Certificates#
Certificates in Chroot#
Gluu Server components have cryptographic keys and X.509 certificates that are stored inside thechroot. Details for certificates associated with each component are provided below. The following certificates are available in the /etc/certs folder.
| IDP | Shibboleth | APACHE | OPENDJ |
|---|---|---|---|
| idp-encryption.crt | shibIDP.crt | httpd.crt | opendj.crt |
| idp-encryption.csr | shibIDP.csr | https.csr | opendj.pksc12 |
| idp-encryption.key | shibIDP.jks | httpd.key | |
| idp-encryption.key.orig | shibIDP.key | httpd.key.orig | |
| idp-signing.crt | shibIDP.key.orig | ||
| idp-signing.csr | shibIDP.pkcs12 | ||
| idp-signing.key | |||
| idp-signing.key.orig |
The certificates for Passport authentication are passport-rp.jks, passport-rp.pem, passport-rs.jks.
The SCIM certificate is named scim-rs.jks and the OTP certificate is named otp_configuration.json.
Custom Script JSON Files#
Additionally the following json files are available which are used in different custom scripts for multi-factor authentication.
cert_creds.jsonduo_creds.jsongplus_client_secrets.jsonotp_configuration.jsonoxauth-keys.jsonsuper_gluu_creds.jsonvericloud_gluu_creds.json
Generating Cryptographic Keys#
The Gluu Server is compatible with the Java KeyGenerator to create new cryptographic keys if needed.
To get KeyGenerator, run the following command inside the chroot:
wget https://ox.gluu.org/maven/org/gluu/oxauth-client/4.1.0.Final/oxauth-client-4.1.0.Final-jar-with-dependencies.jar -O oxauth-client.jar
Then, run KeyGenerator with the following command:
java -jar oxauth-client.jar <arguments>
The Gluu implementation of KeyGenerator accepts the following arguments:
| Argument | Description |
|---|---|
| -at |
oxEleven Access Token |
| -dnname |
DN of certificate issuer |
| -enc_keys |
Encryption keys to generate (For example: RSA_OAEP, RSA1_5) |
| -expiration |
Expiration in days |
| -expiration_hours |
Expiration in hours |
| -h | Show help |
| -keypasswd |
Key Store password |
| -keystore |
Key Store file (such as /etc/certs/api-rs.jks) |
| -ox11 |
oxEleven Generate Key Endpoint. |
| -sig_keys |
Signature keys to generate. (For example: RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512) |
Certificates in oxTrust#
Certificates commonly used for SSO typically have a short expiration date, and can now be easily viewed and downloaded in oxTrust. Navigate to Configuration > Certificates to access these certificates.
The following are available:
- OpenDJ SSL
- httpd SSL
- IDP Signing
- IDP Encryption
Updating Apache Certificate#
The certificates must be manually updated from the /etc/certs/ folder.
There are many tools that can be used to update and renew certificates. By default Gluu uses OpenSSL. If you have questions about using other tools, like Let'sEncrypt, check the Gluu support portal for existing threads. If there is no existing information, sign up and open a ticket.
Warning
The private key cannot be password protected, and the public key must be base64 X.509.
Note
Please backup your full /etc/certs directory and cacerts file under /opt/jdkx.y.z/jre/lib/security/ folder before updating certificates.
Please follow these steps shown below to update the Apache SSL cert:
- Save the latest SSL httpd key and certificate in the
/etc/certsfolder - Rename them to
httpd.keyandhttpd.crtrespectively - Import 'httpd.der' into the Java Keystore
/ Convertion to DER, command:
openssl x509 -outform der -in httpd.crt -out httpd.der- Delete the existing certificate to avoid ambiguity due to presence of 2 different certificates for the same entity after importing the new one:
/opt/amazon-corretto-x.x.x.x/jre/bin/keytool -delete -alias <hostname_of_your_Gluu_Server>_httpd -keystore /opt/amazon-corretto-x.x.x.x/jre/lib/security/cacerts -storepass changeit - Import certificate into the Java Keystore(cacerts):
/opt/amazon-corretto-x.x.x.x/jre/bin/keytool -importcert -file httpd.der -keystore /opt/amazon-corretto-x.x.x.x/jre/lib/security/cacerts -alias <hostname_of_your_Gluu_Server>_httpd -storepass changeit
- Delete the existing certificate to avoid ambiguity due to presence of 2 different certificates for the same entity after importing the new one:
- Restart
opendj,apache2/httpd,oxauthandidentityservices.
