Unable to restart container when Security parameters are set #429

Open
ENgraver666 opened this issue Dec 2, 2023 · 1 comment

Comments

@ENgraver666

When the security parameters "PASSWORD_ENCRYPTION_KEY" and "CA_KEYSTOREPASS" are set in an environment variable, it's only possible to stop and remove the container. A restart makes the cryptotokens not readable:

`PKCS12 key store mac invalid - wrong password or corrupted file`

In the startup script "after-init-app.sh" these variables are copied to the end of "/ejbca/conf/cesecore.properties". In the case of a restart these variables are copied again. This results in a cesecore.properties file like this:

```properties
allow.external-dynamic.configuration=true

# Optimization for fresh installations on EJBCA 6+
db.keepinternalcakeystores=false

# All security log events are written to all enabled/configured devices.
# The following AuditLogDevice implementations are available:
#securityeventsaudit.implementation.X=org.cesecore.audit.impl.log4j.Log4jDevice
#securityeventsaudit.implementation.X=org.cesecore.audit.impl.integrityprotected.IntegrityProtectedDevice

securityeventsaudit.implementation.1=null

# Nodeid used for integrity protected audit log. If not set the hostname of local host is used.
# Default: not set
password.encryption.key=encryptionkey
password.encryption.key=encryptionkey
password.encryption.key=encryptionkey 
```

My compose file:

```yaml
version: '3.9'
services:
  ejbca-ce:
    image: keyfactor/ejbca-ce:latest
    hostname: localhost
    environment:
      - DATABASE_PASSWORD=databasepassword
      - DATABASE_USER=ejbca
      - 'DATABASE_JDBC_URL=jdbc:mysql://ejbca-db:3306/ejbca?characterEncoding=UTF-8'
      - TLS_SETUP_ENABLED=simple
      - PASSWORD_ENCRYPTION_KEY=encryptionkey
    ports:
      - 8443:8443
    restart: unless-stopped
```

After a `docker compose restart` the cryptotokens are not readable. After a `docker compose down` and `docker compose up -d` everything is back to normal.

I guess that was also the case in #293 but it was not a problem with the imported CA keystore.
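The post above describes a startup script that appends `KEY=VALUE` lines to `cesecore.properties` on every start, so a restart leaves the file with the key repeated. The following POSIX sh is an added example, not code from the EJBCA project, the `after-init-app.sh` script, or the issue author: it contrasts that blind append with an idempotent "upsert" that rewrites an existing `KEY=` line in place and appends only when the key is absent. The function names (`append_property`, `set_property`, `count_key`, `get_property`, `demo`) and the constructed properties content are assumptions made for the example; the key name `password.encryption.key` and the value `encryptionkey` are taken from the issue. It assumes only `awk`, `grep` and `mktemp`.

```shell
#!/bin/sh
# Added example, not the EJBCA container's own after-init-app.sh.
# Contrasts appending "KEY=VALUE" to a Java .properties file on every
# container start (duplicates pile up) with an idempotent upsert that
# replaces an existing line or appends exactly once.
# Only the "key=value" form is handled; the "key:value" and "key value"
# forms that java.util.Properties also accepts are out of scope here.
set -eu

# append_property FILE KEY VALUE
# The naive approach: blindly append. Running it N times yields N lines.
append_property() {
    printf '%s=%s\n' "$2" "$3" >> "$1"
}

# set_property FILE KEY VALUE
# Idempotent: replaces the first "KEY=..." (or "KEY =...") line and keeps
# every other line as-is, or appends the line when the key is absent.
# Matching is a literal prefix comparison, not a regex, so dots in keys such
# as password.encryption.key are safe. Caveat: awk -v expands backslash
# escapes in VALUE, so keep backslashes out of values or double them.
set_property() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)   # Properties ignores leading blanks
            if (!done && (index(line, k "=") == 1 || index(line, k " =") == 1)) {
                print k "=" v
                done = 1
                next
            }
            print
        }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_key KEY FILE -> number of lines that set KEY
count_key() {
    awk -v k="$1" '
        index($0, k "=") == 1 || index($0, k " =") == 1 { n++ }
        END { print n + 0 }
    ' "$2"
}

# get_property KEY FILE -> the value java.util.Properties would load:
# the last occurrence wins, and the text after "=" (minus leading blanks)
# is taken verbatim, trailing whitespace included.
get_property() {
    awk -v k="$1" '
        index($0, k "=") == 1 || index($0, k " =") == 1 {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)
            last = v
        }
        END { print last }
    ' "$2"
}

# demo: simulate three container starts against a constructed
# cesecore.properties fragment and show both behaviours.
demo() {
    f=$(mktemp)
    printf 'allow.external-dynamic.configuration=true\n' > "$f"
    for i in 1 2 3; do append_property "$f" password.encryption.key encryptionkey; done
    echo "append x3: $(count_key password.encryption.key "$f") line(s) set password.encryption.key"
    printf 'allow.external-dynamic.configuration=true\n' > "$f"
    for i in 1 2 3; do set_property "$f" password.encryption.key encryptionkey; done
    echo "upsert x3: $(count_key password.encryption.key "$f") line(s) set password.encryption.key"
    rm -f "$f"
}

demo
```

Run it as `sh upsert.sh`; the first line reports three `password.encryption.key` lines, the second reports one. Because `java.util.Properties` keeps the last occurrence of a key and preserves trailing whitespace as part of the value, `set_property` passes the value through unchanged; trim at the call site if the value comes from an environment variable you do not control.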

@svenska-primekey

This is a bug and I will let the dev team know. Thanks for reporting this.
