By: Mursel Koseer user 20 Nov 2024 at 2:04 a.m. CST

I am experiencing an issue with key rotation across our two Gluu servers. Here’s a summary of the problem: When the key rotation timer executes on one Gluu server, new public keys are successfully generated and stored in LDAP. Due to LDAP replication, these updated public keys are then synchronized to the second Gluu server as expected. However, I am concerned about the /etc/certs/ directory, particularly the pkcs12 keystore file, which contains the corresponding private keys. I want to ensure that both servers have the correct private key file synchronized. Could you clarify the following: Does Gluu automatically handle synchronization of the pkcs12 keystore file across multiple servers, or do I need to configure multi-master replication in the cluster manager to synchronize the /etc/certs/ directory between servers?

By Mohib Zico Account Admin 20 Nov 2024 at 2:06 a.m. CST

Hi Mursel, how did you build this cluster? Is it VM based or Cloud Native? If VM based, which doc did you follow?

By Mursel Koseer user 20 Nov 2024 at 2:13 a.m. CST

Hi Mohib, we have two cluster managers for the same servers: one is set up on my local PC and the other on a Windows server. I did not follow any specific online documentation for this setup, as we had a backup configuration for the cluster manager in place.

By Mohib Zico Account Admin 20 Nov 2024 at 3:10 a.m. CST

I am not precisely sure how "two" cluster managers might work together, BUT I am sharing what a standard procedure might look like... Cluster Manager has a feature named [Key Rotation](https://gluu.org/docs/cm/4.4/deploy/#key-rotation) which you should use if you use a VM based cluster with Cluster Manager. But if you use Cluster Manager's "Key Rotation" feature, you should keep oxAuth's key regeneration feature off. Screenshot attached.

By Mursel Koseer user 20 Nov 2024 at 3:25 a.m. CST

Okay, I understand. When I go to the key rotation section of Cluster Manager, I get an error: "Key generator .../keygen.jar was not found. Key rotation will not work unless the instructions are followed https://gluu.org/docs/cm/installation/#add-key-generator". When navigating to the URL and following the instructions to download this jar, I am greeted with a login page, or when making the request from my server I get "Unauthorized". Why do we need these credentials and where can I find them?

By Mohib Zico Account Admin 20 Nov 2024 at 4:15 a.m. CST

Yes. https://github.com/GluuFederation/docs-gluu-server-prod/wiki/Getting-Access-to-Gluu-4-Binaries

By Mursel Koseer user 20 Nov 2024 at 4:21 a.m. CST

Okay, thanks, I will send an email for the access. I also found this link "https://gluu.org/docs/gluu-server/4.0/operation/replace-expired-jks-scim/#manually-generate-and-apply-key" to manually replace the keys, but I am missing "org.gluu.oxauth.util.KeyGenerator". Do you know where I can find or download this?

By Mohib Zico Account Admin 20 Nov 2024 at 6:52 a.m. CST

That should be inside `/opt/dist/gluu/oxauth-client-jar-with-dependencies.jar`. You can try a command like... `/opt/jre/bin/java -Dlog4j.defaultInitOverride=true -cp /opt/dist/gluu/oxauth-client-jar-with-dependencies.jar org.gluu.oxauth.util.KeyGenerator -keystore ......`

By Mursel Koseer user 21 Nov 2024 at 2:24 a.m. CST

Okay, it worked, thanks. I have one last question. We're using the key regeneration functionality and have two Gluu servers in our setup. In Cluster Manager, we configured LDAP replication for both servers, which replicates the public keys correctly in LDAP. However, the corresponding private keys are not replicated. To address this, we added file system replication in Cluster Manager to include the /etc/certs directory as well; otherwise you will get mismatches, right? Do you think this is a good approach, so that every server uses the same public/private keys?

By Mohib Zico Account Admin 27 Nov 2024 at 4:33 a.m. CST

Hi Mursel,
>> To address this, we added file system replication in the cluster manager to include the /etc/certs directory as well otherwise you will get mismatches right?
Yes, that's fine.
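The mismatch discussed above (public keys replicated through LDAP, private keys left behind in each server's pkcs12 keystore) can be verified after a rotation or a file system sync. The following check is an added example, not code from the thread or from Gluu: it compares the kids each server publishes in its JWKS (the oxAuth `/oxauth/restv1/jwks` endpoint) with the PrivateKeyEntry aliases reported by `keytool -list` for that server's keystore, and lists every advertised kid for which the server holds no private key. Both inputs are constructed samples embedded inline; in practice they would be captured from each server first.

```python
import json
import re

# Constructed sample: JWKS documents as published by each server. LDAP
# replication makes them identical, which is exactly the case in the thread.
JWKS_SERVER_A = json.dumps({"keys": [
    {"kid": "11111111-aaaa_sig_rs256", "use": "sig", "alg": "RS256"},
    {"kid": "22222222-bbbb_enc_rsa1_5", "use": "enc", "alg": "RSA1_5"},
]})
JWKS_SERVER_B = JWKS_SERVER_A

# Constructed sample: `keytool -list -keystore /etc/certs/<keystore>.pkcs12`
# output on server A, where the rotation timer ran and new keys were written.
KEYTOOL_SERVER_A = """Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

11111111-aaaa_sig_rs256, Nov 20, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD
22222222-bbbb_enc_rsa1_5, Nov 20, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): EE:FF:00:11
"""
# Server B's keystore was never synced: it still holds only the previous key.
KEYTOOL_SERVER_B = """Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

00000000-old_sig_rs256, Oct 20, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 22:33:44:55
"""

# One keytool entry line: "<alias>, <date>, <EntryType>," (fingerprint lines
# contain no comma and are skipped).
ENTRY_RE = re.compile(r"^(?P<alias>[^,\n]+), .*?, (?P<type>\w+Entry),\s*$", re.M)

def jwks_kids(jwks_json):
    """Kids the server advertises to relying parties."""
    return {k["kid"] for k in json.loads(jwks_json)["keys"]}

def keystore_private_aliases(keytool_output):
    """Aliases backed by a private key (PrivateKeyEntry only)."""
    return {m["alias"] for m in ENTRY_RE.finditer(keytool_output)
            if m["type"] == "PrivateKeyEntry"}

def check_server(jwks_json, keytool_output):
    """Advertised kids with no private key here: this server cannot sign or
    decrypt with them, so tokens it issues will not match what it publishes."""
    return sorted(jwks_kids(jwks_json) - keystore_private_aliases(keytool_output))

def check_cluster(servers):
    """servers: {name: (jwks_json, keytool_output)} -> {name: missing kids}."""
    return {name: check_server(j, k) for name, (j, k) in servers.items()}
```

An empty list for every server means the keystore sync is consistent with the replicated public keys; a non-empty list on a server is the mismatch that the /etc/certs file system replication is meant to prevent.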