IBM Verify

  • 1.  Federation : certificate fail-over

    Posted Fri September 27, 2019 11:21 AM
    Hello Community,

    I have a quick question for you guys: we are migrating our federations from TFIM to ISAM9. In my case I have a certificate (created on my own) to sign my SAML tokens, and this certificate is used by two federations.

    Is it possible to set up a certificate fail-over mechanism? This way, when one certificate is going to expire, the only thing needed is to set up an additional certificate. When one partner updates, it will automatically switch to the old one without impacting the other partner, who will update the certificate later.

    I do not think this is possible, so as an alternative question: when you have hundreds of federations, how do you manage certificate management for signing and encryption? Of course, the more automated the solution is, the better.

    Thank you very much,

    ------------------------------
    Christophe Agostini
    ------------------------------


  • 2.  RE: Federation : certificate fail-over

    Posted Fri September 27, 2019 11:40 AM

    Hello Christophe,

    In TFIM that was actually the default behavior.

    Please review the 'Key Selection Criteria' in the TFIM Documentation:

    https://www.ibm.com/support/knowledgecenter/en/SSZSXU_6.2.2.7/com.ibm.tivoli.fim.doc_6227/config/concept/KeySelectionCriteria.html

    The same thing is offered in ISAM 9.0.X:
    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.7/com.ibm.isam.doc/config/reference/ref_aac_advcfgprop.html#aac_advcfgprop__d179e2698


    kess.keySelectionCriteria
    Specify which key or certificate to use for signing, validating, encrypting, or decrypting various messages. If there are multiple keys or certificates with the same Subject DN as the key or certificate with the specified alias, this setting determines which one to use. Use one of the following selection methods:

    only.alias
    Select the key or certificate with the specified alias. This is the default.
    longest.lifetime
    Select the key or certificate with the longest lifetime.
    shortest.lifetime
    Select the key or certificate with the shortest lifetime.

    Data type: String
    Example: only.alias

    ----
    This only works if the certificate maintains the same Distinguished name.

    The failover also only happens when the certificate in use actually expires, so if the Partner switches before the cert is actually expired you'll experience errors.

    There's not any built-in functionality that I know of to achieve an instantaneous failover.

    If you need to manage certificates then using the REST API is the best way to do it after you've gotten the hang of it.

    For example, updating a certificate would take some scripting, but at a high level it'd be like:

    1) Import the public key

    2) Recurse through the certificates to find the label (assuming you didn't assign it one)

    3) Get the Certificate ID and Keystore ID

    4) Update the Federation/Partner to edit the certificate/keystore ID

    We have REST APIs to get all that information; the trick is putting it together in a shell script.

    There's also the Ansible playbook available to help with automation.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------
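    As an added illustration of the documented selection rule and of the two caveats in the reply above (the successor must keep the same Subject DN, and a still-valid certificate is not replaced early), here is a small model written for this thread; it is not ISAM code. It assumes that "lifetime" means remaining validity from the current time, that expired entries are skipped, and the keystore entries shown are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class CertEntry:
    """One keystore entry as the appliance would list it (constructed)."""
    alias: str
    subject_dn: str
    not_before: datetime
    not_after: datetime

def select_cert(entries, alias, criteria, now):
    """Model of kess.keySelectionCriteria: start from the aliased entry,
    then among entries sharing its Subject DN choose by lifetime.
    Assumption: lifetime = remaining validity from `now`; expired skipped."""
    anchor = next(e for e in entries if e.alias == alias)
    if criteria == "only.alias":
        return anchor
    pool = [e for e in entries
            if e.subject_dn == anchor.subject_dn and e.not_after > now]
    if not pool:
        return None
    remaining = lambda e: e.not_after - now
    if criteria == "longest.lifetime":
        return max(pool, key=remaining)
    if criteria == "shortest.lifetime":
        return min(pool, key=remaining)
    raise ValueError(f"unknown selection criteria: {criteria}")

def rollover_report(entries, alias, now, warn_days=30):
    """Pre-rollover check: is the aliased cert close to expiry, and does a
    successor with the SAME Subject DN exist (the condition the reply
    says the automatic fail-over depends on)?"""
    anchor = next(e for e in entries if e.alias == alias)
    successors = [e.alias for e in entries if e.subject_dn == anchor.subject_dn
                  and e.alias != alias and e.not_after > anchor.not_after]
    return {"alias": alias,
            "days_left": (anchor.not_after - now).days,
            "expiring_soon": anchor.not_after - now <= timedelta(days=warn_days),
            "successor_with_same_dn": successors}

# Constructed sample keystore: live signer, same-DN renewal, renewal with a changed DN.
NOW = datetime(2019, 9, 27, tzinfo=timezone.utc)
DN = "CN=idp.example.test,O=Example"
SAMPLE = [
    CertEntry("saml-signer", DN, NOW - timedelta(days=700), NOW + timedelta(days=20)),
    CertEntry("saml-signer-2020", DN, NOW - timedelta(days=5), NOW + timedelta(days=725)),
    CertEntry("saml-signer-newdn", "CN=sso.example.test,O=Example", NOW - timedelta(days=5), NOW + timedelta(days=725)),
]
```

    Running `rollover_report` over a real keystore listing on a schedule is the kind of proactive check asked for later in the thread; the selection model shows why a renewal issued under a different DN is never picked up by the rule.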



  • 3.  RE: Federation : certificate fail-over

    Posted Fri September 27, 2019 11:56 AM

    Hello Jack,

    Thanks for the great answer. However, as you mention, this does not work in the case when the main (and soon to be expired) certificate is still valid.

    My point is: if you have hundreds of federations, with people and servers with their own SLA, time zone, etc., how do you suggest managing certificate replacement? Our processes are fully automated thanks to the Ansible / Python / REST API combo. But how can we be proactive and automatically switch certificates when our partner starts using the new one, without having to run a command?

    If you have partners located in Asia, Europe and America, it is tricky (and time-consuming) to coordinate everyone when you want to switch certificates.



    ------------------------------
    Christophe Agostini
    ------------------------------