Configuring SSO keystore passwords and encryption

Configure unique passwords for the SSO keystores, and encrypt them with the AES encryption algorithm.

About this task

Starting from application update 9.2.9, for all fresh configurations of single sign-on in License Metric Tool, SSO keystore passwords use AES as the default encryption method. The password encryption schema remains unchanged if single sign-on was enabled before an upgrade to version 9.2.9.

Both SAML and LTPA SSO types require two separate keystores: Service Provider and Identity Provider. You can set up either identical or different passwords for these keystores. To configure new passwords for your SSO keystores, or to change the encryption method from XOR to AES, use the appropriate variables and complete the following procedure.

<SP_keystore_name>
The Service Provider keystore name is either SPKeyStore for SAML SSO, or LdapKeyStore for LTPA SSO.
<IP_keystore_name>
The Identity Provider keystore name is either IdPKeyStore for SAML SSO, or LdapSSLTrustStore for LTPA SSO.
<alias>
The key alias is either samlsp for SAML SSO, or default for LTPA SSO.

Procedure

  1. Stop the License Metric Tool server.
  2. Optional: To configure custom SSO keystore passwords, perform the following steps. For application update 9.2.26 and later, perform steps 2.b and 2.c only. For earlier application updates, perform step 2.a as well. If you only want to change the password encryption method from XOR to AES, continue to step 3.
    1. To change the key password for the Service Provider keystore, run the following command.

      Linux <install_dir>/jre/bin/keytool -keypasswd -keystore <install_dir>/wlp/usr/servers/server1/resources/security/<SP_keystore_name>.jceks -storetype JCEKS -alias <alias>

      Windows <install_dir>\jre\bin\keytool -keypasswd -keystore <install_dir>\wlp\usr\servers\server1\resources\security\<SP_keystore_name>.jceks -storetype JCEKS -alias <alias>

      Where:
      <SP_keystore_name>
      The extension of the Service Provider keystore file is jceks.
      <alias>
      The alias of the key for which you want to change the password.
      When prompted, provide the Service Provider keystore password. For the default Service Provider keystore password, contact IBM Support.
      
      Enter keystore password:
      Enter key password for <alias>:
      New key password for <alias>:
      Re-enter new key password for <alias>:
      Password change successful for alias <alias>
    2. To change the Service Provider keystore password, run the following command.

      Linux <install_dir>/jre/jre/bin/keytool -storepasswd -keystore <install_dir>/wlp/usr/servers/server1/resources/security/<SP_keystore_name> -storetype <type>

      Windows <install_dir>\jre\jre\bin\keytool.exe -storepasswd -keystore <install_dir>\wlp\usr\servers\server1\resources\security\<SP_keystore_name> -storetype <type>

      Where:
      <type>
      Starting from application update 9.2.26, the type of the Service Provider keystore is PKCS12. For earlier application updates, it is JCEKS.
      <SP_keystore_name>
      Starting from application update 9.2.26, the extension of the Service Provider keystore file is .p12. For earlier application updates, it is .jceks.
      Set up the new Service Provider keystore password. For the default Service Provider keystore password, contact IBM Support.
      
      Enter keystore password:
      New keystore password:
      Re-enter new keystore password:
      
    3. To change the Identity Provider keystore password, run the following command.

      Linux <install_dir>/jre/jre/bin/keytool -storepasswd -keystore <install_dir>/wlp/usr/servers/server1/resources/security/<IP_keystore_name> -storetype <type>

      Windows <install_dir>\jre\jre\bin\keytool.exe -storepasswd -keystore <install_dir>\wlp\usr\servers\server1\resources\security\<IP_keystore_name> -storetype <type>

      Where:
      <type>
      Starting from application update 9.2.26, the type of the Identity Provider keystore is PKCS12. For earlier application updates, it is JCEKS.
      <IP_keystore_name>
      Starting from application update 9.2.26, the extension of the Identity Provider keystore file is .p12. For earlier application updates, it is .jceks.
      Set up the new Identity Provider keystore password. For the default Identity Provider keystore password, contact IBM Support.
      
      Enter keystore password:
      New keystore password:
      Re-enter new keystore password:
      
  3. To encrypt your Service Provider keystore password with AES, perform the following steps.
    1. Set the JAVA_HOME variable.

      Linux export JAVA_HOME=<install_dir>/jre/jre

      Windows set JAVA_HOME=<install_dir>\jre\jre

    2. Run the following command.

      Linux <install_dir>/wlp/bin/securityUtility encode --encoding=aes

      Windows <install_dir>\wlp\bin\securityUtility.bat encode --encoding=aes

      Provide your current Service Provider keystore password.

      
      Enter text:
      Re-enter text:
      {aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX
  4. Update the Service Provider keystore password in the server.xml file.
    The server.xml file is located in the following folder.
    • Linux <install_dir>/wlp/usr/servers/server1/server.xml
    • Windows <install_dir>\wlp\usr\servers\server1\server.xml
    Enter the value generated in step 3 in the following code line.
     <keyStore id='<SP_keystore_name>' location='<SP_keystore_name>' 
    password='{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX' type='<type>'/>
    Where:
    <type>
    Starting from application update 9.2.26, the type of the Service Provider keystore is PKCS12. For earlier application updates, it is JCEKS.
  5. For SAML SSO, update the additional line in the server.xml file.
    <samlWebSso20 enabled="true" id="defaultSP" keyAlias="samlsp" 
    keyPassword="{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX" 
    keyStoreRef="SPKeyStore" loginPageURL="https://hostname:9081/" nameIDFormat="customize">
  6. To encrypt your Identity Provider keystore password with AES, run the following command.

    Linux <install_dir>/wlp/bin/securityUtility encode --encoding=aes

    Windows <install_dir>\wlp\bin\securityUtility.bat encode --encoding=aes

    Provide your current Identity Provider keystore password.

    
    Enter text:
    Re-enter text:
    {aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX
  7. Update the Identity Provider keystore password in the server.xml file.
    The server.xml file is located in the following folder.
    • Linux <install_dir>/wlp/usr/servers/server1/server.xml
    • Windows <install_dir>\wlp\usr\servers\server1\server.xml
    Enter the value generated in step 6 in the following code line.
    <keyStore id='<IP_keystore_name>' location='<IP_keystore_name>' 
    password='{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX' type='<type>'/>
    Where:
    <type>
    Starting from application update 9.2.26, the type of the Identity Provider keystore is PKCS12. For earlier application updates, it is JCEKS.
  8. Start the License Metric Tool server.
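As an added check that is not part of the IBM procedure, the following script audits a server.xml after steps 4 to 7 and reports any keyStore password or samlWebSso20 keyPassword that is still XOR-encoded or stored in plaintext, and any keyStoreRef that does not point at a defined keyStore. The sample server.xml, its ids and its password values are constructed for illustration.

```python
"""Audit a Liberty server.xml for SSO keystore passwords that are not AES-encoded."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the server.xml lines from the procedure above.
# The encoded values are placeholders, not real securityUtility output.
SAMPLE_SERVER_XML = """<server>
  <keyStore id='SPKeyStore' location='SPKeyStore.p12'
            password='{aes}EXAMPLEaesCIPHERTEXT' type='PKCS12'/>
  <keyStore id='IdPKeyStore' location='IdPKeyStore.p12'
            password='{xor}EXAMPLExorVALUE' type='PKCS12'/>
  <samlWebSso20 enabled="true" id="defaultSP" keyAlias="samlsp"
                keyPassword="plaintextSecret" keyStoreRef="SPKeyStore"/>
</server>"""


def password_encoding(value):
    """Return the Liberty encoding prefix ('aes', 'xor', ...) or 'plain'."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].lower()
    return "plain"


def audit_sso_passwords(server_xml):
    """Return [(element id, attribute, problem)] for every SSO password that is
    not AES-encoded and for every samlWebSso20 keyStoreRef with no matching keyStore."""
    root = ET.fromstring(server_xml)
    findings = []
    for tag, attr in (("keyStore", "password"), ("samlWebSso20", "keyPassword")):
        for elem in root.iter(tag):
            value = elem.get(attr)
            if value is None:
                continue
            enc = password_encoding(value)
            if enc != "aes":
                findings.append((elem.get("id", "?"), attr, enc))
    keystore_ids = {ks.get("id") for ks in root.iter("keyStore")}
    for saml in root.iter("samlWebSso20"):
        ref = saml.get("keyStoreRef")
        if ref is not None and ref not in keystore_ids:
            findings.append((saml.get("id", "?"), "keyStoreRef", "missing-keystore"))
    return findings


if __name__ == "__main__":
    for ident, attr, problem in audit_sso_passwords(SAMPLE_SERVER_XML):
        print(f"{ident}: {attr} is {problem}, expected an {{aes}} value")
```

Run it against <install_dir>/wlp/usr/servers/server1/server.xml (read the file into a string) after the server is stopped; an empty result means every SSO password is AES-encoded.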