Legacy Knowledge Base
Published Jul. 2, 2025

SAML certificate renewals are not being replicated immediately on my Liferay PaaS cluster.

Written By

Alfonso Abad

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.
Note: Liferay has renamed its Liferay Experience Cloud offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM).

Issue

  • SAML certificate renewals are not being replicated immediately on my Liferay PaaS cluster.

Environment

  • Liferay PaaS

Resolution

  • This happens when the traditional keystore storage method is used, that is, a .jks file is created in the $[Liferay-home]/data folder and is expected to be replicated on every node of the cluster.
  • However, a cluster on Liferay Cloud works differently: the persistent data is an NFS volume mounted on the container, and FileWatcher depends on changes being made at the kernel level for the OS to be notified of any change.
  • Therefore, the certificate renewal does not generate the change notification and is not replicated on every node. While this traditional storage method is in use, restarting a node refreshes its certificate.
  • For Liferay Cloud, we recommend using the Documents and Media storage for the keystore.
    This is how you can enable it:
    1. Go to Control Panel > Configuration > System Settings
    2. In the Security section, go to SSO
    3. Go to SAML Keystore Manager implementation configuration
    4. Select the Document Library Keystore Manager
    5. Create a new SAML certificate.
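
To confirm after a renewal that no node is still serving the old certificate, you can compare the signing certificate that each node publishes in its SAML metadata. The script below is an added example, not code from this article or from Liferay: it assumes each node exposes its current signing certificate in its metadata, and the node names, certificate bytes and helper names are constructed for illustration (fetching each node's metadata XML is left to you).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def signing_fingerprints(metadata_xml):
    """SHA-256 fingerprints of the signing certificates in one SAML metadata document."""
    prints = set()
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        # A KeyDescriptor without a "use" attribute applies to signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.add(hashlib.sha256(der).hexdigest())
    return prints

def stale_nodes(metadata_by_node, expected_fingerprint):
    """Nodes whose metadata does not advertise the renewed certificate."""
    expected = expected_fingerprint.replace(":", "").lower()
    return sorted(node for node, xml in metadata_by_node.items()
                  if expected not in signing_fingerprints(xml))

def sample_metadata(cert_der):
    """Build a minimal, constructed SP metadata document around the given bytes."""
    b64 = base64.b64encode(cert_der).decode()
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="constructed-sp">'
            '<md:SPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            '</md:SPSSODescriptor></md:EntityDescriptor>')

# Constructed sample: placeholder bytes stand in for the DER certificates,
# and node-2 has not picked up the renewal.
OLD_CERT = b"constructed-old-cert-der"
NEW_CERT = b"constructed-renewed-cert-der"
NEW_FP = hashlib.sha256(NEW_CERT).hexdigest()
SAMPLE = {"node-1": sample_metadata(NEW_CERT),
          "node-2": sample_metadata(OLD_CERT),
          "node-3": sample_metadata(NEW_CERT)}

if __name__ == "__main__":
    print(stale_nodes(SAMPLE, NEW_FP))
```

An empty result means every node advertises the renewed certificate; any node listed still needs a restart under the traditional storage method.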
