The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.



A DataSealer is a JavaBean that can be configured for use by other IdP plugins to provide encrypted, MAC'd, time-limited encoding of data for preservation of state outside the IdP. It is typically needed as part of a stateless clustering solution.

Other plugins, such as the CryptoTransientPrincipalConnector or ResolverCryptoTransientIDAttributeDefinition, require injection of an instance of this object. You will typically configure the object by adding a <bean> declaration to a Spring configuration file. You can modify internal.xml directly, but it's typically better to create your own extension file and add it to web.xml in the contextConfigLocation context parameter.

The SunPKCS11 JCE provider that is installed by default on the Solaris JVM appears to be incompatible with this code. To use it, modify the default provider list by editing $JAVA_HOME/jre/lib/security/


The object usually gets its cryptographic key(s) from a special kind of keystore of type "JCEKS" designed for symmetric keys. Creating one requires overriding the keystore type when using the keytool command:

keytool -genseckey -keystore secret.jks -storetype JCEKS -alias nameid -keyalg AES -keysize 128

Once you create the keystore file, copy it to all the IdP servers in your cluster.

Using larger key sizes typically requires the "full-strength" JCE policy files, and seems to cause problems for some sites. Using AES-128 generates fairly reasonable sizes of data (256 bytes) and is strong enough at least for the moment.

Bean Properties

  • keystoreType(string) (defaults to JCEKS)
    • Type of keystore.
  • keystorePath(local file path)
    • Path to a keystore. Required if cipherKey isn't set directly.
  • keystorePassword(string)
    • The password for the keystore. Required if cipherKey isn't set directly.
  • cipherKeyAlias(string)
    • A keystore alias for the encryption key to use. Required if cipherKey isn't set directly.
  • cipherKeyPassword(string)
    • The password for the encryption key. Required if cipherKey isn't set directly.
  • cipherAlgorithm(string) (defaults to AES/CBC/PKCS5Padding)
    • A JCE algorithm specifier for the encryption algorithm to use.
  • macKeyAlias(string)
    • A keystore alias for the HMAC key to use. If no key or alias is set, the cipher key is used.
  • macKeyPassword(string)
    • The password for the HMAC key. If no key or alias is set, the cipher key is used.
  • macAlgorithm(string) (defaults to HmacSHA256)
    • A JCE algorithm specifier for the HMAC algorithm to use.
  • cipherKey(SecretKey)
    • Allows the encryption key to be set directly.
  • macKey(SecretKey)
    • Allows the HMAC key to be set directly.


<bean id="shibboleth.TransientIDDataSealer" class="edu.internet2.middleware.shibboleth.common.util.DataSealer" 
        depends-on="shibboleth.LogbackLogging" init-method="init">
    <property name="keystorePath" value="/opt/shibboleth-idp/credentials/secret.jks" />
    <property name="keystorePassword" value="authdev" />
    <property name="cipherKeyAlias" value="nameid" />
    <property name="cipherKeyPassword" value="authdev" />