Posted to dev@knox.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2016/03/14 21:28:33 UTC

[jira] [Comment Edited] (KNOX-631) Config Driven Keystore for Signing and Validation Certs in KnoxSSO

    [ https://issues.apache.org/jira/browse/KNOX-631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15194065#comment-15194065 ] 

Larry McCay edited comment on KNOX-631 at 3/14/16 8:28 PM:
-----------------------------------------------------------

Adding two new configuration parameters to gateway-site.xml:

* gateway.signing.keystore.name - this is the filename of the keystore to be used for signing and verifying keys
* gateway.signing.key.alias - this is the alias of the key to use for signing and verifying

Also, the use of a specific credential alias allows for a separate key passphrase to be used:

signing.key.passphrase

For keys that have a passphrase for the private key that is not the same as the master secret, you can provision the alias using knoxcli:

{code}
knoxcli.sh create-alias signing.key.passphrase
{code}
This is only necessary when it is not the same as the master secret.


was (Author: lmccay):
Adding two new configuration parameters to gateway-site.xml:

* gateway.signing.keystore.name - this is the filename of the keystore to be used for signing and verifying keys
* gateway.signing.key.alias - this is the alias of the key to use for signing and verifying

Also, the use of a specific credential alias allows for a separate key passphrase to be used:

signing.key.passphrase

For keys that have a passphrase for the private key that is not the same as the master secret, you can provision the alias using knoxcli:

knoxcli.sh create-alias signing.key.passphrase

This is only necessary when it is not the same as the master secret.
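A worked provisioning script for the configuration described in this comment, added here as an example; it is not code from the Knox project or from this JIRA. It creates a dedicated signing keystore with keytool, gives the private key its own passphrase so that the signing.key.passphrase alias is actually needed, registers that alias with knoxcli, and prints the two gateway-site.xml properties. The keystore directory under GATEWAY_HOME, the keystore file name and the key alias are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not Knox project code): provision a dedicated KnoxSSO signing
# keystore and emit the gateway-site.xml properties that reference it.
# ASSUMPTIONS: the keystore directory under GATEWAY_HOME, the keystore file
# name and the key alias below are illustrative, not mandated by Knox.
set -eu

GATEWAY_HOME="${GATEWAY_HOME:-/usr/lib/knox}"
KEYSTORE_DIR="$GATEWAY_HOME/data/security/keystores"   # assumed location
KEYSTORE_NAME="${KEYSTORE_NAME:-sso-signing.jks}"      # constructed name
KEY_ALIAS="${KEY_ALIAS:-knoxsso-signing}"              # constructed alias

# Print the two gateway-site.xml properties from the comment, pointing KnoxSSO
# at the given keystore file name and key alias.
signing_properties() {
  _keystore="$1"; _alias="$2"
  printf '%s\n' \
    '<property>' \
    '    <name>gateway.signing.keystore.name</name>' \
    "    <value>$_keystore</value>" \
    '</property>' \
    '<property>' \
    '    <name>gateway.signing.key.alias</name>' \
    "    <value>$_alias</value>" \
    '</property>'
}

# Create the keystore. The private key gets its own passphrase (KEY_PASS),
# distinct from the store password (STORE_PASS) and from the Knox master
# secret, which is exactly the case where the signing.key.passphrase alias is
# required. Both secrets are read from the environment via keytool's :env
# modifier so they never appear on the command line or in shell history.
create_signing_keystore() {
  : "${STORE_PASS:?set STORE_PASS in the environment}"
  : "${KEY_PASS:?set KEY_PASS in the environment}"
  keytool -genkeypair -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 \
    -keystore "$KEYSTORE_DIR/$KEYSTORE_NAME" -storetype JKS \
    -storepass:env STORE_PASS -keypass:env KEY_PASS \
    -dname "CN=knoxsso-signing" -validity 365
  chmod 600 "$KEYSTORE_DIR/$KEYSTORE_NAME"
}

# Register the key passphrase under the alias named in the comment. Without
# --value, knoxcli prompts for the secret interactively (enter KEY_PASS there).
register_key_passphrase() {
  "$GATEWAY_HOME/bin/knoxcli.sh" create-alias signing.key.passphrase
}

# Only touch the filesystem when explicitly asked, so the functions above can
# be sourced or inspected without side effects.
if [ "${1:-}" = "provision" ]; then
  create_signing_keystore
  register_key_passphrase
  echo "Add the following to $GATEWAY_HOME/conf/gateway-site.xml:"
  signing_properties "$KEYSTORE_NAME" "$KEY_ALIAS"
fi
```

Run it as `sh provision-signing.sh provision` with STORE_PASS and KEY_PASS exported; if the key passphrase is kept equal to the master secret, skip register_key_passphrase, as the comment notes the alias is only needed when the two differ.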

> Config Driven Keystore for Signing and Validation Certs in KnoxSSO
> ------------------------------------------------------------------
>
>                 Key: KNOX-631
>                 URL: https://issues.apache.org/jira/browse/KNOX-631
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 0.9.0
>
>
> Currently, KnoxSSO uses the gateway's identity keystore for signing and validating cert storage. The gateway-identity alias is used for signing SAML requests and a configured validation alias is used for the cert that is used to verify the SAML assertion signatures.
> We need to be able to configure the keystore location and the signing alias.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)