Product Documentation

To create a new domain on SKFS, the signing, JWT and SAML keystores must be populated for the new domain, a policy must be inserted for it and its default users created in OpenLDAP. Back up all keystores, OpenLDAP and the database before starting so that a restore to the original state is possible if anything goes wrong.

 

Prerequisites 

  • StrongKey FIDO Server (SKFS)
  • OpenJDK 21
  • Rocky Linux 9.3

 

Create a New Domain

To create a new domain for SKFS, follow the steps below. If unsure which domain ID (DID) to use next, see the section at the end of this page on finding the next DID and policy ID (PID).

  1. Log in as the "strongkey" user and open a terminal.

  2. Back up the database, OpenLDAP and the keystores.
  3. Generate the default JWT and SAML keys and the default policy for the new DID:

    shell> keygen-sso.sh -did $DID -jwt -saml -policy
    
    Example
    shell> /usr/local/software/keygen-sso.sh -did 9 -jwt -saml -policy
    
    Final Output Line:
    SKFS Policy written to '/tmp/SKFS-FIDO-Policy-did9-keygen.txt'. 
    Please use either the addpolicy api or the skfsadminclient tool to insert the policy into the database.
    
    

    NOTE:  The keygen-sso.sh script generates a minimal policy for the new DID and saves it, base64 encoded, in the /tmp directory as SKFS-FIDO-Policy-did${DID}-keygen.txt. The file contains only the base64 alphabet (A-Z, a-z, 0-9, +, /, =), which is why it can be spliced into the quoted SQL literal in the next step.

  4. Add the base64 encoded policy to the database. To find the next policy ID (PID), refer to the section on finding the next DID and PID. ${fidoPolicy} holds the contents of the policy file written in step 3:

    shell> mariadb --user=skfsdbuser --password=$MARIA_SKFSDBUSER_PASSWORD --database=skfs -e "insert into FIDO_POLICIES values (1,$DID,$NEXT_PID,'${fidoPolicy}','Active','',NOW(),NULL,NULL);"
    
    Example
    shell> mariadb --user=skfsdbuser -p --database=skfs -e "insert into FIDO_POLICIES values (1,9,9,'$(cat /tmp/SKFS-FIDO-Policy-did9-keygen.txt)','Active','',NOW(),NULL,NULL);"
    
    NOTE:  Passing the password as --password=... (or -p<password>, as in step 6) records it in the shell history and exposes it in the process list while the command runs. The example uses a bare -p instead so that the client prompts for it.
    
  5. Regenerate the signing key for the new domain id (DID):

    shell> java -jar /usr/local/strongkey/keymanager/keymanager.jar regeneratesigningkey <did> <keystore location> <truststore location> <keystore password> <algo>
    
    Example
    shell> java -jar /usr/local/strongkey/keymanager/keymanager.jar regeneratesigningkey 9 /usr/local/strongkey/skfs/keystores/signingkeystore.bcfks /usr/local/strongkey/skfs/keystores/signingtruststore.bcfks Abcd1234! EC
    
  6. Add the DID to the database:

    shell> mariadb -u skfsdbuser -p${MARIA_SKFSDBUSER_PASSWORD} skfs -e "insert into domains VALUES ($DID, 'SKFS $DID', 'Active', 'Active', '', NULL, '', NULL, 'CN=SKFS Signing Key,OU=DID $DID,OU=SKFS EC Signing Certificate 1,O=StrongKey', 'https://$(hostname):8181/app.json', NULL);"
    
    Example: 
    shell> mariadb -u skfsdbuser -p skfs -e "insert into domains VALUES (9, 'SKFS 9', 'Active', 'Active', '', NULL, '', NULL, 'CN=SKFS Signing Key,OU=DID 9,OU=SKFS EC Signing Certificate 1,O=StrongKey', 'https://$(hostname):8181/app.json', NULL);"
    
  7. Create the default SKFS users for the DID as the "root" user. From the directory where the fidoserver distribution was extracted (/usr/local/software in the example), run the script without arguments to see its usage:

    shell> /usr/local/software/create-SKFS-Users.sh
    Usage: 
    create-SKFS-Users.sh <did> <bind-pass> <skfs-user-pass> <skfs-ldif-path>    
    Options:
    did              The SKFS did to create.
    bind-pass        The default bind password for ldap
    skfs-user-pass   The desired password for the default ldap users that will be created.
    skfs-ldif-path   The full path to the skfs.ldif file (This should be located in the SKFS installation directory)
    
    
    Example
    shell> /usr/local/software/create-SKFS-Users.sh 9 Abcd1234! Abcd1234! /usr/local/software/skfs.ldif
    
  8. Restart Payara:

    shell> sudo systemctl restart payara
  9. With the new domain in place, the server can now execute FIDO operations for it.

 NOTE:  If you need to restore or roll back to the previous state for any reason, follow the steps here to recover the database and keystores from the backup taken in step 2.
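The procedure above gathered into one script, together with the next-DID/PID lookup described in the following section. This is an added example and not part of the SKFS distribution: it assumes the paths shown in the steps above, that the mariadb client is on the PATH and honours MYSQL_PWD, and that the "strongkey" user may sudo for steps 7 and 8. The function names (next_id, policy_b64, policy_insert, domain_insert, sql, apply_domain, dry_run) and the sample host skfs.example.com are chosen here. The checks it adds over the raw steps are that the policy file is really base64 before it is spliced into SQL, that the next IDs are derived from the database rather than typed in, and that the database password never appears on a command line.

```shell
#!/usr/bin/env bash
# Added example, not part of the SKFS distribution. Wraps the steps above:
# derive the next DID/PID from query output, check the policy file written by
# keygen-sso.sh before it is spliced into SQL, assemble the INSERT statements
# of steps 4 and 6, and (apply_domain) run steps 3 to 8 for a new domain.
set -eu

SKFS_HOME=/usr/local/strongkey/skfs                       # paths as used on the page
SOFTWARE_DIR=/usr/local/software
KEYMANAGER=/usr/local/strongkey/keymanager/keymanager.jar

# next_id MAX: MAX is what "select max(col) ..." prints under 'mariadb -N -B'
# (a number, or NULL for an empty table). Prints MAX+1; rejects anything else.
next_id() {
  local max=${1:-NULL}
  case "$max" in
    NULL)     echo 1 ;;
    *[!0-9]*) echo "next_id: unexpected value '$max'" >&2; return 1 ;;
    *)        echo $((max + 1)) ;;
  esac
}

# policy_b64 FILE: print the policy blob as a single line after checking it is
# standard base64. The blob goes inside a quoted SQL literal, so restricting it
# to [A-Za-z0-9+/=] guarantees it cannot close the quote; base64 -d confirms it
# really decodes (an empty or truncated keygen output is caught here).
policy_b64() {
  local blob
  blob=$(tr -d ' \t\r\n' < "$1")
  [ -n "$blob" ] || { echo "policy_b64: $1 is empty" >&2; return 1; }
  case "$blob" in
    *[!A-Za-z0-9+/=]*) echo "policy_b64: $1 is not base64" >&2; return 1 ;;
  esac
  printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || { echo "policy_b64: $1 does not decode" >&2; return 1; }
  printf '%s\n' "$blob"
}

# policy_insert DID PID FILE: the statement of step 4, first column 1 as on the page.
policy_insert() {
  local blob
  blob=$(policy_b64 "$3") || return 1
  printf "insert into FIDO_POLICIES values (1,%d,%d,'%s','Active','',NOW(),NULL,NULL);\n" "$1" "$2" "$blob"
}

# domain_insert DID HOST: the statement of step 6.
domain_insert() {
  printf "insert into domains VALUES (%d, 'SKFS %d', 'Active', 'Active', '', NULL, '', NULL, 'CN=SKFS Signing Key,OU=DID %d,OU=SKFS EC Signing Certificate 1,O=StrongKey', 'https://%s:8181/app.json', NULL);\n" "$1" "$1" "$1" "$2"
}

# sql QUERY: one-line result without header, for feeding next_id. The client
# reads the password from MYSQL_PWD, so it is neither in history nor in 'ps'.
sql() { mariadb -N -B -u skfsdbuser skfs -e "$1"; }

# apply_domain [DID]: steps 3 to 8 in page order, DID defaulting to max(did)+1.
# Run it only after the backup of step 2. keymanager.jar and create-SKFS-Users.sh
# take their passwords as arguments, so those two calls are visible in 'ps'
# while they run; the database password is not.
apply_domain() {
  : "${MYSQL_PWD:?export the skfsdbuser password as MYSQL_PWD}"
  : "${SIGNING_KEYSTORE_PASSWORD:?export the signing keystore password}"
  : "${LDAP_BIND_PASSWORD:?export the OpenLDAP bind password}"
  : "${SKFS_USER_PASSWORD:?export the password for the default SKFS users}"
  local did pid
  did=${1:-$(next_id "$(sql 'select max(did) from domains;')")}
  pid=$(next_id "$(sql 'select max(pid) from fido_policies;')")
  "$SOFTWARE_DIR/keygen-sso.sh" -did "$did" -jwt -saml -policy
  policy_insert "$did" "$pid" "/tmp/SKFS-FIDO-Policy-did${did}-keygen.txt" | mariadb -u skfsdbuser skfs
  java -jar "$KEYMANAGER" regeneratesigningkey "$did" \
    "$SKFS_HOME/keystores/signingkeystore.bcfks" \
    "$SKFS_HOME/keystores/signingtruststore.bcfks" "$SIGNING_KEYSTORE_PASSWORD" EC
  domain_insert "$did" "$(hostname)" | mariadb -u skfsdbuser skfs
  sudo "$SOFTWARE_DIR/create-SKFS-Users.sh" "$did" "$LDAP_BIND_PASSWORD" "$SKFS_USER_PASSWORD" "$SOFTWARE_DIR/skfs.ldif"
  sudo systemctl restart payara
}

# dry_run: offline demonstration on constructed data (max(did)=max(pid)=8, a
# stand-in policy file and a made-up host), printing the two statements so they
# can be reviewed before anything is written to the database.
dry_run() {
  local f did pid
  f=$(mktemp)
  printf '%s' '{"FidoPolicy":{"version":"1.0"}}' | base64 | tr -d '\n' > "$f"   # constructed, not keygen output
  did=$(next_id 8); pid=$(next_id 8)
  policy_insert "$did" "$pid" "$f"
  domain_insert "$did" skfs.example.com
  rm -f "$f"
}
dry_run
```

Running the file as-is only performs the dry run; to create a domain, source it, export the four passwords, and call apply_domain (with an explicit DID, or none to take max(did)+1). Because the real password for step 4 never goes on the command line, the `--password=$VAR` form from the page is not needed, and a policy file that is empty, truncated or contains anything outside the base64 alphabet aborts the run before the INSERT is built.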

How to find the next domain (DID) and Policy ID (PID)

 Follow the steps below to find the next DID:

  • In a terminal logged in as the "strongkey" user, run the following command and enter the password when prompted:

    shell> mariadb -u skfsdbuser -p skfs -e "select did, name from domains order by did;"
  • Sample Output:
    +-----+--------+
    | did | name   |
    +-----+--------+
    |   1 | SKFS 1 |
    |   2 | SKFS 2 |
    |   3 | SKFS 3 |
    |   4 | SKFS 4 |
    |   5 | SKFS 5 |
    |   6 | SKFS 6 |
    |   7 | SKFS 7 |
    |   8 | SKFS 8 |
    +-----+--------+
    8 rows in set (0.001 sec)
  • Then, still as the "strongkey" user, run the following command and enter the password when prompted. It returns the highest PID already in use plus one (or 1 if no policy exists yet):

    shell> mariadb -u skfsdbuser -p --database=skfs  -e "select coalesce(max(pid),0)+1 as nextPID from fido_policies;"
  • Sample Output
    +---------+
    | nextPID |
    +---------+
    |       9 |
    +---------+
    


In the sample output above the server already has 8 domains (DIDs 1 to 8), so the next DID is 9, and the second query shows that the next PID is also 9. Use these two values for $DID and $NEXT_PID in the steps above.