I was trying to see what happens during upgrade with the secret stores when the advanced server properties to change the SAML2 keystore location were in place. These properties and how to use them have never been really documented, so I have tried my best here.
Questions that started this Jira:
- Should upgrade work with the advanced server properties? Are the properties supposed to work with SAML2?
- What are those properties meant to change, exactly? Keystores for SAML signing assertions? Keystores for SAML signing metadata? Both? What about encryption?
I did two types of tests:
- Configure Java Home to JDK 1.8+
- Install AM 220.127.116.11
- Configure a hosted IDP, add a remote SP and a CoT. Add one signing and encryption key from the default keystore to the IDP.
I used the keys we configure by default nowadays, but the error messages I get seem to make me think they are wrong? Tested with "test" in both and it didn't work either. I may be doing this wrong all the way.
- Copy the original keystore and its files to a different name:
- Add the advanced server properties that let you change the keystore location for SAML:
- Restart AM, check that it works. I've seen that, if the above config is not OK or readable, there are logs written in the debug files. So check that they are clean.
- Stop Tomcat and configure J11
- Upgrade to 7
- Install AM 18.104.22.168 with J11
- Do not configure any SAML provider! (not that you can with J11)
- Copy the original keystore and its files to a different name
- Add the advanced server properties that let you change the keystore location for SAML
- Upgrade to 7
Sure, this is a silly scenario. Nobody should have the properties set if they don't have SAML configured, but it is an easy way to see what would happen, and whether I could upgrade at all, based on my problem above.
One thing I realized is that, even though the advanced properties are saved, they don't show in the configuration screen when you reload/reboot. I know, strange. But the upgrade process knows about them, as you will see in the screenshot below:
Not sure. Does the store configuration make sense with the advanced server properties configuration? That is, if those should be honored at all, which I'm not sure of at this point.
- The saml metadata signing points to the keystore in the adv server property.
- Advanced server properties are not showing (but are they really removed? They weren't showing in 6.5 either...)
- The default keystore is still the AM keystore. But it is the one that has the default global saml2 secret ID configured.