DataSealer

A DataSealer is a JavaBean that can be configured for use by other IdP plugins to provide encrypted, MAC'd,

...

time-limited

...

encoding

...

of

...

data

...

for

...

preservation

...

of

...

state

...

outside

...

the

...

IdP.

...

It

...

is

...

typically

...

needed

...

as

...

part

...

of

...

a

...

stateless

...

clustering

...

solution

...

.

...

Other

...

plugins,

...

such

...

as

...

the

...

CryptoTransientPrincipalConnector

...

or

...

ResolverCryptoTransientIDAttributeDefinition

...

,

...

require

...

injection

...

of

...

an

...

instance

...

of

...

this

...

object.

...

You

...

will

...

typically

...

configure

...

the

...

object

...

by

...

adding

...

a

...

<bean>

...

declaration

...

to

...

a

...

Spring

...

configuration

...

file.

...

You

...

can

...

modify

...

internal.xml

...

directly,

...

but

...

it's

...

typically

...

better

...

to

...

create

...

your

...

own

...

extension

...

file

...

and

...

add

...

it

...

to

...

web.xml

...

in

...

the

...

contextConfigLocation

...

context

...

parameter.

...

Warning

The SunPKCS11 JCE provider that is installed by default on the Solaris JVM appears to be incompatible with this code. To use it, modify the default provider list by editing $JAVA_HOME/jre/lib/security/java.security

*.{warn} h2. Keystore The object usually gets its cryptographic

.

Keystore

The object usually gets its cryptographic key(s)

...

from

...

a

...

special

...

kind

...

of

...

keystore

...

of

...

type

...

"JCEKS"

...

designed

...

for

...

symmetric

...

keys.

...

Creating

...

one

...

requires

...

overriding

...

the

...

keystore

...

type

...

when

...

using

...

the

...

keytool

...

command:

...

}

Code Block

keytool -genseckey -keystore secret.jks -storetype JCEKS -alias secretnameid -keyalg AES -keysize 128{code} Using larger key sizes typically requires the

Once you create the keystore file, copy it to all the IdP servers in your cluster.

Using larger key sizes typically requires the "full-strength"

...

JCE

...

policy

...

files,

...

and

...

seems

...

to

...

cause

...

problems

...

for

...

some

...

sites.

...

Using

...

AES-128

...

generates

...

fairly

...

reasonable

...

sizes

...

of

...

data

...

(256

...

bytes)

...

and

...

is

...

strong

...

enough

...

at

...

least

...

for

...

the

...

moment.

...

Bean

...

Properties

keystoreType(string)

...

(defaults

...

to

...

JCEKS)

...

- Type

...

- of

...

- keystore.

...

keystorePath(local

...

file

...

path)

...

- Path

...

- to

...

- a

...

- keystore.

...

- Required

...

- if

...

- cipherKey

...

- isn't

...

- set

...

- directly.

...

keystorePassword(string)

...

- The

...

- password

...

- for

...

- the

...

- keystore.

...

- Required

...

- if

...

- cipherKey

...

- isn't

...

- set

...

- directly.

...

cipherKeyAlias(string)

...

- A

...

- keystore

...

- alias

...

- for

...

- the

...

- encryption

...

- key

...

- to

...

- use.

...

- Required

...

- if

...

- cipherKey

...

- isn't

...

- set

...

- directly.

...

cipherKeyPassword(string)

...

- The

...

- password

...

- for

...

- the

...

- encryption

...

- key.

...

- Required

...

- if

...

- cipherKey

...

- isn't

...

- set

...

- directly.

...

cipherAlgorithm(string)

...

(defaults

...

to

...

AES/CBC/PKCS5Padding)

...

- A

...

- JCE

...

- algorithm

...

- specifier

...

- for

...

- the

...

- encryption

...

- algorithm

...

- to

...

- use.

...

macKeyAlias(string)

...

- A

...

- keystore

...

- alias

...

- for

...

- the

...

- HMAC

...

- key

...

- to

...

- use.

...

- If

...

- no

...

- key

...

- or

...

- alias

...

- is

...

- set,

...

- the

...

- cipher

...

- key

...

- is

...

- used.

...

macKeyPassword(string)

...

- The

...

- password

...

- for

...

- the

...

- HMAC

...

- key.

...

- If

...

- no

...

- key

...

- or

...

- alias

...

- is

...

- set,

...

- the

...

- cipher

...

- key

...

- is

...

- used.

...

macAlgorithm(string)

...

(defaults

...

to

...

HmacSHA256)

...

- A

...

- JCE

...

- algorithm

...

- specifier

...

- for

...

- the

...

- HMAC

...

- algorithm

...

- to

...

- use.

...

cipherKey(SecretKey)

...

- Allows

...

- the

...

- encryption

...

- key

...

- to

...

- be

...

- set

...

- directly.

...

macKey(SecretKey)

...

- Allows

...

- the

...

- HMAC

...

- key

...

- to

...

- be

...

- set

...

- directly.

...

Example

Code Block

	xml
	xml

<bean id="shibboleth.TransientIDDataSealer" class="edu.internet2.middleware.shibboleth.common.util.DataSealer" 
        depends-on="shibboleth.LogbackLogging" init-method="init">
    <property name="keystorePath" value="/opt/shibboleth-idp/credentials/secret.jks" />
    <property name="keystorePassword" value="authdev" />
    <property name="cipherKeyAlias" value="nameid" />
    <property name="cipherKeyPassword" value="authdev" />
</bean>
{code}

Versions Compared

Old Version 3

New Version Current

Key

DataSealer

Keystore

Bean

Properties

Example

Page Comparison

Versions Compared

Old Version 3

New Version Current

Key

DataSealer

Keystore

Bean

Properties

Example