[Geoserver-users] CLI change of master password

Dear list members,

I am looking for a way to make automatic changes of the master password (aka root password). We deploy GeoServer automatically in our infrastructure and since GeoServer 2.4 we have to change the now static master password manually after each deploy - this happens quite often.

To make automatic deploys fun again, I tried to figure out how to change the master password via CLI tools, but was not successful yet.

These are the current steps:

1. Create new master password provider

* create folder <data_dir>/security/masterpw/new_provider
* create file <data_dir>/security/masterpw/new_provider/masterpw.xml with proper content (no encryption activated)
* create file <data_dir>/security/masterpw/new_provider/passwd containing the new password in plaintext
* Change default master password provider in <data_dir>/security/masterpw.xml

2. Change keystore passwd

* keytool -storepasswd -new new_password -keystore geoserver.jceks -storetype JCEKS

3. Create new masterpw.digest

http://www.jasypt.org/cli.html

* digest.sh algorithm=SHA-256 saltSizeBytes=16 iterations=100000 input="new_password"
* Put the result in masterpw.digest, format: digest1:<new_hash>

4. Restart GeoServer

After doing this, it seems like GeoServer is not able to open the keystore anymore:

org.springframework.beans.factory.BeanCreationException: Error occured reading security configuration; nested exception is java.io.IOException: Keystore was tampered with, or password was incorrect

So maybe the way the masterpw.digest gets generated is wrong? Base64 is used in the source code, but encoding the hash has not worked either.

Can anybody maybe give me a hint? This would be great!

[OT]
In my opinion the static master password is a step backwards in terms of security. Compared to the risk of the plain text password file with a randomly generated password, the static master password is much more dangerous. Especially since this fact is not mentioned or even highlighted in the current documentation, a lot of users are maybe not aware of how important this change is.
(There is already an issue on this topic: GEOS-6136 [1])
[/OT]

Best regards,
Patric

[1] http://jira.codehaus.org/browse/GEOS-6136

--
web www.geops.de
rss www.geops.de/blog/feed
follow www.twitter.com/geops

Dear list members,

sorry for asking again - can maybe anybody give me a hint? This would be great.

Best regards,
Patric

On 05/07/2014 05:24 PM, Patric Hafner | geOps wrote:


On Thu, May 15, 2014 at 2:59 PM, Patric Hafner | geOps <
patric.hafner@anonymised.com> wrote:


I guess the only one that could help you there is Christian (cc'ed),
everyone else would have to
go read the code to handle the master passwords...

Cheers
Andrea

--

Meet us at GEO Business 2014! in London! Visit http://goo.gl/fES3aK
for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

One thing you can do is configure geoserver to use the web.xml file for the master password. That is easy to edit by hand…


Jody Garnett

On Thu, May 15, 2014 at 6:22 AM, Andrea Aime <andrea.aime@anonymised.com> wrote:




Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users



Hi Jody,

can you explain how to configure this setup ?

Best regards,
Patric

On 05/15/2014 04:46 PM, Jody Garnett wrote:


Hi all

@Jody, no idea what you are meaning with the web.xml file, please let me know.

At the moment, the only way to change the master password is using the GUI. Unfortunately, the security subsystem has no REST API. Changing the master password requires encryption of the keystore and all key entries. The master password itself is protected by a permutation. Doing all these things manually is quite some work.

Sorry for the bad news :(
Christian


DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
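Added diagnostic for the four-step procedure in the first post and for Christian's point that the keystore and every key entry have to be re-encrypted; it was not written by any participant and is not GeoServer code. It takes a candidate master password and reports (a) whether it verifies against a digest1: line, recomputing the jasypt digest that step 3 produces with digest.sh, and (b) whether it opens the JCEKS keystore and, separately, every key entry inside it. keytool -storepasswd from step 2 rewrites only the store password, so the per-entry check is what shows which secrets still sit under the old password. Assumptions: the jasypt layout implemented here (16-byte salt prepended to the hash, SHA-256 over salt||password re-hashed for 100000 rounds in total, base64 of salt||hash) is jasypt's default and is what the digest1: line holds; the class name, argument order and output wording are my own; the permutation Christian mentions for the provider's passwd file is not reproduced.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;
import java.util.List;

// Added diagnostic, not GeoServer code: does a candidate master password match
// the digest1: line and open the JCEKS keystore *and* every key entry in it?
public class MasterPasswordCheck {

    // Parameters as given to jasypt's digest.sh in step 3 of the post.
    static final String ALGORITHM = "SHA-256";
    static final int SALT_BYTES = 16;
    static final int ITERATIONS = 100000;

    // Recomputes the digest and compares in constant time. Assumed jasypt layout:
    // base64(salt || H) with H = SHA-256(salt || utf8(password)) re-hashed
    // ITERATIONS-1 more times. A leading "digest1:" prefix is stripped.
    static boolean digestMatches(String password, String digestLine) throws Exception {
        String b64 = digestLine.trim();
        if (b64.startsWith("digest1:")) b64 = b64.substring("digest1:".length());
        byte[] decoded = Base64.getDecoder().decode(b64.replaceAll("\\s", ""));
        if (decoded.length <= SALT_BYTES) return false;   // no room for salt + hash
        byte[] salt = Arrays.copyOfRange(decoded, 0, SALT_BYTES);
        byte[] stored = Arrays.copyOfRange(decoded, SALT_BYTES, decoded.length);

        MessageDigest md = MessageDigest.getInstance(ALGORITHM);
        md.update(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        byte[] h = md.digest();
        for (int i = 1; i < ITERATIONS; i++) {
            h = md.digest(h);                       // digest() resets md each round
        }
        return MessageDigest.isEqual(stored, h);
    }

    // Loads the store with the password, then recovers each key entry with the
    // same password. keytool -storepasswd rewrites only the store password;
    // entries keep the password they were created with, so they are tested too.
    static boolean keystoreMatches(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        } catch (IOException e) {
            // Same IOException GeoServer reports at startup in the post.
            System.out.println("store password: FAIL (" + e.getMessage() + ")");
            return false;
        }
        System.out.println("store password: OK");

        boolean allOk = true;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) continue;    // certificate entries have no key password
            try {
                ks.getKey(alias, password);
                System.out.println("key entry " + alias + ": OK");
            } catch (UnrecoverableKeyException e) {
                System.out.println("key entry " + alias + ": FAIL (still under another password)");
                allOk = false;
            }
        }
        return allOk;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: printf '%s' PASSWORD | java MasterPasswordCheck.java KEYSTORE.jceks masterpw.digest");
            System.exit(2);
        }
        // Password is read from stdin so it never appears in the process list.
        String password = new BufferedReader(
                new InputStreamReader(System.in, StandardCharsets.UTF_8)).readLine();
        if (password == null) password = "";
        List<String> lines = Files.readAllLines(Paths.get(args[1]), StandardCharsets.UTF_8);
        String digestLine = lines.isEmpty() ? "" : lines.get(0);

        boolean digestOk = digestMatches(password, digestLine);
        System.out.println("masterpw.digest: " + (digestOk ? "OK" : "FAIL"));
        boolean storeOk = keystoreMatches(args[0], password.toCharArray());
        System.exit(digestOk && storeOk ? 0 : 1);
    }
}
```

Run it with a JDK 11 or newer as printf '%s' 'new_password' | java MasterPasswordCheck.java geoserver.jceks masterpw.digest. A store that does not load prints the same "Keystore was tampered with, or password was incorrect" text seen in the post; a store that loads but lists FAIL entries points at key entries that keytool -storepasswd never re-keyed, which is exactly the gap between step 2 and what Christian describes.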



Looks like it is only delegating to the application container:

http://docs.geoserver.org/stable/en/user/security/tutorials/j2ee/index.html


Jody Garnett

On Fri, May 16, 2014 at 2:28 AM, Christian Mueller <christian.mueller@anonymised.com> wrote:



Hi Jody

The J2EE authentication filter has nothing to do with the master password, I think this is a misunderstanding.

Christian


On Fri, May 16, 2014 at 6:39 PM, Jody Garnett <jody.garnett@anonymised.com> wrote:


DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
