Configuring SSO keystore passwords and encryption

Configure unique passwords for the SSO keystores and encrypt them with the AES encryption algorithm.

About this task

Starting from application update 9.2.9, all fresh configurations of single sign-on in BigFix Inventory encrypt the SSO keystore passwords with AES by default. If single sign-on was enabled before the upgrade to version 9.2.9, the password encoding schema remains unchanged (XOR) until you complete this procedure.

Both the SAML and LTPA SSO types require two separate keystores: Service Provider and Identity Provider. You can use either identical or different passwords for these keystores. To configure new passwords for your SSO keystores, or to change the encryption method from XOR to AES, substitute the following variables and complete the procedure below. Note that the XOR encoding is reversible obfuscation rather than encryption, which is why AES is preferred.

<SP_keystore_name>
The Service Provider keystore name: SPKeyStore for SAML SSO, or LdapSSLTrustStore for LTPA SSO.
<IP_keystore_name>
The Identity Provider keystore name, as given by the id attribute of its keyStore element in server.xml. It differs from the Service Provider keystore name.
<alias>
The key alias: samlsp for SAML SSO, or default for LTPA SSO.

Procedure

  1. Stop the BigFix Inventory server.
  2. Optional: If you want to configure a custom SSO keystore password, follow the substeps below. If you only want to change the password encryption method from XOR to AES, continue with step 3.
    a. To change the key password for the Service Provider keystore, run the following command.

      On Linux:
      <Installation_directory>/jre/bin/keytool -keypasswd -keystore <Installation_directory>/wlp/usr/servers/server1/resources/security/<SP_keystore_name>.<keystore_extension> -storetype <type> -alias <alias>

      On Windows:
      <Installation_directory>\jre\bin\keytool -keypasswd -keystore <Installation_directory>\wlp\usr\servers\server1\resources\security\<SP_keystore_name>.<keystore_extension> -storetype <type> -alias <alias>

      When prompted, provide the current SSO keystore password, then the new key password. For the default keystore password, contact BigFix Support. The prompts look as follows:
      
      Enter keystore password:
      Enter key password for <alias>:
      New key password for <alias>:
      Re-enter new key password for <alias>:
      Password change successful for alias <alias>

      Note: keytool does not support a key password that differs from the store password in PKCS12 keystores (.p12, version 10.0.8.0 and later). If keytool rejects the -keypasswd command for a .p12 keystore, skip this substep; the store password that you set in substep b then also serves as the key password.
    b. To change the Service Provider keystore password, run the following command.

      On Linux:
      <Installation_directory>/jre/jre/bin/keytool -storepasswd -keystore <Installation_directory>/wlp/usr/servers/server1/resources/security/<SP_keystore_name>.<keystore_extension> -storetype <type>

      On Windows:
      <Installation_directory>\jre\jre\bin\keytool.exe -storepasswd -keystore <Installation_directory>\wlp\usr\servers\server1\resources\security\<SP_keystore_name>.<keystore_extension> -storetype <type>

      Set the new keystore password. It must match the password that you set for the key (substep a), because the server uses the keystore password to open the key.
      
      Enter keystore password:
      New keystore password:
      Re-enter new keystore password:
      
    c. To change the Identity Provider keystore password, run the following command.

      On Linux:
      <Installation_directory>/jre/jre/bin/keytool -storepasswd -keystore <Installation_directory>/wlp/usr/servers/server1/resources/security/<IP_keystore_name>.<keystore_extension> -storetype <type>

      On Windows:
      <Installation_directory>\jre\jre\bin\keytool.exe -storepasswd -keystore <Installation_directory>\wlp\usr\servers\server1\resources\security\<IP_keystore_name>.<keystore_extension> -storetype <type>

      Set the new keystore password.
      
      Enter keystore password:
      New keystore password:
      Re-enter new keystore password:
      
  3. To encrypt your Service Provider keystore password with AES, complete the following substeps.
    a. Set the JAVA_HOME variable to the JRE bundled with BigFix Inventory.

      On Linux:
      export JAVA_HOME=<Installation_directory>/jre/jre

      On Windows:
      set JAVA_HOME=<Installation_directory>\jre\jre

    b. Run the following command.

      On Linux:
      <Installation_directory>/wlp/bin/securityUtility encode --encoding=aes

      On Windows:
      <Installation_directory>\wlp\bin\securityUtility.bat encode --encoding=aes

    When prompted, provide your current Service Provider keystore password (the one set in step 2, or the default). The tool prints the encoded value, shown here as a placeholder:

    
    Enter text:
    Re-enter text:
    {aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX

    Note: unless you pass --key to securityUtility (and configure the matching wlp.password.encryption.key on the server), the value is encrypted with the Liberty default key, which is the same in every Liberty installation. Treat the {aes} value as protected only as well as server.xml itself is, and keep the file permissions on server.xml restrictive.
  4. Update the Service Provider keystore password in the server.xml file. Enter the value generated in step 3 as the password attribute of the following line, replacing the existing {xor} or plaintext value:
     <keyStore id='<SP_keystore_name>' location='<SP_keystore_name>.<keystore_extension>' 
    password='{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX' type='<type>'/>
    For SAML SSO, also update the keyPassword attribute of the samlWebSso20 element in the server.xml file with the same value, because the key password and the keystore password must match:
    <samlWebSso20 enabled="true" id="defaultSP" keyAlias="samlsp" 
    keyPassword="{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX" 
    keyStoreRef="SPKeyStore" loginPageURL="https://hostname:9081/" nameIDFormat="customize">
    The server.xml file is located in the following folder.
    • <Installation_directory>/wlp/usr/servers/server1/server.xml
    • <Installation_directory>\wlp\usr\servers\server1\server.xml

  5. To encrypt your Identity Provider keystore password with AES, run the following command. JAVA_HOME must still be set as in step 3.a.

    On Linux:
    <Installation_directory>/wlp/bin/securityUtility encode --encoding=aes

    On Windows:
    <Installation_directory>\wlp\bin\securityUtility.bat encode --encoding=aes

    When prompted, provide your current Identity Provider keystore password. The tool prints the encoded value, shown here as a placeholder:

    
    Enter text:
    Re-enter text:
    {aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX
  6. Update the Identity Provider keystore password in the server.xml file. Enter the value generated in step 5 as the password attribute of the following line, replacing the existing {xor} or plaintext value:
     <keyStore id='<IP_keystore_name>' location='<IP_keystore_name>.<keystore_extension>' 
    password='{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX' type='<type>'/>
    The server.xml file is located in the following folder.
    • <Installation_directory>/wlp/usr/servers/server1/server.xml
    • <Installation_directory>\wlp\usr\servers\server1\server.xml
  7. Start the BigFix Inventory server.
    Note: The <type> and <keystore_extension> parameters used in the commands above take the following values:
    <type>
    Starting from version 10.0.8.0, the keystore type is PKCS12. For earlier versions, it is JCEKS.
    <keystore_extension>
    Starting from version 10.0.8.0, the keystore file extension is .p12. For earlier versions, it is .jceks.
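The following Python script is an added example and is not part of BigFix Inventory or of Liberty. It shows why the {xor} values that this procedure replaces must not be left behind (Liberty's {xor} encoding is base64 of each character XOR 0x5F, so it is reversible by anyone who can read server.xml), audits a server.xml for password attributes that are not {aes}-encoded, and writes an {aes} value from securityUtility into a keyStore element and into the samlWebSso20 keyPassword that references it, which is what steps 4 and 6 do by hand. The server.xml fragment is constructed for the example; the Identity Provider keystore id IdPKeyStore is a hypothetical placeholder, and the {aes}xxxx... value is the page's placeholder, not a real encoding.

```python
"""Audit and update keystore password attributes in a Liberty server.xml.

Added example, not BigFix Inventory or Liberty code. Demonstrates:
  * why {xor} values must be replaced: each character is XORed with 0x5F and
    the result base64-encoded, which is obfuscation, not encryption;
  * how to list every password-bearing attribute that is not {aes}-encoded;
  * how to write the {aes} value from securityUtility into a keyStore element
    and into the samlWebSso20 keyPassword that references that keystore.
"""
import base64
import xml.etree.ElementTree as ET

# Elements and attributes that carry keystore or key passwords on this page.
PASSWORD_ATTRS = {"keyStore": ("password",), "samlWebSso20": ("keyPassword",)}

# Constructed sample. IdPKeyStore is a hypothetical id for the Identity
# Provider keystore; {xor}KzosKw== is the Liberty XOR encoding of "test".
SAMPLE_SERVER_XML = """<server>
  <keyStore id="SPKeyStore" location="SPKeyStore.p12" password="{xor}KzosKw==" type="PKCS12"/>
  <keyStore id="IdPKeyStore" location="IdPKeyStore.p12" password="{xor}KzosKw==" type="PKCS12"/>
  <samlWebSso20 enabled="true" id="defaultSP" keyAlias="samlsp" keyPassword="{xor}KzosKw=="
      keyStoreRef="SPKeyStore" loginPageURL="https://hostname:9081/" nameIDFormat="customize"/>
</server>
"""

# Placeholder taken from the procedure above, not a real encoding.
AES_PLACEHOLDER = "{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX"


def xor_decode(value: str) -> str:
    """Recover the plaintext behind a Liberty {xor} value (obfuscation only)."""
    if not value.startswith("{xor}"):
        raise ValueError("not a {xor} value")
    raw = base64.b64decode(value[len("{xor}"):])
    return "".join(chr(b ^ 0x5F) for b in raw)


def encoding_of(value: str) -> str:
    """Return the encoding tag of a Liberty password value ('aes', 'xor', ...) or 'plain'."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")]
    return "plain"


def audit_passwords(server_xml: str):
    """List (tag, id, attribute, encoding) for every password attribute that is not {aes}."""
    root = ET.fromstring(server_xml)
    findings = []
    for tag, attrs in PASSWORD_ATTRS.items():
        for element in root.iter(tag):
            for attr in attrs:
                value = element.get(attr)
                if value is not None and encoding_of(value) != "aes":
                    findings.append((tag, element.get("id"), attr, encoding_of(value)))
    return findings


def set_keystore_password(server_xml: str, keystore_id: str, encoded: str) -> str:
    """Write an {aes} value into keyStore[id] and into any samlWebSso20 that references it."""
    if encoding_of(encoded) != "aes":
        raise ValueError("expected an {aes} value from securityUtility encode --encoding=aes")
    root = ET.fromstring(server_xml)
    matched = False
    for keystore in root.iter("keyStore"):
        if keystore.get("id") == keystore_id:
            keystore.set("password", encoded)
            matched = True
    if not matched:
        raise KeyError(f"no keyStore with id {keystore_id!r}")
    # The SAML key password must equal the keystore password, so update it too.
    for sso in root.iter("samlWebSso20"):
        if sso.get("keyStoreRef") == keystore_id and sso.get("keyPassword") is not None:
            sso.set("keyPassword", encoded)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("XOR value decodes to:", xor_decode("{xor}KzosKw=="))
    print("Before:", audit_passwords(SAMPLE_SERVER_XML))
    updated = set_keystore_password(SAMPLE_SERVER_XML, "SPKeyStore", AES_PLACEHOLDER)
    print("After updating SPKeyStore:", audit_passwords(updated))
```

Run the audit before step 1 to see which values are XOR-encoded or plaintext, and again after step 7 to confirm that none remain. ElementTree drops XML comments when it serializes the tree, so back up server.xml before writing the output of set_keystore_password over it, or apply the values by hand as the procedure describes.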