The default jbid_test_keystore.jks is useful for testing purposes, but in production you need to generate and use your own keystore as follows:

1. Generate your keystore file using the keytool command:

   keytool -genkey -alias secure-key -keyalg RSA -keystore secure-keystore.jks

   You will be asked to enter a keystore password and a key password. Remember them; they are needed in the next steps.

2. Install the file:

   - to PLATFORM_*/standalone/configuration/gatein/saml2/ if you are configuring eXo Platform SP/IDP;
   - to WEB-INF/classes/ inside PLATFORM_*/standalone/deployments/idp-sig.war if you are configuring idp-sig.war.

3. Modify the PicketLink configuration file to provide your keystore password and key password. The PicketLink configuration file is:

   - PLATFORM_SP/standalone/configuration/gatein/saml2/picketlink-sp.xml if you are configuring eXo Platform SP;
   - PLATFORM_IDP/standalone/configuration/gatein/saml2/picketlink-idp.xml if you are configuring eXo Platform IDP;
   - WEB-INF/picketlink.xml inside PLATFORM_*/standalone/deployments/idp-sig.war if you are configuring idp-sig.war.

   The following configuration is for the SP; the IDP and idp-sig.war configurations are similar:

   <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
       <Auth Key="KeyStoreURL" Value="${gatein.sso.picketlink.keystore}"/>
       <Auth Key="KeyStorePass" Value="keystore pass"/>
       <Auth Key="SigningKeyPass" Value="key pass"/>
       <Auth Key="SigningKeyAlias" Value="secure-key"/>
       <ValidatingAlias Key="${gatein.sso.sp.host}" Value="secure-key"/>
   </KeyProvider>

   Replace "keystore pass" and "key pass" with the passwords you chose in step 1, and make sure SigningKeyAlias matches the alias given to keytool (secure-key above).

   On Windows, you should use the absolute path to the keystore file instead of ${gatein.sso.picketlink.keystore}.
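A mistake that is easy to make after the three steps above is to install the new keystore but leave the documentation's placeholder passwords, or a property-based KeyStoreURL on Windows, in the KeyProvider block. The script below is an added example, not part of the eXo Platform or PicketLink documentation: it parses a picketlink-sp.xml, picketlink-idp.xml or picketlink.xml file, finds the KeyProvider element and reports values still at the placeholders shown above, missing Auth keys, and a property-based KeyStoreURL when run for a Windows host. The sample XML embedded in it is constructed for the demonstration; the root element and its namespace are assumed and only serve to show that a namespaced file is handled.

```python
"""Sanity-check the <KeyProvider> block of a PicketLink configuration file.

Added example (not eXo Platform or PicketLink code). Usage:
    python check_key_provider.py picketlink-sp.xml [--windows]
"""
import sys
import xml.etree.ElementTree as ET

# Placeholder values exactly as they appear in the documentation snippet.
PLACEHOLDERS = {"KeyStorePass": "keystore pass", "SigningKeyPass": "key pass"}
# Auth keys the KeyStoreKeyManager block in the documentation relies on.
REQUIRED = ("KeyStoreURL", "KeyStorePass", "SigningKeyPass", "SigningKeyAlias")


def _local(tag):
    """Strip an XML namespace, e.g. '{urn:x}Auth' -> 'Auth'."""
    return tag.rsplit("}", 1)[-1]


def check_key_provider(xml_text, windows=False):
    """Return a list of human-readable findings; an empty list means no issue found."""
    root = ET.fromstring(xml_text)
    providers = [e for e in root.iter() if _local(e.tag) == "KeyProvider"]
    if not providers:
        return ["no <KeyProvider> element found"]
    findings = []
    for kp in providers:
        auth = {a.get("Key"): a.get("Value", "") for a in kp if _local(a.tag) == "Auth"}
        for key in REQUIRED:
            if not auth.get(key):
                findings.append('missing or empty <Auth Key="%s">' % key)
        for key, placeholder in PLACEHOLDERS.items():
            if auth.get(key) == placeholder:
                findings.append("%s is still the documentation placeholder '%s'" % (key, placeholder))
        url = auth.get("KeyStoreURL", "")
        # The documentation requires an absolute path on Windows, not the property.
        if windows and "${" in url:
            findings.append("on Windows KeyStoreURL must be an absolute path, not %s" % url)
        aliases = [v.get("Value", "") for v in kp if _local(v.tag) == "ValidatingAlias"]
        if not aliases:
            findings.append("no <ValidatingAlias> entries in <KeyProvider>")
        elif any(not a for a in aliases):
            findings.append("<ValidatingAlias> with an empty Value")
    return findings


# Constructed sample: the documentation's SP snippet, unchanged, inside an
# assumed root element so that it parses as a complete file.
SAMPLE_UNCHANGED = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
    <Auth Key="KeyStoreURL" Value="${gatein.sso.picketlink.keystore}"/>
    <Auth Key="KeyStorePass" Value="keystore pass"/>
    <Auth Key="SigningKeyPass" Value="key pass"/>
    <Auth Key="SigningKeyAlias" Value="secure-key"/>
    <ValidatingAlias Key="${gatein.sso.sp.host}" Value="secure-key"/>
  </KeyProvider>
</PicketLink>"""

# Constructed sample after step 3 on a Windows host: passwords replaced
# (values made up for the example) and an absolute keystore path.
SAMPLE_FIXED = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
    <Auth Key="KeyStoreURL" Value="C:/exo/saml2/secure-keystore.jks"/>
    <Auth Key="KeyStorePass" Value="example-store-secret"/>
    <Auth Key="SigningKeyPass" Value="example-key-secret"/>
    <Auth Key="SigningKeyAlias" Value="secure-key"/>
    <ValidatingAlias Key="sp.example.org" Value="secure-key"/>
  </KeyProvider>
</PicketLink>"""


def main(argv):
    if len(argv) < 2:
        # No file given: demonstrate on the embedded samples.
        for name, text in (("unchanged", SAMPLE_UNCHANGED), ("fixed", SAMPLE_FIXED)):
            print("%s (windows): %s" % (name, check_key_provider(text, windows=True) or "OK"))
        return 0
    with open(argv[1], encoding="utf-8") as fh:
        findings = check_key_provider(fh.read(), windows="--windows" in argv[2:])
    for f in findings:
        print("- " + f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the two embedded samples checked; pass a real configuration path (and --windows on a Windows host) to check a deployment. The namespace stripping in _local is what lets the same code work whether the file declares a default namespace or not.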