...

Other plugins, such as the CryptoTransientPrincipalConnector or ResolverCryptoTransientIDAttributeDefinition, require injection of an instance of this object. You will typically configure the object by adding a <bean> declaration to a Spring configuration file. You can modify internal.xml directly, but it's typically better to create your own extension file and add it to web.xml in the contextConfigLocation context parameter.

Warning

The SunPKCS11 JCE provider that is installed by default on the Solaris JVM appears to be incompatible with this code. To use it, modify the default provider list by editing $JAVA_HOME/jre/lib/security/java.security.

Keystore

The object usually gets its cryptographic key(s) from a special kind of keystore of type "JCEKS" designed for symmetric keys. Creating one requires overriding the keystore type when using the keytool command:

Code Block
keytool -genseckey -keystore secret.jks -storetype JCEKS -alias secretnameid -keyalg AES -keysize 128

Once you create the keystore file, copy it to all the IdP servers in your cluster.

Using larger key sizes typically requires the "unlimited strength" (full-strength) JCE jurisdiction policy files, and seems to cause problems for some sites. AES-128 produces sealed values of a reasonable size (256 bytes) and is strong enough, at least for the moment.
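The following is an added illustration of what the keystore section describes; it is not the Shibboleth DataSealer source or any other project code. It creates a JCEKS keystore holding an AES-128 key (the programmatic equivalent of the keytool command above), loads the key back the way the sealer must (the keystore type has to be given explicitly, since JKS cannot hold secret keys), and performs an encrypt-then-MAC seal/unseal round trip so you can see the size of the sealed value and that tampering is rejected. The file name `secret-demo.jks`, the password `changeit`, the `deriveMacKey` helper and the sample plaintext are assumptions made up for the demo; the alias `secretnameid` is the one used in the keytool example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Demo only: JCEKS secret-key handling plus an encrypt-then-MAC seal. Not the DataSealer implementation. */
public class SealerDemo {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 16;   // AES block size
    private static final int TAG_LEN = 32;  // HMAC-SHA256 output

    /** Create a JCEKS keystore with a fresh AES-128 key (what "keytool -genseckey ... -storetype JCEKS" does). */
    static void createKeystore(String path, char[] storePass, String alias, char[] keyPass)
            throws GeneralSecurityException, IOException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null); // start an empty keystore
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(keyPass));
        try (FileOutputStream out = new FileOutputStream(path)) {
            ks.store(out, storePass);
        }
    }

    /** Load the symmetric key; a plain JKS keystore cannot store secret keys, so the type must be JCEKS. */
    static SecretKey loadKey(String path, char[] storePass, String alias, char[] keyPass)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        SecretKey key = (SecretKey) ks.getKey(alias, keyPass);
        if (key == null) throw new GeneralSecurityException("no secret key under alias " + alias);
        return key;
    }

    /** Assumed helper: derive a distinct HMAC key from the cipher key instead of reusing it for both jobs. */
    static SecretKey deriveMacKey(SecretKey cipherKey) throws GeneralSecurityException {
        Mac kdf = Mac.getInstance("HmacSHA256");
        kdf.init(new SecretKeySpec(cipherKey.getEncoded(), "HmacSHA256"));
        return new SecretKeySpec(kdf.doFinal("mac-key".getBytes(StandardCharsets.UTF_8)), "HmacSHA256");
    }

    /** Seal: random IV, AES-CBC, then HMAC over IV||ciphertext; output is Base64(IV||ciphertext||tag). */
    static String seal(SecretKey cipherKey, SecretKey macKey, String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, cipherKey, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        mac.update(iv);
        byte[] tag = mac.doFinal(ct);
        byte[] out = new byte[iv.length + ct.length + tag.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        System.arraycopy(tag, 0, out, iv.length + ct.length, tag.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Unseal: check the MAC in constant time before touching the ciphertext; any tampering is rejected. */
    static String unseal(SecretKey cipherKey, SecretKey macKey, String sealed) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(sealed);
        if (in.length < IV_LEN + TAG_LEN) throw new GeneralSecurityException("sealed value too short");
        byte[] iv = Arrays.copyOfRange(in, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(in, IV_LEN, in.length - TAG_LEN);
        byte[] tag = Arrays.copyOfRange(in, in.length - TAG_LEN, in.length);
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        mac.update(iv);
        if (!MessageDigest.isEqual(tag, mac.doFinal(ct))) throw new GeneralSecurityException("MAC check failed");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, cipherKey, new IvParameterSpec(iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo values; a real deployment uses the keystore produced by keytool.
        String path = "secret-demo.jks";
        char[] pw = "changeit".toCharArray();
        createKeystore(path, pw, "secretnameid", pw);
        SecretKey key = loadKey(path, pw, "secretnameid", pw);
        SecretKey macKey = deriveMacKey(key);
        String sealed = seal(key, macKey, "transient-id-demo-value");
        System.out.println("sealed (" + sealed.length() + " chars): " + sealed);
        System.out.println("unsealed: " + unseal(key, macKey, sealed));
        try {   // flip one ciphertext byte: the MAC check must fail before any decryption happens
            byte[] raw = Base64.getDecoder().decode(sealed);
            raw[IV_LEN] ^= 0x01;
            unseal(key, macKey, Base64.getEncoder().encodeToString(raw));
        } catch (GeneralSecurityException e) {
            System.out.println("tampered value rejected: " + e.getMessage());
        }
    }
}
```

Run it with `javac SealerDemo.java && java SealerDemo`; it needs no libraries beyond the JDK. The separate MAC key mirrors the sealer's `macKey` property above: keeping the cipher and HMAC keys distinct is what lets the MAC check stand on its own, and verifying the MAC before decrypting is why a modified value never reaches the cipher.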

Bean Properties

  • keystoreType (string) (defaults to JCEKS)
    • Type of keystore.

...

  • macKey (SecretKey)
    • Allows the HMAC key to be set directly.

Example

Code Block
<bean id="shibboleth.TransientIDDataSealer" class="edu.internet2.middleware.shibboleth.common.util.DataSealer" 
        depends-on="shibboleth.LogbackLogging" init-method="init">
    <property name="keystorePath" value="/opt/shibboleth-idp/credentials/secret.jks" />
    <property name="keystorePassword" value="authdev" />
    <property name="cipherKeyAlias" value="nameid" />
    <property name="cipherKeyPassword" value="authdev" />
</bean>