Config and Secret Keys
Overview#
The Config Init job creates a set of secrets and configurations used by all Gluu services.
To check the values of the secret keys on the current deployment run :
kubectl get secrets gluu -n <namespace> -o yaml
To check the values of the configuration keys on the current deployment run :
kubectl get configmap gluu -n <namespace> -o yaml
Gluu Config Keys#
Key | Example Values |
---|---|
admin_email |
support@gluu.org |
admin_inum |
d3afef58-c026-4514-9d4c-e0a3efb4c29d |
api_rp_client_jks_fn |
/etc/certs/api-rp.jks |
api_rp_client_jwks_fn |
/etc/certs/api-rp-keys.json |
api_rs_client_cert_alg |
RS512 |
api_rs_client_cert_alias |
7193c192-c21d-4fa8-b13b-0667593a1f6f_sig_rs512 |
api_rs_client_jks_fn |
/etc/certs/api-rs.jks |
api_rs_client_jwks_fn |
/etc/certs/api-rs-keys.json |
api_test_client_id |
0008-db36db1f-025e-4164-aeed-f82df064eee8 |
auth_enc_keys |
RSA1_5 RSA-OAEP |
auth_sig_keys |
RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512 |
city |
Austin |
couchbaseTrustStoreFn |
/etc/certs/couchbase.pkcs12 |
country_code |
US |
default_openid_jks_dn_name |
CN=oxAuth CA Certificates |
fido2ConfigFolder |
/etc/gluu/conf/fido2 |
gluu_radius_client_id |
1701.9c798f32-1b01-42e9-99fe-415060e69e8e |
hostname |
demoexample.gluu.org |
idp3Folder |
/opt/shibboleth-idp |
idp_client_id |
1101.638504bc-d445-4559-a192-66f0d4e919a8 |
jetty_base |
/opt/gluu/jetty |
ldapTrustStoreFn |
/etc/certs/opendj.pkcs12 |
ldap_binddn |
cn=directory manager |
ldap_init_host |
opendj |
ldap_init_port |
1636 |
ldap_port |
1389 |
ldap_site_binddn |
cn=directory manager |
ldaps_port |
1636 |
orgName |
Gluu |
oxauth_client_id |
1001.1c2946c9-b913-43e7-b82e-6215ad4e87c1 |
oxauth_key_rotated_at |
1581608454 |
oxauth_legacyIdTokenClaims |
true |
oxauth_openidScopeBackwardCompatibility |
true |
oxauth_openid_jks_fn |
/etc/certs/oxauth-keys.jks |
oxauth_openid_jwks_fn |
/etc/certs/oxauth-keys.json |
oxtrust_requesting_party_client_id |
1402.f611f06c-1946-4c45-8eac-a57795a324b7 |
oxtrust_resource_id |
1403.aff108f4-ed21-4d5c-81fb-a588e70e07f1 |
oxtrust_resource_server_client_id |
1401.ece0dc1e-a53c-462e-b161-43867b6a4aa1 |
passportSpJksFn |
/etc/certs/passport-sp.jks |
passportSpTLSCACert |
/etc/certs/passport-sp.pem |
passportSpTLSCert |
/etc/certs/passport-sp.crt |
passportSpTLSKey |
/etc/certs/passport-sp.key |
passport_resource_id |
1504.85bdbfac-6338-4b9c-b945-2dc245067c1a |
passport_rp_client_cert_alg |
RS512 |
passport_rp_client_cert_alias |
78882060-4214-4317-a402-79960fca7901_sig_rs512 |
passport_rp_client_cert_fn |
/etc/certs/passport-rp.pem |
passport_rp_client_id |
1502.d9b8c3aa-60a0-404c-afec-e13811a708ec |
passport_rp_client_jks_fn |
/etc/certs/passport-rp.jks |
passport_rp_client_jwks_fn |
/etc/certs/passport-rp-keys.json |
passport_rp_ii_client_id |
1503.3bda64b7-293e-4160-9c97-a5592c1fbd0a |
passport_rs_client_id |
1501.c7165c37-8208-4b72-9378-de60deb279b4 |
passport_rs_client_cert_alg |
RS512 |
passport_rs_client_cert_alias |
a98989b1-11f3-400f-a311-b9db088d331a_sig_rs512 |
passport_rs_client_jks_fn |
/etc/certs/passport-rs.jks |
passport_rs_client_jwks_fn |
/etc/certs/passport-rs-keys.json |
radius_jwt_keyId |
996e281b-a63a-44a9-badf-197f9fd1aa0f_sig_rs512 |
scim_resource_oxid |
1203. |
scim_rp_client_id |
