Configure unique passwords for the SSO keystores, and encrypt them with the AES encryption algorithm.

About this task

Starting from application update 9.2.9, all fresh configurations of single sign-on in License Metric Tool use AES as the default encryption method for SSO keystore passwords. If single sign-on was enabled before the upgrade to version 9.2.9, the password encryption scheme remains unchanged.

Both SAML and LTPA SSO types require two separate keystores: Service Provider and Identity Provider. You can set either identical or different passwords for these keystores. To configure new passwords for your SSO keystores, or to change the encryption method from XOR to AES, substitute the following variables and complete the procedure below.

- <SP_keystore_name>: the Service Provider keystore name, SPKeyStore for SAML SSO or LdapKeyStore for LTPA SSO.
- <IP_keystore_name>: the Identity Provider keystore name, IdPKeyStore for SAML SSO or LdapSSLTrustStore for LTPA SSO.
- <alias>: samlsp for SAML SSO or default for LTPA SSO.
Procedure

1. Stop the License Metric Tool server.

2. Optional: To configure a custom SSO keystore password, perform the following steps. For application update 9.2.26 and later, perform steps 2.b and 2.c only. For earlier application updates, perform step 2.a as well. If you only want to change the password encryption method from XOR to AES, continue to step 3.

   a. To change the key password for the Service Provider keystore, run the following command.

      Linux:
      <install_dir>/jre/bin/keytool -keypasswd -keystore <install_dir>/wlp/usr/servers/server1/resources/security/<SP_keystore_name>.jceks -storetype JCEKS -alias <alias>

      Windows:
      <install_dir>\jre\bin\keytool -keypasswd -keystore <install_dir>\wlp\usr\servers\server1\resources\security\<SP_keystore_name>.jceks -storetype JCEKS -alias <alias>

      When prompted, provide the SSO keystore password. For the default keystore password, contact IBM Support.

      Enter keystore password:
      Enter key password for <alias>:
      New key password for <alias>:
      Re-enter new key password for <alias>:
      Password change successful for alias <alias>
   b. To change the Service Provider keystore password, run the following command.

      Linux:
      <install_dir>/jre/jre/bin/keytool -storepasswd -keystore <install_dir>/wlp/usr/servers/server1/resources/security/<SP_keystore_name> -storetype <type>

      Windows:
      <install_dir>\jre\jre\bin\keytool.exe -storepasswd -keystore <install_dir>\wlp\usr\servers\server1\resources\security\<SP_keystore_name> -storetype <type>

      Where:
      - <type>: starting from application update 9.2.26, the keystore type is PKCS12. For earlier application updates, the type is JCEKS.
      - <SP_keystore_name>: starting from application update 9.2.26, the keystore file has the extension .p12. For earlier application updates, it has the extension .jceks.

   c. To change the Identity Provider keystore password, run the following command.

      Linux:
      <install_dir>/jre/jre/bin/keytool -storepasswd -keystore <install_dir>/wlp/usr/servers/server1/resources/security/<IP_keystore_name> -storetype <type>

      Windows:
      <install_dir>\jre\jre\bin\keytool.exe -storepasswd -keystore <install_dir>\wlp\usr\servers\server1\resources\security\<IP_keystore_name> -storetype <type>

      Where:
      - <type>: starting from application update 9.2.26, the keystore type is PKCS12. For earlier application updates, the type is JCEKS.
      - <IP_keystore_name>: starting from application update 9.2.26, the keystore file has the extension .p12. For earlier application updates, it has the extension .jceks.

      In steps 2.b and 2.c, set up the new keystore password when prompted.

      Enter keystore password:
      New keystore password:
      Re-enter new keystore password:
3. To encrypt your Service Provider keystore password with AES, perform the following steps.

   a. Set the JAVA_HOME variable.

      Linux:
      export JAVA_HOME=<install_dir>/jre/jre

      Windows:
      set JAVA_HOME=<install_dir>\jre\jre

   b. Run the following command.

      Linux:
      <install_dir>/wlp/bin/securityUtility encode --encoding=aes

      Windows:
      <install_dir>\wlp\bin\securityUtility.bat encode --encoding=aes

      Provide your current keystore password. The command returns the AES-encoded value.

      Enter text:
      Re-enter text:
      {aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX

4. Update the Service Provider keystore password in the server.xml file. The file is located in the following folder.

   Linux:
   <install_dir>/wlp/usr/servers/server1/server.xml

   Windows:
   <install_dir>\wlp\usr\servers\server1\server.xml

   Enter the value generated in step 3 in the following line.

   <keyStore id='<SP_keystore_name>' location='<SP_keystore_name>' password='{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX' type='<type>'/>

   Where:
   - <type>: starting from application update 9.2.26, the keystore type is PKCS12. For earlier application updates, the type is JCEKS.

5. For SAML SSO, also update the keyPassword attribute in the following line of the server.xml file.

   <samlWebSso20 enabled="true" id="defaultSP" keyAlias="samlsp" keyPassword="{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX" keyStoreRef="SPKeyStore" loginPageURL="https://hostname:9081/" nameIDFormat="customize">
6. To encrypt your Identity Provider keystore password with AES, run the following command (JAVA_HOME must still be set as in step 3.a).

   Linux:
   <install_dir>/wlp/bin/securityUtility encode --encoding=aes

   Windows:
   <install_dir>\wlp\bin\securityUtility.bat encode --encoding=aes

   Provide your current keystore password. The command returns the AES-encoded value.

   Enter text:
   Re-enter text:
   {aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX

7. Update the Identity Provider keystore password in the server.xml file. The file is located in the following folder.

   Linux:
   <install_dir>/wlp/usr/servers/server1/server.xml

   Windows:
   <install_dir>\wlp\usr\servers\server1\server.xml

   Enter the value generated in step 6 in the following line.

   <keyStore id='<IP_keystore_name>' location='<IP_keystore_name>' password='{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX' type='<type>'/>

   Where:
   - <type>: starting from application update 9.2.26, the keystore type is PKCS12. For earlier application updates, the type is JCEKS.

8. Start the License Metric Tool server.