Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

4.4 Enabling Secure Communication for the Directory Server User Data Instances

By default, when an instance of Directory Server is created, its SSL port is secured with a self-signed certificate named defaultCert. A self-signed certificate contains a public and private key; the public key is signed by the private key. The idp-users instances, though, need to use a server certificate signed by a certificate authority (CA) to allow for secure communication between the instances and the soon-to-be-installed load balancer. This entails installing a CA root certificate and a server certificate (signed by the CA root certificate) on both Directory Server host machines. Use the following list of procedures as a checklist for completing this task.

To Import a Root Certificate and a Server Certificate to Directory Server 1

Before You Begin

You should already have a root certificate from the CA of your choice. Send server certificate requests to the same CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

Generate a request for a server certificate signed by a CA.

# cd /var/opt/mps/serverroot/ds6/bin
# ./dsadm request-cert -S "CN=ds1.idp-example.com, 
OU=OpenSSO Enterprise, O=Sun Microsystems, L=Santa Clara 
 ST=California, C=US" -F ascii -o ds1.csr /var/opt/mps/idp-users

ds1.csr is the certificate request.

Send ds1.csr to the CA of your choice.

The CA issues and returns a certified server certificate named ds1.cer.

Add ds1.cer, the CA-signed server certificate, to the certificate store.
# ./dsadm add-cert /var/opt/mps/idp-users ds1 ds1.cer

(Optional) Verify that the certificate was successfully added.
# ./dsadm list-certs /var/opt/mps/idp-users
A list of certificates for the idp-users instance is displayed including the defaultCert and ds1.

Add ca.cer, the root certificate, to the certificate store.

# ./dsadm add-cert --ca /var/opt/mps/idp-users CA-cert ca.cer

(Optional) Verify that the root certificate was successfully added.

# ./dsadm list-certs -C /var/opt/mps/idp-users | grep CA-cert

CA-cert
2007/09/20 11:41  2010/06/17 11:41  n  
E=nobody@nowhere.com,CN=openssltestca,OU=am,
O=sun,L=santa clara,ST=california,C=us  Same as issuer

Configure the Directory Server instance to use the imported certificates.

# ./dsconf set-server-prop -h ds1.idp-example.com 
-p 1489 ssl-rsa-cert-name:ds1

Enter "cn=Directory Manager" password: dsmanager

Before setting SSL configuration, export Directory Server data.

Do you want to continue [y/n] ?  y

Directory Server must be restarted for changes to take effect.

Restart the Directory Server instance.

# ./dsadm stop /var/opt/mps/idp-users
# ./dsadm start /var/opt/mps/idp-users

Server started: pid=5472

Run ldapsearch on Directory Server 1 to verify that the directory entries can be accessed through the secure port.

# cd /var/opt/mps/serverroot/dsrk6/bin
# ./ldapsearch -h ds1.idp-example.com -p 1736 
-Z -P /var/opt/mps/idp-users/alias/slapd-cert8.db 
-b "" -s base "(objectclass=*)"

version: 1
dn:
objectClass:top
namingContexts: dc=company,dc=com
supportedExtension: 2.16.840.1.113730.3.5.7
:
supportedSSLCiphers: SSL-CK_RC4_128_EXPORT40_WITH_MD5
supportedSSLCiphers: SSL-CK_RC2_128_CBC_EXPORT40_WITH_MD5

This confirms that the Directory Server instance can be accessed through the secure port.

Log out of the ds1.idp-example.com host machine.

To Import a Root Certificate and a Server Certificate to Directory Server 2