Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

7.4 Enabling Secure Communication for the Directory Server User Data Instances

By default, when an instance of Directory Server is created (in this case, sp-users), its SSL port is secured with a self-signed certificate named defaultCert. A self-signed certificate contains a public and private key; the public key is signed by the private key. The sp-users instances, though, need to use a server certificate signed by a certificate authority (CA) to allow for secure communication between the instances and the soon-to-be-installed user data load balancer. This entails installing the server certificate signed by the CA and the root certificate confirming the signature of the CA on both Directory Server host machines. Use the following list of procedures as a checklist for completing this task.

To Install a Root Certificate and a Server Certificate on Directory Server 1

Before You Begin

You should already have a root certificate from the CA of your choice. Send server certificate requests to the same CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

Generate a request for a server certificate signed by a CA.

# cd /var/opt/mps/serverroot/ds6/bin
# ./dsadm request-cert -S "CN=ds1.sp-example.com, 
OU=OpenSSO Enterprise, O=Sun Microsystems, L=Santa Clara 
 ST=California, C=US" -F ascii -o ds-1.csr /var/opt/mps/sp-users

ds-1.csr is the certificate request.

Send ds-1.csr to the CA of your choice.

The CA issues and returns a certified server certificate named ds-1.cer.

Add ds-1.cer, the CA-signed server certificate, to the certificate store.
# ./dsadm add-cert /var/opt/mps/sp-users server-cert ds-1.cer

Add ca.cer, the CA root certificate, to the certificate store.

# ./dsadm add-cert --ca /var/opt/mps/sp-users opensslCA ca.cer

(Optional) Verify that the CA root certificate was successfully added.

# ./dsadm list-certs -C /var/opt/mps/sp-users | grep opensslCA

opensslCA
2008/02/06 00:00  2017/02/06 00:00  n  
CN=Certificate Manager,OU=opensso,O=Identity,C=US
Same as issuer

Configure the Directory Server instance to use the imported certificates.

# ./dsconf set-server-prop -h ds1.sp-example.com 
-p 1489 ssl-rsa-cert-name:server-cert

Enter "cn=Directory Manager" password: dsmanager

Before setting SSL configuration, export Directory Server data.

Do you want to continue [y/n] ?  y

Directory Server must be restarted for changes to take effect.

Restart the Directory Server instance.

Directory Server needs to be restarted to use the new certificates.

# ./dsadm stop /var/opt/mps/sp-users

Directory Server instance '/var/opt/mps/sp-users' stopped

# ./dsadm start /var/opt/mps/sp-users

Directory Server instance '/var/opt/mps/sp-users' started: pid=11591

Run ldapsearch on Directory Server 1 to verify that the directory entries can be accessed through the secure port.

# cd /var/opt/mps/serverroot/dsrk6/bin
# ./ldapsearch -h ds1.sp-example.com -p 1736 
-Z -P /var/opt/mps/sp-users/alias/slapd-cert8.db 
-b "" -s base "(objectclass=*)"

version: 1
dn:
objectClass:top
namingContexts: o=spusers.com
supportedExtension: 2.16.840.1.113730.3.5.7
:
supportedSSLCiphers: SSL-CK_RC4_128_EXPORT40_WITH_MD5
supportedSSLCiphers: SSL-CK_RC2_128_CBC_EXPORT40_WITH_MD5

This confirms that the Directory Server instance can be accessed through the secure port.

Log out of the ds1.sp-example.com host machine.

To Install a Root Certificate and a Server Certificate on Directory Server 2