jmeter - Got 'Keystore was tampered with, or password was incorrect' error doing distributed tests - distributed-testing

Searched all the questions related to recover keyerror, got no answer on my situation.
So, I just have several simple operations:
install jmeter 4.0 (on centos 7)
cd to the bin directory, run ./create-rmi-keystore.sh and pressed Enter at each step (entered a password 123654 at the final step), and finally it gives me
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore rmi_keystore.jks -destkeystore rmi_keystore.jks -deststoretype pkcs12".
Copy the generated rmi_keystore.jks to jmeter/bin folder or reference it in property 'server.rmi.ssl.keystore.file'
so I run keytool -importkeystore -srckeystore rmi_keystore.jks -destkeystore rmi_keystore.jks -deststoretype pkcs12 and give a password 123654
It gives me:
Enter source keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
Can anybody give a hand? Thanks in advance :)

Solved by this: to answer the question "What is your first and last name?", you'll have to reply with rmi, which must correspond to the value of server.rmi.ssl.keystore.alias in jmeter.properties.

Related

openssl command password problem for Kubernetes certificate

I am trying to add certificate for Kubernetes, but when I run the following command on cmd (MacOS):
openssl ec -in mycompany-robert.key -out mycompany-robert.dkey
I get the following prompt:
read EC key
Enter PEM pass phrase:
Then I enter some password, but it is not accepted and get the following error:
unable to load Key
4315711020:error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt:/AppleInternal/Library/BuildRoots/a0876c02-1788-11ed-b9c4-96898e02b808/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/crypto/evp/evp_enc.c:521:
4315711020:error:09FFF065:PEM routines:CRYPTO_internal:bad decrypt:/AppleInternal/Library/BuildRoots/a0876c02-1788-11ed-b9c4-96898e02b808/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/crypto/pem/pem_lib.c:469:
So, how can I fix the problem?

Docebo oAuth2 JWT bearer- Public key invalid?

Currently, I am integrating the Docebo API with a Python REST client. While creating an OAuth2 application in Docebo with the JWT bearer grant permission, they ask to upload the public key.
I have generated a public key using the command below on Mac
ssh-keygen -t rsa -b 4096 -C <user id>
As they have mentioned, the public key format should be
-----BEGIN PUBLIC KEY-----
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgGOrtjv/oPcaWIQL7h3DwvGbWFhH
fAIP02pPPw1Cp8h0SUkmGAWUGKCNH2WuIeNxPlRZKmW86aivknrRtEN3QW6eEsFZ
ZSIKVmUPekKrSpvYmYwkTCnwCb4gpDu1ZPEde8VXhQjLRl7ielUktzzbXW7v1HmI
fDASHvMvIl4kwGA/AgMBAAE=
-----END PUBLIC KEY-----
According to that, I have converted id_rsa.pub to publicKey.pem using below command
ssh-keygen -f ~/.ssh/id_rsa.pub -m 'PEM' -e > publicKey.pem
chmod 600 public.pem
Still, I am not able to upload the publicKey.pem on the oauth2 application. Error is Public key is invalid.
Any idea about this. Thanks!
This is a late answer. Hopefully it can help others.
We used OpenSSL (https://www.openssl.org/source/) to solve this issue. Run the commands below and import rsa_public.pem into Docebo.
openssl genpkey -algorithm RSA -out rsa_private.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -in rsa_private.pem -pubout -out rsa_public.pem
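An added example, not part of the original question or answer: ssh-keygen -e -m PEM writes a PKCS#1 block (BEGIN RSA PUBLIC KEY), whereas openssl rsa -pubout writes the X.509 SubjectPublicKeyInfo block (BEGIN PUBLIC KEY) that the question shows as the required format. The Python below tells the two apart by their DER structure and converts between them; the function names are illustrative, and the sample is the key quoted in the question.

```python
import base64

# DER AlgorithmIdentifier: rsaEncryption OID 1.2.840.113549.1.1.1 + NULL
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")
# Sample key copied from the question above, with ASCII hyphens restored.
SAMPLE_SPKI = """-----BEGIN PUBLIC KEY-----
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgGOrtjv/oPcaWIQL7h3DwvGbWFhH
fAIP02pPPw1Cp8h0SUkmGAWUGKCNH2WuIeNxPlRZKmW86aivknrRtEN3QW6eEsFZ
ZSIKVmUPekKrSpvYmYwkTCnwCb4gpDu1ZPEde8VXhQjLRl7ielUktzzbXW7v1HmI
fDASHvMvIl4kwGA/AgMBAAE=
-----END PUBLIC KEY-----
"""

def pem_decode(pem):  # -> (label, DER bytes); expects exactly one PEM block
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM block")
    return lines[0][11:-5], base64.b64decode("".join(lines[1:-1]))

def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----", ""])

def der_len(n):  # DER length: short form below 128, long form otherwise
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw

def read_tlv(buf, pos=0):  # -> (tag, value, next_pos) of the element at pos
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:  # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify(pem):
    _, body, _ = read_tlv(pem_decode(pem)[1])  # contents of outer SEQUENCE
    # SPKI starts with the AlgorithmIdentifier SEQUENCE, PKCS#1 with INTEGER n
    return {0x30: "spki", 0x02: "pkcs1"}.get(body[0], "unknown")

def spki_to_pkcs1(pem):
    _, body, _ = read_tlv(pem_decode(pem)[1])
    _, bits, _ = read_tlv(body, read_tlv(body)[2])  # BIT STRING after AlgId
    return pem_encode("RSA PUBLIC KEY", bits[1:])   # drop unused-bits byte

def pkcs1_to_spki(pem):
    rsa_key = pem_decode(pem)[1]
    body = RSA_ALG_ID + b"\x03" + der_len(len(rsa_key) + 1) + b"\x00" + rsa_key
    return pem_encode("PUBLIC KEY", b"\x30" + der_len(len(body)) + body)
```

With OpenSSH itself, ssh-keygen -e -m PKCS8 emits the BEGIN PUBLIC KEY form directly.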

Configure LDAP global settings in jenkins

I've set up a Jenkins instance, and am trying to set up LDAP and getting this error
Unable to connect to ldaps://server.domain.com:636 :
javax.naming.CommunicationException: server.domain.com:636 [Root
exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target]
The target server is using a self-signed certificate. Is there a way to disable certification checking? In another web server instance, we run it with
AUTH_LDAP_GLOBAL_OPTIONS = {
ldap.OPT_X_TLS_REQUIRE_CERT: False }
Could there be a similar option when using Jenkins?
You can override the Java default SSL factory like https://plugins.jenkins.io/skip-certificate-check
Or you can trust the cert by fetching the certificate public key and importing that into your ./jre/lib/security/cacerts truststore.
export JAVA_HOME='/path/to/your/jre'
export LDAPHOST='LDAPHOST01.domain.ccTLD'
export LDAPSSLPORT='636'
export CERTFILENAME='/tmp/ldapcert.cer'
echo "" | openssl s_client -connect $LDAPHOST:$LDAPSSLPORT 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $CERTFILENAME
keytool -import -trustcacerts -alias $LDAPHOST -file $CERTFILENAME -keystore $JAVA_HOME/lib/security/cacerts
When you import the certificate, you will be asked for the keystore password. The default is 'changeit' ... otherwise whatever you've changed it to. Details on the cert will be displayed, and you will be asked if you really want to trust the certificate.
[lisa#linux02 checkSSLCertExpiry]# keytool -import -trustcacerts -alias $LDAPHOST -file $CERTFILENAME -keystore $JAVA_HOME/lib/security/cacerts
Enter keystore password:
Owner: CN=LDAPHOST01
Issuer: CN=LDAPHOST01
Serial number: 3a2542463f2d59bb4018f9e9179dd6a8
Valid from: Mon Jun 02 16:55:08 EDT 2014 until: Sun Jun 02 16:55:08 EDT 2019
Certificate fingerprints:
MD5: C3:33:62:B4:A8:30:05:54:3A:F9:AE:99:66:35:EB:22
SHA1: FA:C2:7B:5D:BF:74:05:58:EF:37:F1:AD:8D:8B:DF:02:93:4C:D8:7E
SHA256: BE:D6:DF:A9:4F:82:6B:AF:2C:C7:45:9B:B7:A4:0A:B4:9A:81:DB:8E:49:A2:38:16:49:83:F7:4C:D5:EC:61:E0
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
...
#4: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: LDAPHOST01
DNSName: LDAPHOST01.domain.ccTLD
]
Trust this certificate? [no]: yes
Certificate was added to keystore
A keytool command to verify the certificate exists in the store:
[lisa#linux02 checkSSLCertExpiry]# keytool -list -keystore $JAVA_HOME/lib/security/cacerts -alias $LDAPHOST
Enter keystore password:
LDAPHOST01.domain.ccTLD, Sep 28, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): FA:C2:7B:5D:BF:74:05:58:EF:37:F1:AD:8D:8B:DF:02:93:4C:D8:7E
Overriding Java's default trust mechanisms is once-and-done, but obviously removes all of the security that goes with verifying a certificate. Trusting the LDAP server's cert means you'll need to know every time the cert is renewed, and you'll need to import the new certificate into your cacerts file.
To avoid having auth fail every year or two when the directory server cert expires, I set up a certificate authority (CA) with a fairly long (10 years or so) validity. You can do this with a dedicated PKI infrastructure or simply OpenSSL. By importing the CA's public key into cacerts, you trust any certificate issued against the CA. So if the directory certificate is renewed every year, you don't need to do anything. In a decade when the CA cert is replaced, you'll need to add the new CA cert to the store.

How to debug a platform signed system app using Xamarin Android

I'm currently working on a project that must be a platform signed system app to be privileged to communicate on the I2C bus of a proprietary Android device.
The manifest contains android:sharedUserId="android.uid.system" and the resulting unsigned apk is signed, zipaligned and installed with this batch...
java -jar signapk.jar platform.x509.pem platform.pk8 unsigned.apk signed.apk
zipalign -f -v 4 signed.apk aligned.apk
adb install -rg aligned.apk
This works fine. However, I need to do extensive development running with this privilege requiring the debugger to be attached. I have tried using a custom Configuration that retains the debugger symbols while including the Mono runtime in the package only to find out that you cannot attach to an already running Android app from Xamarin.
Is there a way to create a keystore that is signed with the platform signature that I could put in ...\AppData\Local\Xamarin\Mono for Android\ to replace debug.keystore? The idea being that the debug build-deploy process would pick this up and I'd have the privileges I need AND have attachment to the debugger.
Any help much appreciated.
You can create a JKS keystore from a DER-encoded PKCS #8 private key and the corresponding PEM-encoded X.509 certificate as follows:
openssl pkcs8 -inform der -in platform.pk8 -nocrypt -out platform.key
openssl pkcs12 -export -in platform.x509.pem -inkey platform.key -out platform.p12
keytool -importkeystore \
-srckeystore platform.p12 -srcstoretype pkcs12 \
-destkeystore platform.keystore \
-deststorepass android -destkeypass android
shred -u platform.key platform.p12
For those following, after I performed the steps from Alex, I added this to the .csproj file to get Visual Studio to use it for this specific example.
<PropertyGroup Condition="'$(Configuration)' == 'Debug'">
<AndroidKeyStore>True</AndroidKeyStore>
<AndroidSigningKeyStore>(path)\platform.keystore</AndroidSigningKeyStore>
<AndroidSigningStorePass>android</AndroidSigningStorePass>
<AndroidSigningKeyAlias>1</AndroidSigningKeyAlias>
<AndroidSigningKeyPass>android</AndroidSigningKeyPass>
</PropertyGroup>

travis encrypt-file for maven deploy

On my computer:
travis login --org
Username: xxxxxx
Password: xxxxxx
Successfully logged in as xxxxxx!
travis encrypt-file codesigning.asc -r XXXXXX/XXXXXX
encrypting codesigning.asc for XXXXXX/XXXXXX
storing result as codesigning.asc.enc
storing secure env variables for decryption
Please add the following to your build script (before_install stage in your .travis.yml, for instance):
openssl aes-256-cbc -K $encrypted_abcd1234_key -iv $encrypted_abcd1234_iv -in codesigning.asc.enc -out codesigning.asc -d
Pro Tip: You can add it automatically by running with --add.
Make sure to add codesigning.asc.enc to the git repository.
Make sure not to add codesigning.asc to the git repository.
Commit all changes to your .travis.yml.
On my travis account:
On my GitHub repository:
I paste the codesigning.asc.enc file in the test folder test/codesigning.asc.enc.
I add this shell script:
if [ "$TRAVIS_BRANCH" = 'master' ] && [ "$TRAVIS_PULL_REQUEST" == 'false' ]; then
    echo "******** Starting gpg"
    openssl aes-256-cbc -K "$encrypted_abcd1234_key" -iv "$encrypted_abcd1234_iv" -in test/codesigning.asc.enc -out test/codesigning.asc -d
    gpg --fast-import test/codesigning.asc
fi
I have this error on my travis console:
bad decrypt
139864985556640:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
gpg: invalid radix64 character FE skipped
gpg: invalid radix64 character C4 skipped
gpg: read_block: read error: invalid packet
gpg: import from `test/codesigning.asc' failed: invalid keyring
gpg: Total number processed: 0
OpenPGP (the cryptographic protocol implemented by gpg) and X.509 (the cryptographic protocol used by OpenSSL) are not compatible. You cannot import this key to GnuPG (you could to gpgsm which implements X.509, but this is not the normal gpg you want to use). You will have to stick with OpenSSL or GnuTLS to handle the key and encrypted messages for it.
