Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

ProcedureTo Import a Root Certificate and a Server Certificate to Directory Server 1

Before You Begin

You should already have a root certificate from the CA of your choice. Send server certificate requests to the same CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. Log in to the host machine as a root user.

  2. Generate a request for a server certificate signed by a CA.

    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsadm request-cert -S ", 
    OU=OpenSSO Enterprise, O=Sun Microsystems, L=Santa Clara 
     ST=California, C=US" -F ascii -o ds1.csr /var/opt/mps/idp-users

    ds1.csr is the certificate request.

  3. Send ds1.csr to the CA of your choice.

    The CA issues and returns a certified server certificate named ds1.cer.

  4. Add ds1.cer, the CA-signed server certificate, to the certificate store.

    # ./dsadm add-cert /var/opt/mps/idp-users ds1 ds1.cer
  5. (Optional) Verify that the certificate was successfully added.

    # ./dsadm list-certs /var/opt/mps/idp-users

    A list of certificates for the idp-users instance is displayed including the defaultCert and ds1.

  6. Add ca.cer, the root certificate, to the certificate store.

    # ./dsadm add-cert --ca /var/opt/mps/idp-users CA-cert ca.cer
  7. (Optional) Verify that the root certificate was successfully added.

    # ./dsadm list-certs -C /var/opt/mps/idp-users | grep CA-cert
    2007/09/20 11:41  2010/06/17 11:41  n,CN=openssltestca,OU=am,
    O=sun,L=santa clara,ST=california,C=us  Same as issuer
  8. Configure the Directory Server instance to use the imported certificates.

    # ./dsconf set-server-prop -h 
    -p 1489 ssl-rsa-cert-name:ds1
    Enter "cn=Directory Manager" password: dsmanager
    Before setting SSL configuration, export Directory Server data.
    Do you want to continue [y/n] ?  y
    Directory Server must be restarted for changes to take effect.
  9. Restart the Directory Server instance.

    # ./dsadm stop /var/opt/mps/idp-users
    # ./dsadm start /var/opt/mps/idp-users
    Server started: pid=5472
  10. Run ldapsearch on Directory Server 1 to verify that the directory entries can be accessed through the secure port.

    # cd /var/opt/mps/serverroot/dsrk6/bin
    # ./ldapsearch -h -p 1736 
    -Z -P /var/opt/mps/idp-users/alias/slapd-cert8.db 
    -b "" -s base "(objectclass=*)"
    version: 1
    namingContexts: dc=company,dc=com
    supportedExtension: 2.16.840.1.113730.3.5.7
    supportedSSLCiphers: SSL-CK_RC4_128_EXPORT40_WITH_MD5
    supportedSSLCiphers: SSL-CK_RC2_128_CBC_EXPORT40_WITH_MD5

    This confirms that the Directory Server instance can be accessed through the secure port.

  11. Log out of the host machine.