The default configuration of the IdP relies on a component called a "DataSealer", which in turn uses an AES secret key to secure cookies and certain other data for the IdP's own use. This key must never be shared with anybody else, and must be copied to every server node making up a cluster.
An initial key is generated by the installer in a special kind of Java keystore file called a "JCEKS" keystore, which stores secret keys instead of public/private keys and certificates. A parallel file also tracks the key version number. A tool is provided to regularly update this secret key (and increase the version); the updated files can then be pushed to the cluster nodes to continually maintain the secrecy of this key. This should be done at least daily to limit the chance for, and damage from, exposure. You can list the keys with the Java keytool utility (change the <secret> accordingly):

keytool -v -list -keystore sealer.jks -storepass <secret> -storetype JCEKS

Each time the seckeygen utility runs, it generates a new iteration of the key and updates the key version number (and a date/time in a comment). It also retains a limited number of earlier keys (defaulting to 30, set with the --count option), which should be chosen based on how often you run the script and how long earlier data used by clients needs to remain readable. Any data written with the DataSealer is always encrypted with the latest version of the key, but data encrypted with an older key can still be read as long as that key remains accessible.
The IdP process monitors these files and automatically recognizes new keys.
To roll the key, a script similar to the following can be used in a scheduled task on one of the cluster nodes or a staging server:

#!/bin/bash
IDP_HOME=/opt/shibboleth-idp
# Generate the next key version in the sealer keystore ("password" is a placeholder
# for the real keystore password)
$IDP_HOME/bin/seckeygen.sh \
    --storefile $IDP_HOME/credentials/sealer.jks \
    --storepass password \
    --versionfile $IDP_HOME/credentials/sealer.kver \
    --alias secret
# Push the updated keystore and version file to the other cluster nodes
scp $IDP_HOME/credentials/sealer.* host1:$IDP_HOME/credentials/
scp $IDP_HOME/credentials/sealer.* host2:$IDP_HOME/credentials/

The bash version below uses the idp.properties file so configurable items don't need to be changed in multiple locations. It can be run manually or via cron (the script can replace the existing seckeygen.sh script entirely, as long as it is then run without command line parameters).
It adds some new properties, so that all features are completely configurable from idp.properties (prefixed with _ as they are unofficial):

idp.sealer._count
    Number of earlier keys to keep (default 30)

idp.sealer._sync_hosts
    Space-separated list of hosts to scp the sealer files to (default: generate locally only, no sync)

#!/bin/bash
set -e
set -u

# Default IDP_HOME if not already set
if [ ! -d "${IDP_HOME:=/opt/shibboleth-idp}" ]
then
    echo "ERROR: Directory does not exist: ${IDP_HOME}" >&2
    exit 1
fi

# Look up a property in idp.properties, falling back to credentials/secrets.properties
# (where IdP v4+ keeps the sealer password); second argument is an optional default.
function get_config {
    # Key to look up (dots are escaped for the regex match)
    local KEY=${1:?"No key provided to look up value"}
    # Passed default value
    local DEFAULT="${2:-}"
    local FILE RESULT=""
    for FILE in "${IDP_HOME}/conf/idp.properties" "${IDP_HOME}/credentials/secrets.properties"
    do
        [ -f "${FILE}" ] || continue
        # Match "key = value", drop the key and surrounding whitespace,
        # and expand %{idp.home} to the IDP_HOME value
        RESULT=$(sed -rn '/^'"${KEY//./\\.}"'\s*=/ { s|^[^=]*=\s*||; s|\s*$||; s|%\{idp\.home\}|'"${IDP_HOME}"'|g; p }' "${FILE}")
        [ -n "${RESULT}" ] && break
    done
    # Fall back to the default when nothing was found - exit if there is no default
    echo ${RESULT:-${DEFAULT:?"No value in config and no default defined for: '${KEY}'"}}
}

# Get config values
## Official config items ##
storefile=$(get_config idp.sealer.storeResource)
versionfile=$(get_config idp.sealer.versionResource)
storepass=$(get_config idp.sealer.storePassword)
alias=$(get_config idp.sealer.aliasBase secret)
## Extended config items ##
count=$(get_config idp.sealer._count 30)
# default cannot be empty - so "self" is the default (self is skipped for syncing)
sync_hosts=$(get_config idp.sealer._sync_hosts ${HOSTNAME})

# Run the keygen utility
${0%/*}/seckeygen.sh \
    --storefile "${storefile}" \
    --storepass "${storepass}" \
    --versionfile "${versionfile}" \
    --alias "${alias}" \
    --count "${count}"

# Display current version
echo "INFO: $(tac "${versionfile}" | tr "\n" " ")" >&2

# Copy the rotated files to every other node in the cluster
for EACH in ${sync_hosts}
do
    if [ "${HOSTNAME}" == "${EACH}" ]
    then
        echo "INFO: Host '${EACH}' is myself - skipping" >&2
    elif ! ping -q -c 1 -W 3 ${EACH} >/dev/null 2>&1
    then
        echo "ERROR: Host '${EACH}' not reachable - skipping" >&2
    else
        # run scp in the background so the hosts are synced in parallel
        scp "${storefile}" "${versionfile}" "${EACH}:${IDP_HOME}/credentials/" &
    fi
done
# Wait for all background copies to finish before the script exits
wait

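Since the rotation above runs unattended and the copies are best-effort, a defender will want a check that rotation actually happened and that every node ended up with the same key version. The following health-check functions are an added example, not code from the original page or the Shibboleth project; they assume sealer.kver is the Java Properties file that seckeygen writes (a dated comment line plus a CurrentVersion=N line), and that the per-node fingerprint lines are gathered by some external means (e.g. over ssh) before being passed to sealer_cluster_consistent.

```bash
#!/bin/bash
# Added health check for DataSealer key rotation; not part of the original page
# or the Shibboleth project. Assumes sealer.kver is the Java Properties file that
# seckeygen writes, holding a "CurrentVersion=N" line and a dated comment line.

# Print the CurrentVersion number recorded in a sealer version file.
sealer_version() {
  sed -n 's/^CurrentVersion=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1"
}

# Return 0 if the version file exists and was modified within MAX_AGE_MIN
# minutes (default 1440 = daily rotation), 1 if rotation has not run in time.
sealer_fresh() {
  local file=$1 max_age=${2:-1440}
  [ -f "$file" ] && [ -z "$(find "$file" -mmin +"$max_age" 2>/dev/null)" ]
}

# Print "<version> <sha256 of sealer.jks> <sha256 of sealer.kver>" for one
# node's credentials directory (sha256sum is GNU coreutils).
sealer_fingerprint() {
  local dir=$1
  printf '%s %s %s\n' "$(sealer_version "$dir/sealer.kver")" \
    "$(sha256sum "$dir/sealer.jks" | cut -d' ' -f1)" \
    "$(sha256sum "$dir/sealer.kver" | cut -d' ' -f1)"
}

# Takes the fingerprint lines gathered from every node (one per line, as
# "host version jks_hash kver_hash", e.g. collected over ssh) and returns 0
# only if every node holds the same key version and identical files.
sealer_cluster_consistent() {
  local distinct
  distinct=$(printf '%s\n' "$1" | awk 'NF { print $2, $3, $4 }' | sort -u | wc -l | tr -d ' ')
  [ "$distinct" -eq 1 ]
}

# Typical use on a node, after the rotation script has run:
#   sealer_fresh /opt/shibboleth-idp/credentials/sealer.kver 1440 || echo "rotation overdue" >&2
#   sealer_fingerprint /opt/shibboleth-idp/credentials
```

A node whose fingerprint line differs from the rest still holds an old keystore, which means cookies sealed with the newest key on another node cannot be read there.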