How-To Change Default Keystore Password

Preface

In this guide we’ll learn how to change the password of the sk4keystore.jks file. This file contains the Skyformation self signed certificate. You might want to change this password to improve the security of your certificate key. The new password should also be updated in a volatile file which is stored in the tomcat container. In this section we will see how to find this file and update it so that the new password will not be lost.

Steps

Change the password of the sk4keystore.jks file

Please enter the tomcat container by running the command: 

sudo docker exec -it sk4tomcat bash 

In order to change the sk4keystore.jks file's password, you may run the command: 

keytool -storepasswd -keystore sk4conf/sk4keystore.jks 

You will be asked to enter your current password, please enter 'changeit'.

Then, you may enter your new password: 

New keystore password:  new-password
Re-enter new keystore password:  new-password

Update the new password in the server.xml File

Install a text editor, this can be done by: 

apt-get update
apt-get install vim

Please enter the tomcat container again. Then, you may edit the server.xml file with the command:

vim conf/server.xml

In the server.xml file find the following lines and change the certificateKeystorePassword field to the new password. 

 <Certificate certificateKeystoreFile="sk4conf/sk4keystore.jks"
                           certificateKeystorePassword="changeit"
                           certificateKeyAlias="SkyFormation"
                           type="RSA" />

Create a new volume to map the sk4tomcat conf folder outside of the container

The server.xml file is deleted every time the sk4tomcat container restarts. Therefore, you may map the /conf folder which consists this file outside of the container. In order to do that, you should add a new volume.

Note: Please Create a docker-compose.override.yml file if one does not exist. You may find instructions in  https://support.skyformation.com/hc/en-us/articles/360011732120-How-To-Create-a-Docker-Compose-Override-File.

Edit the docker-compose.override.yml 

version: '3'
services:
  sk4tomcat:
    image: '498895000136.dkr.ecr.us-east-1.amazonaws.com/tomcat:<sk4-version>'          
    volumes:
    - tomcatconf:/usr/local/tomcat/conf 
volumes:
  tomcatconf:

Update the Exabeam cloud connector’s service file docker-compose execute command

 In the etc/systemd/system/sk4compose.service file add a -f flag with the docker-compose.override.yml file:

ExecStart=/usr/local/bin/docker-compose -f <path to docker-compose.yml> -f <path to docker-compose.yml.override.yml> up

ExecStop=/usr/local/bin/docker-compose -f <path to docker-compose.yml> -f <path to docker-compose.override.yml> down

*When the path to the docker-compose.yml and docker-compose.override.yml files is in /opt/exabeam/data/sk4 on Exabeam type deployment, or in /opt/sk4 in standalone deployments.

Verify 

In order to make systemd to affect this change, you may invoke the command:

sudo systemctl daemon-reload

 Then, restart the machine and run the command:

sudo docker volume inspect sk4_tomcatconf

If you receive an answer in the following format you are done:  

[
    {
        "CreatedAt": "2020-02-10T10:25:05Z",
        "Driver": "local",
        "Labels": {
            "com.docker.compose.project": "sk4",
            "com.docker.compose.volume": "tomcatconf"
        },
        "Mountpoint": "/var/lib/docker/volumes/sk4_tomcatconf/_data",
        "Name": "sk4_tomcatconf",
        "Options": null,
        "Scope": "local"
    }
]

 In addition, you may run the command: 

docker-compose -f <path to docker-compose.yml> -f <path to docker-compose.override.yml> config 

 You should see the tomcatconf in the list of volumes below.