Deployment Example 2: Federation Using SAML v2

Chapter 6 Setting Up the Service Provider Keystores

In this phase of the deployment, you create the keystores, private keys, and CA-issued certificates that Federation Manager uses for XML signing and SAML encryption. The SAMLv2 metadata you create later in the deployment references these certificates; Federation Manager provides sample metadata templates that you can modify to suit your environment.

This chapter contains detailed information about the following groups of tasks:

6.1 Configuring the Keystore for Federation Manager 1

Use the Java keytool command to create private keys for XML signing and SAML encryption. Once the keys are stored in a keystore, you extract a certificate request from the keystore and submit the request to a trusted Certificate Authority (CA). The CA returns a certificate, which you import into the same keystore so that the key entry carries the CA-issued certificate chain.

Use the following as your checklist for configuring the keystore for Federation Manager 1:

  1. Obtain an XML Signing Certificate from a trusted certificate authority.

  2. Obtain an Encryption Certificate from a trusted certificate authority.

Procedure: To Obtain an XML Signing Certificate from a Trusted Certificate Authority

  1. As a root user, log in to the Federation Manager 1 host.

  2. Make a directory for creating a keystore. Example:


    # cd /etc/opt/SUNWam/
    # mkdir config
  3. Create a keystore with a private key.

    A keystore is a database for storing XML signing certificates, your private keys, and your public keys. For detailed information about keystores and about using the keytool utility to create and manage keystores, see http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.

    Use the keytool utility that comes with the JDK and is installed with Federation Manager. The 1024-bit key size and 365-day validity shown here are what this deployment example used; for a new deployment, generate an RSA key of at least 2048 bits, since 1024-bit RSA no longer meets current minimums. Example:


    # cd /etc/opt/SUNWam/config
    # which keytool
     /usr/jdk/instances/jdk/1.5.0_06/bin/keytool
    # keytool -genkey -alias LoadBalancer-9 -keyalg RSA -keysize 1024 \
        -dname "cn=LoadBalancer-9.siroe.com,o=siroe.com" -validity 365 \
        -keystore fmkeystore
    Enter keystore password: password
    Enter key password for <LoadBalancer-9>
        (RETURN if same as keystore password): keypassword
    

    Note –

    The keystore password you specify here must be identical to the keystore password you specify when you install a copy of this keystore on Federation Manager 2 (see 6.3). Because the two Federation Manager instances share the same signing key, they are recognized as a single entity.


  4. Verify that the keystore and private key were created properly.

    You should be able to see fmkeystore in the following directory, and verify that the current date is within the certificate's valid date range. At this point the entry is self-signed (Owner and Issuer are the same) and the chain length is 1; both change after the CA reply is imported in step 8. Note that keytool creates the file with mode 0644; because it holds private keys, restrict it to the user the web container runs as.


    # cd /etc/opt/SUNWam/config
    # ls -lrt
    -rw-r--r--   1 root     root     1261 Nov  2 11:03 fmkeystore
    # keytool -list -keystore fmkeystore -alias LoadBalancer-9 -v
    Enter keystore password: password
    Alias name: LoadBalancer-9
    Creation date: Nov 2, 2006
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=LoadBalancer-9.siroe.com, O=siroe.com
    Issuer: CN=LoadBalancer-9.siroe.com, O=siroe.com
    Serial number: 454a40c1
    Valid from: Thu Nov 02 11:02:25 PST 2006 until: Fri Nov 02 12:02:25 PDT 2007
    Certificate fingerprints:
             MD5:  60:11:C7:01:51:D0:7C:BC:16:26:E7:C0:54:98:6D:9D
             SHA1: 37:E7:15:91:45:C0:EF:49:A1:CC:EF:9E:64:6C:E2:1E:52:90:3D:4E
  5. Submit a request to a trusted certificate authority (CA) for an XML signing certificate.

