SAML Encryption
The Applicare server uses a default keystore, samlKeystore.jks, located at $arcturus_home/server/webapps/applicare/WEB-INF/classes/security/samlKeystore.jks. It is referenced by the keyManager bean in $arcturus_home/server/webapps/applicare/WEB-INF/config-saml.xml as follows (the four constructor arguments are the keystore, the keystore password, a map of key alias to key password, and the alias of the default key):
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="nalle123"/>
    <constructor-arg>
        <map>
            <entry key="apollo" value="nalle123"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="apollo"/>
</bean>
The default key alias is apollo, and both the keystore and the apollo key use the password nalle123. This is the sample keystore that ships with the Spring Security SAML extension, so the key and its password are public knowledge; treat it as test material only.
To export the default certificate (the public key only), run the following in a terminal:
keytool -export -keystore $arcturus_home/server/webapps/applicare/WEB-INF/classes/security/samlKeystore.jks \
    -storepass nalle123 -alias apollo -file example.cer
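The quickest way to tell whether an Applicare installation is still running on the shipped demo key is to read the keyManager bean out of config-saml.xml. The following audit script is an added example, not Applicare or Spring SAML code; it assumes the four positional constructor arguments of JKSKeyManager shown above (keystore, keystore password, alias-to-password map, default alias) and flags the public alias apollo and password nalle123, as well as an EmptyKeyManager that leaves the SP without keys. The three config fragments embedded in it are constructed for the example; the property placeholders in the hardened variant are hypothetical names.

```python
"""Audit the keyManager bean of a Spring Security SAML config such as
Applicare's config-saml.xml.

Added example (not Applicare or Spring SAML code). Flags the demo alias
and password shipped with the Spring SAML extension, and the
EmptyKeyManager that leaves the SP with no key material. Assumes the
four positional constructor-args of JKSKeyManager:
(storeFile, storePass, passwords map, defaultKey).
"""
import xml.etree.ElementTree as ET

JKS_CLASS = "org.springframework.security.saml.key.JKSKeyManager"
EMPTY_CLASS = "org.springframework.security.saml.key.EmptyKeyManager"
DEMO_ALIAS = "apollo"
DEMO_PASSWORD = "nalle123"


def _local(tag):
    """Drop a namespace prefix: '{http://...}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]


def _find_bean(root, bean_id):
    """Return the <bean id=...> element, whether or not the file uses the beans namespace."""
    for el in root.iter():
        if _local(el.tag) == "bean" and el.get("id") == bean_id:
            return el
    return None


def audit_key_manager(xml_text):
    """Parse the keyManager bean and return its settings plus a list of findings."""
    result = {"class": None, "keystore": None, "store_password": None,
              "key_passwords": {}, "default_key": None, "findings": []}
    bean = _find_bean(ET.fromstring(xml_text), "keyManager")
    if bean is None:
        result["findings"].append("no keyManager bean found")
        return result
    result["class"] = bean.get("class")
    if result["class"] == EMPTY_CLASS:
        result["findings"].append("EmptyKeyManager: SP has no keys, cannot sign or decrypt")
        return result
    if result["class"] != JKS_CLASS:
        result["findings"].append("unknown key manager class, not audited")
        return result
    raw = [c for c in bean if _local(c.tag) == "constructor-arg"]
    # Honour explicit index="n" attributes; otherwise keep document order.
    ordered = sorted(((int(c.get("index", i)), c) for i, c in enumerate(raw)), key=lambda p: p[0])
    args = [c for _, c in ordered]
    if len(args) < 4:
        result["findings"].append("JKSKeyManager needs four constructor-args")
        return result
    result["keystore"] = args[0].get("value")
    result["store_password"] = args[1].get("value")
    for entry in args[2].iter():
        if _local(entry.tag) == "entry":
            result["key_passwords"][entry.get("key")] = entry.get("value")
    result["default_key"] = args[3].get("value")

    passwords = [result["store_password"]] + list(result["key_passwords"].values())
    if DEMO_PASSWORD in passwords:
        result["findings"].append("well-known demo password nalle123 in use")
    if result["default_key"] == DEMO_ALIAS:
        result["findings"].append("demo key alias apollo is the default key")
    if result["default_key"] not in result["key_passwords"]:
        result["findings"].append("default key has no entry in the password map")
    return result


# Constructed fragment: the bean exactly as the shipped config-saml.xml defines it.
DEMO_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="nalle123"/>
    <constructor-arg><map><entry key="apollo" value="nalle123"/></map></constructor-arg>
    <constructor-arg type="java.lang.String" value="apollo"/>
  </bean>
</beans>"""

# Constructed hardened variant: own alias, passwords pulled from hypothetical properties.
HARDENED_CONFIG = """<beans>
  <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="${saml.keystore.password}"/>
    <constructor-arg><map><entry key="applicare-sp" value="${saml.key.password}"/></map></constructor-arg>
    <constructor-arg type="java.lang.String" value="applicare-sp"/>
  </bean>
</beans>"""

# Constructed fragment: the "disable encryption" variant from later in this page.
EMPTY_CONFIG = """<beans>
  <bean id="keyManager" class="org.springframework.security.saml.key.EmptyKeyManager"/>
</beans>"""
```

Run it over the real file with `audit_key_manager(open(path).read())`; an empty `findings` list means the default alias and password are gone and the default key has a password entry, which is the state section 2 below leads to.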
2. Generating and importing private keys
Private keys (with either self-signed or CA-signed certificates) are used to digitally sign SAML messages and encrypt their content. In some cases, they are also used for SSL/TLS Client authentication of your service provider application. The SAML Extension ships with a default private key in samlKeystore.jks with alias apollo which can be used for initial testing, but for security reasons should be replaced with your own key in early development stages.
If your IdP does not require keys signed by a specific certification authority, you can generate your own self-signed key with the Java keytool utility. Specify the algorithm and key size explicitly, because older keytool versions default to DSA, which many IdPs reject:
keytool -genkeypair -alias some-alias -keyalg RSA -keysize 2048 -validity 3650 \
    -keypass changeit -keystore samlKeystore.jks
keytool prompts for the keystore password (nalle123 for the shipped keystore) and for the distinguished name of the certificate. The keystore then contains an additional PrivateKeyEntry with alias some-alias. To make Applicare use it, update the keyManager bean in config-saml.xml: add an entry for some-alias with its key password to the password map and set the last constructor-arg (the default key) to some-alias.
Keys signed by a certification authority are typically delivered in .p12/.pfx (PKCS#12) format, or can be converted to it with OpenSSL, and are imported into the Java keystore with the following command:
keytool -importkeystore -srckeystore key.p12 -srcstoretype PKCS12 -srcstorepass password \
    -alias some-alias -destkeystore samlKeystore.jks -destalias some-alias \
    -destkeypass changeit
keytool prompts for the destination keystore password. To determine the alias available in the .p12 file, use the following command:
keytool -list -keystore key.p12 -storetype pkcs12
3. Importing public keys
The public keys used to verify signatures on incoming SAML messages and metadata (and the certificates that remote entities use to encrypt data for this SP) are taken either from the metadata of the remote entities or from the keyManager. To import an additional trusted certificate into the keystore, use this command:
keytool -importcert -alias some-alias -file key.cer -keystore samlKeystore.jks -storepass nalle123
4. Disable encryption
To disable SAML encryption and signing on the Applicare side (the SP then holds no key material, does not sign its AuthnRequests, and no longer requires signed assertions), replace the following keyManager bean in config-saml.xml:
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="nalle123"/>
    <constructor-arg>
        <map>
            <entry key="apollo" value="nalle123"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="apollo"/>
</bean>
with this:
<bean id="keyManager" class="org.springframework.security.saml.key.EmptyKeyManager"/>
In addition, add the two signing properties directly after the entityBaseURL property of the metadata generator bean (the bean that carries the entityBaseURL property), so that this:
<property name="entityBaseURL" value="${applicare.saml.entityBaseUrl}"></property>
becomes this:
<property name="entityBaseURL" value="${applicare.saml.entityBaseUrl}"></property>
<property name="requestSigned" value="false"></property>
<property name="wantAssertionSigned" value="false"></property>
requestSigned="false" stops Applicare from signing its AuthnRequests, and wantAssertionSigned="false" stops it from demanding a signature on each assertion. Make sure the IdP still signs the SAML Response in this configuration; otherwise nothing proves that an assertion presented to Applicare actually came from the IdP.
IDP.XML
In the metadata file passed to Applicare (idp.xml), make sure that the SPSSODescriptor has these attributes:
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
After that, regenerate the Applicare SP metadata by requesting this endpoint on the Applicare server (with a browser or curl):
/applicare/saml/metadata
Then confirm that the SPSSODescriptor in the generated file carries the same attributes:
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
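Checking the regenerated metadata by eye is error-prone, because the two attributes default to false when absent and a stale KeyDescriptor is easy to miss. The following script is an added example, not Applicare or Spring SAML code: it reads the SPSSODescriptor of an SP metadata document and reports deviations from the policy you intended, either the normal signed setup or the disabled setup described in this section. The two metadata documents embedded in it are constructed for the example; the entity ID and endpoint URLs are placeholders.

```python
"""Check the signing policy advertised in SP metadata (what Applicare
serves at /applicare/saml/metadata).

Added example (not Applicare or Spring SAML code). Reads the
AuthnRequestsSigned / WantAssertionsSigned attributes of the
SPSSODescriptor and its KeyDescriptor elements, and reports mismatches
against the intended policy: signing on (expect_signing=True) or off
(expect_signing=False, after switching to EmptyKeyManager). The sample
metadata below is constructed; sp.example.com is a placeholder.
"""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"


def _xs_bool(value):
    """xs:boolean lexical forms; a missing attribute means false."""
    return (value or "false").strip().lower() in ("true", "1")


def sp_signing_policy(xml_text):
    """Return the signing/encryption policy published by the SPSSODescriptor."""
    root = ET.fromstring(xml_text)
    sp = root if root.tag == MD + "SPSSODescriptor" else root.find(".//" + MD + "SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    keys = {"signing": False, "encryption": False}
    for kd in sp.findall(MD + "KeyDescriptor"):
        use = kd.get("use")  # an absent 'use' means the key serves both purposes
        for purpose in keys:
            if use in (None, purpose):
                keys[purpose] = True
    return {
        "AuthnRequestsSigned": _xs_bool(sp.get("AuthnRequestsSigned")),
        "WantAssertionsSigned": _xs_bool(sp.get("WantAssertionsSigned")),
        "signing_key": keys["signing"],
        "encryption_key": keys["encryption"],
    }


def check_sp_metadata(xml_text, expect_signing=True):
    """List deviations from the intended policy; an empty list means consistent."""
    p = sp_signing_policy(xml_text)
    findings = []
    if expect_signing:
        if not p["AuthnRequestsSigned"]:
            findings.append("AuthnRequestsSigned is false: AuthnRequests to the IdP are unsigned")
        if not p["WantAssertionsSigned"]:
            findings.append("WantAssertionsSigned is false: IdP is not asked to sign assertions")
        if not p["signing_key"]:
            findings.append("no signing KeyDescriptor: IdP cannot verify SP signatures")
    else:
        if p["AuthnRequestsSigned"] or p["WantAssertionsSigned"]:
            findings.append("signing attributes still true: settings not applied")
        if p["signing_key"] or p["encryption_key"]:
            findings.append("KeyDescriptor still published: metadata not regenerated")
    return findings


# Constructed SP metadata as the SP would publish it after disabling keys and signing.
UNSIGNED_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/applicare/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/applicare/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed metadata for an SP that signs requests and publishes a signing certificate.
SIGNED_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.com/applicare/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/applicare/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Save the output of /applicare/saml/metadata to a file and call `check_sp_metadata(open(path).read(), expect_signing=False)` after following this section; any finding means the XML change or the regeneration step did not take effect. With the default `expect_signing=True` the same function serves as a pre-production check that signing is on and a signing certificate is published.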