Activation security
- Related topics
Publishing or activation of content from author to public instances is authenticated using public-key cryptography. Public-key cryptography is a system that requires two separate keys: a public key to lock or encrypt the plain text request and a private key to unlock or decrypt the cyphertext request. Neither key can do both and neither is derivable from knowledge of the other. One is published and the other is kept private.
On receiving a publishing request, a Magnolia public instance authenticates the author instance using a public key. The author instance generates the key automatically on first publishing of content and transfers it to the public instance. You can generate new public keys any time on the author instance. A single public key is used for multiple public instances.
Configuration
The authentication mechanism requires no configuration. The public key
is generated automatically on the first activation of content and
transferred to the public instance. The configuration of activation is
stored in the server
:
The key pair is also stored on the local file system. If you use the
default Magnolia bundle, the location is configured in a
magnolia.properties
file.
# Location of the file containing both the private and the public keys used to verify authenticity of activation requests
# This file is generated if not present
magnolia.author.key.location=${magnolia.home}/WEB-INF/config/default/magnolia-activation-keypair.properties
Generating a new public key
You can create a new public key in the Publishing Tools app. Key lengths from 512 to 1024 bits are possible.
To generate a new public key:
-
On the author instance, open the Publishing Tools app.
-
Click Generate new key. This generates a new public key and registers it automatically on the author instance.
-
Copy the new key from the Current public key box.
-
Sign in to the public instances and open the Configuration app.
-
Paste the key to Configuration >
/server/activation/publicKey
.
Copy the newly generated public key to all public instances. It is not
transferred automatically on activation as is the case with the initial
key. You cannot activate the publicKey
node to the public instance as
at this point because a mismatch exists between the keys on author and
public.
Troubleshooting
Any type of misconfiguration related either to the keys themselves or the handshaking process between the author and the public instance(s) may lead to activation errors.
Example:
SEVERE: Servlet.service() for servlet [default] in context with path [/magnoliaPublic] threw exception org.bouncycastle.crypto.DataLengthException: input too large for RSA cipher. at org.bouncycastle.crypto.engines.RSACoreEngine.convertInput(Unknown Source) at org.bouncycastle.crypto.engines.RSABlindedEngine.processBlock(Unknown Source) at org.bouncycastle.jcajce.provider.asymmetric.rsa.CipherSpi.getOutput(Unknown Source) at org.bouncycastle.jcajce.provider.asymmetric.rsa.CipherSpi.engineDoFinal(Unknown Source) at javax.crypto.Cipher.doFinal(Cipher.java:2168) at info.magnolia.cms.security.SecurityUtil.decrypt(SecurityUtil.java:168) at info.magnolia.cms.security.SecurityUtil.decrypt(SecurityUtil.java:131) at info.magnolia.publishing.authentication.DefaultPrivatePublicKeyAuthenticator.authenticate(DefaultPrivatePublicKeyAuthenticator.java:92)