/
SecretKeyManagement

The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

SecretKeyManagement

Owned by Scott Cantor
Last updated: Mar 08, 2017 by u0097636@kuleuven.beVersion comment

The default configuration of the IdP relies on a component called a "DataSealer" which in turn uses an AES secret key to secure cookies and certain other data for the IdPs own use. This key must never be shared with anybody else, and must be copied to every server node making up a cluster.

An initial key is generated by the installer in a special kind of Java keystore file called a "JCEKS" keystore, which stores secret keys instead of public/private keys and certificates. A parallel file also tracks the key version number. A tool is provided to regularly update this secret key (and increase the version), which can be pushed to cluster nodes and continually maintain the secrecy of this key. This should be done at least daily to limit the chance for, and damage from, exposure. You can list the keys with the Java keytool utility (change the <secret> accordingly):

command to list keys
keytool -v -list -keystore sealer.jks -storepass <secret> -storetype JCEKS

Each time the seckeygen utility runs, it generates a new iteration of the key and updates the key version number (and a date/time in a comment). It also maintains a limited number of earlier keys (defaulting to 30, set with the --count option), which should be set based on how often you run the script and how long earlier data used by clients needs to be readable. Any data written with the DataSealer is always encrypted with the latest version of the key, but any data encrypted with an older key can still be read as long as the key remains accessible.

To roll the key, a script similar to the following can be used in a scheduled task on one of the cluster nodes or a staging server:

bash example to update and copy secret key
#!/bin/bash

IDP_HOME=/opt/shibboleth-idp

$IDP_HOME/bin/seckeygen.sh \
	--storefile $IDP_HOME/credentials/sealer.jks \
	--storepass password \
	--versionfile $IDP_HOME/credentials/sealer.kver \
	--alias secret 

scp $IDP_HOME/credentials/sealer.* host1:$IDP_HOME/credentials/
scp $IDP_HOME/credentials/sealer.* host2:$IDP_HOME/credentials/

The below bash version uses the idp.properties file so configurable items don't need to be changed in multiple locations. It can be run manually or via cron (the script can replace the existing seckeygen.sh script entirely as long as it is then run without command line parameters)

It adds some new properties - so that all features are completely configurable from the idp.properties (prefixed with _ as they are unofficial)

  • idp.sealer._count
    • Number of earlier keys to keep (default 30)
  • idp.sealer._sync_hosts
    • Space separated list of hosts to scp the sealer files to (default generate locally)
bash example using the configuration from idp.properties
#!/bin/bash

set -e 
set -u
 
# Default IDP_HOME if not already set
if [ ! -d "${IDP_HOME:=/opt/shibboleth-idp}" ]
then
    echo "ERROR: Directory does not exist: ${IDP_HOME}" >&2
    exit 1
fi

function get_config {
    # Key to lookup (escape . for regex lookup)
    local KEY=${1:?"No key provided to look up value"}
    # Passed default value
    local DEFAULT="${2:-}"
    # Lookup key, strip spaces, replace idp.home with IDP_HOME value
    local RESULT=$(sed -rn '/^'"${KEY//./\\.}"'\s*=/ { s|^[^=]*=(.*)\s*$|\1|; s|%\{idp\.home\}|'"${IDP_HOME}"'|g; p}' ${IDP_HOME}/conf/idp.properties)
    # Set if no result with default - exit if no default
    echo ${RESULT:-${DEFAULT:?"No value in config and no default defined for: '${KEY}'"}}
}

# Get config values
## Official config items ##
storefile=$(get_config idp.sealer.storeResource)
versionfile=$(get_config idp.sealer.versionResource)
storepass=$(get_config idp.sealer.storePassword)
alias=$(get_config idp.sealer.aliasBase secret)
## Extended config items ##
count=$(get_config idp.sealer._count 30)
# default cannot be empty - so "self" is the default (self is skipped for syncing)
sync_hosts=$(get_config idp.sealer._sync_hosts ${HOSTNAME})

# Run the keygen utility 
${0%/*}/runclass.sh net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool \
    --storefile "${storefile}" \
    --storepass "${storepass}" \
    --versionfile "${versionfile}" \
    --alias "${alias}" \
    --count "${count}"

# Display current version
echo "INFO: $(tac "${versionfile}" | tr "\n" " ")" >&2

for EACH in ${sync_hosts}
do
    if [ "${HOSTNAME}" == "${EACH}" ]
    then
        echo "INFO: Host '${EACH}' is myself - skipping" >&2
    elif ! ping -q -c 1 -W 3 ${EACH} >/dev/null 2>&1
    then
        echo "ERROR: Host '${EACH}' not reachable - skipping" >&2
    else
		# run scp in the background 
        scp "${storefile}" "${versionfile}" "${EACH}:${IDP_HOME}/credentials/" &
    fi
done

Related content