[ 
https://issues.apache.org/jira/browse/KNOX-631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15194065#comment-15194065
 ] 

Larry McCay edited comment on KNOX-631 at 3/14/16 8:28 PM:
-----------------------------------------------------------

adding two new configuration parameters to gateway-site.xml

* gateway.signing.keystore.name this is the filename of the keystore to be used 
for signing and verifying keys
* gateway.signing.key.alias this is the alias of the key to use for signing and 
verifying

Also, the use of a specific credential alias allows for a separate key 
passphrase to be used:

signing.key.passhrase

For keys that have a key passphrase for the private key that is not the same as the 
master secret, you can provision the alias using knoxcli:

{code}
knoxcli.sh create-alias signing.key.passhrase
{code}
This is only necessary when it is not the same as the master secret.


was (Author: lmccay):
adding two new configuration parameters to gateway-site.xml

* gateway.signing.keystore.name this is the filename of the keystore to be used 
for signing and verifying keys
* gateway.signing.key.alias this is the alias of the key to use for signing and 
verifying

Also, the use of a specific credential alias allows for a separate key 
passphrase to be used:

signing.key.passhrase

For keys that have a key passphrase for the private key that is not the same as the 
master secret, you can provision the alias using knoxcli:

knoxcli.sh create-alias signing.key.passhrase

This is only necessary when it is not the same as the master secret.

> Config Driven Keystore for Signing and Validation Certs in KnoxSSO
> ------------------------------------------------------------------
>
>                 Key: KNOX-631
>                 URL: https://issues.apache.org/jira/browse/KNOX-631
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 0.9.0
>
>
> Currently, KnoxSSO uses the gateway's identity keystore for signing and 
> validating cert storage. The gateway-identity alias is used for signing SAML 
> requests and a configured validation alias is used for the cert that is used 
> to verify the SAML assertion signatures.
> We need to be able to configure the keystore location and the signing alias.
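
A small lint for the two gateway-site.xml properties named in the comment above, added here as an example; it is not part of the original comment or of Knox itself. It assumes gateway-site.xml uses a `<configuration>`/`<property>` layout with `<name>` and `<value>` children; the sample values, finding codes and the rules themselves are constructed for illustration.

```python
import xml.etree.ElementTree as ET

KEYSTORE = "gateway.signing.keystore.name"  # filename of the signing keystore
KEY_ALIAS = "gateway.signing.key.alias"     # alias of the signing key

# Constructed sample. The <configuration>/<property> layout is an assumption.
SAMPLE = """<configuration>
  <property>
    <name>gateway.signing.keystore.name</name>
    <value>sso-signing.jks</value>
  </property>
  <property>
    <name>gateway.signing.key.alias</name>
    <value>sso-signing-key</value>
  </property>
</configuration>"""


def read_properties(xml_text):
    """Return {name: value} for every <property> element, whitespace stripped."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def lint_signing_config(xml_text):
    """Return a list of 'code: message' findings; empty means nothing flagged."""
    props = read_properties(xml_text)
    keystore, alias = props.get(KEYSTORE, ""), props.get(KEY_ALIAS, "")
    if not keystore and not alias:
        return ["unset: no signing keystore or key alias is configured"]
    findings = []
    if not keystore or not alias:
        missing = KEY_ALIAS if keystore else KEYSTORE
        findings.append(f"partial: {missing} is not set; confirm the default is intended")
    # The comment describes the value as a filename, so flag anything path-like.
    if "/" in keystore or "\\" in keystore:
        findings.append(f"not-a-filename: {KEYSTORE} contains a path separator")
    return findings


if __name__ == "__main__":
    print(lint_signing_config(SAMPLE) or "no findings")
```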


