Sealer alias case sensitivity

Yavor Yanakiev yavor at nyu.edu
Tue Dec 8 14:51:40 EST 2015


It seems to me, in the documentation there must be a note that underlines
the importance of the aliases being in lowercase, especially when they are
entered as a value of "idp.sealer.aliasBase" in the idp.properties file.


On Tue, Dec 8, 2015 at 12:41 PM, Brent Putman <putmanb at georgetown.edu>
wrote:

>
>
> On 12/8/15 9:49 AM, Cantor, Scott wrote:
>
> On 12/8/15, 12:52 AM, "users on behalf of Yavor Yanakiev" <users-bounces at shibboleth.net on behalf of yavor at nyu.edu> wrote:
>
> The seckeygen.sh utility changes uppercase characters in the alias name to
> lowercase without any warning, if you want to use a custom alias with
> capital letters.
>
> If anything's doing that, it's probably Java. We're not doing anything but trimming it.
>
>
> It is Java.  From the KeyStore Javadocs:
>
>
>  Whether aliases are case sensitive is implementation dependent. In order
>  to avoid problems, it is recommended not to use aliases in a KeyStore that
>  only differ in case.
>
>
>
>  I know from personal experience, and confirmed by googling, that Oracle's
> standard (non-SecretKey) impl (type "JKS" from the SUN provider) is
> case-insensitive, and always lowercases the alias that you give it.  I
> would assume it's the same for the "JCEKS" type used here for SecretKey
> support.
>
> Addendum: New to me, I did just discover that
> they purportedly have a different impl (type "CaseExactJKS") that supports
> case-sensitive aliases. [1]  I have not tried it.  That probably does not
> provide the "JCEKS" and SecretKey support needed here though.  Maybe they
> have a corresponding "CaseExactJCEKS" or something, but I think you'd have
> to consistently configure that type everywhere in the system.  I doubt it
> would be worth the trouble.
>
> [1] https://blogs.oracle.com/xuelei/entry/keystore_alias_case_sensitive_or
>



-- 
Yavor Yanakiev
Systems Developer for Identity Services
212-992-7585
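
A way to observe the alias handling discussed in this thread on your own JVM, added here as an example (it is not code from the thread or from Shibboleth). It stores a SecretKey in an in-memory "JCEKS" keystore under a mixed-case alias and compares the configured spelling with what the keystore reports back; the class name, alias and password are constructed sample values.

```java
import java.security.KeyStore;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class AliasCaseCheck {
    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from any real deployment.
        String configuredAlias = "MySecret1";
        char[] password = "changeit".toCharArray();

        // Empty in-memory keystore of the type the thread names for SecretKey support.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, password);

        // Store a freshly generated AES key under the mixed-case alias.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        ks.setEntry(configuredAlias, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(password));

        // What the keystore implementation actually recorded.
        List<String> stored = Collections.list(ks.aliases());
        System.out.println("configured alias          : " + configuredAlias);
        System.out.println("stored aliases            : " + stored);

        // Lookups through the KeyStore API, in both spellings.
        String lower = configuredAlias.toLowerCase(Locale.ROOT);
        System.out.println("containsAlias(configured) : " + ks.containsAlias(configuredAlias));
        System.out.println("containsAlias(lowercase)  : " + ks.containsAlias(lower));

        // Any component that compares alias strings itself, instead of asking
        // the keystore, only matches when the spelling is identical.
        if (!stored.contains(configuredAlias)) {
            System.out.println("WARNING: configured alias is not stored verbatim; "
                    + "use the stored spelling in configuration.");
        }
    }
}
```

Run it with the same Java version and security providers as the IdP, since the KeyStore Javadoc quoted above leaves case handling to the implementation.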