Product Documentation

    Domain Setup Wizard (New-Domain-Setup-Wizard)

    A new "Create Domain SSO PKI" page has been added to the new Domain Setup wizard which is responsible for creating the SSO PKI for the newly created encryption domain. This PKI consists of a Root CA and multiple JWT and SAML leaf certificates, resembling a 1-tier PKI hierarchy.

     

    [Image of page in new domain wizard]

     

    Upon reaching this "Create Domain SSO PKI" page, the domain administrator will have a chance to change the subject DNs of the Root CA, JWT, and SAML certificates. By default, they will be:

    CN=StrongKey FIDO Server RootCA,OU=DID {DID},O=StrongKey
    CN=SKFS JWT Issuer {COUNT},OU=DID {DID},O=StrongKey
    CN=SKFS SAML Issuer {COUNT},OU=DID {DID},O=StrongKey 

    Upon SSO PKI creation, the "{DID}" keyword for each subject DN will be replaced with the domain ID of the newly created encryption domain.

    Similarly, the "{COUNT}" keyword will be replaced with the certificate number. By default, 3 certs are created per SSO type. If the "{COUNT}" keyword has been removed, only a single certificate for the respective SSO type will be created instead.

    If the "RSA SAML Keys" checkbox is checked on SSO PKI creation, the SAML key algorithm will use RSA instead of EC.

    Unless a specific SSO requirement has been made for the SKFS, it is recommended that the values in each text field stay default.

     

    When the "Create" button is clicked, a number of things happen:

    • SSO PKI creation. Below are the default values for each key/cert that is created:

      Root CA:
              DN: CN=StrongKey FIDO Server RootCA, OU=DID ${DID}, O=StrongKey
              Duration: 20y
              Key algo: ECDSA
              Key size: 521 bits
              Sign algo: SHA512 with ECDSA

      JWT Leaf Certs:
              DN: CN=SKFS JWT Issuer ${COUNT}, OU=DID ${DID}, O=StrongKey
              Duration: 10y
              Key algo: ECDSA
              Key size: 384 bits
              Sign algo: SHA256 with ECDSA

      SAML (EC) Leaf Certs:
              DN: CN=SKFS SAML Token Issuer ${COUNT}, OU=DID ${DID}, O=StrongKey
              Duration: 10y
              Key algo: ECDSA
              Key size: 384 bits
              Sign algo: SHA256 with ECDSA

      SAML (RSA) Leaf Certs:
              DN: CN=SKFS SAML Token Issuer ${COUNT}, OU=DID ${DID}, O=StrongKey
              Duration: 10y
              Key algo: RSA
              Key size: 2048 bits
              Sign algo: SHA256 with RSA

    • Create SKFS FIDO Policy. This creates and populates a minimal SKFS FIDO policy with certificate details from the newly created SSO PKI.

    • Keystore encryption. The keystore that contains all of these newly created keys is converted to base64 and split into blocks of 10,000 characters (The max number of character that can be encrypted with KeyAppliance). The KeyAppliance (KA) then uses the new domain to encrypt these base64 blocks and return a list of token numbers for the SSO PKI keystore base64.

    • Set escrowed keystore base64 tokens to SKFS properties. The SKFS properties file on the system is searched for the "skfs.cfg.property.sso.keystore.encrypted.tokens" property. If not found, it will be added with an initial entry of: 
      [new did]:[token]-[token]-....
      If this property does exist, then it is appended to a list of entries. Ex. If creating a 2nd domain, the new property may look something like this: 
      skfs.cfg.property.sso.keystore.encrypted.tokens=1:1000000000000123-1000000000000456,2:1000000000000002-1000000000000003
    • Write property to file for replication. The wizard will write the "skfs.cfg.property.sso.keystore.encrypted.tokens" property value for the new domain to a {DID}-domainEscrowedSSOKeystore.properties file in the same location the domain administrator keystore was saved to. This will be used to set the property in the Domain Replication wizard.

    • Write certificates to the on-file truststore. If the SKFS SSO truststore used is found on the appliance in its appropriate location (/usr/local/strongauth/skfs/keystores/ssosigningtruststore.bcfks), it is loaded and the certificates generated during this wizard are added to it. If no truststore is found, it will be created and populated with the new certificates.

    • Write CSR files. When the SSO PKI is created, the CSR files are kept for use in an external PKI. These files are written to the usual .csr location on the appliance (/usr/local/strongauth/strongkeylite/etc/).

     

    Domain Replication Wizard (Secondary-SAKA-Replication-Final.sh)

    Similar to the Domain Setup wizard, the Domain Replication wizard has also received a new page. The new "Import SSO property" page has been added to the new Domain Replication wizard which is responsible for simply setting the skfs property value that was set during the Domain Setup wizard on the primary appliance.

     

    [Image of domain SSO replication page]

     

    In this page, simply click the "Browse" button and path to the location of the {DID}-domainEscrowedSSOKeystore.properties file that should be in the same directory as the new domain administrator keystore.