DataSealer key rollover

Michael Dahlberg olgamirth at
Mon Apr 18 14:31:15 EDT 2016

Several days ago I implemented the datasealer key rollover procedure
described in
At the time, I assumed that the running java process would pickup and use
the new sealer.jks file.  However, today I needed to stop the IdP process
and now unfortunately, it won't start back up.

In the jetty logs, I get the error message

2016-04-18 12:50:43.431 [ERROR] :
Error loading de
fault key from base name 'secret' Key
was not present in keystore

(As I did not set an alias when doing the initial installation, I assumed
that the alias "secret" was a hardcoded variable).  If I return the
original sealer.jks and sealer.kver, the IdP starts without any problems.

Does the Idp need to be restarted to use the new sealer file?

I assume that sealer.jks encrypts the client-side cookies that are part of
Shib V3 (but I'm probably incorrect on this point) and that standard key
rollover techniques are required for standard security practices.
Unfortunately, I'm not sure why

$IDP_HOME/bin/ \
    --storefile $IDP_HOME/credentials/sealer.jks \
    --storepass "supersecretpassphrase" \
    --versionfile $IDP_HOME/credentials/sealer.kver \
    --alias secret

would not produce a usable sealer.jks file (obviously, the storepass
variable is not correct here, but it is in my script).

Any suggestions?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list