generating sealer keystore by hand

Scott Koranda skoranda at
Thu May 7 14:21:47 EDT 2015

On Thu, May 7, 2015 at 12:57 PM, Scott Koranda <skoranda at> wrote:
> Hello,
> I am using version 3.1.1 of the Shibboleth IdP.
> For various reasons I would like to generate the cookie encryption key
> and the keystore it is stored in "by hand" for the initial deployment
> (I plan to use the provided script for updating the key and version
> number).
> I understand the keystore to be of type JCEKS and the key to be AES.
> Am I correct that a key length of 256 and an alias of 'secret1' (since
> the initial version number starts counting at 1) generated with this
> command
> keytool -genseckey -keystore sealer.jks -storetype jceks -storepass
> PASSWORD -keyalg AES -keysize 256 -alias secret1 -keypass PASSWORD
> is sufficient for use by the v3 IdP?
> My testing appears to show that it is sufficient, but I would like
> confirmation if possible.
> Do you consider these details to be a "public API" of sorts that will
> not change (much) going forward, or is relying on the IdP installation
> process to create the key and keystore the only supported mechanism?


I see in the various configuration options for the
internal AES encryption key.


Scott K
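Turning the keytool command quoted above into a script, as an added example that is not part of the original thread: it generates the keystore with the same parameters (JCEKS store, AES-256 secret key, alias secret1) and then checks that the entry really is a secret key under that alias before the store is handed to the IdP. It assumes a JDK keytool on PATH; the `-storepass:env` / `-keypass:env` forms and the `Entry type:` line of `keytool -list -v` are standard keytool behaviour, and the password values in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): create the IdP sealer keystore
# by hand and verify the properties the IdP expects from it.
# Assumptions: a JDK keytool is on PATH; STOREPASS and KEYPASS are exported
# in the environment so the passwords never appear on a command line.
set -eu

# generate_sealer KEYSTORE ALIAS
# Creates KEYSTORE (JCEKS) holding a fresh 256-bit AES key under ALIAS.
generate_sealer() {
    ks="$1"
    alias="$2"
    keytool -genseckey \
        -keystore "$ks" -storetype jceks \
        -storepass:env STOREPASS \
        -keyalg AES -keysize 256 \
        -alias "$alias" -keypass:env KEYPASS
    # The store holds the cookie encryption key: restrict it to the owner.
    chmod 600 "$ks"
}

# verify_sealer KEYSTORE ALIAS
# Returns 0 if KEYSTORE contains a SecretKeyEntry under ALIAS, 1 otherwise
# (missing alias, wrong entry type, or wrong store password).
verify_sealer() {
    ks="$1"
    alias="$2"
    keytool -list -v -keystore "$ks" -storetype jceks \
        -storepass:env STOREPASS -alias "$alias" 2>/dev/null \
      | grep -q 'Entry type: SecretKeyEntry'
}

# Usage: STOREPASS=changeit-store KEYPASS=changeit-key sh sealer.sh sealer.jks
# (placeholder passwords; the initial key version is 1, hence alias secret1)
if [ "$#" -eq 1 ]; then
    generate_sealer "$1" secret1
    verify_sealer "$1" secret1 && echo "sealer keystore OK: $1"
fi
```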
