Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Secure Socket Layer/Transport Layer Security

Secure Socket Layer/Transport Layer Security (SSL/TLS) can also be enabled to protect SOAP endpoints and secure communications between SAML v2 entities. When one SAML v2 entity initiates communication with a SAML v2 entity deployed in an SSL/TLS-enabled web container, the initiating entity is referred to as the SSL/TLS client and the replying entity is referred to as the SSL/TLS server.

Server Certificate Authentication

For SSL/TLS server authentication (the server needs to present a certificate to the client), the following properties need to be set in the Virtual Machine for the Java™ platform (JVM™) running the SSL/TLS client:

-Djavax.net.ssl.trustStore

Defines the full path to the file containing the server's CA certificate(s). 

-Djavax.net.ssl.trustStoreType

Takes a value of JKS (Java Key Store).

In addition, the client's CA certificate needs to be imported into the certificate store/database of the server's web container and marked as a trusted issuer of client certificates.

Client Certificate Authentication

For SSL/TLS client authentication (the client needs to present a certificate to the server), the following properties need to be set in the JVM software running the SSL/TLS client:

-Djavax.net.ssl.keyStore

Defines the full path to the keystore containing the client certificate and private key. This may be the same as that defined in Server Certificate Authentication.

-Djavax.net.ssl.keyStoreType

Takes a value of JKS.

-Djavax.net.ssl.keyStorePassword

Specifies the password to the keystore. 

On the SSL/TLS server side, the client's CA certificate needs to be imported into the web container's keystore and marked as a trusted issuer of client certificates.