Disable SecToken validation in nevisAuth
Scenarios where disabling the SecToken is recommended
By default, nevisAuth re-verifies the SecToken of every request it receives in a step-up scenario. This becomes a problem during a certificate rollover: once the signing key material has changed and nevisAuth has been restarted with the new keys, SecTokens that were signed with the previous key no longer pass signer verification. For such scenarios, Nevis recommends disabling SecToken validation in nevisAuth through the configuration.
Scenarios where disabling the SecToken is required
Disabling SecToken validation is required in complex certificate rollover or renewal scenarios that affect several components and must be carried out with zero downtime. In such a rollover the components are switched to the new key material and restarted one by one, so for a while SecTokens signed with the old key and with the new key are both in circulation. nevisAuth trusts only the certificates in its current keystore and cannot be given additional ones, so signer verification fails for tokens issued under the other key. Because the SecToken is also validated by the other components and not only by nevisAuth, the security impact of disabling the check in nevisAuth is negligible. Still, treat it as a rollover-time setting: once every component runs with the new key material, there is no longer a reason to keep it disabled.
How to disable the SecToken
You disable SecToken validation in the nevisAuth esauth4.xml file by setting the validateSecToken attribute on the esauth-server element to disable:
<esauth-server instance="I1" validateSecToken="disable">
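Since the setting is meant for the rollover window, it helps to be able to find instances that still carry it afterwards. The following Python script is an added example, not part of the Nevis documentation or the product: it parses an esauth4.xml and reports which esauth-server instances have validateSecToken="disable". The element and attribute names are taken from the fragment above; the sample XML (including its esauth-config root element) is constructed for the example, and the rule that an absent attribute or any value other than the literal disable means validation is on is an assumption derived from the page's statement that validation is enabled by default.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample esauth4.xml (not from the Nevis documentation): instance
# I1 has validation disabled for a rollover, I2 is left at the default.
# The esauth-config root element is illustrative; only esauth-server and
# validateSecToken are taken from the page.
SAMPLE_ESAUTH4_XML = """<?xml version="1.0" encoding="UTF-8"?>
<esauth-config>
  <esauth-server instance="I1" validateSecToken="disable">
  </esauth-server>
  <esauth-server instance="I2">
  </esauth-server>
</esauth-config>
"""


def sectoken_validation_status(xml_text: str) -> Dict[str, bool]:
    """Map each esauth-server instance name to True if SecToken validation is active.

    Assumption (not stated on the page): only the literal value "disable"
    switches validation off; a missing attribute or any other value keeps
    the default, which the page says is validation on.
    """
    root = ET.fromstring(xml_text)
    status: Dict[str, bool] = {}
    # iter() visits the root itself too, so this works whether esauth-server
    # is the document root or nested under another element.
    for server in root.iter("esauth-server"):
        name = server.get("instance", "<unnamed>")
        status[name] = server.get("validateSecToken") != "disable"
    return status


def instances_with_validation_disabled(xml_text: str) -> List[str]:
    """Sorted list of instance names that currently skip SecToken validation."""
    return sorted(name for name, active in sectoken_validation_status(xml_text).items()
                  if not active)


def audit_file(path: str) -> List[str]:
    """Run the same check against an esauth4.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return instances_with_validation_disabled(fh.read())


if __name__ == "__main__":
    for name, active in sectoken_validation_status(SAMPLE_ESAUTH4_XML).items():
        print(f"{name}: SecToken validation {'ON' if active else 'DISABLED'}")
    leftovers = instances_with_validation_disabled(SAMPLE_ESAUTH4_XML)
    if leftovers:
        print("Instances still running with validateSecToken=\"disable\":", ", ".join(leftovers))
```

Run `audit_file("/path/to/esauth4.xml")` after a rollover has completed; any instance it returns still has the check switched off in nevisAuth.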