[OPENIDM-15342] Procedure to setup CA-signed cert should include updating openidm.https.keystore.cert.alias Created: 27/Aug/20  Updated: 16/Oct/20  Resolved: 13/Oct/20

Status: Closed
Project: OpenIDM
Component/s: documentation
Affects Version/s: 7.0.0, 6.5.0.4
Fix Version/s: 7.1.0, 7.0.1

Type: Bug Priority: Major
Reporter: Wei-Yee Lum Assignee: Lana Frost
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Verified Version/s:
Story Points: 0.5
Sprint: 2020.14 - IDM
Support Ticket IDs:
Epic Link: Doc sustaining 7.1

Description

In https://backstage.forgerock.com/docs/idm/7/security-guide/import-signed-cert.html
You can use existing CA-signed certificates to secure connections and data
...
If you specified an alias other than openidm-localhost for the new certificate, edit your secrets.json file to reference that alias.
...

{
  "secretId" : "idm.jwt.session.module.encryption",
  "types": [ "ENCRYPT", "DECRYPT" ],
  "aliases": [ "my-new-key", "&{openidm.https.keystore.cert.alias|openidm-localhost}" ]
}

  • Jetty uses the cert referenced in boot.properties openidm.https.keystore.cert.alias (by default openidm-localhost).
  • If an alias other than "openidm-localhost" is used for CA-signed cert, openidm.https.keystore.cert.alias needs to be updated (otherwise Jetty still presents the openidm-localhost cert).
  • And if openidm.https.keystore.cert.alias is updated, there should be no need to update secrets.json.
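As an added consistency check (not from the ticket or the OpenIDM docs), the script below resolves the &{property|default} substitution used in the quoted secrets.json entry against a boot.properties excerpt and reports when Jetty's configured alias and the session-encryption secret do not both point at the CA-signed certificate's alias. The boot.properties content and the alias my-ca-cert are constructed for illustration.

```python
import json
import re

# Constructed boot.properties excerpt (not from a real deployment): the alias Jetty uses.
BOOT_PROPERTIES = "openidm.port.https=8443\nopenidm.https.keystore.cert.alias=openidm-localhost\n"

# The secrets.json mapping quoted in the ticket; its second alias is a property
# substitution that resolves to the Jetty alias, defaulting to openidm-localhost.
SECRETS_MAPPING = """{
  "secretId": "idm.jwt.session.module.encryption",
  "types": ["ENCRYPT", "DECRYPT"],
  "aliases": ["my-new-key", "&{openidm.https.keystore.cert.alias|openidm-localhost}"]
}"""

SUBST = re.compile(r"&\{([^|}]+)(?:\|([^}]*))?\}")  # &{property|default}


def parse_properties(text):
    """Minimal key=value parser for boot.properties; blank and '#' lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def resolve(value, props):
    """Expand &{key|default}; a missing key with no default is left as written."""
    def repl(m):
        key, default = m.group(1), m.group(2)
        return props.get(key, default if default is not None else m.group(0))
    return SUBST.sub(repl, value)


def check_https_alias(boot_text, mapping_text, ca_alias):
    """Report whether Jetty and the session-encryption secret both select ca_alias."""
    props = parse_properties(boot_text)
    jetty_alias = props.get("openidm.https.keystore.cert.alias", "openidm-localhost")
    mapping = json.loads(mapping_text)
    resolved = [resolve(a, props) for a in mapping["aliases"]]
    findings = []
    if jetty_alias != ca_alias:
        findings.append(f"boot.properties still selects {jetty_alias!r}; Jetty will "
                        f"present that certificate, not {ca_alias!r}")
    if ca_alias not in resolved:
        findings.append(f"secrets.json aliases resolve to {resolved}, which omit {ca_alias!r}")
    return {"jetty_alias": jetty_alias, "resolved": resolved, "findings": findings}
```

With the constructed boot.properties unchanged the check reports both findings; once openidm.https.keystore.cert.alias is set to the CA alias, the secrets.json entry resolves to it with no edit to secrets.json, matching the ticket's third point.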


Comments
Comment by Lana Frost [ 13/Oct/20 ]

Fixed on master:
https://stash.forgerock.org/projects/OPENIDM/repos/openidm-docs/pull-requests/3013/overview
https://ea.forgerock.com/docs/idm/security-guide/import-signed-cert.html

Fixed on 7.0.x:
https://stash.forgerock.org/projects/OPENIDM/repos/openidm-docs/pull-requests/3015/overview

Comment by Michal Orlik [ 15/Oct/20 ]

LGTM 7.0.x

Comment by Julian Keller [ 16/Oct/20 ]

7.1.0

Generated at Wed Nov 25 08:24:56 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.