Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

ProcedureTo Import a Root Certificate and a Server Certificate to Directory Server 2

Before You Begin

You should already have a root certificate from the CA of your choice. Send any server certificate requests to the same CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. Log in to the host machine as a root user.

  2. Generate a request for a server certificate signed by a CA.

    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsadm request-cert -S ", 
    OU=OpenSSO Enterprise, O=Sun Microsystems, L=Santa Clara 
     ST=California, C=US" -F ascii -o ds2.csr /var/opt/mps/idp-users

    ds2.csr is the certificate request.

  3. Send ds2.csr to the CA of your choice.

    The CA issues and returns a certified server certificate named ds2.cer.

  4. Add ds2.cer, the CA-signed server certificate, to the certificate store.

    # ./dsadm add-cert /var/opt/mps/idp-users ds2 ds2.cer
  5. (Optional) Verify that the certificate was successfully added.

    # ./dsadm list-certs /var/opt/mps/idp-users

    A list of certificates for the idp-users instance is displayed including the defaultCert and ds2.

  6. Add ca.cer, the root certificate, to the certificate store.

    # ./dsadm add-cert --ca /var/opt/mps/idp-users CA-cert ca.cer
  7. (Optional) Verify that the root certificate was successfully added.

    # ./dsadm list-certs -C /var/opt/mps/idp-users | grep CA-cert
    2007/09/20 11:41  2010/06/17 11:41  n,CN=openssltestca,OU=am,
    O=sun,L=santa clara,ST=california,C=us  Same as issuer
  8. Configure the Directory Server instance to use the imported certificates.

    # ./dsconf set-server-prop -h 
    -p 1489 ssl-rsa-cert-name:ds2
    Enter "cn=Directory Manager" password: dsmanager
    Before setting SSL configuration, export Directory Server data.
    Do you want to continue [y/n] ?  y
    Directory Server must be restarted for changes to take effect.
  9. Restart the Directory Server instance.

    # ./dsadm stop /var/opt/mps/idp-users
    # ./dsadm start /var/opt/mps/idp-users
    Server started: pid=5472
  10. Run ldapsearch on Directory Server 2 to verify that the directory entries can be accessed through the secure port.

    # cd /var/opt/mps/serverroot/dsrk6/bin
    # ./ldapsearch -h -p 1736 
    -Z -P /var/opt/mps/idp-users/alias/slapd-cert8.db 
    -b "" -s base "(objectclass=*)"
    version: 1
    namingContexts: dc=company,dc=com
    supportedExtension: 2.16.840.1.113730.3.5.7
    supportedSSLCiphers: SSL-CK_RC4_128_EXPORT40_WITH_MD5
    supportedSSLCiphers: SSL-CK_RC2_128_CBC_EXPORT40_WITH_MD5

    This confirms that the Directory Server instance can be accessed through the secure port.

  11. Log out of the host machine.