Config and Secret Keys

Overview#

The Config Init job creates a set of secrets and configurations used by all Gluu services.

To check the values of the secret keys on the current deployment run :

kubectl get secrets gluu -n <namespace> -o yaml

To check the values of the configuration keys on the current deployment run :

kubectl get configmap  gluu -n <namespace> -o yaml

Gluu Config Keys#

Key	Example Values
`admin_email`	`support@gluu.org`
`admin_inum`	`d3afef58-c026-4514-9d4c-e0a3efb4c29d`
`api_rp_client_jks_fn`	`/etc/certs/api-rp.jks`
`api_rp_client_jwks_fn`	`/etc/certs/api-rp-keys.json`
`api_rs_client_jks_fn`	`/etc/certs/api-rs.jks`
`api_rs_client_jwks_fn`	`/etc/certs/api-rs-keys.json`
`api_test_client_id`	`0008-db36db1f-025e-4164-aeed-f82df064eee8`
`city`	`Austin`
`couchbaseTrustStoreFn`	`/etc/certs/couchbase.pkcs12`
`country_code`	`US`
`default_openid_jks_dn_name`	`CN=oxAuth CA Certificates`
`fido2ConfigFolder`	`/etc/gluu/conf/fido2`
`gluu_radius_client_id`	`1701.9c798f32-1b01-42e9-99fe-415060e69e8e`
`hostname`	`demoexample.gluu.org`
`idp3Folder`	`/opt/shibboleth-idp`
`idp_client_id`	`1101.638504bc-d445-4559-a192-66f0d4e919a8`
`jetty_base`	`/opt/gluu/jetty`
`ldapTrustStoreFn`	`/etc/certs/opendj.pkcs12`
`ldap_binddn`	`cn=directory manager`
`ldap_init_host`	`opendj`
`ldap_init_port`	`1636`
`ldap_peers`	`["gluu-opendj-0.opendj.gluu.svc.cluster.local"]`
`ldap_port`	`1389`
`ldap_site_binddn`	`cn=directory manager`
`ldaps_port`	`1636`
`orgName`	`Gluu`
`oxauth_client_id`	`1001.1c2946c9-b913-43e7-b82e-6215ad4e87c1`
`oxauth_key_rotated_at`	`1581608454`
`oxauth_legacyIdTokenClaims`	`true`
`oxauth_openidScopeBackwardCompatibility`	`true`
`oxauth_openid_jks_fn`	`/etc/certs/oxauth-keys.jks`
`oxauth_openid_jwks_fn`	`/etc/certs/oxauth-keys.json`
`oxtrust_requesting_party_client_id`	`1402.f611f06c-1946-4c45-8eac-a57795a324b7`
`oxtrust_resource_id`	`1403.aff108f4-ed21-4d5c-81fb-a588e70e07f1`
`oxtrust_resource_server_client_id`	`1401.ece0dc1e-a53c-462e-b161-43867b6a4aa1`
`passportSpJksFn`	`/etc/certs/passport-sp.jks`
`passportSpTLSCACert`	`/etc/certs/passport-sp.pem`
`passportSpTLSCert`	`/etc/certs/passport-sp.crt`
`passportSpTLSKey`	`/etc/certs/passport-sp.key`
`passport_resource_id`	`1504.85bdbfac-6338-4b9c-b945-2dc245067c1a`
`passport_rp_client_cert_alg`	`RS512`
`passport_rp_client_cert_alias`	`78882060-4214-4317-a402-79960fca7901_sig_rs512`
`passport_rp_client_cert_fn`	`/etc/certs/passport-rp.pem`
`passport_rp_client_id`	`1502.d9b8c3aa-60a0-404c-afec-e13811a708ec`
`passport_rp_client_jks_fn`	`/etc/certs/passport-rp.jks`
`passport_rp_client_jwks_fn`	`/etc/certs/passport-rp-keys.json`
`passport_rp_ii_client_id`	`1503.3bda64b7-293e-4160-9c97-a5592c1fbd0a`
`passport_rs_client_id`	`1501.c7165c37-8208-4b72-9378-de60deb279b4`
`passport_rs_client_jks_fn`	`/etc/certs/passport-rs.jks`
`passport_rs_client_jwks_fn`	`/etc/certs/passport-rs-keys.json`
`radius_jwt_keyId`	`996e281b-a63a-44a9-badf-197f9fd1aa0f_sig_rs512`
`scim_resource_oxid`	`1203.`
`scim_rp_client_id`	`1202.4099a09e-f300-4fa8-8cfd-cb1347149652`
`scim_rp_client_jks_fn`	`etc/certs/scim-rp.jks`
`scim_rp_client_jwks_fn`	`/etc/certs/scim-rp-keys.json`
`scim_rs_client_id`	`1201.70bb198a-a10f-461b-81a1-68fa52ca0646`
`scim_rs_client_jks_fn`	`/etc/certs/scim-rs.jks`
`scim_rs_client_jwks_fn`	`/etc/certs/scim-rs-keys.json`
`scim_test_client_id`	`0008-1b21974a-5d5c-43f3-b332-e66a6399f2b5`
`shibJksFn`	`/etc/certs/shibIDP.jks`
`shibboleth_version`	`v3`
`state`	`TX`

