Sun Java System Identity Server 2004Q2 Administration Guide 

Chapter 3
Configuring Identity Server in SSL Mode

Using Secure Socket Layer (SSL) with simple authentication guarantees confidentiality and data integrity. To enable Identity Server in SSL mode, you would typically:

  1. Configure Identity Server with a secure web container
  2. Configure Identity Server to connect to a secure Directory Server

The following sections describe these steps:


Configuring Identity Server With a Secure Sun Java System Web Server

To configure Identity Server in SSL mode with Sun Java System Web Server, follow these steps:

  1. In the Identity Server console, go to the Service Configuration module and select the Platform service. In the Server List attribute, remove the http:// protocol, and add the https:// protocol. Click Save.

Note

Be sure to click Save. If you don't, you will still be able to proceed with the following steps, but all configuration changes you have made will be lost and you will not be able to log in as administrator to fix it.

Step 2 through Step 25 describe the Sun Java System Web Server.

  2. Log on to the Web Server console. The default port is 58888.
  3. Select the Web Server instance on which Identity Server is running, and click Manage. This displays a pop-up window explaining that the configuration has changed. Click OK.
  4. Click the Apply button located in the top right corner of the screen.
  5. Click Apply Settings.
  6. The Web Server should automatically restart. Click OK to continue.
  7. Stop the selected Web Server instance.
  8. Click the Security tab.
  9. Click Create Database. Enter the new database password and click OK. Ensure that you write down the database password for later use.
  10. Once the Certificate Database has been created, click Request a Certificate.
  11. Enter the data in the fields provided on the screen. The Key Pair File Password field takes the same password you entered in Step 9. In the location field, you will need to spell out the location completely; abbreviations, such as CA, will not work. All of the fields must be defined. In the Common Name field, provide the hostname of your Web Server.
  12. Once the form is submitted, you will see a message such as:

    -----BEGIN CERTIFICATE REQUEST-----
    afajsdllwqeroisdaoi234rlkqwelkasjlasnvdknbslajowijalsdkjfalsdflasdf
    alsfjawoeirjoi2ejowdnlkswnvnwofijwoeijfwiepwerfoiqeroijeprwpfrwl
    -----END CERTIFICATE REQUEST-----

  13. Copy this text and submit it for the certificate request.
  14. Ensure that you get the Root CA certificate.
  15. You will receive a certificate response containing the certificate, such as:

    -----BEGIN CERTIFICATE-----
    afajsdllwqeroisdaoi234rlkqwelkasjlasnvdknbslajowijalsdkjfalsdflasdf
    alsfjawoeirjoi2ejowdnlkswnvnwofijwoeijfwiepwerfoiqeroijeprwpfrwl
    -----END CERTIFICATE-----

  16. Copy this text into your clipboard, or save the text into a file.
  17. Go to the Web Server console and click Install Certificate.
  18. Click Certificate for this Server.
  19. Enter the Certificate Database password in the Key Pair File Password field.
  20. Paste the certificate into the provided text field, or check the radio button and enter the filename in the text box. Click Submit. The browser displays the certificate and provides a button to add it.
  21. Click Install Certificate.
  22. Click Certificate for Trusted Certificate Authority.
  23. Install the Root CA Certificate in the same manner described in Step 16 through Step 21.
  24. Once you have completed installing both certificates, click the Preferences tab in the Web Server console.
  25. Select Add Listen Socket if you wish to have SSL enabled on a different port. Then, select Edit Listen Socket, change the security status from Disabled to Enabled, and click OK to submit the changes.

Step 26 through Step 28 describe Identity Server.

  26. Open the AMConfig.properties file. By default, the location of this file is /etc/opt/SUNWam/config.
  27. Replace all occurrences of the http:// protocol with https://, except for the Web Server Instance Directory. This is also specified in AMConfig.properties, but must remain the same. Save the AMConfig.properties file.
  28. In the Web Server console, click the ON/OFF button for the web server instance hosting Identity Server. The Web Server displays a text box in the Start/Stop page. Enter the Certificate Database password in the text field and select Start.


Configuring Identity Server with a Secure Sun Java System Application Server

Setting up Identity Server to run on an SSL-enabled Sun Java System Application Server is a two-step process. First, secure the Application Server instance on which Identity Server is installed, then configure Identity Server itself.

Setting Up Application Server With SSL

To Secure the Application Server Instance:

  1. Log into the Sun Java System Application Server console as an administrator by entering the following address in your browser:

    http://fullservername:port

    The default port is 4848.

  2. Enter the username and password you entered during installation.
  3. Select the Application Server instance on which you installed (or will install) Identity Server. The right frame displays that the configuration has changed.
  4. Click Apply Changes.
  5. Click Restart. The Application Server should automatically restart.
  6. In the left frame, click Security.
  7. Click the Manage Database tab.
  8. Click Create Database, if it is not selected.
  9. Enter the new database password and confirm, then click the OK button. Make sure that you write down the database password for later use.
  10. Once the Certificate Database has been created, click the Certificate Management tab.
  11. Click the Request link, if it is not selected.
  12. Enter the following Request data for the certificate:
    1. Select whether this is a new certificate or a certificate renewal. Many certificates expire after a specific period of time, and some certificate authorities (CAs) will automatically send you a renewal notification.
    2. Specify the way in which you want to submit the request for the certificate. If the CA expects to receive the request in an E-mail message, check CA E-mail and enter the E-mail address of the CA. For a list of CAs, click List of Available Certificate Authorities.

      If you are requesting the certificate from an internal CA that is using the Sun Java System Certificate Server, click CA URL and enter the URL for the Certificate Server. This URL should point to the certificate server's program that handles certificate requests.

    3. Enter the password for your key-pair file (this is the password you specified in Step 9).
    4. Enter the following identification information:

      Common Name. The full name of the server including the port number.

      Requestor Name. The name of the requestor.

      Telephone Number. The telephone number of the requestor.

      Common Name. The fully qualified name of the Sun Java System Application Server on which the digital certificate will be installed.

      E-mail Address. The E-mail address of the administrator.

      Organization Name. The name of your organization. The certificate authority may require that any host names entered in this attribute belong to a domain registered to this organization.

      Organizational Unit Name. The name of your division, department, or other operational unit of your organization.

      Locality Name (city). The name of your city or town.

      State Name. The name of the state or province in which your organization operates, if your organization is in the United States or Canada, respectively. Do not abbreviate.

      Country Code. The two-letter ISO code for your country. For example, the code for the United States is US.

  13. Click the OK button. A message will be displayed, for example:

    -----BEGIN NEW CERTIFICATE REQUEST-----
    afajsdllwqeroisdaoi234rlkqwelkasjlasnvdknbslajowijalsdkjfalsdfla
    alsfjawoeirjoi2ejowdnlkswnvnwofijwoeijfwiepwerfoiqeroijeprwpfrwl
    -----END NEW CERTIFICATE REQUEST-----

  14. Copy all of this text to a file and click OK. Make sure that you get the Root CA certificate.
  15. Select a CA and follow the instructions on that authority's web site to get a digital certificate. You can get the certificate from CMS, Verisign or Entrust.net.
  16. After you receive your digital certificate from the certificate authority, copy the text into your clipboard, or save the text into a file.
  17. Go to the Sun Java System Application Server console and click the Install link.
  18. Select Certificate For This Server.
  19. Enter the Certificate Database password in the Key Pair File Password field. (It is the same password you entered in Step 9.)
  20. Paste the certificate into the provided text field, Message text (with headers), or enter the filename in the Message that is in this file text box. Select the appropriate radio button.
  21. Click the OK button. The browser displays the certificate, and provides a button to add the certificate.
  22. Click Add Server Certificate.
  23. Install the Root CA Certificate in the same manner described in Step 10 through Step 22. However, in Step 18, select Certificate for Trusted Certificate Authority.
  24. Once you have completed installing both certificates, expand the HTTP Server node in the left frame.
  25. Select HTTP Listeners under HTTP Server.
  26. Select http-listener-1. The browser displays the socket information.
  27. Change the value of the port used by http-listener-1 from the value entered while installing the Application Server to a more appropriate value, such as 443.
  28. Select SSL/TLS Enabled.
  29. Select Certificate Nickname.
  30. Specify the Return server. This should match the common name specified in Step 12.
  31. Click Save.
  32. Select the Application Server instance on which you will install the Sun Java System Identity Server software. The right frame shows that the configuration has changed.
  33. Click Apply Changes.
  34. Click Restart. The Application Server should automatically restart.

Configuring Identity Server in SSL Mode

To configure Identity Server in SSL mode:

  1. In the Identity Server console, go to the Service Configuration module and select the Platform service. In the Server List attribute, add the same URL with the HTTPS protocol and an SSL-enabled port number. Click Save.

Note

If a single instance of Identity Server is listening on two ports (one HTTP and one HTTPS) and you try to access Identity Server with a stale cookie, Identity Server will become unresponsive. This is not a supported configuration.

  2. Open the AMConfig.properties file from the following default location:

    /etc/opt/SUNWam/config

  3. Replace all occurrences of the http:// protocol with https:// and change the port number to an SSL-enabled port number.
  4. Save the AMConfig.properties file.
  5. Restart the Application Server.


Configuring Identity Server to Directory Server in SSL Mode

To provide secure communications over the network, Identity Server includes the LDAPS communications protocol. LDAPS is the standard LDAP protocol, but it runs on top of the Secure Sockets Layer (SSL). In order to enable SSL communication, you must first configure the Directory Server in SSL mode and then connect Identity Server to Directory Server. The basic steps are as follows:

  1. Obtain and install a certificate for your Directory Server, and configure the Directory Server to trust the certification authority’s (CA) certificate.
  2. Turn on SSL in your directory.
  3. Configure the authentication, policy and platform services to connect to an SSL-enabled Directory Server.
  4. Configure Identity Server to securely connect to the Directory Server backend.

Configuring Directory Server in SSL Mode

In order to configure the Directory Server in SSL mode, you must obtain and install a server certificate, configure the Directory Server to trust the CA’s certificate and enable SSL. Detailed instructions on how to complete these tasks are included in Chapter 11, “Managing Authentication and Encryption” in the Directory Server Administration Guide. This document can be found in the following location:

You can also download a PDF of the manual from the following location:

http://docs.sun.com/coll/DirectoryServer_04q2

If your Directory Server is already SSL-enabled, go to the next section for details on connecting Identity Server to Directory Server.

Connecting Identity Server to the SSL-enabled Directory Server

Once the Directory Server has been configured for SSL mode, you need to securely connect Identity Server to the Directory Server backend. To do so:

  1. In the Identity Server console, go to the LDAP Authentication service in the Service Configuration module.
    1. Change the Directory Server port to the SSL port.
    2. Select the Enable SSL Access to LDAP Server attribute.
  2. Go to the Membership Authentication service in the Service Configuration module.
    1. Change the Directory Server port to the SSL port.
    2. Select the Enable SSL Access to LDAP Server attribute.
  3. Go to the Policy Configuration Authentication service in the Service Configuration module.
    1. Change the Directory Server port to the SSL port.
    2. Select the Enable LDAP SSL attribute.
  4. Open serverconfig.xml in a text editor. The file is in the following location:

    /etc/opt/SUNWam/config

    1. In the <Server> element, change the following values:

      port - enter the port number of the secure port on which the Directory Server listens (636 is the default).

      type - change SIMPLE to SSL.

    2. Save and close serverconfig.xml.
  5. Open the AMConfig.properties file from the following default location:

    IdentityServer_base/SUNWam/config

    Change the following properties:

    1. Directory Port = 636 (if using the default)
    2. ssl.enabled = true
    3. Save AMConfig.properties.
  6. Restart the server.
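As an added consistency check, not part of this guide or of the Identity Server product, the following Python script compares the <Server> element in serverconfig.xml against the directory settings in AMConfig.properties described above, and also flags any AMConfig.properties value still using http://, as the http:// to https:// replacement in the earlier Web Server and Application Server procedures requires. The full property key names (com.iplanet.am.directory.port, com.iplanet.am.directory.ssl.enabled, com.iplanet.am.naming.url) and the element layout are assumptions, and both file fragments are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed serverconfig.xml fragment, after this section's edits
# (port 636, type SSL). The element layout is assumed, not copied from
# a real deployment.
SERVERCONFIG_XML = """<iPlanetDataAccessLayer>
  <ServerGroup name="default">
    <Server name="Server1" host="ds.example.com" port="636" type="SSL"/>
  </ServerGroup>
</iPlanetDataAccessLayer>"""

# Constructed AMConfig.properties fragment; the full key names are assumed.
AMCONFIG_PROPERTIES = """# directory backend
com.iplanet.am.directory.port=636
com.iplanet.am.directory.ssl.enabled=true
com.iplanet.am.naming.url=https://is.example.com:443/amserver/namingservice
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_directory_ssl(xml_text, props_text):
    """Findings where serverconfig.xml and AMConfig.properties disagree."""
    props = parse_properties(props_text)
    want_port = props.get("com.iplanet.am.directory.port")
    want_ssl = props.get("com.iplanet.am.directory.ssl.enabled", "false") == "true"
    findings = []
    for srv in ET.fromstring(xml_text).iter("Server"):
        name, port = srv.get("name"), srv.get("port")
        is_ssl = srv.get("type", "SIMPLE") == "SSL"   # SIMPLE is plain LDAP
        if is_ssl != want_ssl:
            findings.append(f"{name}: type={srv.get('type')} but ssl.enabled={want_ssl}")
        if want_port and port != want_port:
            findings.append(f"{name}: port {port} differs from Directory Port {want_port}")
    return findings

def check_https_only(props_text):
    """Keys whose value still starts with http:// after the protocol switch."""
    return [k for k, v in parse_properties(props_text).items() if v.startswith("http://")]

if __name__ == "__main__":
    for f in check_directory_ssl(SERVERCONFIG_XML, AMCONFIG_PROPERTIES) + check_https_only(AMCONFIG_PROPERTIES):
        print("WARN", f)
```

Run it against the real files by reading them into the two strings; an empty result means the two files agree on LDAPS and no plain-http URL remains.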


Copyright 2004 Sun Microsystems, Inc. All rights reserved.