Sealer key error...

Marc SAHIN marc.sahin at univ-lyon2.fr
Thu Jun 29 09:22:39 EDT 2017


I use the rotate script daily and it was working without error.
https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement

I restored both Sealer.jks and Sealer.kver and verified the version of the secret key.
However, I can't start Tomcat because of the password of Sealer.jks.

Is it possible to recreate the keystore from scratch?
Can it be caused by a client-side error?

Cordialement

Marc SAHIN
Administrateur Systèmes
Pôle Système - DSI - Université Lumière Lyon 2
04 78 77 26 66

On 29/06/2017 14:58, Cantor, Scott wrote:
> (Or if you did reset the version file, those are just inevitable errors from clients holding data encrypted under an older key that are coming back now with data it can't decrypt.)
>
> -- Scott
>
> On 6/29/17, 8:55 AM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
>
> On 6/29/17, 8:52 AM, "users on behalf of Marc SAHIN" <users-bounces at shibboleth.net on behalf of marc.sahin at univ-lyon2.fr> wrote:
>
>> Strangely, I can list the content of the Sealer.jks keystore without a password
>> and cannot list the SecretKeys with the password defined in idp.properties (idp.sealer.storePassword).
> Then something tampered with the file. The IdP doesn't write to it, only the seckeygen utility or manually using keytool with it would do that.
>
>> When I restore the Sealer files, it looks for another secret key like below:
> Then you didn't reset the version file. You have to clear the key version file next to it if you need to completely revert it, or you need to make sure the version in the file matches the end of the alias name that's in the store.
>
> -- Scott
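
Scott's point above is that the number in Sealer.kver has to match the end of an alias that is actually present in the keystore. The following check is an added example, not code from this thread or from the Shibboleth project; it assumes Sealer.kver is a Java properties file carrying a `CurrentVersion=N` line, that aliases use the default base `secret` followed by the version number, and that the store is of type JCEKS as the IdP documentation describes.

```shell
#!/bin/sh
# Does Sealer.kver point at a secret key that exists in Sealer.jks?
# Assumes Sealer.kver is a Java properties file with "CurrentVersion=N" and
# that aliases are the default base "secret" followed by the version number.

# Print the CurrentVersion number from a Sealer.kver file (empty if absent).
kver_version() {
    sed -n 's/^CurrentVersion=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Read "keytool -list" output on stdin and print only SecretKeyEntry aliases.
list_secret_aliases() {
    sed -n 's/^\([^,]*\), .*SecretKeyEntry.*/\1/p'
}

# Succeed if alias BASE+VERSION is among the aliases in the listing on stdin.
# usage: alias_present BASE VERSION < listing
alias_present() {
    list_secret_aliases | grep -qx "$1$2"
}

# Compare a real keystore with its version file. The store password is
# handed to keytool through the environment instead of the command line.
# usage: check_sealer Sealer.jks Sealer.kver STOREPASSWORD [ALIASBASE]
check_sealer() {
    ks=$1; kver=$2; base=${4:-secret}
    v=$(kver_version "$kver")
    [ -n "$v" ] || { echo "no CurrentVersion in $kver" >&2; return 2; }
    if IDP_SEALER_PASS=$3 keytool -list -keystore "$ks" -storetype JCEKS \
            -storepass:env IDP_SEALER_PASS | alias_present "$base" "$v"; then
        echo "ok: $kver says $v and $base$v is in $ks"
    else
        echo "MISMATCH: $kver says $v but $base$v is not in $ks" >&2
        return 1
    fi
}
```

Run it before restoring an older Sealer.jks: a MISMATCH means the version file must be reset (or the newer key restored) before the IdP will find the key it expects.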
