Editing the upgrade script allows the user to configure details for new updates.
The following configurables have been added to the upgrade-skfs.sh script:
DELETE_OLD_POLICIES : Setting this flag to true will only keep the earliest active policy per domain in the database and delete the others, otherwise other policies will be set to inactive.
AUTH_RETURN_RESPONSE_LEVEL : Property that determines level of authentication detail that is returned in the preauthenticate and authenticate web service responses.
JWT_KEYGEN_DN : The value of this variable determines the Base Distinguished Name ("DN") that will be used in the Subject DN of the JWT keypair to be created.
JWT_CN_LIST : The value of this variable is a comma separated list of Common Names ("CN"s) that will be used in the Subject DN of the JWT keypair to be created.
JWT_KEY_VALIDITY : Value to determine how long the JWT key is valid for (in days)
SAML_KEYGEN_DN : The value of this variable determines the Base Distinguished Name ("DN") that will be used in the Subject DN of the SAML keypair to be created.
SAML_CN_LIST: The value of this variable is a comma separated list of Common Names ("CN"s) that will be used in the Subject DN of the SAML keypair to be created.
SAML_KEY_VALIDITY : Value to determine how long the SAML key is valid for (in days)
In SKFS version 4.10.0, the JWT and SAML signing keys/certificates are being revamped such that for each domain in SKFS, a Root Certificate Authority (Root CA) is generated to issue certificates for 'N' number of SSO (SAML and/or JWT) signing keys, resembling a 2-tier PKI hierarchy. While prior to this version, each SSO key (JWT and SAML) had their own self-signed CA issuing their certificates, not all SSO certificates in a domain were issued by the same CA. This SKFS version will correct this by having a single Root CA that issues ALL SSO signing certificates for each domain. Generating new SSO signing keys will now use the existing domain's Root CA to issue the certificates for these keys, or create a new Root CA if the domain does not already have one.
This key generation change means that existing JWT and SAML signing keys/certificates will be replaced with new ones generated during the 4.10.0 upgrade. If you are using Citrix with the SKFS for SAML authentication, you will need to update the signing certificate used in your Citrix Gateway's SAML Policy. This certificate may be found in the /usr/local/strongkey/skfs/keystores/sso-keys/ directory.