSA -alias gateway-identity -keystore gateway.jks \
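
Review bot: The new paragraph before the `keytool -importkeystore` command says "You must use the master-secret for the keystore password and keep track of the password that you use for the key passphrase", but item 3 and the unchanged NOTE still say the keystore and key passwords "may both be set to the master secret". A reader cannot tell from this hunk whether a separate key passphrase is required or optional. Suggest stating the rule once: the keystore password is the master secret, and the key passphrase is either the master secret too or a different value that must then be provisioned with `bin/knoxcli.sh create-alias gateway-identity-passphrase`. The closing paragraph's "during keystore creation above" should also name the step it means (the import or the `-keypasswd` change). Minor: `{server.p12}` is written in braces in the keytool command but as plain `server.p12` in the openssl command that creates it.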

