Preface
In this guide we’ll learn how to change the password of the sk4keystore.jks file. This file contains the Skyformation self-signed certificate. You might want to change this password to improve the security of your certificate key. The new password should also be updated in a volatile file that is stored in the tomcat container. This guide shows how to find this file and update it so that the new password is not lost.
Steps
Change the password of the sk4keystore.jks file
Please enter the tomcat container by running the command:
sudo docker exec -it sk4tomcat bash
In order to change the sk4keystore.jks file's password, you may run the command:
keytool -storepasswd -keystore sk4conf/sk4keystore.jks
You will be asked to enter your current password, please enter 'changeit'.
Then, you may enter your new password:
New keystore password: new-password
Re-enter new keystore password: new-password
Update the new password in the server.xml File
Install a text editor. This can be done with:
apt-get update
apt-get install vim
Please enter the tomcat container again. Then, you may edit the server.xml file with the command:
vim conf/server.xml
In the server.xml file find the following lines and change the certificateKeystorePassword field to the new password.
<Certificate certificateKeystoreFile="sk4conf/sk4keystore.jks"
             certificateKeystorePassword="changeit"
             certificateKeyAlias="SkyFormation"
             type="RSA" />
Create a new volume to map the sk4tomcat conf folder outside of the container
The server.xml file is deleted every time the sk4tomcat container restarts. Therefore, you may map the /conf folder, which contains this file, outside of the container. In order to do that, you should add a new volume.
Note: Please create a docker-compose.override.yml file if one does not exist. You may find instructions in https://support.skyformation.com/hc/en-us/articles/360011732120-How-To-Create-a-Docker-Compose-Override-File.
Edit the docker-compose.override.yml
version: '3'
services:
  sk4tomcat:
    image: '498895000136.dkr.ecr.us-east-1.amazonaws.com/tomcat:<sk4-version>'
    volumes:
      - tomcatconf:/usr/local/tomcat/conf
volumes:
  tomcatconf:
Update the Exabeam cloud connector’s service file docker-compose execute command
In the /etc/systemd/system/sk4compose.service file, add a -f flag with the docker-compose.override.yml file:
ExecStart=/usr/local/bin/docker-compose -f <path to docker-compose.yml> -f <path to docker-compose.override.yml> up
ExecStop=/usr/local/bin/docker-compose -f <path to docker-compose.yml> -f <path to docker-compose.override.yml> down
*The docker-compose.yml and docker-compose.override.yml files are located in /opt/exabeam/data/sk4 in Exabeam-type deployments, or in /opt/sk4 in standalone deployments.
Verify
To make systemd pick up this change, you may invoke the command:
sudo systemctl daemon-reload
Then, restart the machine and run the command:
sudo docker volume inspect sk4_tomcatconf
If you receive an answer in the following format you are done:
[
    {
        "CreatedAt": "2020-02-10T10:25:05Z",
        "Driver": "local",
        "Labels": {
            "com.docker.compose.project": "sk4",
            "com.docker.compose.volume": "tomcatconf"
        },
        "Mountpoint": "/var/lib/docker/volumes/sk4_tomcatconf/_data",
        "Name": "sk4_tomcatconf",
        "Options": null,
        "Scope": "local"
    }
]
In addition, you may run the command:
docker-compose -f <path to docker-compose.yml> -f <path to docker-compose.override.yml> config
You should see tomcatconf in the list of volumes in the command's output.
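The volume only helps if the edited server.xml actually survived the restart. The following check is an added example, not part of the original guide or the product: it reads certificateKeystorePassword from a server.xml and fails if the default 'changeit' is back or the attribute is missing. The function names are hypothetical; inside the tomcat container it is assumed to be run as check_server_xml conf/server.xml sk4conf/sk4keystore.jks.

```shell
# Added example: post-restart check of the server.xml edited in the steps above.

# Print the first certificateKeystorePassword value found in a server.xml.
# Note: XML entities (e.g. &amp;) in the value are not decoded.
keystore_password_from_xml() {
    sed -n 's/.*certificateKeystorePassword="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Usage: check_server_xml <server.xml> [keystore.jks]
# Returns 0 = ok, 1 = default password still set, 2 = attribute missing,
#         3 = keystore does not open with the password from server.xml.
check_server_xml() {
    xml=$1
    keystore=${2:-}
    pw=$(keystore_password_from_xml "$xml")
    if [ -z "$pw" ]; then
        echo "FAIL: no certificateKeystorePassword found in $xml"
        return 2
    fi
    if [ "$pw" = "changeit" ]; then
        echo "FAIL: $xml still contains the default password"
        return 1
    fi
    # Optional cross-check when a keystore path is given and keytool exists.
    # -storepass:env keeps the password out of the process argument list.
    if [ -n "$keystore" ] && command -v keytool >/dev/null 2>&1; then
        if ! KS_PW="$pw" keytool -list -keystore "$keystore" \
                -storepass:env KS_PW >/dev/null 2>&1; then
            echo "FAIL: $keystore does not open with the password in $xml"
            return 3
        fi
    fi
    echo "OK: $xml does not use the default password"
}

# With no arguments, demo on a constructed sample (not a real configuration).
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
<Certificate certificateKeystoreFile="sk4conf/sk4keystore.jks"
             certificateKeystorePassword="changeit"
             certificateKeyAlias="SkyFormation"
             type="RSA" />
EOF
    check_server_xml "$sample" || echo "check exited with status $?"
    rm -f "$sample"
else
    check_server_xml "$@"
fi
```

A return code of 1 after a restart means the container started with a fresh server.xml, so the volume mapping or the -f flag in the service file did not take effect.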