Install Intermediate Certificates#
Please follow the steps below to install intermediate certificates:
- Log in to the Gluu Server container.
- Keep your intermediate certificate in the file
/etc/certs/. - Modify
/etc/httpd/conf.d/https_gluu.conf, and add
SSLCertificateChainFile /etc/certs/name_of_your_interm_root_cert.crt. - Restart the
httpdservice.
Updating Certificates and keys instructions for Kubernetes#
The following table shows all the keys that can be replaced inside the gluu secret.
| Key |
|---|
api_rp_jks_base64 |
api_rs_jks_base64 |
gluu_ro_client_base64_jwks |
idp3EncryptionCertificateText |
idp3EncryptionKeyText |
idp3SigningCertificateText |
idp3SigningKeyText |
ldap_pkcs12_base64 |
ldap_ssl_cacert |
ldap_ssl_cert |
ldap_ssl_key |
oxauth_jks_base64 |
oxauth_openid_key_base64 |
passport_rp_client_base64_jwks |
passport_rp_client_cert_base64 |
passport_rp_jks_base64 |
passport_rs_client_base64_jwks |
passport_rs_jks_base64 |
passport_sp_cert_base64 |
passport_sp_key_base64 |
radius_jks_base64 |
scim_rp_client_base64_jwks |
scim_rp_jks_base64 |
scim_rs_client_base64_jwks |
scim_rs_jks_base64 |
shibIDP_cert |
shibIDP_jks_base64 |
shibIDP_key |
ssl_cert |
ssl_key |
-
Login the vm controlling the kubernetes cluster.
-
Make a directory called
update.mkdir update && cd update -
Grab the gluu secret and store it as
gluu_secret.yamlkubectl get secrets gluu -n <namespace> -o yaml > gluu_secret.yaml -
Optional: If the gluu https crt and key are being updated the ingress tls needs to be copied as well.
1. Optional: Make a copy of this secret.kubectl get secrets tls-certificate -n <namespace> -o yaml > gluu_tls_certificate.yamlcp gluu_tls_certificate.yaml original_gluu_tls_certificate.yaml -
Make a copy of the gluu secret.
cp gluu_secret.yaml original_secret.yaml -
For every key in the table above that will be updated create a file with the same name as the key name and the contents of the key that will be updated. Forexample, we will update
ssl_certandssl_key.and pasted the new cert content i.evi ssl_cert-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----and pasted the new key content i.evi ssl_key-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY----- -
Download latest
pygluu-kubernetes.pyzand runupdate-secretcommand../pygluu-kubernetes.pyz update-secret -
gluu_secret.yamlshould have been modified now. Delete the existing secret so the updated one can replace it.kubectl delete secret gluu -n <namespace> -
Create the modified secret.
kubectl create -f gluu_secret.yaml -
Optional: If the gluu https crt and key are being updated the ingress tls needs to be updated as well.
kubectl apply -f gluu_tls_certificate.yamlPlease update the certificate and key associated with the load balancer on cloud deployments.
-
Restart pods to reload crts and keys in order
oxauth,oxtrust,oxpassport,oxshibboleth,radiuskubectl scale deploy oxauth -n <namespace> --replicas=0 kubectl scale deploy oxauth -n <namespace> --replicas=1 # Wait until oxauth is up kubectl scale statefulset oxtrust -n <namespace> --replicas=0 kubectl scale statefulset oxtrust -n <namespace> --replicas=0 ...