knox-commits mailing list archives

From lmc...@apache.org
Subject svn commit: r1643865 - in /knox: site/ site/books/knox-0-4-0/ site/books/knox-0-5-0/ site/books/knox-0-6-0/ trunk/books/0.5.0/ trunk/books/0.6.0/
Date Mon, 08 Dec 2014 16:58:43 GMT
Author: lmccay
Date: Mon Dec  8 16:58:43 2014
New Revision: 1643865

URL: http://svn.apache.org/r1643865
Log:
KNOX-477 - better docs for certificate management

Modified:
    knox/site/books/knox-0-4-0/deployment-overview.png
    knox/site/books/knox-0-4-0/deployment-provider.png
    knox/site/books/knox-0-4-0/deployment-service.png
    knox/site/books/knox-0-4-0/runtime-overview.png
    knox/site/books/knox-0-4-0/runtime-request-processing.png
    knox/site/books/knox-0-5-0/deployment-overview.png
    knox/site/books/knox-0-5-0/deployment-provider.png
    knox/site/books/knox-0-5-0/deployment-service.png
    knox/site/books/knox-0-5-0/knox-0-5-0.html
    knox/site/books/knox-0-5-0/runtime-overview.png
    knox/site/books/knox-0-5-0/runtime-request-processing.png
    knox/site/books/knox-0-6-0/deployment-overview.png
    knox/site/books/knox-0-6-0/deployment-provider.png
    knox/site/books/knox-0-6-0/deployment-service.png
    knox/site/books/knox-0-6-0/runtime-overview.png
    knox/site/books/knox-0-6-0/runtime-request-processing.png
    knox/site/books/knox-0-6-0/user-guide.html
    knox/site/index.html
    knox/site/issue-tracking.html
    knox/site/license.html
    knox/site/mail-lists.html
    knox/site/project-info.html
    knox/site/team-list.html
    knox/trunk/books/0.5.0/config.md
    knox/trunk/books/0.6.0/config.md

Modified: knox/site/books/knox-0-4-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-overview.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-provider.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-service.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-overview.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-request-processing.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-overview.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-provider.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-service.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/knox-0-5-0.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/knox-0-5-0.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/books/knox-0-5-0/knox-0-5-0.html (original)
+++ knox/site/books/knox-0-5-0/knox-0-5-0.html Mon Dec  8 16:58:43 2014
@@ -448,16 +448,18 @@ ip-10-39-107-209.ec2.internal
   <li>Using a single gateway instance as a master instance the artifacts can be generated
or placed into the expected location and then replicated across all of the slave instances
before startup.</li>
   <li>Using an NFS mount as a central location for the artifacts would provide a single
source of truth without the need to replicate them over the network. Of course, NFS mounts
have their own challenges.</li>
   <li>Using the KnoxCLI to create and manage the security artifacts.</li>
-</ol><p>See the Knox CLI section for descriptions of the command line utilties
related to the security artifact management.</p><h4><a id="Keystores"></a>Keystores</h4><p>In
order to provide your own certificate for use by the gateway, you will need to either import
an existing key pair into a Java keystore or generate a self-signed cert using the Java keytool.</p><h5><a
id="Importing+a+key+pair+into+a+Java+keystore"></a>Importing a key pair into a Java
keystore</h5><p>One way to accomplish this is to start with a PKCS12 store for
your key pair and then convert it to a Java keystore or JKS.</p>
+</ol><p>See the Knox CLI section for descriptions of the command line utilties
related to the security artifact management.</p><h4><a id="Keystores"></a>Keystores</h4><p>In
order to provide your own certificate for use by the gateway, you will need to either import
an existing key pair into a Java keystore or generate a self-signed cert using the Java keytool.</p><h5><a
id="Importing+a+key+pair+into+a+Java+keystore"></a>Importing a key pair into a Java
keystore</h5><p>One way to accomplish this is to start with a PKCS12 store for
your key pair and then convert it to a Java keystore or JKS.</p><p>The following
example uses openssl to create a PKCS12 encoded store from your provided certificate and private
key that are in PEM format.</p>
 <pre><code>openssl pkcs12 -export -in cert.pem -inkey key.pem &gt; server.p12
-</code></pre><p>The above example uses openssl to create a PKCS12 encoded
store for your provided certificate private key.</p>
+</code></pre><p>The next example converts the PKCS12 store into a Java
keystore (JKS). It should prompt you for the keystore and key passwords for the destination
keystore. You must use the master-secret for the keystore password and keep track of the password
that you use for the key passphrase.</p>
 <pre><code>keytool -importkeystore -srckeystore {server.p12} -destkeystore gateway.jks
-srcstoretype pkcs12
-</code></pre><p>This example converts the PKCS12 store into a Java keystore
(JKS). It should prompt you for the keystore and key passwords for the destination keystore.
You must use the master-secret for both.</p><p>While using this approach a couple
of important things to be aware of:</p>
+</code></pre><p>While using this approach a couple of important things
to be aware of:</p>
 <ol>
-  <li>the alias MUST be &ldquo;gateway-identity&rdquo;</li>
-  <li>the name of the expected identity keystore for the gateway MUST be gateway.jks</li>
-  <li>the passwords for the keystore and the imported key may both be set to the master
secret for the gateway install</li>
-</ol><p>NOTE: The password for the keystore as well as that of the imported key
may be the master secret for the gateway instance or you may set the gateway-identity-passphrase
alias using the Knox CLI to the actual key passphrase. See the Knox CLI section for details.</p><h5><a
id="Generating+a+self-signed+cert+for+use+in+testing+or+development+environments"></a>Generating
a self-signed cert for use in testing or development environments</h5>
+  <li><p>the alias MUST be &ldquo;gateway-identity&rdquo;. You may need
to change it using keytool after the import of the PKCS12 store. You can use keytool to do
this - for example:</p><p>keytool -changealias -alias &ldquo;1&rdquo;
-destalias &ldquo;gateway-identity&rdquo; -keystore gateway.jks -storepass {knoxpw}</p></li>
+  <li><p>the name of the expected identity keystore for the gateway MUST be gateway.jks</p></li>
+  <li><p>the passwords for the keystore and the imported key may both be set
to the master secret for the gateway install. You can change the key passphrase after import
using keytool as well. You may need to do this in order to provision the password in the credential
store as described later in this section. For example:</p><p>keytool -keypasswd
-alias gateway-identity -keystore gateway.jks</p></li>
+</ol><p>NOTE: The password for the keystore as well as that of the imported key
may be the master secret for the gateway instance or you may set the gateway-identity-passphrase
alias using the Knox CLI to the actual key passphrase. See the Knox CLI section for details.</p><p>The
following will allow you to provision the passphrase for the private key that you set during
keystore creation above - it will prompt you for the actual passphrase.</p>
+<pre><code>bin/knoxcli.sh create-alias gateway-identity-passphrase
+</code></pre><h5><a id="Generating+a+self-signed+cert+for+use+in+testing+or+development+environments"></a>Generating
a self-signed cert for use in testing or development environments</h5>
 <pre><code>keytool -genkey -keyalg RSA -alias gateway-identity -keystore gateway.jks
\
     -storepass {master-secret} -validity 360 -keysize 2048
 </code></pre><p>Keytool will prompt you for a number of elements used will
comprise the distiniguished name (DN) within your certificate. </p><p><em>NOTE:</em>
When it prompts you for your First and Last name be sure to type in the hostname of the machine
that your gateway instance will be running on. This is used by clients during hostname verification
to ensure that the presented certificate matches the hostname that was used in the URL for
the connection - so they need to match.</p><p><em>NOTE:</em> When
it prompts for the key password just press enter to ensure that it is the same as the keystore
password. Which as was described earlier must match the master secret for the gateway instance.
Alternatively, you can set it to another passphrase - take note of it and set the gateway-identity-passphrase
alias to that passphrase using the Knox CLI.</p><p>See the Knox CLI section for
descriptions of the command line utilties related to the management of the keystores.</p><h5><a
id="Cre
 dential+Store"></a>Credential Store</h5><p>Whenever you provide your
own keystore with either a self-signed cert or an issued certificate signed by a trusted authority,
you will need to set an alias for the gateway-identity-passphrase or create an empty credential
store. This is necessary for the current release in order for the system to determine the
correct password for the keystore and the key.</p><p>The credential stores in
Knox use the JCEKS keystore type as it allows for the storage of general secrets in addition
to certificates.</p><p>Keytool may be used to create credential stores but the
Knox CLI section details how to create aliases. These aliases are managed within credential
stores which are created by the CLI as needed. The simplest approach is to create the gateway-identity-passpharse
alias with the Knox CLI. This will create the credential store if it doesn&rsquo;t already
exist and add the key passphrase.</p><p>See the Knox CLI section for descriptions
of the comman
 d line utilties related to the management of the credential stores.</p><h5><a
id="Provisioning+of+Keystores"></a>Provisioning of Keystores</h5><p>Once
you have created these keystores you must move them into place for the gateway to discover
them and use them to represent its identity for SSL connections. This is done by copying the
keystores to the <code>{GATEWAY_HOME}/data/security/keystores</code> directory
for your gateway install.</p><h4><a id="Summary+of+Secrets+to+be+Managed"></a>Summary
of Secrets to be Managed</h4>
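Review bot: the two keytool examples added inside the list items (`keytool -changealias ...` in the first item and `keytool -keypasswd ...` in the third) are emitted as plain `<p>` text with typographic quotes (`&ldquo;1&rdquo;`, `&ldquo;gateway-identity&rdquo;`) rather than as `<pre><code>` blocks like the surrounding commands, so anyone pasting them into a shell passes curly quotes through literally and the alias lookup fails; indent them as code in the markdown source so they render the same way as `bin/knoxcli.sh create-alias gateway-identity-passphrase`. Placeholder naming is also inconsistent within the hunk: `-storepass {knoxpw}` on the changealias line versus `-storepass {master-secret}` on the genkey command, and `{server.p12}` on the importkeystore line, where `server.p12` is the literal output file of the preceding openssl command and not a placeholder at all; one convention (`{master-secret}` for the secret, bare `server.p12` for the file) would avoid a reader substituting the wrong thing. Minor: the carried-over `utilties` typo appears twice in the added lines and could be fixed while touching them, and the rename step could be dropped entirely by passing `-name gateway-identity` to `openssl pkcs12 -export`, since keytool uses the PKCS12 friendly name as the alias on import.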

Modified: knox/site/books/knox-0-5-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-overview.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-request-processing.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-overview.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-provider.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-service.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-overview.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-request-processing.png?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/user-guide.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/books/knox-0-6-0/user-guide.html (original)
+++ knox/site/books/knox-0-6-0/user-guide.html Mon Dec  8 16:58:43 2014
@@ -448,16 +448,18 @@ ip-10-39-107-209.ec2.internal
   <li>Using a single gateway instance as a master instance the artifacts can be generated
or placed into the expected location and then replicated across all of the slave instances
before startup.</li>
   <li>Using an NFS mount as a central location for the artifacts would provide a single
source of truth without the need to replicate them over the network. Of course, NFS mounts
have their own challenges.</li>
   <li>Using the KnoxCLI to create and manage the security artifacts.</li>
-</ol><p>See the Knox CLI section for descriptions of the command line utilties
related to the security artifact management.</p><h4><a id="Keystores"></a>Keystores</h4><p>In
order to provide your own certificate for use by the gateway, you will need to either import
an existing key pair into a Java keystore or generate a self-signed cert using the Java keytool.</p><h5><a
id="Importing+a+key+pair+into+a+Java+keystore"></a>Importing a key pair into a Java
keystore</h5><p>One way to accomplish this is to start with a PKCS12 store for
your key pair and then convert it to a Java keystore or JKS.</p>
+</ol><p>See the Knox CLI section for descriptions of the command line utilties
related to the security artifact management.</p><h4><a id="Keystores"></a>Keystores</h4><p>In
order to provide your own certificate for use by the gateway, you will need to either import
an existing key pair into a Java keystore or generate a self-signed cert using the Java keytool.</p><h5><a
id="Importing+a+key+pair+into+a+Java+keystore"></a>Importing a key pair into a Java
keystore</h5><p>One way to accomplish this is to start with a PKCS12 store for
your key pair and then convert it to a Java keystore or JKS.</p><p>The following
example uses openssl to create a PKCS12 encoded store from your provided certificate and private
key that are in PEM format.</p>
 <pre><code>openssl pkcs12 -export -in cert.pem -inkey key.pem &gt; server.p12
-</code></pre><p>The above example uses openssl to create a PKCS12 encoded
store for your provided certificate private key.</p>
+</code></pre><p>The next example converts the PKCS12 store into a Java
keystore (JKS). It should prompt you for the keystore and key passwords for the destination
keystore. You must use the master-secret for the keystore password and keep track of the password
that you use for the key passphrase.</p>
 <pre><code>keytool -importkeystore -srckeystore {server.p12} -destkeystore gateway.jks
-srcstoretype pkcs12
-</code></pre><p>This example converts the PKCS12 store into a Java keystore
(JKS). It should prompt you for the keystore and key passwords for the destination keystore.
You must use the master-secret for both.</p><p>While using this approach a couple
of important things to be aware of:</p>
+</code></pre><p>While using this approach a couple of important things
to be aware of:</p>
 <ol>
-  <li>the alias MUST be &ldquo;gateway-identity&rdquo;</li>
-  <li>the name of the expected identity keystore for the gateway MUST be gateway.jks</li>
-  <li>the passwords for the keystore and the imported key may both be set to the master
secret for the gateway install</li>
-</ol><p>NOTE: The password for the keystore as well as that of the imported key
may be the master secret for the gateway instance or you may set the gateway-identity-passphrase
alias using the Knox CLI to the actual key passphrase. See the Knox CLI section for details.</p><h5><a
id="Generating+a+self-signed+cert+for+use+in+testing+or+development+environments"></a>Generating
a self-signed cert for use in testing or development environments</h5>
+  <li><p>the alias MUST be &ldquo;gateway-identity&rdquo;. You may need
to change it using keytool after the import of the PKCS12 store. You can use keytool to do
this - for example:</p><p>keytool -changealias -alias &ldquo;1&rdquo;
-destalias &ldquo;gateway-identity&rdquo; -keystore gateway.jks -storepass {knoxpw}</p></li>
+  <li><p>the name of the expected identity keystore for the gateway MUST be gateway.jks</p></li>
+  <li><p>the passwords for the keystore and the imported key may both be set
to the master secret for the gateway install. You can change the key passphrase after import
using keytool as well. You may need to do this in order to provision the password in the credential
store as described later in this section. For example:</p><p>keytool -keypasswd
-alias gateway-identity -keystore gateway.jks</p></li>
+</ol><p>NOTE: The password for the keystore as well as that of the imported key
may be the master secret for the gateway instance or you may set the gateway-identity-passphrase
alias using the Knox CLI to the actual key passphrase. See the Knox CLI section for details.</p><p>The
following will allow you to provision the passphrase for the private key that you set during
keystore creation above - it will prompt you for the actual passphrase.</p>
+<pre><code>bin/knoxcli.sh create-alias gateway-identity-passphrase
+</code></pre><h5><a id="Generating+a+self-signed+cert+for+use+in+testing+or+development+environments"></a>Generating
a self-signed cert for use in testing or development environments</h5>
 <pre><code>keytool -genkey -keyalg RSA -alias gateway-identity -keystore gateway.jks
\
     -storepass {master-secret} -validity 360 -keysize 2048
 </code></pre><p>Keytool will prompt you for a number of elements used will
comprise the distiniguished name (DN) within your certificate. </p><p><em>NOTE:</em>
When it prompts you for your First and Last name be sure to type in the hostname of the machine
that your gateway instance will be running on. This is used by clients during hostname verification
to ensure that the presented certificate matches the hostname that was used in the URL for
the connection - so they need to match.</p><p><em>NOTE:</em> When
it prompts for the key password just press enter to ensure that it is the same as the keystore
password. Which as was described earlier must match the master secret for the gateway instance.
Alternatively, you can set it to another passphrase - take note of it and set the gateway-identity-passphrase
alias to that passphrase using the Knox CLI.</p><p>See the Knox CLI section for
descriptions of the command line utilties related to the management of the keystores.</p><h5><a
id="Cre
 dential+Store"></a>Credential Store</h5><p>Whenever you provide your
own keystore with either a self-signed cert or an issued certificate signed by a trusted authority,
you will need to set an alias for the gateway-identity-passphrase or create an empty credential
store. This is necessary for the current release in order for the system to determine the
correct password for the keystore and the key.</p><p>The credential stores in
Knox use the JCEKS keystore type as it allows for the storage of general secrets in addition
to certificates.</p><p>Keytool may be used to create credential stores but the
Knox CLI section details how to create aliases. These aliases are managed within credential
stores which are created by the CLI as needed. The simplest approach is to create the gateway-identity-passpharse
alias with the Knox CLI. This will create the credential store if it doesn&rsquo;t already
exist and add the key passphrase.</p><p>See the Knox CLI section for descriptions
of the comman
 d line utilties related to the management of the credential stores.</p><h5><a
id="Provisioning+of+Keystores"></a>Provisioning of Keystores</h5><p>Once
you have created these keystores you must move them into place for the gateway to discover
them and use them to represent its identity for SSL connections. This is done by copying the
keystores to the <code>{GATEWAY_HOME}/data/security/keystores</code> directory
for your gateway install.</p><h4><a id="Summary+of+Secrets+to+be+Managed"></a>Summary
of Secrets to be Managed</h4>
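Review bot: this hunk is the same change as the one to knox-0-5-0/knox-0-5-0.html, so the same points apply: the `keytool -changealias` and `keytool -keypasswd` examples in the list items render as `<p>` text with `&ldquo;`/`&rdquo;` quotes instead of `<pre><code>`, and the placeholders `{knoxpw}`, `{master-secret}` and `{server.p12}` do not follow one convention. Both books are regenerated from their config.md, so the fix belongs in the markdown source once, not in the generated HTML for each version.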

Modified: knox/site/index.html
URL: http://svn.apache.org/viewvc/knox/site/index.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Mon Dec  8 16:58:43 2014
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-11-26 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-12-08 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20141126" />
+    <meta name="Date-Revision-yyyymmdd" content="20141208" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a href="https://cwiki.apache.org/confluence/display/KNOX/Index"
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 2014-11-26</span>
+                &nbsp;| <span id="publishDate">Last Published: 2014-12-08</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/site/issue-tracking.html
URL: http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/issue-tracking.html (original)
+++ knox/site/issue-tracking.html Mon Dec  8 16:58:43 2014
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-11-26 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-12-08 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20141126" />
+    <meta name="Date-Revision-yyyymmdd" content="20141208" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a href="https://cwiki.apache.org/confluence/display/KNOX/Index"
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 2014-11-26</span>
+                &nbsp;| <span id="publishDate">Last Published: 2014-12-08</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/site/license.html
URL: http://svn.apache.org/viewvc/knox/site/license.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/license.html (original)
+++ knox/site/license.html Mon Dec  8 16:58:43 2014
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-11-26 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-12-08 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20141126" />
+    <meta name="Date-Revision-yyyymmdd" content="20141208" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a href="https://cwiki.apache.org/confluence/display/KNOX/Index"
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 2014-11-26</span>
+                &nbsp;| <span id="publishDate">Last Published: 2014-12-08</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/site/mail-lists.html
URL: http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/mail-lists.html (original)
+++ knox/site/mail-lists.html Mon Dec  8 16:58:43 2014
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-11-26 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-12-08 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20141126" />
+    <meta name="Date-Revision-yyyymmdd" content="20141208" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a href="https://cwiki.apache.org/confluence/display/KNOX/Index"
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 2014-11-26</span>
+                &nbsp;| <span id="publishDate">Last Published: 2014-12-08</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/site/project-info.html
URL: http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Mon Dec  8 16:58:43 2014
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-11-26 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-12-08 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20141126" />
+    <meta name="Date-Revision-yyyymmdd" content="20141208" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a href="https://cwiki.apache.org/confluence/display/KNOX/Index"
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 2014-11-26</span>
+                &nbsp;| <span id="publishDate">Last Published: 2014-12-08</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/site/team-list.html
URL: http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/site/team-list.html (original)
+++ knox/site/team-list.html Mon Dec  8 16:58:43 2014
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-11-26 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2014-12-08 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20141126" />
+    <meta name="Date-Revision-yyyymmdd" content="20141208" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a href="https://cwiki.apache.org/confluence/display/KNOX/Index"
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 2014-11-26</span>
+                &nbsp;| <span id="publishDate">Last Published: 2014-12-08</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/trunk/books/0.5.0/config.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.5.0/config.md?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/trunk/books/0.5.0/config.md (original)
+++ knox/trunk/books/0.5.0/config.md Mon Dec  8 16:58:43 2014
@@ -298,22 +298,31 @@ In order to provide your own certificate
 ##### Importing a key pair into a Java keystore #####
 One way to accomplish this is to start with a PKCS12 store for your key pair and then convert
it to a Java keystore or JKS.
 
+The following example uses openssl to create a PKCS12 encoded store from your provided certificate
and private key that are in PEM format.
+
     openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
 
-The above example uses openssl to create a PKCS12 encoded store for your provided certificate
private key.
+The next example converts the PKCS12 store into a Java keystore (JKS). It should prompt you
for the keystore and key passwords for the destination keystore. You must use the master-secret
for the keystore password and keep track of the password that you use for the key passphrase.
 
     keytool -importkeystore -srckeystore {server.p12} -destkeystore gateway.jks -srcstoretype
pkcs12
 
-This example converts the PKCS12 store into a Java keystore (JKS). It should prompt you for
the keystore and key passwords for the destination keystore. You must use the master-secret
for both.
-
 While using this approach a couple of important things to be aware of:
 
-1. the alias MUST be "gateway-identity"
+1. the alias MUST be "gateway-identity". You may need to change it using keytool after the
import of the PKCS12 store. You can use keytool to do this - for example: 
+
+    keytool -changealias -alias "1" -destalias "gateway-identity" -keystore gateway.jks -storepass
{knoxpw}
+    
 2. the name of the expected identity keystore for the gateway MUST be gateway.jks
-3. the passwords for the keystore and the imported key may both be set to the master secret
for the gateway install
+3. the passwords for the keystore and the imported key may both be set to the master secret
for the gateway install. You can change the key passphrase after import using keytool as well.
You may need to do this in order to provision the password in the credential store as described
later in this section. For example:
+
+    keytool -keypasswd -alias gateway-identity -keystore gateway.jks
 
 NOTE: The password for the keystore as well as that of the imported key may be the master
secret for the gateway instance or you may set the gateway-identity-passphrase alias using
the Knox CLI to the actual key passphrase. See the Knox CLI section for details.
 
+The following will allow you to provision the passphrase for the private key that you set
during keystore creation above - it will prompt you for the actual passphrase.
+
+    bin/knoxcli.sh create-alias gateway-identity-passphrase
+
 ##### Generating a self-signed cert for use in testing or development environments #####
 
     keytool -genkey -keyalg RSA -alias gateway-identity -keystore gateway.jks \
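Review bot: the "-changealias" step added in item 1 can be avoided by naming the entry at export time, which also removes the assumption that the imported alias is "1" (true only for a single-entry PKCS12 store): "openssl pkcs12 -export -name gateway-identity -in cert.pem -inkey key.pem > server.p12" yields an entry that already carries the alias gateway-identity after "-importkeystore", so the doc could present that as the primary path and keep "-changealias" as the fallback for stores exported without a name. Also, "{server.p12}" is braced in the keytool line while the openssl line writes plain "server.p12"; either drop the braces or state the placeholder convention, since "{knoxpw}" further down uses the same braces to mean "substitute your value".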

Modified: knox/trunk/books/0.6.0/config.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.6.0/config.md?rev=1643865&r1=1643864&r2=1643865&view=diff
==============================================================================
--- knox/trunk/books/0.6.0/config.md (original)
+++ knox/trunk/books/0.6.0/config.md Mon Dec  8 16:58:43 2014
@@ -298,22 +298,31 @@ In order to provide your own certificate
 ##### Importing a key pair into a Java keystore #####
 One way to accomplish this is to start with a PKCS12 store for your key pair and then convert
it to a Java keystore or JKS.
 
+The following example uses openssl to create a PKCS12 encoded store from your provided certificate
and private key that are in PEM format.
+
     openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
 
-The above example uses openssl to create a PKCS12 encoded store for your provided certificate
private key.
+The next example converts the PKCS12 store into a Java keystore (JKS). It should prompt you
for the keystore and key passwords for the destination keystore. You must use the master-secret
for the keystore password and keep track of the password that you use for the key passphrase.
 
     keytool -importkeystore -srckeystore {server.p12} -destkeystore gateway.jks -srcstoretype
pkcs12
 
-This example converts the PKCS12 store into a Java keystore (JKS). It should prompt you for
the keystore and key passwords for the destination keystore. You must use the master-secret
for both.
-
 While using this approach a couple of important things to be aware of:
 
-1. the alias MUST be "gateway-identity"
+1. the alias MUST be "gateway-identity". You may need to change it using keytool after the
import of the PKCS12 store. You can use keytool to do this - for example: 
+
+    keytool -changealias -alias "1" -destalias "gateway-identity" -keystore gateway.jks -storepass
{knoxpw}
+    
 2. the name of the expected identity keystore for the gateway MUST be gateway.jks
-3. the passwords for the keystore and the imported key may both be set to the master secret
for the gateway install
+3. the passwords for the keystore and the imported key may both be set to the master secret
for the gateway install. You can change the key passphrase after import using keytool as well.
You may need to do this in order to provision the password in the credential store as described
later in this section. For example:
+
+    keytool -keypasswd -alias gateway-identity -keystore gateway.jks
 
 NOTE: The password for the keystore as well as that of the imported key may be the master
secret for the gateway instance or you may set the gateway-identity-passphrase alias using
the Knox CLI to the actual key passphrase. See the Knox CLI section for details.
 
+The following will allow you to provision the passphrase for the private key that you set
during keystore creation above - it will prompt you for the actual passphrase.
+
+    bin/knoxcli.sh create-alias gateway-identity-passphrase
+
 ##### Generating a self-signed cert for use in testing or development environments #####
 
     keytool -genkey -keyalg RSA -alias gateway-identity -keystore gateway.jks \
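Review bot: "-storepass {knoxpw}" in the item 1 "-changealias" example puts the keystore password on the command line, where it is recorded in shell history and visible in the process list while keytool runs; omitting the flag makes keytool prompt for the password, which is how the item 3 example "keytool -keypasswd -alias gateway-identity -keystore gateway.jks" already behaves, so the two examples should be consistent and both should prompt. This hunk is a verbatim copy of the 0.5.0/config.md change, and since the two books are maintained as separate files, any later correction (including this one) has to be applied to both.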
