Replacing Signing Key with trusted certificate

This topic contains 5 replies, has 2 voices, and was last updated by  Peter Major 1 week, 2 days ago.

  • #22762
     dhruvb 
    Participant

    I am leading the security SSO R&D work at my workplace and I have the evaluation version of OpenAM installed. I am stuck with the following situation.

    We can get the SSO flow working and the SAML response signed with the ‘test’ certificate; however, my goal is to replace the default ‘test’ certificate with our ‘internalIdentityCertificate’.

    The keystore.jceks file contains our ‘internalIdentityCertificate’ however I can’t see this certificate in the dropdown IDP/Assertion Content/Signing and Encryption/CertificateAliases.

    I would highly appreciate any help/suggestion on this.

    Regards
    Dhruv

    #22809
     Peter Major 
    Moderator

    After updating the keystore, you should restart the container so that the new aliases are made available. Also keep in mind that if you just replace the private key stored under the “test” alias, you will need to resave the federation configuration to pick up the new certificate and update the standard metadata.

    #22811
     dhruvb 
    Participant

    Hello Peter Major,

    I have restarted the container. I haven’t replaced the ‘test’ alias; all I have done is add an entry within the keystore.jceks by importing ‘internalIdentity’.crt. The keystore now contains 11 entries instead of the 10 default ones, as expected; however, the dropdown doesn’t pick up this new alias when creating a new Hosted Identity Provider.

    But for an existing IDP I can manually enter this new certificate alias to match the entry in the keystore.jceks and it happily gets saved. But when I try the SSO flow again with this new signing certificate alias I get

    libSAML2:07/20/2018 05:38:03:645 PM BST: Thread[http-apr-7778-exec-10,5,main]: TransactionId[8497c67d-2b9d-4538-ba0c-1885d002f17e-1020111]
    ERROR: UtilProxySAMLAuthenticator.authenticate: authn request verification failed.
    com.sun.identity.saml2.common.SAML2Exception: Null input.
    at com.sun.identity.saml2.common.QuerySignatureUtil.verify(QuerySignatureUtil.java:190)
    at org.forgerock.openam.saml2.UtilProxySAMLAuthenticator.authenticate(UtilProxySAMLAuthenticator.java:167)
    libSAML2:08/08/2018 10:14:22:207 AM BST: Thread[http-apr-7778-exec-3,5,main]: TransactionId[01719746-dc96-4a7b-9d80-6e76f265d9c6-9045]
    ERROR: UtilProxySAMLAuthenticatorLookup.retrieveAuthenticationFromCache: Unable to do sso or federation.
    com.sun.identity.saml2.common.SAML2Exception: The private key was null.

    #22812
     Peter Major 
    Moderator

    You should try to list the contents of the keystore; if your alias maps to a trustedCertificate instead of a privateKeyEntry, then that’s your problem.

    #22813
     dhruvb 
    Participant

    Yes, here is the list. Yes, the alias is trustedCertificate instead of privateKeyEntry; how shall I resolve this?

    es384test, 03-Feb-2017, PrivateKeyEntry,
    selfserviceenctest, 18-Mar-2016, PrivateKeyEntry,
    es256test, 03-Feb-2017, PrivateKeyEntry,
    dsameuserpwd, 08-Aug-2018, SecretKeyEntry,
    rsajwtsigningkey, 24-May-2016, PrivateKeyEntry,
    directenctest, 23-May-2018, SecretKeyEntry,
    selfservicesigntest, 23-May-2018, SecretKeyEntry,
    test, 03-Apr-2018, PrivateKeyEntry,
    configstorepwd, 08-Aug-2018, SecretKeyEntry,
    identitykey, 07-Aug-2018, trustedCertEntry
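A small check for the diagnosis in this exchange, added here as an example and not code from the thread or from OpenAM: it parses `keytool -list` output (the sample listing is constructed, modelled on the one above) and reports whether a given alias can serve as a SAML signing key, i.e. whether it is a PrivateKeyEntry rather than a trustedCertEntry or SecretKeyEntry. The `list_keystore` helper assumes `keytool` is on PATH and is not exercised by the sample.

```python
"""Classify keystore aliases the way `keytool -list` reports them."""
import re
import subprocess

# Constructed sample in the brief `keytool -list` format quoted in the thread:
# "alias, creation date, entry type". Non-entry lines are ignored by the parser.
SAMPLE_LISTING = """\
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 4 entries

es384test, 03-Feb-2017, PrivateKeyEntry,
test, 03-Apr-2018, PrivateKeyEntry,
dsameuserpwd, 08-Aug-2018, SecretKeyEntry,
identitykey, 07-Aug-2018, trustedCertEntry
"""

# alias, date, type, optional trailing comma (keytool omits it on the last line)
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),\s*(?P<date>[^,]+),\s*(?P<type>\w+),?\s*$")


def parse_listing(text):
    """Map alias -> entry type from `keytool -list` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip()] = m.group("type")
    return entries


def list_keystore(path, storepass, storetype="JCEKS"):
    """Run keytool (assumed on PATH) against a real keystore and parse it."""
    out = subprocess.run(
        ["keytool", "-list", "-keystore", path, "-storetype", storetype,
         "-storepass", storepass],
        capture_output=True, text=True, check=True).stdout
    return parse_listing(out)


def check_signing_alias(entries, alias):
    """Return (ok, reason). Signing needs a PrivateKeyEntry; a trustedCertEntry
    holds only the public certificate, which is why OpenAM reports
    'The private key was null' when such an alias is selected for signing."""
    entry_type = entries.get(alias)
    if entry_type is None:
        return False, "alias %r not found in keystore" % alias
    if entry_type != "PrivateKeyEntry":
        return False, "alias %r is a %s, not a PrivateKeyEntry" % (alias, entry_type)
    return True, "alias %r holds a private key and can sign" % alias
```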

    #22814
     Peter Major 
    Moderator