Open the system configuration object for editing and set security.nonrepudiation.signedApprovals=true
For instructions on editing the system configuration object, see Editing Identity Manager Configuration Objects.
If you are using PKCS11 you must also set security.nonrepudiation.defaultKeystoreType=PKCS11
If you are using a custom PKCS11 Key provider, you must also set security.nonrepudiation.defaultPKCS11KeyProvider=your provider name
Refer to the following items in the REF kit for more information on when you need to write a custom provider:
com.sun.idm.ui.web.applet.transactionsigner.DefaultPKCS11KeyProvider (Javadoc)
REF/transactionsigner/SamplePKCS11KeyProvider
The REF (Resource Extension Facility) kit is provided in the /REF directory on your product CD or with your install image.
Add your certificate authority's (CA) certificates as trusted certificates. To do this, you must first obtain a copy of the certificates.
For example, if you are using a Microsoft CA, follow steps similar to these:
Add the certificate to Identity Manager as a trusted certificate:
From the Administrator interface, select Security, and then select Certificates. Identity Manager displays the Certificates page.
In the Trusted CA Certificates area, click Add. Identity Manager displays the Import Certificate page.
Browse to and then select the trusted certificate, and then click Import.
The certificate now displays in the list of trusted certificates.
Add your CA’s certificate revocation list (CRL):
In the CRLs area of the Certificates page, click Add.
Enter the URL for the CA’s CRL.
The certificate revocation list (CRL) is the CA's list of serial numbers of certificates that have been revoked and are no longer valid.
The URL for the CA’s CRL may be an HTTP or LDAP URL.
Each CA has a different URL where CRLs are distributed; you can determine this by browsing the CA certificate’s CRL Distribution Points extension.
Click Test Connection to verify the URL.
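The CRL fetched from the distribution point is a DER-encoded CertificateList (RFC 5280) whose revokedCertificates field carries the revoked serial numbers. The following stdlib-only parser, added here as an example and not part of Identity Manager or the REF kit, extracts those serials and checks one certificate's serial against them; the sample CRL it runs on is constructed inline (issuer, serials, dates and signature bits are all made up). It does not verify the CRL signature, which must be checked against the trusted CA certificate before the list is relied upon.

```python
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n, length = length & 0x7F, 0
        for b in buf[pos:pos + n]:
            length = (length << 8) | b
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):                                # elements of a SEQUENCE/SET
    pos = 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        yield tag, val

def revoked_serials(crl_der):
    """Serial numbers in the CRL's revokedCertificates list (signature NOT checked)."""
    _, cert_list, _ = der_read(crl_der)                # CertificateList
    tbs = next(der_children(cert_list))[1]             # TBSCertList body
    seen_time = False
    for tag, val in der_children(tbs):
        if tag in (0x17, 0x18):                        # thisUpdate / nextUpdate
            seen_time = True
        elif seen_time and tag == 0x30:                # revokedCertificates
            return {int.from_bytes(next(der_children(e))[1], "big")
                    for _, e in der_children(val)}
    return set()                                       # CRL revokes nothing

def is_revoked(crl_der, serial):
    return serial in revoked_serials(crl_der)

# --- constructed sample CRL (not from any real CA) so the check runs offline ---
def der(tag, body):                                    # minimal DER encoder
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def der_int(v):                                        # positive INTEGER
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def sample_crl():
    """Two revoked serials, issuer CN=Example Lab CA, dummy signature bits."""
    utc = lambda s: der(0x17, s.encode())              # UTCTime
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    cn = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Example Lab CA"))
    entry = lambda serial, when: der(0x30, der_int(serial) + utc(when))
    revoked = der(0x30, entry(0x1001, "240101120000Z") + entry(0xDEADBEEF, "240201120000Z"))
    tbs = der(0x30, der_int(1) + alg + der(0x30, der(0x31, cn)) + utc("240301000000Z")
              + utc("240401000000Z") + revoked)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))
```

A real CRL is fetched from the HTTP distribution point as raw bytes and passed to revoked_serials unchanged; LDAP distribution points need an LDAP client to retrieve the same DER blob.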
Sign applets/ts2.jar using jarsigner.
Refer to http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/jarsigner.html for more information. The ts2.jar file provided with Identity Manager is signed using a self-signed certificate, and should not be used for production systems. In production, this file should be re-signed using a code-signing certificate issued by your trusted CA.