Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

ProcedureTo Import a Certificate Authority Root Certificate to Protected Resource 1

The Certificate Authority (CA) root certificate enables the J2EE policy agent to trust the certificate from the OpenSSO Enterprise Load Balancer 2, and to establish trust with the certificate chain that is formed from the CA to the certificate.

Before You Begin

Copy the same CA root certificate used in To Install a CA Root Certificate to OpenSSO Enterprise Load Balancer 2 to the /export/software directory on the host machine.

  1. As a root user, log into the host machine.

  2. Change to the directory where cacerts, the certificate store is located.

    # cd /usr/local/bea/jdk150_06/jre/lib/security.

    Tip –

    Backup cacerts before modifying it.

  3. Import ca.cer, the CA root certificate.

    # /usr/local/bea/jdk150_06/bin/keytool -import -trustcacerts 
      -alias OpenSSLTestCA -file /export/software/ca.cer 
      -keystore /usr/local/bea/jdk150_06/jre/lib/security/cacerts -storepass changeit
    Owner:, CN=OpenSSLTestCA, OU=Sun,
    O=Sun,L=Santa Clara, ST=California C=US
    Issuer:, CN=OpenSSLTestCA, OU=Sun,
    O=Sun,L=Santa Clara, ST=California C=US
    Serial number: 97dba0aa26db6386
    Valid from: Tue Apr 18 07:66:19 PDT 2006 until: Tue Jan 13 06:55:19
    PST 2009
    Certificate fingerprints:
    MD5: 9f:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06
    SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:26:64:36:80:E4:70
    Trust this certificate: [no] yes
    Certificate was added to keystore.
  4. Verify that ca.cer was successfully imported.

    # /usr/local/bea/jdk150_06/bin/keytool -list 
      -keystore /usr/local/bea/jdk150_06/jre/lib/security/cacerts 
      -storepass changeit | grep -i openssl
    OpenSSLTestCA, Sep 15, 2008, trustedCertEntry,
  5. Log out of the pr1 host machine.