Shibboleth v3 - Session HA Questions
Andrew Jason Morgan
morgan at oregonstate.edu
Wed Jul 1 21:11:21 UTC 2020
We use the following command to rotate keys on a regular basis:
$IDP_HOME/bin/seckeygen.sh \
--storefile $IDP_HOME/credentials/sealer.jks \
--storepass $STOREPASS \
--versionfile $IDP_HOME/credentials/sealer.kver \
--alias secret
I don't know if it will create a new keystore, though.
Andy
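As an added example (not from the thread or the Shibboleth project), a POSIX shell check for the situation discussed below: after a rotation, every IdP node must hold the same sealer.jks (compared by cksum, as was done in the thread) and the same version in sealer.kver, otherwise the other nodes log "Key 'secret2' not found" and force re-authentication. It assumes sealer.kver is a Java properties file with a `CurrentVersion=N` line, and the sample node directories it builds are constructed data, not real keystores.

```shell
#!/bin/sh
# Added example: verify that DataSealer key material is in sync across IdP nodes.
# Assumption: sealer.kver is a properties file containing a CurrentVersion=N line.

# check_sealer_sync DIR: DIR holds one sub-directory per IdP node, each with
# sealer.jks and sealer.kver. Prints one line per node; returns 0 when all
# nodes agree on keystore checksum and version, 1 on any drift or missing file.
check_sealer_sync() {
  ref_sum=""; ref_ver=""; rc=0
  for node in "$1"/*/; do
    node=${node%/}
    if [ ! -f "$node/sealer.jks" ] || [ ! -f "$node/sealer.kver" ]; then
      echo "$node: MISSING sealer.jks or sealer.kver"; rc=1; continue
    fi
    sum=$(cksum < "$node/sealer.jks" | cut -d' ' -f1)
    ver=$(sed -n 's/^CurrentVersion=//p' "$node/sealer.kver")
    # The first node seen is the reference the others are compared against.
    if [ -z "$ref_sum" ]; then ref_sum=$sum; ref_ver=$ver; fi
    if [ "$sum" = "$ref_sum" ] && [ "$ver" = "$ref_ver" ]; then
      echo "$node: OK (version $ver, cksum $sum)"
    else
      echo "$node: DRIFT (version $ver, cksum $sum; expected $ref_ver, $ref_sum)"; rc=1
    fi
  done
  return $rc
}

# make_sample_nodes DIR ROTATED: constructed sample data (fake keystore bytes).
# Creates idp1 and idp2 in sync; with ROTATED=1, idp2 alone gets a rotated key
# (version 2, different bytes), i.e. the state that produced the log lines below.
make_sample_nodes() {
  mkdir -p "$1/idp1" "$1/idp2"
  printf 'fake-jks-v1' > "$1/idp1/sealer.jks"
  printf 'CurrentVersion=1\n' > "$1/idp1/sealer.kver"
  if [ "$2" = 1 ]; then
    printf 'fake-jks-v2' > "$1/idp2/sealer.jks"
    printf 'CurrentVersion=2\n' > "$1/idp2/sealer.kver"
  else
    cp "$1/idp1/sealer.jks" "$1/idp1/sealer.kver" "$1/idp2/"
  fi
}

# Stand-alone run: a healthy pair, then a pair where idp2 was rotated on its own.
tmp=$(mktemp -d)
make_sample_nodes "$tmp/sync" 0;  check_sealer_sync "$tmp/sync"  && echo "nodes in sync"
make_sample_nodes "$tmp/drift" 1; check_sealer_sync "$tmp/drift" || echo "nodes have drifted"
rm -rf "$tmp"
```

Run it against copies of each node's credentials directory (or over ssh-fetched files) before bringing a rotated node back into the pool.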
________________________________
From: users <users-bounces at shibboleth.net> on behalf of prasanna cg <prasannacgin at yahoo.in>
Sent: Wednesday, July 1, 2020 1:36 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Shibboleth v3 - Session HA Questions
Thanks for that, Scott!
I was not able to find any documentation / articles to generate new sealer files for IDP. So I was curious to know if there is any backdoor way. I used the logs in DEBUG mode and I don't see any log that stated that the cookie was wrapped with a key that is known / available (or anything related to that). At the same time, if I change my key on one IDP node, create a session and test SSO with the other IDP node, it certainly records a log as below and enforces re-authentication:
2020-07-01 19:30:41,186 - INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategy:289] - Key 'secret2' not found
2020-07-01 19:30:41,188 - INFO [net.shibboleth.utilities.java.support.security.DataSealer:218] - Data was wrapped with a key (secret2) no longer available
And since I couldn't find whether the keys were ever copied across nodes in my environment, I merely did a cksum and saw them to be common between the IDP nodes. Not sure if that confirms it, but I am assuming it would have been copied.
On Jul 1, 2020, at 3:52 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
On 7/1/20, 3:50 PM, "users on behalf of prasanna cg" <users-bounces at shibboleth.net on behalf of prasannacgin at yahoo.in> wrote:
Thanks Scott. I understand I am missing something here. Let me look further. Also, is there a way to create new / fresh
"sealer.jks" and "sealer.kver" files in an IDP node? I am trying to see if I can ignore the ones that exist now and create a
new file for each of my IDP nodes and test again.
I believe the script that rolls the key can essentially initialize one from empty state, but I'm not positive.
Initially I wrote your question off as "he's nuts?" but you've clearly digested the documentation sufficiently to be questioning reality appropriately.
I would really suggest you just use the logs.
-- Scott
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net