Gluu Secret Keys#

Key	Encode/Decode	File
`api_rp_client_base64_jwks`	base64
`api_rp_client_jks_pass`	base64
`api_rp_client_jks_pass_encoded`	pyDes + base64
`api_rp_jks_base64`	pyDes + base64	/etc/certs/api-rp.jks
`api_rs_client_base64_jwks`	base64
`api_rs_client_jks_pass`	base64
`api_rs_client_jks_pass_encoded`	pyDes + base64
`api_rs_jks_base64`	pyDes + base64	/etc/certs/api-rs.jks
`api_test_client_secret`	base64
`encoded_ldapTrustStorePass`	pyDes + base64
`encoded_ox_ldap_pw`	pyDes + base64
`encoded_oxtrust_admin_password`	ldap_encode + base64
`encoded_salt`	base64
`encoded_shib_jks_pw`	pyDes + base64
`gluu_ro_client_base64_jwks`	base64	/etc/certs/gluu-radius.keys
`gluu_ro_encoded_pw`	base64
`idp3EncryptionCertificateText`	base64	/etc/certs/idp-encryption.crt
`idp3EncryptionKeyText`	base64	/etc/certs/idp-encryption.key
`idp3SigningCertificateText`	base64	/etc/certs/idp-signing.crt
`idp3SigningKeyText`	base64	/etc/certs/idp-signing.key
`idpClient_encoded_pw`	pyDes + base64
`ldap_pkcs12_base64`	pyDes + base64	/etc/certs/opendj.pkcs12
`ldap_ssl_cacert`	pyDes + base64	/etc/certs/opendj.pem
`ldap_ssl_cert`	pyDes + base64	/etc/certs/opendj.crt
`ldap_ssl_key`	pyDes + base64	/etc/certs/opendj.key
`ldap_truststore_pass`	base64
`oxauthClient_encoded_pw`	pyDes + base64
`oxauth_jks_base64`	pyDes + base64	/etc/certs/oxauth-keys.jks
`oxauth_openid_jks_pass`	base64
`oxauth_openid_key_base64`	base64	/etc/certs/oxauth-keys.json
`pairwiseCalculationKey`	base64
`pairwiseCalculationSalt`	base64
`passportSpJksPass`	base64
`passportSpKeyPass`	base64
`passport_rp_client_base64_jwks`	base64	/etc/certs/passport-rp-keys.json
`passport_rp_client_cert_base64`	pyDes + base64	/etc/certs/passport-rp.pem
`passport_rp_client_jks_pass`	base64
`passport_rp_jks_base64`	pyDes + base64	/etc/certs/passport-rp.jks
`passport_rs_client_base64_jwks`	base64	/etc/certs/passport-rs-keys.json
`passport_rs_client_jks_pass`	base64
`passport_rs_client_jks_pass_encoded`	pyDes + base64
`passport_rs_jks_base64`	pyDes + base64	/etc/certs/passport-rs.jks
`passport_sp_cert_base64`	pyDes + base64	/etc/certs/passport-sp.crt
`passport_sp_key_base64`	pyDes + base64	/etc/certs/passport-sp.key
`radius_jks_base64`	pyDes + base64	/etc/certs/gluu-radius.jks
`radius_jwt_pass`	pyDes + base64
`scim_rp_client_base64_jwks`	base64	/etc/certs/scim-rp-keys.json
`scim_rp_client_jks_pass`	base64
`scim_rp_client_jks_pass_encoded`	pyDes + base64
`scim_rp_jks_base64`	pyDes + base64	/etc/certs/scim-rp.jks
`scim_rs_client_base64_jwks`	base64	/etc/certs/scim-rs-keys.json
`scim_rs_client_jks_pass`	base64
`scim_rs_client_jks_pass_encoded`	pyDes + base64
`scim_rs_jks_base64`	pyDes + base64	/etc/certs/scim-rs.jks
`scim_test_client_secret`	base64
`shibIDP_cert`	pyDes + base64	/etc/certs/shibIDP.crt
`shibIDP_jks_base64`	pyDes + base64	/etc/certs/shibIDP.jks
`shibIDP_key`	pyDes + base64	/etc/certs/shibIDP.key
`shibJksPass`	base64
`ssl_cert`	base64	/etc/certs/gluu_https.crt
`ssl_cert_pass`	base64
`ssl_key`	base64	/etc/certs/gluu_https.key

