Product Documentation

Creating SKFS SSO PKI in a SAKA Environment

In a standalone SKFS environment, the server always loads SSO keys from file; all SSO keys must be generated with the keygen-sso.sh script bundled with the SKFS distribution. However, for a non-standalone SKFS in a SAKA environment, as of version 4.12.0 this key generation responsibility has moved from the keygen-sso.sh script (which still ships with our SKFS and SAKA distributions) to the Domain Setup (New-Domain-Setup-Wizard.sh) and Domain Replication (Secondary-SAKA-Replication-Final.sh) wizards.

Before delving into how keys are generated, it helps to know how the server loads them.

On server restart, one of the first things the SKFS does is load the SSO keys. This builds maps of all JWT and SAML keys and certificates, which are held in memory and used whenever JWT and/or SAML is enabled.

Per domain, these keys and certificates can be loaded in one of two ways: from token numbers or from an on-file keystore.

If the server is running as a standalone SKFS, it loads keys only from the on-file keystore, located at:

$STRONGKEY_HOME/skfs/keystores/ssosigningkeystore.bcfks

In the case of a non-standalone SKFS in a SAKA deployment, the server may either:

  • Load keys from token numbers. A token number is created when a base64-encoded BCFIPS keystore is encrypted; usually this happens during the Domain Setup wizard.
  • Load keys from the on-file SSO keystore. This capability is retained for non-standalone environments, although SSO key generation is now done primarily through the wizards.