1202.4099a09e-f300-4fa8-8cfd-cb1347149652 |
scim_rp_client_jks_fn |
etc/certs/scim-rp.jks |
scim_rp_client_jwks_fn |
/etc/certs/scim-rp-keys.json |
scim_rs_client_cert_alg |
RS512 |
scim_rs_client_cert_alias |
a515336b-cb7f-4cc0-88cc-7ee89f0af6a7_sig_rs512 |
scim_rs_client_id |
1201.70bb198a-a10f-461b-81a1-68fa52ca0646 |
scim_rs_client_jks_fn |
/etc/certs/scim-rs.jks |
scim_rs_client_jwks_fn |
/etc/certs/scim-rs-keys.json |
scim_test_client_id |
0008-1b21974a-5d5c-43f3-b332-e66a6399f2b5 |
serf_peers |
["gluu-opendj-0.opendj.gluu.svc.cluster.local"] |
shibJksFn |
/etc/certs/shibIDP.jks |
shibboleth_version |
v3 |
state |
TX |
Gluu Secret Keys#
Key | Encode/Decode | File |
---|---|---|
api_rp_client_base64_jwks |
base64 | |
api_rp_client_jks_pass |
base64 | |
api_rp_client_jks_pass_encoded |
pyDes + base64 | |
api_rp_jks_base64 |
pyDes + base64 | /etc/certs/api-rp.jks |
api_rs_client_base64_jwks |
base64 | |
api_rs_client_jks_pass |
base64 | |
api_rs_client_jks_pass_encoded |
pyDes + base64 | |
api_rs_jks_base64 |
pyDes + base64 | /etc/certs/api-rs.jks |
api_test_client_secret |
base64 | |
couchbase_shib_user_password |
base64 | |
encoded_ldapTrustStorePass |
pyDes + base64 | |
encoded_ox_ldap_pw |
pyDes + base64 | |
encoded_oxtrust_admin_password |
ldap_encode + base64 | |
encoded_salt |
base64 | |
encoded_shib_jks_pw |
pyDes + base64 | |
gluu_ro_client_base64_jwks |
base64 | /etc/certs/gluu-radius.keys |
gluu_ro_encoded_pw |
base64 | |
idp3EncryptionCertificateText |
base64 | /etc/certs/idp-encryption.crt |
idp3EncryptionKeyText |
base64 | /etc/certs/idp-encryption.key |
idp3SigningCertificateText |
base64 | /etc/certs/idp-signing.crt |
idp3SigningKeyText |
base64 | /etc/certs/idp-signing.key |
idpClient_encoded_pw |
pyDes + base64 | |
jcr_last_pw |
base64 | |
ldap_pkcs12_base64 |
pyDes + base64 | /etc/certs/opendj.pkcs12 |
ldap_ssl_cacert |
pyDes + base64 | /etc/certs/opendj.pem |
ldap_ssl_cert |
pyDes + base64 | /etc/certs/opendj.crt |
ldap_ssl_key |
pyDes + base64 | /etc/certs/opendj.key |
ldap_truststore_pass |
base64 | |
oxauthClient_encoded_pw |
pyDes + base64 | |
oxauth_jks_base64 |
pyDes + base64 | /etc/certs/oxauth-keys.jks |
oxauth_openid_jks_pass |
base64 | |
oxauth_openid_key_base64 |
base64 | /etc/certs/oxauth-keys.json |
pairwiseCalculationKey |
base64 | |
pairwiseCalculationSalt |
base64 | |
passportSpJksPass |
base64 | |
passportSpKeyPass |
base64 | |
passport_rp_client_base64_jwks |
base64 | /etc/certs/passport-rp-keys.json |
passport_rp_client_cert_base64 |
pyDes + base64 | /etc/certs/passport-rp.pem |
passport_rp_client_jks_pass |
base64 | |
passport_rp_jks_base64 |
pyDes + base64 | /etc/certs/passport-rp.jks |
passport_rs_client_base64_jwks |
base64 | /etc/certs/passport-rs-keys.json |
passport_rs_client_jks_pass |
base64 | |
passport_rs_client_jks_pass_encoded |
pyDes + base64 | |
passport_rs_jks_base64 |
pyDes + base64 | /etc/certs/passport-rs.jks |
passport_sp_cert_base64 |
pyDes + base64 | /etc/certs/passport-sp.crt |
passport_sp_key_base64 |
pyDes + base64 | /etc/certs/passport-sp.key |
radius_jks_base64 |
pyDes + base64 | /etc/certs/gluu-radius.jks |
radius_jwt_pass |
pyDes + base64 | |
redis_pw |
base64 | |
scim_rp_client_base64_jwks |
base64 | /etc/certs/scim-rp-keys.json |
scim_rp_client_jks_pass |
