In a standalone SKFS environment, the server always loads SSO keys from a file, and all SSO keys must be generated with the keygen-sso.sh script bundled with the SKFS distribution. In a SAKA environment (i.e., a non-standalone SKFS), as of version 4.12.0 the key generation responsibility has moved from keygen-sso.sh (the script still ships with both the SKFS and SAKA distributions) to the Domain Setup wizard (New-Domain-Setup-Wizard.sh) and the Domain Replication wizard (Secondary-SAKA-Replication-Final.sh).
Before delving into how keys are generated, it is worth understanding how the server loads them.
When the server starts (or restarts), one of the first things the SKFS does is load the SSO keys. It builds in-memory maps of all JWT and SAML signing keys and certificates; these maps are consulted whenever JWT and/or SAML is enabled.
Per domain, these keys and certificates can be loaded in one of two ways: by token number, or from an on-file keystore.
If the server is running as a standalone SKFS, it only loads keys from the on-file keystore, located at:
$STRONGKEY_HOME/skfs/keystores/ssosigningkeystore.bcfks
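To make the on-file loading step concrete, here is an added example (not SKFS or SAKA code) that opens that BCFKS keystore with the Bouncy Castle FIPS provider and builds the kind of JWT/SAML key-and-certificate maps described above. Everything beyond the keystore path and type is an assumption for illustration: the alias suffixes "-jwt" and "-saml" used to sort entries, the single password protecting both the store and its keys, and the password being passed on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

/** Illustrative loader for the on-file SSO signing keystore (example code, not SKFS code). */
public final class SsoKeystoreLoader {

    /** One loaded signing credential: the private key plus its certificate. */
    public static final class SigningEntry {
        public final PrivateKey key;
        public final Certificate cert;
        SigningEntry(PrivateKey key, Certificate cert) { this.key = key; this.cert = cert; }
    }

    /**
     * Loads every private-key entry from the BCFKS keystore into two maps keyed by alias,
     * one for JWT signing keys and one for SAML signing keys.
     * ASSUMPTION: entries are sorted by an alias suffix ("-jwt" / "-saml"); the real alias
     * scheme is whatever keygen-sso.sh or the domain wizard wrote into the keystore.
     * ASSUMPTION: the key entries are protected by the same password as the store.
     */
    public static Map<String, Map<String, SigningEntry>> load(Path keystorePath, char[] password)
            throws Exception {
        if (!Files.isRegularFile(keystorePath)) {
            // A standalone SKFS has no other source: a missing file means no SSO keys at all.
            throw new IllegalStateException("SSO keystore not found: " + keystorePath);
        }
        // BCFKS is a Bouncy Castle FIPS keystore type, so the BCFIPS provider must be registered.
        if (Security.getProvider("BCFIPS") == null) {
            Security.addProvider(new BouncyCastleFipsProvider());
        }
        KeyStore ks = KeyStore.getInstance("BCFKS", "BCFIPS");
        try (InputStream in = new FileInputStream(keystorePath.toFile())) {
            ks.load(in, password);   // verifies the store's integrity MAC against the password
        }

        Map<String, SigningEntry> jwt = new HashMap<>();
        Map<String, SigningEntry> saml = new HashMap<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue;            // trusted-certificate-only entries cannot sign anything
            }
            PrivateKey pk = (PrivateKey) ks.getKey(alias, password);
            Certificate cert = ks.getCertificate(alias);   // first certificate of the entry's chain
            if (cert == null) {
                throw new IllegalStateException("key entry without certificate: " + alias);
            }
            SigningEntry entry = new SigningEntry(pk, cert);
            if (alias.endsWith("-jwt")) {
                jwt.put(alias, entry);
            } else if (alias.endsWith("-saml")) {
                saml.put(alias, entry);
            }
            // Entries with any other alias are left out rather than guessed at.
        }
        Map<String, Map<String, SigningEntry>> maps = new HashMap<>();
        maps.put("JWT", jwt);
        maps.put("SAML", saml);
        return maps;
    }

    public static void main(String[] args) throws Exception {
        // Same location the text gives for a standalone SKFS.
        Path keystore = Paths.get(System.getenv("STRONGKEY_HOME"),
                "skfs", "keystores", "ssosigningkeystore.bcfks");
        // ASSUMPTION: password supplied as the first argument; a real deployment reads it
        // from its own secrets handling, never from a command line visible in ps output.
        Map<String, Map<String, SigningEntry>> maps = load(keystore, args[0].toCharArray());
        System.out.println("JWT signing keys:  " + maps.get("JWT").keySet());
        System.out.println("SAML signing keys: " + maps.get("SAML").keySet());
    }
}
```

Compile and run it with the Bouncy Castle FIPS jar (bc-fips) on the classpath. The point to take from it is the failure mode: in a standalone SKFS there is no token-number fallback, so a missing or unreadable ssosigningkeystore.bcfks, or a wrong password (which fails the integrity check in KeyStore.load), leaves the server with empty JWT and SAML maps and no way to sign anything.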
In the case of a non-standalone SKFS in a SAKA deployment, the server may either: