The following procedure illustrates how to create a keystore file and default key entry using keytool.
Be sure to use the keytool provided with the JDK bundled with OpenSSO Enterprise. It is located in JAVA_HOME/bin/keytool. When installed using the Java Enterprise System installer, JAVA_HOME is /OpenSSO-baseSUNWam/java.
The italicized option values in the commands used in this procedure may be changed to reflect your deployment.
Generate a certificate using one of the following procedures.
Generate a keystore with a public and private key pair and a self-signed certificate for your server using the following command.
keytool -genkey -keyalg rsa -alias test -dname "cn=sun-unix,ou=SUN Java System Access Manager,o=Sun,c=US" -keypass 11111111 -keystore .mykeystore -storepass 11111111 -validity 180
This command will generate a keystore called .mykeystore in the directory from which it is run. A private key entry with the alias test is created and stored in .mykeystore. If you do not specify a path to the keystore, a file named .keystore will be generated in your home directory. If you do not specify an alias for the default key entry, mykey is created as the default alias. To generate a DSA key, change the value of -keyalg to dsa. This step generates a self-signed certificate.
Create a request and import a signed certificate from a CA (to authenticate your public key) using the following procedure.
Create a request to retrieve a signed certificate from a CA (to authenticate your public key) using the following command:
keytool -certreq -alias test -file request.csr -keypass 11111111 -keystore .mykeystore -storepass 11111111 -storetype JKS
.mykeystore must also contain a self-signed certificate authenticating the server's generated public key. This step will generate the certificate request file, request.csr, under the directory from which the command is run. By submitting request.csr to a CA, the requestor will be authenticated and a signed certificate authenticating the public key will be returned. Save this root certificate to a file named myroot.cer and save the server certificate generated in the previous step to a file named mycert.cer.
Import the certificate returned from the CA using the following command:
keytool -import -alias test -trustcacerts -file mycert.cer -keypass 11111111 -keystore .mykeystore -storepass 11111111
Import the certificates of any trusted sites (from which you will receive assertions, requests and responses) into your keystore using the following command:
keytool -import -file myroot.cer -keypass 11111111 -keystore .mykeystore -storepass 11111111
The data to be imported must be provided either in binary encoding format, or in printable encoding format (also known as Base64) as defined by the Internet RFC 1421 standard. In the latter case, the encoding must be bounded at the beginning by a string that starts with -----BEGIN and bounded at the end by a string that starts with -----END.
Change to the /OpenSSO-base/SUNWam/bin directory and run the following command:
ampassword -e original password
This encrypts the password. The command will return something like AQICKuNVNc9WXxiUyd8j9o/BR22szk8u69ME.
Create a new file named .storepass and put the encrypted password in it.
Create a new file named .keypass and put the encrypted password in it.
Copy .mykeystore to the location specified in AMConfig.properties.
For example, if com.sun.identity.saml.xmlsig.keystore=/etc/opt/SUNWam/lib/keystore.jks, copy .mykeystore to /etc/opt/SUNWam/lib/ and rename the file to keystore.jks.
Copy .storepass and .keypass to the location specified in AMConfig.properties.
For example, if com.sun.identity.saml.xmlsig.storepass=/etc/opt/SUNWam/config/.storepass and com.sun.identity.saml.xmlsig.keypass=/etc/opt/SUNWam/config/.keypass, copy both files to /etc/opt/SUNWam/config/.
Define a value for the com.sun.identity.saml.xmlsig.certalias property in AMConfig.properties.
For this example, the value would be test.
(Optional) If the private key was encrypted using the DSA algorithm, change xmlsigalgorithm=http://www.w3.org/2000/09/xmldsig#rsa-sha1 in /OpenSSO-base/locale/amSAML.properties to xmlsigalgorithm=http://www.w3.org/2000/09/xmldsig#dsa-sha1.
(Optional) Change the canonicalization method for signing or the transform algorithm for signing by modifying amSAML.properties, located in /OpenSSO-base/locale/.
Change canonicalizationMethod=http://www.w3.org/2001/10/xml-exc-c14n# to any valid canonicalization method specified in Apache XML security package Version 1.0.5.
If this entry is deleted or left empty, we will use SAMLConstants.ALGO_ID_C14N_OMIT_COMMENTS (required by the XML Signature specification) will be used.
Change transformAlgorithm=http://www.w3.org/2001/10/xml-exc-c14n# to any valid transform algorithm specified in Apache XML security package Version 1.0.5.
If this entry is deleted or left empty, the operation will not be performed.
Restart OpenSSO Enterprise.