Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

Procedure: To Secure Communications from the Service Provider Application

Create a request for a server certificate and import the certificate authority (CA) root certificate and server certificate to the keystore. This will secure communications initiated by the service provider application.

Before You Begin

Back up domain.xml before modifying it.

  1. Log in to the sae.sp-example.com host machine as a root user.

  2. Generate a private/public key pair and reference it with the alias, sae-sp.

    The alias sae-sp is used in a later step to retrieve the public key, which is contained in a self-signed certificate.


    # cd /opt/SUNWappserver91/domains/domain1/config
    # keytool -genkey -noprompt -keyalg rsa -keypass changeit \
    -alias sae-sp -keystore keystore.jks -dname "CN=sae.sp-example.com, \
    OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US" \
    -storepass changeit
    
  3. Verify that the key pair was successfully created and stored in the keystore using the following command.


    # keytool -list -v -keystore keystore.jks -storepass changeit
    

    The output of this command lists a key entry with the alias sae-sp.


    Note –

    The output of this command may list more than one certificate based on the entries in the keystore.


  4. Generate a server certificate request.


    # keytool -certreq -alias sae-sp -keypass changeit \
    -keystore keystore.jks -storepass changeit -file sae-sp.csr
    

    sae-sp.csr is the server certificate request.

  5. (Optional) Verify that sae-sp.csr was created.


    # ls -la sae-sp.csr
    
     -rw-r--r--   1 osso80adm staff        715 Apr  4 15:04 sae-sp.csr
  6. Send sae-sp.csr to the CA of your choice.

    The CA issues and returns a certified server certificate named sae-sp.cer.

  7. Import ca.cer, the CA root certificate, into the certificate store.

    When using Application Server, the root certificate must be imported into both keystores, keystore.jks and cacerts.jks.


    # keytool -import -trustcacerts -alias OpenSSLTestCA \
    -file ca.cer -keystore keystore.jks -storepass changeit
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Serial number: f59cd13935f5f498
    Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
    Certificate fingerprints:
      MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
      SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
    
    Trust this certificate? [no]: Yes
    
    Certificate was added to keystore

    # keytool -import -trustcacerts -alias OpenSSLTestCA \
    -file ca.cer -keystore cacerts.jks -storepass changeit
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Serial number: f59cd13935f5f498
    Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
    Certificate fingerprints:
      MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
      SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
    
    Trust this certificate? [no]: Yes
    
    Certificate was added to keystore
  8. Replace the self-signed public key certificate (associated with the s1as alias) with the server certificate received from the CA.


    # keytool -import -file sae-sp.cer -alias sae-sp \
    -keystore keystore.jks -storepass changeit
    
    Certificate reply was installed in keystore
  9. (Optional) Verify that the self-signed public key certificate has been overwritten by the server certificate received from the CA.


    # keytool -list -alias sae-sp -v -keystore keystore.jks \
    -storepass changeit
    
    The certificate listed for the alias "sae-sp" is signed by the CA.
  10. Change the certificate alias from the default s1as to the new sae-sp in the domain.xml file for the domain1 domain.

    The Application Server configuration file is domain.xml.

    <http-listener acceptor-threads="1" address="0.0.0.0"
        blocking-enabled="false" default-virtual-server="server" enabled="true"
        family="inet" id="http-listener-2" port="1081" security-enabled="true"
        server-name="" xpowered-by="true">
      <ssl cert-nickname="sae-sp" client-auth-enabled="false" ssl2-enabled="false"
        ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
    </http-listener>
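As an added check for the keystore state that steps 2 through 9 leave behind (example code, not part of the original guide), the script below parses keytool -list -v output for the alias named in the listener's cert-nickname and reports whether that alias still holds a self-signed certificate, lacks a private key, or lacks the CA certificate in its chain. The Alias name / Entry type / Certificate[n] / Owner / Issuer line layout is keytool's own; the listing and the distinguished names are constructed sample data modelled on this procedure.

```python
# Added example, not from the guide: parse `keytool -list -v` output and check that the alias in
# the listener's cert-nickname holds a CA-signed certificate chained to the CA (constructed sample).
CA_DN = "EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us"
SP_DN = "CN=sae.sp-example.com, OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US"
SAMPLE_LISTING = f"""\
Alias name: sae-sp
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: {SP_DN}
Issuer: {CA_DN}
Certificate[2]:
Owner: {CA_DN}
Issuer: {CA_DN}
"""

def parse_keytool_listing(text):
    """Map alias -> {"entry_type": str, "chain": [{"owner", "issuer"}, ...]} with the leaf first."""
    entries, entry, cert = {}, None, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Alias name":
            entry, cert = entries.setdefault(value, {"entry_type": "", "chain": []}), None
        elif entry is None:
            continue
        elif key == "Entry type":
            entry["entry_type"] = value
        elif key == "Owner":  # each certificate in the chain starts with its Owner line
            cert = {"owner": value, "issuer": ""}
            entry["chain"].append(cert)
        elif key == "Issuer" and cert is not None:
            cert["issuer"] = value
    return entries

def check_server_alias(entries, alias, ca_dn):
    """Findings for the listener's alias; an empty list means the CA reply was installed correctly."""
    entry = entries.get(alias)
    if entry is None or not entry["chain"]:
        return [f"alias {alias} has no certificate; generate the key pair first"]
    findings = []
    if entry["entry_type"] != "PrivateKeyEntry":
        findings.append("entry holds no private key, so the listener cannot use it")
    leaf = entry["chain"][0]
    if leaf["owner"] == leaf["issuer"]:
        findings.append("leaf certificate is still self-signed; the CA reply was not installed")
    elif leaf["issuer"] != ca_dn:
        findings.append("leaf certificate was issued by an unexpected CA")
    if len(entry["chain"]) < 2:
        findings.append("chain lacks the CA certificate; import ca.cer before the reply")
    return findings
```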