-
Bug
-
Resolution: Not an issue
-
Neutral
-
None
-
4.5.3
-
None
It seems the private activation key no longer gets created on first activation when it does not exist.
In our Magnolia web app we do not have an activation key by default. When we try to activate content the first time (the subscriber is configured correctly and running) this fails with the error 'Private key store doesn't exist at..'
It is easily reproduced in the Magnolia 4.5.3 EE distribution if you first remove the magnolia-activation-keypair.properties file from the magnoliaAuthor/WEB-INF/config/default dir, start up Magnolia and attempt to activate content.
In the log:
Caused by: java.lang.SecurityException: Private key store doesn't exist at [/Users/edgar/Downloads/magnolia-enterprise-4.5.3/apache-tomcat-6.0.32/webapps/magnoliaAuthor/WEB-INF/config/default/magnolia-activation-keypair.properties]. Please, ensure that [magnolia.author.key.location] actually points to the correct location
at info.magnolia.cms.security.SecurityUtil.checkPrivateKeyStoreExistence(SecurityUtil.java:367)
I guess the workaround is to generate an activation key and store that manually on the filesystem or use the one provided in the Magnolia EE distribution?
PS: this mechanism is introduced for security reasons right? If so, why does Magnolia distribute the key in it's Magnolia EE distributions? With default Magnolia installations the very same key is now used all over the world. So much for security.