Shibboleth v3 - Session HA Questions

prasanna cg prasannacgin at yahoo.in
Wed Jul 1 21:17:10 UTC 2020


Hi Andy,

No, that command doesn't create a new keystore. It only adds a new encryption key to the existing keystore. 

> On Jul 1, 2020, at 5:11 PM, Andrew Jason Morgan <morgan at oregonstate.edu> wrote:
> 
> We use the following command to rotate keys on a regular basis:
> 
> $IDP_HOME/bin/seckeygen.sh \
>     --storefile $IDP_HOME/credentials/sealer.jks \
>     --storepass $STOREPASS \
>     --versionfile $IDP_HOME/credentials/sealer.kver \
>     --alias secret
> 
> I don't know if it will create a new keystore, though.
> 
> Andy
> 
> From: users <users-bounces at shibboleth.net <mailto:users-bounces at shibboleth.net>> on behalf of prasanna cg <prasannacgin at yahoo.in <mailto:prasannacgin at yahoo.in>>
> Sent: Wednesday, July 1, 2020 1:36 PM
> To: Shib Users <users at shibboleth.net <mailto:users at shibboleth.net>>
> Subject: Re: Shibboleth v3 - Session HA Questions
>  
> Thanks for that Scott ! 
> 
> I was not able to find any documentation / articles on generating new sealer files for the IDP, so I was curious to know if there is any backdoor way. I used the logs in DEBUG mode and I don't see any log that stated that the cookie was wrapped with a key that is known / available (or anything related to that). At the same time, if I change my key on one IDP node, create a session and test SSO with the other IDP node, it certainly records a log as below and enforces re-authentication:
> 
> 2020-07-01 19:30:41,186 - INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategy:289] - Key 'secret2' not found
> 2020-07-01 19:30:41,188 - INFO [net.shibboleth.utilities.java.support.security.DataSealer:218] - Data was wrapped with a key (secret2) no longer available
> 
> And since I couldn't find whether the keys were ever copied across the nodes in my environment, I merely did a cksum and see that they are the same between the IDP nodes. Not sure if that confirms it, but I am assuming they would have been copied.
> 
>  
> 
>> On Jul 1, 2020, at 3:52 PM, Cantor, Scott <cantor.2 at osu.edu <mailto:cantor.2 at osu.edu>> wrote:
>> 
>> On 7/1/20, 3:50 PM, "users on behalf of prasanna cg" <users-bounces at shibboleth.net <mailto:users-bounces at shibboleth.net> on behalf of prasannacgin at yahoo.in <mailto:prasannacgin at yahoo.in>> wrote:
>> 
>>> Thanks Scott. I understand I am missing something here. Let me look further. Also, is there a way to create new / fresh
>>> "sealer.jks" and "sealer.kver" files on an IDP node? I am trying to see if I can ignore the ones that exist now, create a
>>> new file for each of my IDP nodes and test again.
>> 
>> I believe the script that rolls the key can essentially initialize one from empty state, but I'm not positive.
>> 
>> Initially I wrote your question off as "he's nuts?" but you've clearly digested the documentation sufficiently to be questioning reality appropriately.
>> 
>> I would really suggest you just use the logs.
>> 
>> -- Scott
>> 
>> 
>> 
>> 
>> -- 
>> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg <https://wiki.shibboleth.net/confluence/x/coFAAg>
>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net <mailto:users-unsubscribe at shibboleth.net>
> 
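The checks the thread does by hand (a cksum of the sealer files on each node, reading the DataSealer log lines) written out as a script, added here as an example; it is not code from the thread or from the Shibboleth project. It assumes that sealer.kver is a Java properties file carrying CurrentVersionNumber=N and that the active alias is the seckeygen --alias base followed by N (the thread's logs show "secret2"); the node names, file paths, alias lists and log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Shibboleth project.
# Consistency checks for DataSealer key rotation across IdP nodes.
# Assumptions (labelled): sealer.kver is a Java properties file whose
# CurrentVersionNumber=N names the active key version, and the active alias is
# "<alias base><N>" (the thread's logs show "secret2": base "secret", version 2).

# Version number recorded in a sealer.kver file.
kver_version() {
  tr -d '\r' < "$1" | sed -n 's/^CurrentVersionNumber=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Alias the IdP will use to wrap newly issued session cookies:
# $1 = kver file, $2 = alias base given to seckeygen --alias.
current_alias() {
  printf '%s%s\n' "$2" "$(kver_version "$1")"
}

# Does an alias list (one alias per line) contain the given alias?
# Produce the list from a real keystore with, for example:
#   keytool -list -keystore sealer.jks -storetype JCEKS -storepass "$STOREPASS" \
#     | awk -F, '/SecretKeyEntry/ {print $1}'
# (assumes keytool's "alias, date, entry type," list format)
alias_present() {
  grep -qx "$1" "$2"
}

# Distinct key aliases the DataSealer reported as unavailable in a log file.
# Empty output means no cookie from another node hit a key this node lacks.
missing_keys_from_log() {
  sed -n 's/.*Data was wrapped with a key (\([^)]*\)) no longer available.*/\1/p' "$1" | sort -u
}

# Are all given files byte-identical? (what the thread did by hand with cksum)
all_same() {
  n=$(cksum "$@" | awk '{print $1, $2}' | sort -u | awk 'END {print NR}')
  [ "$n" -eq 1 ]
}

# ---- constructed demo data: two nodes, one of which missed the rotation ----
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '#Wed Jul 01 19:00:00 UTC 2020\nCurrentVersionNumber=2\n' > "$tmp/node1.kver"
printf 'secret1\nsecret2\n' > "$tmp/node1.aliases"
printf 'secret1\n' > "$tmp/node2.aliases"
cat > "$tmp/node2.log" <<'EOF'
2020-07-01 19:30:41,186 - INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategy:289] - Key 'secret2' not found
2020-07-01 19:30:41,188 - INFO [net.shibboleth.utilities.java.support.security.DataSealer:218] - Data was wrapped with a key (secret2) no longer available
EOF

active=$(current_alias "$tmp/node1.kver" secret)
echo "active alias per node1 sealer.kver: $active"
for node in node1 node2; do
  if alias_present "$active" "$tmp/$node.aliases"; then
    echo "$node: holds $active"
  else
    echo "$node: MISSING $active (sessions issued by other nodes will force re-authentication)"
  fi
done
echo "keys node2 could not unwrap: $(missing_keys_from_log "$tmp/node2.log")"
all_same "$tmp/node1.aliases" "$tmp/node2.aliases" || echo "alias lists differ between nodes"
```

The script only confirms that the keystore contents, the version file and the logs agree; the operational fix the thread points at is to run the rotation once and distribute both sealer.jks and sealer.kver to every node, since a node that lacks the current alias cannot unwrap cookies issued by its peers and the IdP then re-authenticates the user exactly as the quoted log lines show.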