== [[https://iam.alaska.edu/shib|Shibboleth]] / IdP Key Roll Over Procedure ==

This page documents the process of rolling over the IdP's keys, including generating a new certificate for the IdP. The certificate and key are used only for signing assertions and for securing the attribute query back channel, which is not user facing.

At the 10,000-foot level, the process is to add a second key and certificate to the IdP and to its metadata for distribution ahead of the actual roll over. Once all of the SPs have the new metadata, the IdP can be switched to the new key and certificate, and the SPs will follow transparently because their copy of the metadata contains both the new and the old certificate.

**Note**: All operations in this procedure are performed as the tomcat user.

1. Generate a new key/certificate:
{{{
-bash-3.2$ openssl req -x509 -newkey rsa:2048 -nodes -days 1095 -keyout idp.new.key -out idp.new.crt
Generating a 2048 bit RSA private key
...........................................+++
............................................................+++
writing new private key to 'idp.new.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Alaska
Locality Name (eg, city) [Newbury]:Fairbanks
Organization Name (eg, company) [My Company Ltd]:University of Alaska
Organizational Unit Name (eg, section) []:Office of Information Technology
Common Name (eg, your name or your server's hostname) []:idp.alaska.edu
Email Address []:iam@alaska.edu
}}}

2. Copy the key/certificate into the credentials directory of the IdP installation:
{{{
-bash-3.2$ cp idp.new.crt /opt/shibboleth-idp/credentials/
-bash-3.2$ cp idp.new.key /opt/shibboleth-idp/credentials/
}}}

3. Add the new key/certificate to the relying party configuration:
{{{
-bash-3.2$ svn co svn+ssh://sxjpm@iron.alaska.edu/usr/local/iam/shib-svn/idp/trunk/conf
-bash-3.2$ vi conf/relying-party.xml
...
<security:Credential id="IdPCredentialNew" xsi:type="security:X509Filesystem">
    <security:PrivateKey>/opt/shibboleth-idp/credentials/idp.new.key</security:PrivateKey>
    <security:Certificate>/opt/shibboleth-idp/credentials/idp.new.crt</security:Certificate>
</security:Credential>
...
:wq!
-bash-3.2$ svn ci conf/relying-party.xml -m "Added new IdP key/cert."
}}}

4. Add the new key/certificate to the IdP metadata (the same certificate goes into both the IDPSSODescriptor and the AttributeAuthorityDescriptor):
{{{
-bash-3.2$ cat idp.new.crt
-----BEGIN CERTIFICATE-----
MIIFDDCCA/SgAwIBAgIJAN58IPd0DVLpMA0GCSqGSIb3DQEBBQUAMIG0MQswCQYD
VQQGEwJVUzEPMA0GA1UECBMGQWxhc2thMRIwEAYDVQQHEwlGYWlyYmFua3MxHTAb
BgNVBAoTFFVuaXZlcnNpdHkgb2YgQWxhc2thMSkwJwYDVQQLEyBPZmZpY2Ugb2Yg
SW5mb3JtYXRpb24gVGVjaG5vbG9neTEXMBUGA1UEAxMOaWRwLmFsYXNrYS5lZHUx
HTAbBgkqhkiG9w0BCQEWDmlhbUBhbGFza2EuZWR1MB4XDTExMDcwNzIzMDc1NFoX
DTE0MDcwNjIzMDc1NFowgbQxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2Ex
EjAQBgNVBAcTCUZhaXJiYW5rczEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFz
a2ExKTAnBgNVBAsTIE9mZmljZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcw
FQYDVQQDEw5pZHAuYWxhc2thLmVkdTEdMBsGCSqGSIb3DQEJARYOaWFtQGFsYXNr
YS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqzXokjJWPQdz8
cHsoSiNADLwYX89wxjTe5Xp47iqSWlx3eaxQlOOSY9OJ59dE4+tN8ACqiWJp0iga
/GpyEH93jLoZBToTGMImto0SgC1I2eTk+htpJ6wn7Mu8fKpBhZ74OYiXf6NHoMCJ
w4exXAv+inZcbcIrLnfUKPQxbRhoKvJO/DQHvMl7KNtN+H0rjFNu0ASTdQ96hffi
SQpolP9kb1cnGH1xGmAcm+4O3LG+3//qNk22R0JpP+UAu3ZVITMXzbhOzyZ26RQK
DA16v2kDzJEONJJM9/rk/YlG35cLea72NjTs4IPoyJLSk6ZaFZV4z4wsC5ChGoKB
4r3hCOqRAgMBAAGjggEdMIIBGTAdBgNVHQ4EFgQU2V5wFIfP1b31LPo89aUrJX2i
MZkwgekGA1UdIwSB4TCB3oAU2V5wFIfP1b31LPo89aUrJX2iMZmhgbqkgbcwgbQx
CzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExEjAQBgNVBAcTCUZhaXJiYW5r
czEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFza2ExKTAnBgNVBAsTIE9mZmlj
ZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcwFQYDVQQDEw5pZHAuYWxhc2th
LmVkdTEdMBsGCSqGSIb3DQEJARYOaWFtQGFsYXNrYS5lZHWCCQDefCD3dA1S6TAM
BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBiXjlb84MPNRuPISvPa/hG
qbZWDAYRvH3b+/3JxGeDtkcBYkmk8/HZZKRxxbdm9OBSYmkdhY/NqA+LVd08nP6T
rpWM1sYIGfXo3OoyQOgDiwB1RnJwTRsHX+qUkKZWeUF5TzW7dhNtW5Efv7kMMU+X
dBy3y0HhLJKUnUEgRD6c21bAaRow1uowhNZMZ9Pl+TbJyiOZdWPPUFSXDk/VarwI
DOq2Qf8ih5EnbMLVtIDRlAUkfoskx69nWiwt4pmw5BjwnthYdNCfmZLoEJbpWCh8
8QBWVqNSK1+XRDa6lm1v3UkNMBR3+TZG3MAVcYrwHDnUTayxGZ6psy2yY+ET0mwH
-----END CERTIFICATE-----
-bash-3.2$ svn co svn+ssh://sxjpm@iron.alaska.edu/usr/local/iam/shib-svn/idp/trunk/metadata
-bash-3.2$ vi metadata/idp-metadata.xml
...
<IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    ...
    <KeyDescriptor use="signing">
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
MIIFDDCCA/SgAwIBAgIJAN58IPd0DVLpMA0GCSqGSIb3DQEBBQUAMIG0MQswCQYD
VQQGEwJVUzEPMA0GA1UECBMGQWxhc2thMRIwEAYDVQQHEwlGYWlyYmFua3MxHTAb
BgNVBAoTFFVuaXZlcnNpdHkgb2YgQWxhc2thMSkwJwYDVQQLEyBPZmZpY2Ugb2Yg
SW5mb3JtYXRpb24gVGVjaG5vbG9neTEXMBUGA1UEAxMOaWRwLmFsYXNrYS5lZHUx
HTAbBgkqhkiG9w0BCQEWDmlhbUBhbGFza2EuZWR1MB4XDTExMDcwNzIzMDc1NFoX
DTE0MDcwNjIzMDc1NFowgbQxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2Ex
EjAQBgNVBAcTCUZhaXJiYW5rczEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFz
a2ExKTAnBgNVBAsTIE9mZmljZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcw
FQYDVQQDEw5pZHAuYWxhc2thLmVkdTEdMBsGCSqGSIb3DQEJARYOaWFtQGFsYXNr
YS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqzXokjJWPQdz8
cHsoSiNADLwYX89wxjTe5Xp47iqSWlx3eaxQlOOSY9OJ59dE4+tN8ACqiWJp0iga
/GpyEH93jLoZBToTGMImto0SgC1I2eTk+htpJ6wn7Mu8fKpBhZ74OYiXf6NHoMCJ
w4exXAv+inZcbcIrLnfUKPQxbRhoKvJO/DQHvMl7KNtN+H0rjFNu0ASTdQ96hffi
SQpolP9kb1cnGH1xGmAcm+4O3LG+3//qNk22R0JpP+UAu3ZVITMXzbhOzyZ26RQK
DA16v2kDzJEONJJM9/rk/YlG35cLea72NjTs4IPoyJLSk6ZaFZV4z4wsC5ChGoKB
4r3hCOqRAgMBAAGjggEdMIIBGTAdBgNVHQ4EFgQU2V5wFIfP1b31LPo89aUrJX2i
MZkwgekGA1UdIwSB4TCB3oAU2V5wFIfP1b31LPo89aUrJX2iMZmhgbqkgbcwgbQx
CzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExEjAQBgNVBAcTCUZhaXJiYW5r
czEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFza2ExKTAnBgNVBAsTIE9mZmlj
ZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcwFQYDVQQDEw5pZHAuYWxhc2th
LmVkdTEdMBsGCSqGSIb3DQEJARYOaWFtQGFsYXNrYS5lZHWCCQDefCD3dA1S6TAM
BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBiXjlb84MPNRuPISvPa/hG
qbZWDAYRvH3b+/3JxGeDtkcBYkmk8/HZZKRxxbdm9OBSYmkdhY/NqA+LVd08nP6T
rpWM1sYIGfXo3OoyQOgDiwB1RnJwTRsHX+qUkKZWeUF5TzW7dhNtW5Efv7kMMU+X
dBy3y0HhLJKUnUEgRD6c21bAaRow1uowhNZMZ9Pl+TbJyiOZdWPPUFSXDk/VarwI
DOq2Qf8ih5EnbMLVtIDRlAUkfoskx69nWiwt4pmw5BjwnthYdNCfmZLoEJbpWCh8
8QBWVqNSK1+XRDa6lm1v3UkNMBR3+TZG3MAVcYrwHDnUTayxGZ6psy2yY+ET0mwH
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </KeyDescriptor>
    ...
</IDPSSODescriptor>

<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    ...
    <KeyDescriptor use="signing">
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
MIIFDDCCA/SgAwIBAgIJAN58IPd0DVLpMA0GCSqGSIb3DQEBBQUAMIG0MQswCQYD
VQQGEwJVUzEPMA0GA1UECBMGQWxhc2thMRIwEAYDVQQHEwlGYWlyYmFua3MxHTAb
BgNVBAoTFFVuaXZlcnNpdHkgb2YgQWxhc2thMSkwJwYDVQQLEyBPZmZpY2Ugb2Yg
SW5mb3JtYXRpb24gVGVjaG5vbG9neTEXMBUGA1UEAxMOaWRwLmFsYXNrYS5lZHUx
HTAbBgkqhkiG9w0BCQEWDmlhbUBhbGFza2EuZWR1MB4XDTExMDcwNzIzMDc1NFoX
DTE0MDcwNjIzMDc1NFowgbQxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2Ex
EjAQBgNVBAcTCUZhaXJiYW5rczEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFz
a2ExKTAnBgNVBAsTIE9mZmljZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcw
FQYDVQQDEw5pZHAuYWxhc2thLmVkdTEdMBsGCSqGSIb3DQEJARYOaWFtQGFsYXNr
YS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqzXokjJWPQdz8
cHsoSiNADLwYX89wxjTe5Xp47iqSWlx3eaxQlOOSY9OJ59dE4+tN8ACqiWJp0iga
/GpyEH93jLoZBToTGMImto0SgC1I2eTk+htpJ6wn7Mu8fKpBhZ74OYiXf6NHoMCJ
w4exXAv+inZcbcIrLnfUKPQxbRhoKvJO/DQHvMl7KNtN+H0rjFNu0ASTdQ96hffi
SQpolP9kb1cnGH1xGmAcm+4O3LG+3//qNk22R0JpP+UAu3ZVITMXzbhOzyZ26RQK
DA16v2kDzJEONJJM9/rk/YlG35cLea72NjTs4IPoyJLSk6ZaFZV4z4wsC5ChGoKB
4r3hCOqRAgMBAAGjggEdMIIBGTAdBgNVHQ4EFgQU2V5wFIfP1b31LPo89aUrJX2i
MZkwgekGA1UdIwSB4TCB3oAU2V5wFIfP1b31LPo89aUrJX2iMZmhgbqkgbcwgbQx
CzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExEjAQBgNVBAcTCUZhaXJiYW5r
czEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFza2ExKTAnBgNVBAsTIE9mZmlj
ZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcwFQYDVQQDEw5pZHAuYWxhc2th
LmVkdTEdMBsGCSqGSIb3DQEJARYOaWFtQGFsYXNrYS5lZHWCCQDefCD3dA1S6TAM
BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBiXjlb84MPNRuPISvPa/hG
qbZWDAYRvH3b+/3JxGeDtkcBYkmk8/HZZKRxxbdm9OBSYmkdhY/NqA+LVd08nP6T
rpWM1sYIGfXo3OoyQOgDiwB1RnJwTRsHX+qUkKZWeUF5TzW7dhNtW5Efv7kMMU+X
dBy3y0HhLJKUnUEgRD6c21bAaRow1uowhNZMZ9Pl+TbJyiOZdWPPUFSXDk/VarwI
DOq2Qf8ih5EnbMLVtIDRlAUkfoskx69nWiwt4pmw5BjwnthYdNCfmZLoEJbpWCh8
8QBWVqNSK1+XRDa6lm1v3UkNMBR3+TZG3MAVcYrwHDnUTayxGZ6psy2yY+ET0mwH
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </KeyDescriptor>
    ...
:wq!
-bash-3.2$ svn ci metadata/idp-metadata.xml -m "Added new IdP cert."
}}}

5. Submit the new certificate to !InCommon for inclusion in the next federation metadata publication. Publication occurs daily, and submission is done from an administrative web interface. See David Bantz for details, as he is currently the only person with access to it.

6. Restart the IdP (confirming with ps that the old Tomcat JVM has exited before starting it again) or wait for the configuration reload interval of 15 minutes:
{{{
-bash-3.2$ /opt/tomcat/bin/shutdown.sh
-bash-3.2$ ps -ef | grep tomcat
tomcat 9097 1 0 Jun06 ? 00:26:23 /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Xmx1024m -XX:MaxPermSize=128m -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/opt/tomcat/endorsed -classpath /opt/tomcat/bin/bootstrap.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
root 9821 2633 0 15:22 pts/1 00:00:00 su - tomcat
tomcat 9823 9821 0 15:22 pts/1 00:00:00 -bash
tomcat 12913 9823 0 15:46 pts/1 00:00:00 ps -ef
tomcat 12914 9823 0 15:46 pts/1 00:00:00 grep tomcat
-bash-3.2$ /opt/tomcat/bin/startup.sh
}}}

7. Test config changes according to the [[https://iam.alaska.edu/shib/wiki/TestIdPConfig|Test IdP Config Change]] procedure.

8.
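Before the final switch to the new key, a practitioner will want to confirm that the metadata edited in step 4 (and, once published, the copy fetched from !InCommon in step 5) really carries the new certificate in both signing roles, since a cert missed in the AttributeAuthorityDescriptor only shows up as failing attribute queries after the roll over. The following is an added example, not code from this page or from the Shibboleth project: it uses only the Python standard library, compares SHA-256 fingerprints of the DER so the value matches what `openssl x509 -noout -fingerprint -sha256 -in idp.new.crt` prints, and the sample metadata and certificates in it are constructed stand-ins.

```python
# Pre-roll-over check on the IdP metadata edited in step 4.  Added example,
# not from the wiki page; stdlib only.  Sample data below is constructed.
import base64, hashlib, re
import xml.etree.ElementTree as ET

# Both roles sign (assertions, attribute-query responses); both need the new cert.
ROLES = ("IDPSSODescriptor", "AttributeAuthorityDescriptor")

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop namespace: works with default or prefixed ns

def pem_to_der(pem):
    """Strip PEM armour and whitespace, decode the base64 body to DER bytes."""
    return base64.b64decode("".join(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem).split()))

def fingerprint(der):
    """SHA-256 of the DER, the value `openssl x509 -noout -fingerprint -sha256` prints."""
    return hashlib.sha256(der).hexdigest()

def signing_fingerprints(metadata_xml):
    """Map each role descriptor to the fingerprints of its signing certificates."""
    found = {role: set() for role in ROLES}
    for desc in ET.fromstring(metadata_xml).iter():
        if _local(desc.tag) not in ROLES:
            continue
        for kd in desc:
            # A KeyDescriptor without 'use' is valid for signing and encryption.
            if _local(kd.tag) != "KeyDescriptor" or kd.get("use", "signing") != "signing":
                continue
            for c in kd.iter():
                if _local(c.tag) == "X509Certificate":
                    found[_local(desc.tag)].add(fingerprint(pem_to_der(c.text or "")))
    return found

def roles_missing_cert(metadata_xml, new_cert_pem):
    """Roles whose signing KeyDescriptors do not yet carry the new certificate."""
    want = fingerprint(pem_to_der(new_cert_pem))
    return [r for r, fps in signing_fingerprints(metadata_xml).items() if want not in fps]

# Constructed sample (not real certificates): the new cert was added to the
# IDPSSODescriptor, but the AttributeAuthorityDescriptor edit was forgotten.
OLD_CERT = base64.b64encode(b"constructed-old-cert").decode()
NEW_CERT = base64.b64encode(b"constructed-new-cert").decode()
NEW_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{NEW_CERT}\n-----END CERTIFICATE-----\n"
_KD = ('<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
       "{}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>")
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<IDPSSODescriptor>" + _KD.format(OLD_CERT) + _KD.format(NEW_CERT) + "</IDPSSODescriptor>"
    "<AttributeAuthorityDescriptor>" + _KD.format(OLD_CERT) + "</AttributeAuthorityDescriptor></EntityDescriptor>")
```

Running `roles_missing_cert(open("metadata/idp-metadata.xml").read(), open("idp.new.crt").read())` against the real files should return an empty list before proceeding; on the constructed sample it returns `['AttributeAuthorityDescriptor']`.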