
OSP 6.3.x (IDG3.5.x) and the osp.jks

Just ran an install of OSP 6.3.0 and looked at the keystore it
generated. This looks pretty different from 3.0.1 or the older
Identity Apps OSP.

I get 29 entries now? Used to be but one.

osp-sign, May 1, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1):
21:98:7B:FD:96:30:BE:F9:A3:A4:B5:DA:36:79:BF:19:19:1A:55:C7
osp-crypt, May 1, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1):
44:76:96:CF:74:AA:A6:33:45:A4:E9:D1:72:79:98:5A:75:13:9A:D4
osp-tls, May 1, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1):
1A:5E:F3:13:E1:74:9F:67:29:56:8F:08:CB:DC:B0:9B:F1:FC:69:14
symmetrickey-hmacsha256-114, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha256-115, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha256-125, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha256-126, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha256-127, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha1-114, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha1-115, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha1-125, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha1-126, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha1-127, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha384-114, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha384-115, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha384-125, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha384-126, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha384-127, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha512-114, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha512-115, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha512-125, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha512-126, May 1, 2019, SecretKeyEntry,
symmetrickey-hmacsha512-127, May 1, 2019, SecretKeyEntry,
symmetrickey-aes-121, May 1, 2019, SecretKeyEntry,
symmetrickey-aes-122, May 1, 2019, SecretKeyEntry,
symmetrickey-aes-123, May 1, 2019, SecretKeyEntry,
symmetrickey-aes-117, May 1, 2019, SecretKeyEntry,
symmetrickey-aes-118, May 1, 2019, SecretKeyEntry,
symmetrickey-aes-119, May 1, 2019, SecretKeyEntry,

So this is new. In the past, we only needed a single cert, self-signed,
which we could name anything. So I would make a 10-20 year cert and get NAM to
trust it for SAML so I never had to recreate it.

This looks much more complicated; any idea what is going on here?

I get the move to three certs for OSP: sign, crypt and tls. TLS for the
comms channel, sign and crypt for SAML. I guess before we used the
single one for all three.

What is up with the 26 symmetrickeys it generates?


I see in the ism-configuration.properties that there are now three
definitions for keys to use, and keystores.

com.netiq.idm.osp.oauth-tls-keystore.file =
/opt/netiq/idm/apps/osp/osp.pkcs12

com.netiq.idm.osp.oauth-truststore.file =
/opt/netiq/idm/apps/osp/osp-truststore.pkcs12

Am I to read that as: the signing/cert/tls keys are in one keystore, and
then the public keys belong in the osp-truststore.pkcs12 file? (Which is
currently empty for me, which would make sense.)

This would make sense in terms of segregating the private from public keys.

I think the docs talk about this, a little less clearly than I would like:
https://www.netiq.com/documentation/identity-governance-35/install-guide/data/b19v92l7.html#b19xs8lb

So I read that as: the certs for LDAP/Audit/SMTP go into the
osp-truststore.pkcs12 file and a similar one in tomcat/conf.

Hmm, interesting stuff. Looks like I could reset that back to use a
single cert if I so decided... My issue is that this means in two years
I need to recreate 3 certs, not one; not sure I see how to renew these
certs anywhere in the docs yet...
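Added example (not part of the post, and not NetIQ/Micro Focus code): a small Python parser for the `keytool -list` style listing quoted above, so the contents of osp.jks can be inventoried and checked rather than eyeballed. It counts entries by type, groups the `symmetrickey-<alg>-<n>` aliases by algorithm, and verifies that the three key pairs the post identifies (osp-sign, osp-crypt, osp-tls) are present as PrivateKeyEntry with a fingerprint recorded. The sample listing is constructed from the aliases shown in the post; the expected-alias trio is an assumption taken from that listing. Note that the non-verbose listing carries no validity dates, so renewal planning needs `keytool -list -v` output instead.

```python
"""Inventory a `keytool -list` (non-verbose) listing of a JKS/PKCS12 keystore.
Added example, not vendor code. Sample text is constructed from the post."""
import re
from collections import Counter

# One line per entry: "<alias>, <Mon d, yyyy>, <EntryType>,"
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),\s*(?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4}),\s*"
    r"(?P<type>PrivateKeyEntry|SecretKeyEntry|trustedCertEntry),?\s*$"
)
# Fingerprint line; the hex may follow on the same line or wrap to the next.
FP_LINE_RE = re.compile(r"^Certificate fingerprint \((?P<alg>[A-Z0-9-]+)\):\s*(?P<hex>.*)$")
HEX_RE = re.compile(r"^([0-9A-Fa-f]{2}:){15,}[0-9A-Fa-f]{2}$")
# Alias convention seen in the post: symmetrickey-<algorithm>-<number>
SYMKEY_RE = re.compile(r"^symmetrickey-(?P<alg>[a-z0-9]+)-(?P<num>\d+)$")


def parse_listing(text):
    """Return a list of {alias, date, type, fingerprint} dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"alias": m["alias"].strip(), "date": m["date"],
                            "type": m["type"], "fingerprint": None})
            continue
        if not entries:
            continue  # header lines before the first entry
        m = FP_LINE_RE.match(line)
        if m:
            if m["hex"]:
                entries[-1]["fingerprint"] = m["hex"].upper()
            continue
        if HEX_RE.match(line) and entries[-1]["fingerprint"] is None:
            entries[-1]["fingerprint"] = line.upper()  # wrapped fingerprint
    return entries


def summarize(entries):
    """Counts by entry type and, for symmetrickey-* aliases, by algorithm."""
    by_type = Counter(e["type"] for e in entries)
    by_alg = Counter()
    for e in entries:
        m = SYMKEY_RE.match(e["alias"])
        if m:
            by_alg[m["alg"]] += 1
    return by_type, by_alg


def check_private_keys(entries, expected=("osp-sign", "osp-crypt", "osp-tls")):
    """Confirm the expected key pairs exist as PrivateKeyEntry with a fingerprint
    (the value you would pin or compare after a rebuild). Returns problems found."""
    have = {e["alias"]: e for e in entries}
    problems = []
    for alias in expected:
        e = have.get(alias)
        if e is None:
            problems.append(f"missing entry {alias}")
        elif e["type"] != "PrivateKeyEntry":
            problems.append(f"{alias} is {e['type']}, expected PrivateKeyEntry")
        elif not e["fingerprint"]:
            problems.append(f"{alias} has no certificate fingerprint")
    return problems


# Constructed sample: the aliases from the post, in keytool's output format,
# with fingerprints both inline and wrapped onto the next line.
_SYMMETRIC = {
    "hmacsha256": (114, 115, 125, 126, 127), "hmacsha1": (114, 115, 125, 126, 127),
    "hmacsha384": (114, 115, 125, 126, 127), "hmacsha512": (114, 115, 125, 126, 127),
    "aes": (121, 122, 123, 117, 118, 119),
}
SAMPLE_LISTING = (
    "osp-sign, May 1, 2019, PrivateKeyEntry,\n"
    "Certificate fingerprint (SHA1):\n"
    "21:98:7B:FD:96:30:BE:F9:A3:A4:B5:DA:36:79:BF:19:19:1A:55:C7\n"
    "osp-crypt, May 1, 2019, PrivateKeyEntry,\n"
    "Certificate fingerprint (SHA1): 44:76:96:CF:74:AA:A6:33:45:A4:E9:D1:72:79:98:5A:75:13:9A:D4\n"
    "osp-tls, May 1, 2019, PrivateKeyEntry,\n"
    "Certificate fingerprint (SHA1):\n"
    "1A:5E:F3:13:E1:74:9F:67:29:56:8F:08:CB:DC:B0:9B:F1:FC:69:14\n"
    + "".join(f"symmetrickey-{alg}-{n}, May 1, 2019, SecretKeyEntry,\n"
              for alg, nums in _SYMMETRIC.items() for n in nums)
)

if __name__ == "__main__":
    ents = parse_listing(SAMPLE_LISTING)
    by_type, by_alg = summarize(ents)
    print("entries:", len(ents), dict(by_type))
    print("symmetric keys by algorithm:", dict(by_alg))
    print("problems:", check_private_keys(ents) or "none")
```

Feed it the real output of `keytool -list -keystore osp.jks` (piped to a file) and compare the recorded fingerprints against the values NAM or the SAML partner has been given; a changed fingerprint after a rebuild is the signal that the trust relationship needs to be updated.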
