Secure Socket Layer/Transport Layer Security (SSL/TLS) can also be enabled to protect SOAP endpoints and secure communications between SAML v2 entities. When one SAML v2 entity initiates communication with a SAML v2 entity deployed in an SSL/TLS-enabled web container, the initiating entity is referred to as the SSL/TLS client and the replying entity is referred to as the SSL/TLS server.
For SSL/TLS server authentication (the server needs to present a certificate to the client), the following properties need to be set in the Virtual Machine for the Java™ platform (JVM™) running the SSL/TLS client:
| Property | Description |
| --- | --- |
| -Djavax.net.ssl.trustStore | Defines the full path to the file containing the server's CA certificates. |
| -Djavax.net.ssl.trustStoreType | Takes a value of JKS (Java Key Store). |
In addition, the client's CA certificate needs to be imported into the certificate store/database of the server's web container and marked as a trusted issuer of client certificates.
For SSL/TLS client authentication (the client needs to present a certificate to the server), the following properties need to be set in the JVM software running the SSL/TLS client:
| Property | Description |
| --- | --- |
| -Djavax.net.ssl.keyStore | Defines the full path to the keystore containing the client certificate and private key. This may be the same file as the one defined for server certificate authentication. |
| -Djavax.net.ssl.keyStoreType | Takes a value of JKS. |
| -Djavax.net.ssl.keyStorePassword | Specifies the password to the keystore. |
On the SSL/TLS server side, the client's CA certificate needs to be imported into the web container's keystore and marked as a trusted issuer of client certificates.
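The following is an added example, not code from the original documentation or from any SAML product, showing how an SSL/TLS client process on the Java platform consumes the javax.net.ssl.* properties listed above for both server authentication and client authentication. The endpoint URL, keystore paths, passwords and the `SoapTlsClient` class name are placeholders; the `keytool` and `java` command lines in the comments show the assumed import and launch steps, and the SOAP envelope is a constructed empty body used only to exercise the connection.

```java
// Added example (not from the original page): a SAML v2 SOAP client that relies on the
// javax.net.ssl.* JVM properties described above. The default SSLContext reads those
// properties, so no keystore handling code is needed in the application itself.
//
// Assumed one-time setup (placeholder paths and passwords):
//   keytool -importcert -trustcacerts -alias server-ca -file server-ca.pem \
//           -keystore /opt/saml/truststore.jks -storepass changeit
//   (on the server web container, import the client's CA the same way and mark it trusted)
//
// Assumed launch for server authentication only:
//   java -Djavax.net.ssl.trustStore=/opt/saml/truststore.jks \
//        -Djavax.net.ssl.trustStoreType=JKS SoapTlsClient https://sp.example.com/soap
// Assumed launch with client authentication added:
//   java -Djavax.net.ssl.trustStore=/opt/saml/truststore.jks -Djavax.net.ssl.trustStoreType=JKS \
//        -Djavax.net.ssl.keyStore=/opt/saml/client.jks -Djavax.net.ssl.keyStoreType=JKS \
//        -Djavax.net.ssl.keyStorePassword=changeit SoapTlsClient https://sp.example.com/soap --client-auth
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;

public class SoapTlsClient {

    /** Fail fast if the JVM was started without the properties the configuration requires.
     *  Without a trustStore property the JVM silently falls back to the bundled cacerts file,
     *  which is a common reason a private server CA is not trusted. */
    static void requireTlsProperties(boolean clientAuth) {
        String[] required = clientAuth
            ? new String[] {"javax.net.ssl.trustStore", "javax.net.ssl.trustStoreType",
                            "javax.net.ssl.keyStore", "javax.net.ssl.keyStoreType",
                            "javax.net.ssl.keyStorePassword"}
            : new String[] {"javax.net.ssl.trustStore", "javax.net.ssl.trustStoreType"};
        for (String p : required) {
            if (System.getProperty(p) == null) {
                throw new IllegalStateException("Missing JVM property -D" + p);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        boolean clientAuth = args.length > 1 && "--client-auth".equals(args[1]);
        requireTlsProperties(clientAuth);

        URL endpoint = new URL(args[0]); // placeholder SOAP endpoint of the peer SAML v2 entity
        HttpsURLConnection conn = (HttpsURLConnection) endpoint.openConnection();
        // The default context is built from the javax.net.ssl.* properties: the trust store
        // validates the server chain, and the key store supplies the client certificate if
        // the server requests one during the handshake. Hostname verification stays enabled.
        conn.setSSLSocketFactory(SSLContext.getDefault().getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        conn.setRequestProperty("SOAPAction", "");
        conn.setDoOutput(true);

        // Constructed, empty SOAP envelope: enough to complete the handshake and a request.
        String envelope = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                        + "<soapenv:Body/></soapenv:Envelope>";
        try (OutputStream out = conn.getOutputStream()) {
            out.write(envelope.getBytes(StandardCharsets.UTF_8));
        }

        int status = conn.getResponseCode();
        // Report which server certificate was accepted, so a misconfigured trust store
        // (wrong CA imported) shows up as the wrong issuer rather than a silent success.
        Certificate[] chain = conn.getServerCertificates();
        X509Certificate leaf = (X509Certificate) chain[0];
        System.out.println("HTTP " + status + " from " + endpoint.getHost());
        System.out.println("Server certificate subject: " + leaf.getSubjectX500Principal());
        System.out.println("Issued by: " + leaf.getIssuerX500Principal());
        conn.disconnect();
    }
}
```

Because the properties are process-wide, every outbound TLS connection made by that JVM uses the same trust store and, when `javax.net.ssl.keyStore` is set, offers the same client certificate to any server that requests one; keep the client keystore limited to the identity intended for SAML traffic.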