    1. Create the request.


      # cd /etc/opt/SUNWam/config
      # keytool -certreq -alias LoadBalancer-9 -file fm.certreq -keystore fmkeystore
      Enter keystore password: password
      Enter key password for <LoadBalancer-9>: keypassword
      
    2. Verify that the request text was successfully generated.


      # cat fm.certreq
      -----BEGIN NEW CERTIFICATE REQUEST-----
      mllBdjCB4AlBADA3MR1wEAYDVQQKEwlzaXjvZs5jb20xlTAfBgNVBAMTGGxvYWRiYWkhbmNlci05
      LnNpcm9IlmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgykCgYEAozsGuaqGlL1Z5j6n+aXYACUh
      KFpb8f451GG5Eg6Vy862hlstl1b8KaAYARHk0lGjzwb26AiLXlWpDyOmf2hXR91po7oo/Vw/K9Qv
      qv/+7FDtCBp9DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jlGMba/2eSjeRfsCAwEA
      AaAAMA0GCSqGSlb3DQEBBAUAA4GBAJ3u+f5mC7AVXErSDucNHZn4Li42ULQBEZmTk3K73U9Ar4wx
      ex2Ee6lAsPDyb3g4jUmduBSkrSbKyxZhPutVZQTlfHkiLbd6vHWl1K97DedLoWlt9nZAo3xZyBym
      6UCH0HYVly/TAL8fhsielElg8lsidlejis(hfkeowhkdlgile27uak9pwnbmqkdigleIDUekdo30
      -----END NEW CERTIFICATE REQUEST-----
  6. Follow the instructions provided by your Certificate Authority (CA) for submitting the fm.certreq file and sending the text to the CA.

    The CA will process your request, and send you a certificate. When you open the certificate file with an editor, the certificate text will look similar to this:


    -----BEGIN CERTIFICATE-----
    MIIFJQYJKoZIhvcNAQcCoIIFFjCCBRICAQExADAPBgkqhkiG9w0BBwGgAgQAoIIE
    9jCCAmAwggIKoAMCAQICAgaKMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAc
    BgNVBAoTFVN1biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkg
    U2VydmljZXMxHDAaBgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDYxMTAy
    MTkxMTM0WhcNMTAwNzI5MTkxMTM0WjA3MRIwEAYDVQQKEwlzaXJvZS5jb20xITAf
    BgNVBAMTGGxvYWRiYWxhbmNlci05LnNpcm9lLmNvbTCBnzANBgkqhkiG9w0BAQEF
    AAOBjQAwgYkCgYEAozsGuaqGlLlZ5J6n+aXYACUhKFpb8f451GG5Eg6Vy862hIst
    lIb8KaAYARHk0lGjzwb26AiLXIWpDyOmf2hXR91po7oo/Vw/K9Qvqv/+7FDtCBp9
    DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jIGMba/2eSJeRfsCAwEA
    AaNgMF4wEQYJYIZIAYb4QgEBBAQDAgZAMA4GA1UdDwEB/wQEAwIE8DAfBgNVHSME
    GDAWgBQ7oCE35Uwn7FsjS01w5e3DA1CrrjAYBgNVHREEETAPgQ1tYWxsYUBzdW4u
    Y29tMA0GCSqGSIb3DQEBBAUAA0EAf+gzgerEagmbtjnpzPXkEdILm3vOXp008VOG
    u8dZ2hcc2FytYkNbzAESjIw29fUBCSBCSmZQyuLku8jJX9ZxUjCCAo4wggI4oAMC
    AQICAgMgMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
    Q2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1biBN
    aWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAa
    BgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDQwODE2MDcwMDAwWhcNMzIw
    ODE2MDcwMDAwWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
    FDASBgNVBAcTC1NhbnRhIENsYXJhMR4wHAYDVQQKExVTdW4gTWljcm9zeXN0ZW1z
    IEluYy4xGjAYBgNVBAsTEUlkZW50aXR5IFNlcnZpY2VzMRwwGgYDVQQDExNDZXJ0
    aWZpY2F0ZSBNYW5hZ2VyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKz8xQGAbn86
    19ouxvx4QYtUbRI2AxwsteVlsrSumcG311DHshmnR8HqGZ4jgVN1SnR4YyAwo6jD
    Dduf6xDOaM8CAwEAAaN2MHQwEQYJYIZIAYb4QgEBBAQDAgAHMA8GA1UdEwEB/wQF
    MAMBAf8wHQYDVR0OBBYEFDugITflTCfsWyNLTXDl7cMDUKuuMB8GA1UdIwQYMBaA
    FDugITflTCfsWyNLTXDl7cMDUKuuMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
    AQUFAANBAFR1D8PyX2k2E1PKx40ful6+hqjW2k+HmbTV7OcCGJY8JR7y4y/wCE28
    a4p6nxYjgdiQDlvoC8aOI+i1elvf9jMxAA==
    -----END CERTIFICATE-----

