Shibboleth v3 - Session HA Questions

Andrew Jason Morgan morgan at
Wed Jul 1 21:11:21 UTC 2020

We use the following command to rotate keys on a regular basis:

$IDP_HOME/bin/ \
    --storefile $IDP_HOME/credentials/sealer.jks \
    --storepass $STOREPASS \
    --versionfile $IDP_HOME/credentials/sealer.kver \
    --alias secret

I don't know if it will create a new keystore, though.


From: users <users-bounces at> on behalf of prasanna cg <prasannacgin at>
Sent: Wednesday, July 1, 2020 1:36 PM
To: Shib Users <users at>
Subject: Re: Shibboleth v3 - Session HA Questions

Thanks for that Scott !

I was not able to find any documentation / articles to generate new sealer files for IDP. So I was curious to know if there is any backdoor way. I used the logs in DEBUG mode and I don't see any log that states that the cookie was wrapped with a key that is known / available (or anything related to that). At the same time, if I change my key on one IDP node, create a session and test SSO with the other IDP node, it certainly records a log as below and enforces re-authentication:

2020-07-01 19:30:41,186 - INFO [] - Key 'secret2' not found
2020-07-01 19:30:41,188 - INFO [] - Data was wrapped with a key (secret2) no longer available

And since I couldn't find whether the keys were ever copied across nodes in my environment, I merely did a cksum and saw them to be common between the IDP nodes. Not sure if that confirms it, but I am assuming they would have been copied.

On Jul 1, 2020, at 3:52 PM, Cantor, Scott <cantor.2 at> wrote:

On 7/1/20, 3:50 PM, "users on behalf of prasanna cg" <users-bounces at on behalf of prasannacgin at> wrote:

Thanks Scott. I understand I am missing something here. Let me look further. Also, is there a way to create new / fresh "sealer.jks" and "sealer.kver" files in an IDP node? I am trying to see if I can ignore the ones that exist now and create a new file for each of my IDP nodes and test again.

I believe the script that rolls the key can essentially initialize one from empty state, but I'm not positive.

Initially I wrote your question off as "he's nuts?" but you've clearly digested the documentation sufficiently to be questioning reality appropriately.

I would really suggest you just use the logs.

-- Scott
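The two diagnostics the thread relies on, reading the IdP log for cookies sealed with a key the node does not hold and comparing the sealer files across nodes, as an added example that is not part of the original thread or of the Shibboleth project's own code. It assumes sealer.kver is a Java properties file with a CurrentVersion line; the log lines are constructed after the ones quoted above.

```python
import hashlib
import re
from collections import Counter

# Constructed sample log text, modeled on the lines quoted in the thread.
SAMPLE_LOG = """\
2020-07-01 19:30:41,186 - INFO [] - Key 'secret2' not found
2020-07-01 19:30:41,188 - INFO [] - Data was wrapped with a key (secret2) no longer available
2020-07-01 19:31:02,004 - INFO [] - Data was wrapped with a key (secret2) no longer available
"""

# Both messages name the alias the cookie was sealed with on the other node.
KEY_NOT_FOUND = re.compile(r"Key '([^']+)' not found")
KEY_UNAVAILABLE = re.compile(r"wrapped with a key \(([^)]+)\) no longer available")


def missing_key_aliases(log_text):
    """Count, per key alias, the log lines saying this node could not unwrap a cookie.

    A non-empty result on a node means another node in the cluster sealed sessions
    with a key this node does not hold, so a rotation or copy was missed."""
    counts = Counter()
    for line in log_text.splitlines():
        match = KEY_UNAVAILABLE.search(line) or KEY_NOT_FOUND.search(line)
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


def current_version(kver_text):
    """Parse CurrentVersion from sealer.kver (assumed Java properties layout)."""
    for line in kver_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "CurrentVersion":
            return int(value.strip())
    raise ValueError("no CurrentVersion entry in sealer.kver")


def nodes_out_of_sync(nodes):
    """nodes: {node_name: (kver_text, keystore_bytes)}.

    Fingerprints each node by (key version, SHA-256 of sealer.jks), the same check
    as the cksum comparison in the thread, and returns the nodes whose fingerprint
    differs from the majority, i.e. the nodes that missed a rotation or a copy."""
    fingerprints = {
        name: (current_version(kver), hashlib.sha256(jks).hexdigest())
        for name, (kver, jks) in nodes.items()
    }
    majority, _ = Counter(fingerprints.values()).most_common(1)[0]
    return sorted(name for name, fp in fingerprints.items() if fp != majority)
```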
