From: Sander A. <sa....@fz...> - 2018-07-20 05:55:47
Hi Krzysztof,

Ok, got it. Just one question in addition. If I configure both in pki.properties and add both manually in the metadata, can Unity use the second cert, not configured in requesterCredential, to decrypt messages from IdPs, if they use for some reason the second one? E.g. they did not fetch federation metadata.

Best regards,
Sander

On Thursday, 19.07.2018, 23:31 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 17.07.2018 at 08:11, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > we have to renew our certificate, used for SAML signing and en/decryption. We want to add a second one to propagate it to the IdPs and remove the old one later. Switch has a good explanation about our goals [1].
> >
> > I configured a second certificate:
> > unity.pki.credentials.ROLLOVER.format=pkcs12
> > unity.pki.credentials.ROLLOVER.path=/PATH/TO/keystore.p12
> > unity.pki.credentials.ROLLOVER.keyAlias=NEW-ALIAS
> > unity.pki.credentials.ROLLOVER.password=MY-SUPER-PASSWORD
> >
> > Restart Unity and add the second cert in requester credentials:
> > unity.saml.requester.requesterCredential=MAIN;ROLLOVER
> >
> > When I reload the authenticator, the process hung up. No second cert was stored in metadata. I must remove the second cert from requester credentials and restart Unity to get the system running again. I saw no issues in logs.
> >
> > Is this purpose possible? Or must I replace the cert in a timeslot where I expect only few users to propagate the new cert?
>
> I'm not sure if I've got your intention. The requesterCredential setting is used to select which certificate you use for signing/decryption. You can use only one. However, if you want, you can prepare your own metadata, including two certificates (current and future). Then you wait for the new metadata to be propagated (what is your federation dependent). After the new certificate is loaded in metadata of all peers in the federation, you can make a real switch: change requesterCredential to the new one. And you can remove the old one (soon to be expired) from metadata to clean up the environment.
>
> HTH
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
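The rollover Krzysztof describes hinges on one check: before `requesterCredential` is switched, the metadata you publish (and, eventually, every peer's copy of it) must carry both the current and the future certificate as `md:KeyDescriptor` entries. The script below is an added example for this thread, not part of Unity or its documentation. It builds SP metadata that publishes each certificate for both signing and encryption, then reads metadata back and reports, by SHA-256 fingerprint, whether the active and the rollover certificate are published and for which uses. The entity ID and the certificate bytes are constructed placeholders (not real DER-encoded X.509); in practice you would pass the DER bytes exported from the `MAIN` and `ROLLOVER` keystore aliases.

```python
"""Check SAML SP metadata for a certificate rollover state.

Added example for the mailing-list thread above; not Unity's own code.
Assumes standard SAML 2.0 metadata (md:KeyDescriptor / ds:X509Certificate).
The certificate bytes are constructed placeholders, not real X.509 DER.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed placeholders standing in for the DER bytes of the two
# credentials (the MAIN and ROLLOVER aliases from the thread).
MAIN_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-CERT-MAIN"
ROLLOVER_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-CERT-ROLLOVER"
ALL_USES = {"signing", "encryption"}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes, lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def build_sp_metadata(entity_id: str, cert_ders: list) -> str:
    """Build SP metadata publishing every given certificate for both
    signing and encryption: the 'two certificates, current and future'
    metadata the reply suggests preparing by hand."""
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(
        root, f"{{{MD_NS}}}SPSSODescriptor",
        {"protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"},
    )
    for der in cert_ders:
        for use in sorted(ALL_USES):
            kd = ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor", {"use": use})
            key_info = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
            x509_data = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
            cert_el = ET.SubElement(x509_data, f"{{{DS_NS}}}X509Certificate")
            cert_el.text = base64.b64encode(der).decode("ascii")
    return ET.tostring(root, encoding="unicode")


def published_certs(metadata_xml: str) -> dict:
    """Map each certificate fingerprint in the metadata to the set of key
    uses it is published for. A KeyDescriptor without a 'use' attribute
    is valid for both signing and encryption per the metadata spec."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        uses = {kd.get("use")} if kd.get("use") else set(ALL_USES)
        for cert_el in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            # Base64 in metadata is often line-wrapped; strip whitespace.
            der = base64.b64decode("".join(cert_el.text.split()))
            found.setdefault(fingerprint(der), set()).update(uses)
    return found


def rollover_state(metadata_xml: str, active_der: bytes, rollover_der: bytes) -> dict:
    """Report whether the active credential (the one in requesterCredential)
    and the rollover credential are published, and for which uses.
    'safe_to_switch' only says this copy of the metadata is ready; peers
    must have loaded it too before requesterCredential is changed."""
    found = published_certs(metadata_xml)
    rollover_uses = found.get(fingerprint(rollover_der), set())
    return {
        "active_published": found.get(fingerprint(active_der), set()),
        "rollover_published": rollover_uses,
        "safe_to_switch": ALL_USES <= rollover_uses,
    }


if __name__ == "__main__":
    xml_doc = build_sp_metadata(
        "https://sp.example.org/unity",  # constructed entity ID
        [MAIN_CERT_DER, ROLLOVER_CERT_DER],
    )
    print(rollover_state(xml_doc, MAIN_CERT_DER, ROLLOVER_CERT_DER))
```

Run `published_certs` against the metadata each IdP or the federation registry actually serves, not only against your own file: the switch is safe once the rollover fingerprint shows up with both uses in every peer's copy, and the old certificate can be dropped from the metadata once it is no longer the one in `requesterCredential`.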