base64 | |
scim_rp_client_jks_pass_encoded |
pyDes + base64 | |
scim_rp_jks_base64 |
pyDes + base64 | /etc/certs/scim-rp.jks |
scim_rs_client_base64_jwks |
base64 | /etc/certs/scim-rs-keys.json |
scim_rs_client_jks_pass |
base64 | |
scim_rs_client_jks_pass_encoded |
pyDes + base64 | |
scim_rs_jks_base64 |
pyDes + base64 | /etc/certs/scim-rs.jks |
scim_test_client_secret |
base64 | |
sealer_jks_base64 |
base64 | |
sealer_kver_base64 |
base64 | |
shibIDP_cert |
pyDes + base64 | /etc/certs/shibIDP.crt |
shibIDP_jks_base64 |
pyDes + base64 | /etc/certs/shibIDP.jks |
shibIDP_key |
pyDes + base64 | /etc/certs/shibIDP.key |
shibJksPass |
base64 | |
ssl_cert |
base64 | /etc/certs/gluu_https.crt |
ssl_cert_pass |
base64 | |
ssl_key |
base64 | /etc/certs/gluu_https.key |
Examples decoding passwords#
Opening /etc/certs/scim-rp.jks
file#
Note
We assume Gluu is installed in a namespace called gluu
-
Make a directory called
delete_me
mkdir delete_me && cd delete_me
-
Get the
scim_rp_client_jks_pass
from backend secret and savescim_rp_client_jks_pass
in a file calledscim_rp_client_jks_pass
kubectl get secret gluu -o json -n gluu | grep '"scim_rp_client_jks_pass":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' > scim_rp_client_jks_pass
-
Base64 decode the
scim_rp_client_jks_pass
and save the decodedscim_rp_client_jks_pass
in a file calledscim_rp_client_jks_pass_decoded
base64 -d scim_rp_client_jks_pass > scim_rp_client_jks_pass_decoded
-
Use
scim_rp_client_jks_pass_decoded
to unlock/etc/certs/scim-rp.jks
in oxauth pod.keytool -list -v -keystore /etc/certs/scim-rp.jks --storepass scim_rp_client_jks_pass_decoded
Opening /etc/certs/scim-rs.jks
file#
Note
We assume Gluu is installed in a namespace called gluu
-
Make a directory called
delete_me
mkdir delete_me && cd delete_me
-
Get the
scim_rs_client_jks_pass
from backend secret and savescim_rs_client_jks_pass
in a file calledscim_rs_client_jks_pass
kubectl get secret gluu -o json -n gluu | grep '"scim_rs_client_jks_pass":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' > scim_rs_client_jks_pass
-
Base64 decode the
scim_rs_client_jks_pass
and save the decodedscim_rs_client_jks_pass
in a file calledscim_rs_client_jks_pass_decoded
base64 -d scim_rs_client_jks_pass > scim_rs_client_jks_pass_decoded
-
Use
scim_rs_client_jks_pass_decoded
to unlock/etc/certs/scim-rs.jks
in oxauth pod.keytool -list -v -keystore /etc/certs/scim-rp.jks --storepass scim_rs_client_jks_pass_decoded
Opening /etc/certs/opendj.pkcs12
file#
Note
We assume Gluu is installed in a namespace called gluu
-
Make a directory called
delete_me
mkdir delete_me && cd delete_me
-
Get the
ldap_truststore_pass
from backend secret and saveldap_truststore_pass
in a file calledldap_truststore_pass
kubectl get secret gluu -o json -n gluu | grep '"ldap_truststore_pass":' | sed -e 's#.*:\(\)#\1#' | tr -d '"' | tr -d "," | tr -d '[:space:]' > ldap_truststore_pass
-
Base64 decode the
ldap_truststore_pass
and save the decodedldap_truststore_pass
in a file calledldap_truststore_pass_decoded
base64 -d ldap_truststore_pass > ldap_truststore_pass_decoded
-
Use
ldap_truststore_pass_decoded
to unlock/etc/certs/opendj.pkcs12
in opendj pod.keytool -list -v -keystore /etc/certs/opendj.pkcs12 --storepass ldap_truststore_pass_decoded
Services start order#