DataSealer key rollover

Cantor, Scott cantor.2 at osu.edu
Mon Apr 18 14:38:27 EDT 2016


> Several days ago I implemented the datasealer key rollover procedure
> described in
> https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement.
> At the time, I assumed that the running Java process would pick up and
> use the new sealer.jks file.  However, today I needed to stop the IdP process
> and now, unfortunately, it won't start back up.

It tracks the key version in the other file and uses that to decide which alias to read out of the keystore or to decide when the default key has changed.

> 2016-04-18 12:50:43.431 [ERROR] :
> net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategy:
> Error loading default key from base name 'secret'
> net.shibboleth.utilities.java.support.security.KeyNotFoundException: Key
> was not present in keystore

Then it's out of sync. The kver file doesn't contain a key version that matches an alias in the jks file. The IdP doesn't maintain any of that internally, and if it doesn't start up, those files aren't in sync with each other.

> Does the Idp need to be restarted to use the new sealer file?

No.

> Unfortunately, I'm not sure why
> 
> $IDP_HOME/bin/seckeygen.sh \
>     --storefile $IDP_HOME/credentials/sealer.jks \
>     --storepass "supersecretpassphrase" \
>     --versionfile $IDP_HOME/credentials/sealer.kver \
>     --alias secret
> 
> would not produce a usable sealer.jks file (obviously, the storepass variable
> is not correct here, but it is in my script).

It would.

-- Scott
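The mismatch Scott diagnoses (the .kver file naming a key version that has no matching alias in the .jks file) can be checked before restarting the IdP. The script below is an added example, not Shibboleth's code and not from the thread. It assumes, as a reading of "tracks the key version in the other file", that sealer.kver is a Java properties file with a `CurrentVersion=N` line, that the keystore alias for version N is the base alias followed by N (e.g. `secret3`), and that `keytool -list` prints each entry as `alias, date, EntryType, ...`; the version file and alias lists it runs against are constructed sample data, and `$IDP_HOME`/`$STOREPASS` in the trailing usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not Shibboleth's code): checks that sealer.kver and sealer.jks
# agree, i.e. that the version named in the .kver file exists as an alias in
# the keystore. Assumptions, not taken from the thread:
#   - sealer.kver is a Java properties file containing a line "CurrentVersion=N"
#   - the keystore alias for version N is the base alias followed by N (secret3)
#   - `keytool -list` prints one entry per line as "alias, date, EntryType, ..."

# current_version KVERFILE -> prints N from the CurrentVersion=N line
current_version() {
    sed -n 's/^CurrentVersion=\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1"
}

# keystore_aliases JKS STOREPASS -> secret-key alias names, one per line
# (only needed against a live keystore; the checks below use constructed data)
keystore_aliases() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
        | grep 'SecretKeyEntry' | cut -d, -f1
}

# alias_present ALIAS ALIASES -> 0 when ALIAS is one of the newline-separated ALIASES
alias_present() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# check_sealer BASE KVERFILE ALIASES -> 0 when consistent, 1 when out of sync
# (the out-of-sync case is what surfaces as KeyNotFoundException at startup)
check_sealer() {
    base=$1; kver=$2; aliases=$3
    ver=$(current_version "$kver")
    if [ -z "$ver" ]; then
        echo "no CurrentVersion entry in $kver" >&2
        return 1
    fi
    if alias_present "$base$ver" "$aliases"; then
        echo "ok: $kver names version $ver and alias $base$ver is in the keystore"
        return 0
    fi
    echo "out of sync: $kver names version $ver but alias $base$ver is not in the keystore" >&2
    return 1
}

# Constructed sample data standing in for the real files.
SAMPLE_KVER=$(mktemp)
trap 'rm -f "$SAMPLE_KVER"' EXIT
printf 'CurrentVersion=3\n' > "$SAMPLE_KVER"
SAMPLE_ALIASES_OK='secret2
secret3'
SAMPLE_ALIASES_STALE='secret1
secret2'

# The same version file against a keystore that was rolled (ok) and one that was not.
check_sealer secret "$SAMPLE_KVER" "$SAMPLE_ALIASES_OK" || :
check_sealer secret "$SAMPLE_KVER" "$SAMPLE_ALIASES_STALE" || :

# Against the live files ($IDP_HOME and $STOREPASS are placeholders):
#   check_sealer secret "$IDP_HOME/credentials/sealer.kver" \
#       "$(keystore_aliases "$IDP_HOME/credentials/sealer.jks" "$STOREPASS")"
```

The check only reads the two files; if it reports "out of sync", the fix is to bring them back into agreement (the version file has to name a version whose alias is actually present in the keystore) rather than to hand-edit the keystore.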
