KB Article #174027

Information about PassPort SSO keystore

Problem


Information about PassPort SSO keystore

Resolution

The SSO Agent needs to mutually authenticate with PassPort as well as with other components. PassPort delivers the SSO Agent and the PassPort server with default sets of certificates that a customer must change before going into production:

a) sso/webapps/ROOT/truststore.jks

This keystore is used to validate the server certificate (your component server). It must contain the public root certificate that signs the component server SSL certificate, stored as a trustedCertEntry. The default truststore is "truststore.jks" and its password is "axway*".

Generation conditions:

- Keystore type: JKS
- Basic constraint: CA = TRUE
- KeyUsage: Certificate Sign, CRL Sign
- KeyLength: Must be at least 2048 bit (for Root CAs, 4096 bit is recommended)
- Type: SSL CA, S/MIME CA, Object Signing CA

b) sso/webapps/ROOT/sso.jks

This keystore contains the SSO agent client SSL certificate and private key. The certificate is presented during the SSL handshake with your component server if that server requires client authentication, and the server will then attempt to validate it. The root certificate that signs the SSO agent SSL certificate must be in the server's trusted keystore. The default keystore is "sso.jks" and its password is "axway*".

These default keystores can be changed from the sso/webapps/ROOT/WEB-INF/web.xml file, or customer certificates can be deployed directly into the existing keystores, leaving the current web.xml configuration unchanged. Below is the web.xml extract with the keystore and truststore parametrization:

   <context-param>
       <param-name>keyStore</param-name>
       <param-value>sso.jks</param-value>
   </context-param>
   <context-param>
       <param-name>keyStorePwd</param-name>
       <param-value>axway*</param-value>
   </context-param>
   <context-param>
       <param-name>trustStore</param-name>
       <param-value>truststore.jks</param-value>
   </context-param>
   <context-param>
       <param-name>trustStorePwd</param-name>
       <param-value>axway*</param-value>
   </context-param>

Generation conditions:

- Must be an EndUser certificate (CA = FALSE)
- Extended KeyUsage: TLS Web server authentication
- KeyUsage: Digital Signature, Non-repudiation, Key Encipherment
- KeyLength: 2048 bit (1024 bit is already considered a weak key length)
- Type: SSL Client, S/MIME
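As an added check (example code written for this article, not PassPort's own tooling), the following Python reads the text of `keytool -list -v` for one keystore entry and tests it against the generation conditions listed above for truststore.jks and sso.jks. The sample listing is constructed, and the keytool field layout and KeyUsage names it expects are assumptions.

```python
import re

# Constructed sample of `keytool -list -v` output for one truststore entry;
# the field layout approximates modern JDK keytool output (an assumption).
SAMPLE_TRUSTSTORE_LISTING = """\
Entry type: trustedCertEntry
Subject Public Key Algorithm: 4096-bit RSA key
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]
"""
# KB conditions per keystore: (entry type, CA flag, required KeyUsage names, min key bits)
RULES = {
    "truststore.jks": ("trustedCertEntry", True, {"Key_CertSign", "Crl_Sign"}, 2048),
    "sso.jks": ("PrivateKeyEntry", False, {"DigitalSignature", "Non_repudiation", "Key_Encipherment"}, 2048),
}

def parse_listing(text):
    """Extract the fields the generation conditions depend on from keytool text."""
    entry = re.search(r"^Entry type:\s*(\S+)", text, re.M)
    bits = re.search(r"(\d+)-bit", text)
    ca = re.search(r"CA:(true|false)", text)
    usage = re.search(r"KeyUsage \[\s*(.*?)\s*\]", text, re.S)
    return {
        "entry_type": entry.group(1) if entry else None,
        "bits": int(bits.group(1)) if bits else 0,
        "ca": (ca.group(1) == "true") if ca else None,
        "usages": set(usage.group(1).split()) if usage else set(),
    }

def check(text, store):
    """Return the conditions the entry violates for `store`; an empty list means compliant."""
    want_type, want_ca, want_usage, min_bits = RULES[store]
    got = parse_listing(text)
    problems = []
    if got["entry_type"] != want_type:
        problems.append(f"entry type {got['entry_type']}, expected {want_type}")
    if got["ca"] != want_ca:
        problems.append(f"BasicConstraints CA={got['ca']}, expected {want_ca}")
    if want_usage - got["usages"]:
        problems.append("missing KeyUsage: " + ", ".join(sorted(want_usage - got["usages"])))
    if got["bits"] < min_bits:
        problems.append(f"{got['bits']}-bit key is below the {min_bits}-bit minimum")
    return problems
```

Run `check(listing, "sso.jks")` on the sso.jks entry's listing to apply the second set of conditions; the Extended KeyUsage and Type fields are not parsed here and still need a manual look.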