To Import the Certificate Authority Root Certificate into Web Server 2

The web policy agent on Protected Resource 2 connects to OpenSSO Enterprise through Load Balancer 2. The load balancer is SSL-enabled, so the agent must be able to trust the load balancer SSL certificate to establish the SSL connection. For this reason, import the root certificate of the Certificate Authority (CA) that issued the Load Balancer 2 SSL server certificate into the policy agent certificate store.

Before You Begin

• Copy the same CA root certificate used in To Install a CA Root Certificate to the OpenSSO Enterprise Load Balancer to the pr-2 host machine. In this example, the file is /export/software/ca.cer.

• Backup cacerts before modifying it.

1. As a root user, log into the pr-2 host machine.

2. Import ca.cer, the CA root certificate, into cacerts, the certificate store.

   # /opt/SUNWwbsvr/jdk/jre/bin/keytool -import -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts -storepass changeit Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun,L=Santa Clara, ST=California C=US Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun,L=Santa Clara, ST=California C=US Serial number: f59cd13935f5f498 Valid from: Thu Sep 20 11:14:51 PDT 2008 18 07:66:19 PDT 2006 until: Thu Jun 17 11:41:51 PDT 2010 Certificate fingerprints: MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9 SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA Trust this certificate: [no] yes Certificate was added to keystore.

3. Verify that ca.cer was imported.

   # /opt/SUNWwbsvr/jdk/jre/bin/keytool -list -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts -storepass changeit | grep -i open openSSLTestCA, Sep 20, 2008, trustedCertEntry,

4. Log out of the pr-2 host machine.