Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0

ProcedureTo Import the Certificate Authority Root Certificate into Application Server 2

The CA root certificate enables the J2EE policy agent to trust the certificate from the OpenSSO Enterprise Load Balancer 2, and to establish trust with the certificate chain that is formed from the CA to the certificate.

Before You Begin

Copy the same CA root certificate used in To Install a CA Root Certificate to the OpenSSO Enterprise Load Balancer to the /export/software directory on the pr-2 host machine.

  1. As a root user, log into the pr–2 host machine.

  2. Change to the directory where the cacerts certificate store is located.

    # cd /usr/local/bea/jdk150_06/jre/lib/security.

    Tip –

    Backup cacerts before modifying it.

  3. Import ca.cer, the CA root certificate.

    # /usr/local/bea/jdk150_06/bin/keytool -import -trustcacerts 
      -alias OpenSSLTestCA -file /export/software/ca.cer 
      -keystore /usr/local/bea/jdk150_06/jre/lib/security/cacerts -storepass changeit
    Owner:, CN=OpenSSLTestCA, OU=Sun,
    O=Sun,L=Santa Clara, ST=California C=US
    Issuer:, CN=OpenSSLTestCA, OU=Sun,
    O=Sun,L=Santa Clara, ST=California C=US
    Serial number: 97dba0aa26db6386
    Valid from: Tue Apr 18 07:66:19 PDT 2006 until: Tue Jan 13 06:55:19
    PST 2009
    Certificate fingerprints:
    MD5: 9f:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06
    SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:26:64:36:80:E4:70
    Trust this certificate: [no] yes
    Certificate was added to keystore.
  4. Verify that ca.cer was successfully imported.

    # /usr/local/bea/jdk150_06/bin/keytool -list 
      -keystore /usr/local/bea/jdk150_06/jre/lib/security/cacerts 
      -storepass changeit | grep -i openssl
    OpenSSLTestCA, Sep 15, 2008, trustedCertEntry,
  5. Log out of the pr–2 host machine.