To create a new domain on SKFS, signing, JWT and SAML keystores need to be created for the new domain. Taking a backup of all the keystores, OpenLDAP and the database is recommended in case a restore to the original state is required.
Prerequisites
Create a New Domain
Follow the steps below to create a new domain for SKFS. If unsure of the next domain ID (DID), please refer to the section on how to find the next domain.
Log in as the "strongkey" user and open a terminal.
Generate the default JWT, SAML and policy for the new DID:
shell> keygen-sso.sh -did $DID -jwt -saml -p -policy
Example
shell> /usr/local/software/keygen-sso.sh -did 9 -jwt -saml -policy
NOTE: The keygen-sso script generates a minimal policy for the new DID and saves the base64 encoded policy in the /tmp directory as SKFS-FIDO-Policy-did${DID}-keygen.txt.
Add the base64 encoded policy to the database. To find the next policy ID (PID), please refer to the section on how to find the PID:
shell> mariadb --user=skfsdbuser --password=$MARIA_SKFSDBUSER_PASSWORD --database=skfs -e "insert into FIDO_POLICIES values (1,$DID,$NEXT_PID,'${fidoPolicy}','Active','',NOW(),NULL,NULL);"
Example
shell> mariadb --user=skfsdbuser -p --database=skfs -e "insert into FIDO_POLICIES values (1,9,9,'$(cat /tmp/SKFS-FIDO-Policy-did9-keygen.txt)','Active','',NOW(),NULL,NULL);"
Regenerate the signing key for the new domain ID (DID):
shell> java -jar /usr/local/strongkey/keymanager/keymanager.jar regeneratesigningkey <did> <keystore location> <truststore location> <keystore password> <algo>
Example
shell> java -jar /usr/local/strongkey/keymanager/keymanager.jar regeneratesigningkey 9 /usr/local/strongkey/skfs/keystores/signingkeystore.bcfks /usr/local/strongkey/skfs/keystores/signingtruststore.bcfks Abcd1234! EC
Add the DID to the database:
shell> mariadb -u skfsdbuser -p${MARIA_SKFSDBUSER_PASSWORD} skfs -e "insert into domains VALUES ($DID, 'SKFS $DID', 'Active', 'Active', '', NULL, '', NULL, 'CN=SKFS Signing Key,OU=DID $DID,OU=SKFS EC Signing Certificate 1,O=StrongKey', 'https://$(hostname):8181/app.json', NULL);"
Example
shell> mariadb -u skfsdbuser -p skfs -e "insert into domains VALUES (9, 'SKFS 9', 'Active', 'Active', '', NULL, '', NULL, 'CN=SKFS Signing Key,OU=DID 9,OU=SKFS EC Signing Certificate 1,O=StrongKey', 'https://$(hostname):8181/app.json', NULL);"
Create default SKFS users for the DID:
shell> /usr/local/software/create-SKFS-Users.sh
Usage: create-SKFS-Users.sh
Options:
  did             The SKFS DID to create.
  bind-pass       The default bind password for LDAP.
  skfs-user-pass  The desired password for the default LDAP users that will be created.
  skfs-ldif-path  The full path to the skfs.ldif file (this should be located in the SKFS installation directory).
Example
shell> /usr/local/software/create-SKFS-Users.sh 9 Abcd1234! Abcd1234! /usr/local/software/skfs.ldif
Restart Payara:
shell> sudo systemctl restart payara
You can now use the new domain to perform FIDO operations.
NOTE: If you need to restore (roll back) to the previous state for any reason, follow the steps here to recover the database and keystores.
How to find the next domain (DID) and Policy ID (PID)
Follow the steps below to find the next DID:
In a terminal logged in as the “strongkey” user, type the following command and enter the password when prompted:
shell> mariadb -u skfsdbuser -p skfs -e "select did, name from domains order by did;"
+-----+--------+
| did | name   |
+-----+--------+
|   1 | SKFS 1 |
|   2 | SKFS 2 |
|   3 | SKFS 3 |
|   4 | SKFS 4 |
|   5 | SKFS 5 |
|   6 | SKFS 6 |
|   7 | SKFS 7 |
|   8 | SKFS 8 |
+-----+--------+
8 rows in set (0.001 sec)
To find the next policy ID (PID), type the following command in the same terminal and enter the password when prompted:
shell> mariadb -u skfsdbuser -p --database=skfs -e "select max(pid) as nextPID from fido_policies;"
+---------+
| nextPID |
+---------+
|       9 |
+---------+
As you can see in the example above, the server already has 8 domains, so the next domain ID (DID) is 9.
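The whole procedure above, together with the DID lookup in this section, as one added dry-run helper. This is example code written for this page, not part of the SKFS documentation or of StrongKey's tooling. It derives the next DID from the output of the domains query, checks the policy file that keygen-sso.sh writes before its contents are inlined into the SQL literal, and prints the exact commands to run without executing any of them. The function names (next_id, policy_is_base64, policy_insert_sql, plan) are this example's own; the paths, script names and SQL statements are taken from the page; the query output embedded below is constructed; and the `-N -B` flags named in the comment are the standard MariaDB client options for header-less, tab-separated output.

```shell
#!/bin/sh
# Added example, not part of the SKFS documentation or StrongKey's tooling:
# a dry-run helper for the new-domain procedure. It derives the next DID from
# the domains query, checks the generated policy file before it is inlined
# into SQL, and prints the exact commands to run without executing any of them.
# Paths and script names are the page's; the query output below is constructed.

SOFTWARE_DIR=/usr/local/software
KEYSTORE_DIR=/usr/local/strongkey/skfs/keystores
KEYMANAGER_JAR=/usr/local/strongkey/keymanager/keymanager.jar

# Constructed stand-in for the output of
#   mariadb -N -B -u skfsdbuser -p skfs -e "select did from domains;"
SAMPLE_DIDS="1
2
3
4
5
6
7
8"

# next_id LIST: highest numeric value in the whitespace-separated LIST, plus
# one. Non-numeric tokens are rejected so a garbled result cannot become a DID.
next_id() {
  max=0
  for id in $1; do
    case "$id" in
      ''|*[!0-9]*) echo "next_id: non-numeric id '$id'" >&2; return 1 ;;
    esac
    [ "$id" -gt "$max" ] && max=$id
  done
  echo $((max + 1))
}

# policy_is_base64 FILE: true only if FILE is non-empty and contains nothing
# but the base64 alphabet, '=' padding and newlines. Anything else, a single
# quote in particular, would break the quoted SQL literal built with $(cat ...).
policy_is_base64() {
  [ -s "$1" ] && ! tr -d 'A-Za-z0-9+/=\n' < "$1" | grep -q .
}

# policy_insert_sql DID PID FILE: the FIDO_POLICIES insert from the page, with
# the policy file contents inlined once the file has passed policy_is_base64.
policy_insert_sql() {
  policy_is_base64 "$3" || { echo "policy_insert_sql: $3 is not a base64 policy" >&2; return 1; }
  printf "insert into FIDO_POLICIES values (1,%s,%s,'%s','Active','',NOW(),NULL,NULL);" \
    "$1" "$2" "$(cat "$3")"
}

# plan DID PID HOST: print the full command sequence for review. Secrets stay
# as placeholders so they never appear in the plan output or in shell history.
plan() {
  did=$1 pid=$2 host=$3
  cat <<EOF
$SOFTWARE_DIR/keygen-sso.sh -did $did -jwt -saml -policy
mariadb --user=skfsdbuser -p --database=skfs -e "insert into FIDO_POLICIES values (1,$did,$pid,'\$(cat /tmp/SKFS-FIDO-Policy-did$did-keygen.txt)','Active','',NOW(),NULL,NULL);"
java -jar $KEYMANAGER_JAR regeneratesigningkey $did $KEYSTORE_DIR/signingkeystore.bcfks $KEYSTORE_DIR/signingtruststore.bcfks '<keystore password>' EC
mariadb -u skfsdbuser -p skfs -e "insert into domains VALUES ($did, 'SKFS $did', 'Active', 'Active', '', NULL, '', NULL, 'CN=SKFS Signing Key,OU=DID $did,OU=SKFS EC Signing Certificate 1,O=StrongKey', 'https://$host:8181/app.json', NULL);"
$SOFTWARE_DIR/create-SKFS-Users.sh $did '<ldap bind password>' '<skfs user password>' $SOFTWARE_DIR/skfs.ldif
sudo systemctl restart payara
EOF
}

# Stand-alone demo over the constructed sample: next DID is 9, PID given as 9.
if [ "${1:-}" = "--demo" ]; then
  did=$(next_id "$SAMPLE_DIDS") || exit 1
  plan "$did" 9 "$(hostname)"
fi
```

Running the script with `--demo` prints the six commands for DID 9 with the secrets left as placeholders; in real use, replace SAMPLE_DIDS with the live query output and run `policy_insert_sql` only after keygen-sso.sh has written the policy file. The base64 check exists because the page's `'$(cat ...)'` construction pastes the file verbatim into a single-quoted SQL string, so any character outside the base64 alphabet (a stray quote from a hand-edited file, for instance) would either break the statement or change its meaning.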