Configuring SSO keystore passwords and encryption
Configure unique passwords to the SSO keystores, and encrypt them with the AES encryption algorithm.
About this task
Starting from application update 9.2.9, for all fresh configurations of single sign-on in BigFix Inventory, SSO keystore passwords use AES as a default encryption method. The password encryption schema remains unchanged if the single sign-on was enabled before an upgrade to version 9.2.9.
Both SAML and LTPA SSO types require two separate keystores: Service Provider and Identity Provider. You can set up either identical or different passwords for these keystores. To configure new passwords for your SSO keystores, or change encryption method from XOR to AES, use the appropriate variables and complete the following procedure.
- <SP_keystore_name>
- Service Provider keystore name is either SPKeyStore for SAML SSO, or LdapSSLTrustStore for LTPA SSO.
- <IP_keystore_name>
- Identity Provider keystore name is either SPKeyStore for SAML SSO, or LdapSSLTrustStore for LTPA SSO.
- <alias>
- Is either samlsp for SAML SSO, or default for LTPA SSO.
Procedure
- Stop the BigFix Inventory server.
- Optional:
If you want to configure a custom SSO keystore password, follow the instructions below. If you
only want to change password encryption method from XOR to AES, continue with step 3.
-
To encrypt your Service Provider keystore password with AES, run the following command.
<Installation_directory>/wlp/bin/securityUtility encode --encoding=aes
<Installation_directory>\wlp\bin\securityUtility.bat encode --encoding=aes
Provide your current keystore password.
Enter text: Re-enter text: {aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX
-
Update the Service Provider keystore password in the server.xml file.
Enter the value generated in step 3 in the following code line:
For SAML SSO, update the additional line in the server.xml file.<keyStore id='<SP_keystore_name>' location='<SP_keystore_name>.jceks' password='{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX' type='JCEKS'/>
The server.xml file is located in the following folder.<samlWebSso20 enabled="true" id="defaultSP" keyAlias="samlsp" keyPassword="{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX" keyStoreRef="SPKeyStore" loginPageURL="https://hostname:9081/" nameIDFormat="customize">
<Installation_directory>/wlp/usr/servers/server1/server.xml
<Installation_directory>\wlp\usr\servers\server1\server.xml
-
To encrypt your Identity Provider keystore password with AES, run the following command.
<Installation_directory>/wlp/bin/securityUtility encode --encoding=aes
<Installation_directory>\wlp\bin\securityUtility.bat encode --encoding=aes
Provide your current keystore password.
Enter text: Re-enter text: {aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX
-
Update the Identity Provider keystore password in the server.xml file.
Enter the value generated in step 5 in the following code line.
The server.xml file is located in the following folder.<keyStore id='<IP_keystore_name>' location='<IP_keystore_name>.jceks' password='{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX' type='JCEKS'/>
- <Installation_directory>/wlp/usr/servers/server1/server.xml
- <Installation_directory>\wlp\usr\servers\server1\server.xml
- Start the BigFix Inventory server.