Shibboleth v3 - Session HA Questions
prasannacgin at yahoo.in
Wed Jul 1 20:36:08 UTC 2020
Thanks for that Scott !
I was not able to find any documentations / articles to generate new sealer files for IDP. So was curious to know if there is any backdoor way. I used the logs in DEBUG mode and I don't see any log that stated that the cookie was wrapped with a key that is known / available (or anything related to that). At the same time, if I change my key on one IDP node, create a session and test SSO with other IDP node, it certainly records a log as below and enforces for re-authentication
2020-07-01 19:30:41,186 - INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategy:289] - Key 'secret2' not found
2020-07-01 19:30:41,188 - INFO [net.shibboleth.utilities.java.support.security.DataSealer:218] - Data was wrapped with a key (secret2) no longer available
And since I couldn't find if the keys were ever copied across nodes my environment, I merely did a cksum and see them to be common between the IDP nodes. Not sure if that confirms but I am assuming it would have been copied.
> On Jul 1, 2020, at 3:52 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 7/1/20, 3:50 PM, "users on behalf of prasanna cg" <users-bounces at shibboleth.net on behalf of prasannacgin at yahoo.in> wrote:
>> Thanks Scott. I understand I am missing something here. Let me look further. Also, Is there a way to create a new / fresh
>> "sealer.jks" and “sealer.kver” files in an IDP node ? I am trying to see if I can ignore the ones that exist now and create a
>> new file for each of my IDP nodes and test again.
> I believe the script that rolls the key can essentially initialize one from empty state, but I'm not positive.
> Initially I wrote your question off as "he's nuts?" but you've clearly digested the documentation sufficiently to be questioning reality appropriately.
> I would really suggest you just use the logs.
> -- Scott
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the users