generating sealer keystore by hand

Scott Koranda skoranda at
Thu May 7 13:57:11 EDT 2015


I am using version 3.1.1 of the Shibboleth IdP.

For various reasons I would like to generate the cookie encryption key
and the keystore it is stored in "by hand" for the initial deployment
(I plan to use the provided script for updating the key and version

I understand the keystore to be of type JCEKS and the key to be AES.

Am I correct that a key length of 256 and an alias of 'secret1' (since
the initial version number starts counting at 1) generated with this

keytool -genseckey -keystore sealer.jks -storetype jceks -storepass PASSWORD \
    -keyalg AES -keysize 256 -alias secret1 -keypass PASSWORD

is sufficient for use by the v3 IdP?

My testing appears to show that it is sufficient, but I would like
confirmation if possible.

Do you consider these details to be a "public API" of sorts that will
not change (much) going forward, or is relying on the IdP installation
process to create the key and keystore the only supported mechanism?


Scott K
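
An added example, not part of the original message and not the IdP's own DataSealer code: the same "by hand" keystore the keytool command above produces, built and then read back with plain JCE. It assumes the conventions stated in the question (JCEKS store, AES secret key, alias "secret1" for version 1, one shared password for store and key); the file path, class and method names are illustrative. The verify step is the check a practitioner wants before pointing the IdP at the file: the alias must resolve to a SecretKeyEntry whose key is AES with a 32-byte (256-bit) encoding.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Key;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Illustrative class; the IdP itself is configured with the keystore,
// it does not call code like this.
public class SealerKeystoreByHand {

    // Alias convention assumed from the question: "secret" + version, starting at 1.
    static final String ALIAS = "secret1";

    // Equivalent of: keytool -genseckey -storetype jceks -keyalg AES -keysize 256 -alias secret1
    static Path create(Path keystorePath, char[] password) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                       // 256-bit key, as in the keytool command
        SecretKey key = kg.generateKey();

        KeyStore ks = KeyStore.getInstance("JCEKS");   // JKS cannot hold secret keys; JCEKS can
        ks.load(null, null);                            // start from an empty store
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(password));  // -keypass
        try (FileOutputStream out = new FileOutputStream(keystorePath.toFile())) {
            ks.store(out, password);                    // -storepass
        }
        return keystorePath;
    }

    // Read the store back the way any JCE consumer (the IdP included) must be able to,
    // and confirm the entry is a 256-bit AES secret key under the expected alias.
    static boolean verify(Path keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(keystorePath.toFile())) {
            ks.load(in, password);
        }
        if (!ks.entryInstanceOf(ALIAS, KeyStore.SecretKeyEntry.class)) {
            return false;                   // wrong alias, or a cert/private-key entry instead
        }
        Key key = ks.getKey(ALIAS, password);
        return "AES".equals(key.getAlgorithm()) && key.getEncoded().length == 32;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("sealer");
        Path jks = dir.resolve("sealer.jks");           // illustrative path
        char[] pw = "PASSWORD".toCharArray();           // placeholder, as in the question
        create(jks, pw);
        System.out.println(ALIAS + " usable: " + verify(jks, pw));
    }
}
```

The same check from the command line is `keytool -list -v -keystore sealer.jks -storetype jceks`, which should report the alias with "Entry type: SecretKeyEntry"; omitting `-storetype jceks` makes keytool open the file as JKS and fail to see the entry. Two caveats the command above does not cover: a JRE older than 8u161 needs the unlimited-strength JCE policy installed before a 256-bit AES key can actually be used for encryption, and the IdP also expects the separate version properties file (the one the provided script maintains) to name the current version; this example writes only the keystore.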