Examples decoding passwords#

Opening `/etc/certs/scim-rp.jks` file#

Note

We assume Gluu is installed in a namespace called gluu

Make a directory called delete_me
```
mkdir delete_me && cd delete_me
```

Get the scim_rp_client_jks_pass from backend secret and save scim_rp_client_jks_pass in a file called scim_rp_client_jks_pass

kubectl get secret gluu -o json -n gluu | grep '"scim_rp_client_jks_pass":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' > scim_rp_client_jks_pass

Base64 decode the scim_rp_client_jks_pass and save the decoded scim_rp_client_jks_pass in a file called scim_rp_client_jks_pass_decoded
```
base64 -d scim_rp_client_jks_pass > scim_rp_client_jks_pass_decoded
```

Use scim_rp_client_jks_pass_decoded to unlock /etc/certs/scim-rp.jks in oxauth pod.

keytool -list -v -keystore /etc/certs/scim-rp.jks --storepass scim_rp_client_jks_pass_decoded

Opening `/etc/certs/scim-rs.jks` file#

Note

We assume Gluu is installed in a namespace called gluu

Make a directory called delete_me
```
mkdir delete_me && cd delete_me
```

Get the scim_rs_client_jks_pass from backend secret and save scim_rs_client_jks_pass in a file called scim_rs_client_jks_pass

kubectl get secret gluu -o json -n gluu | grep '"scim_rs_client_jks_pass":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' > scim_rs_client_jks_pass

Base64 decode the scim_rs_client_jks_pass and save the decoded scim_rs_client_jks_pass in a file called scim_rs_client_jks_pass_decoded
```
base64 -d scim_rs_client_jks_pass > scim_rs_client_jks_pass_decoded
```

Use scim_rs_client_jks_pass_decoded to unlock /etc/certs/scim-rs.jks in oxauth pod.

keytool -list -v -keystore /etc/certs/scim-rp.jks --storepass scim_rs_client_jks_pass_decoded

Opening `/etc/certs/opendj.pkcs12` file#

Note

We assume Gluu is installed in a namespace called gluu

Make a directory called delete_me
```
mkdir delete_me && cd delete_me
```

Get the ldap_truststore_pass from backend secret and save ldap_truststore_pass in a file called ldap_truststore_pass

kubectl get secret gluu -o json -n gluu | grep '"ldap_truststore_pass":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' > ldap_truststore_pass

Base64 decode the ldap_truststore_pass and save the decoded ldap_truststore_pass in a file called ldap_truststore_pass_decoded
```
base64 -d ldap_truststore_pass > ldap_truststore_pass_decoded
```

Use ldap_truststore_pass_decoded to unlock /etc/certs/opendj.pkcs12 in opendj pod.

keytool -list -v -keystore /etc/certs/opendj.pkcs12 --storepass ldap_truststore_pass_decoded

Config and Secret Keys

Overview#

Gluu Config Keys#

Gluu Secret Keys#

Examples decoding passwords#

Opening /etc/certs/scim-rp.jks file#

Opening /etc/certs/scim-rs.jks file#

Opening /etc/certs/opendj.pkcs12 file#

Opening `/etc/certs/scim-rp.jks` file#

Opening `/etc/certs/scim-rs.jks` file#

Opening `/etc/certs/opendj.pkcs12` file#