    In this deployment example, the certificate text was saved in a text file named fm.certificate.

  7. Import the root CA certificate.

    1. Obtain the CA's root certificate from the Certificate Authority, and verify its fingerprint against the value the CA publishes before you trust it.

    2. After you receive the root CA certificate, copy the certificate to the following directory:


      /etc/opt/SUNWam/config
    3. Import the root CA certificate. Answer yes only if the fingerprints keytool prints match the CA's published values:


      # keytool -import -alias OpenSSL_CA_Cert -keystore fmkeystore -file ca.cert
      Enter keystore password: password
      ...
      Trust this certificate? [no]: yes
      Certificate was added to keystore.
  8. After you receive the certificate from the trusted CA, import it into fmkeystore under the same alias as the private key (LoadBalancer-9), so that the CA-issued certificate replaces the self-signed one.

    The alias name that you specify here will be used later in the deployment when you configure the Federation protocols.

    When the reply is a certificate chain, keytool compares the top-level certificate in the reply with the trusted certificates in the keystore (and, with the -trustcacerts option, with the JDK cacerts file) and installs the reply without prompting if it finds a match. The prompt shown below appears because no match was found. Before answering yes, compare the fingerprints keytool prints against the CA's published values; answering yes to an unverified fingerprint installs whatever chain the reply carries.


    # keytool -import -alias LoadBalancer-9 -keystore fmkeystore \
        -file fm.certificate
    Enter keystore password: password
    Enter key password for <LoadBalancer-9>: keypassword

    Top-level certificate in reply:

    Owner: CN=Certificate Manager, OU=Identity Services,
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Issuer: CN=Certificate Manager, OU=Identity Services,
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Serial number: 320
    Valid from: Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
    Certificate fingerprints:
             MD5:  CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
             SHA1: 9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A

    ...is not trusted.  Install reply anyway? [no]: yes
    
  9. Verify that the certificate is properly installed.

    When you run this command, note that the Entry type must be keyEntry, as in this example. A keyEntry contains both the private key and the public certificate chain, and you need both. A trustedCertEntry contains only a certificate (public key) and no private key, so it cannot be used for signing.


    # keytool -list -keystore fmkeystore -alias LoadBalancer-9 -rfc
    Enter keystore password: password
    Alias name: LoadBalancer-9
    Creation date: Nov 2, 2006
    Entry type: keyEntry
    Certificate chain length: 2

    Certificate text similar to the following is displayed:


    Certificate[1]:
    -----BEGIN CERTIFICATE-----
    MIICYDCCAgqgAwIBAgICBoowDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNjExMDIxOTExMzRaFw0xMDA3MjkxOTExMzRaMDcxEjAQBgNVBAoTCXNp
    cm9lLmNvbTEhMB8GA1UEAxMYbG9hZGJhbGFuY2VyLTkuc2lyb2UuY29tMIGfMA0GCSqGSIb3DQEB
    AQUAA4GNADCBiQKBgQCjOwa5qoaUuVnknqf5pdgAJSEoWlvx/jnUYbkSDpXLzraEiy2UhvwpoBgB
    EeTSUaPPBvboCItchakPI6Z/aFdH3Wmjuij9XD8r1C+q//7sUO0IGn0ORycddHhoo0aSdnnxGf9V
    tREaqKm9dJ7Yn7kQHjo2eryMgYxtr/Z5Il5F+wIDAQABo2AwXjARBglghkgBhvhCAQEEBAMCBkAw
    DgYDVR0PAQH/BAQDAgTwMB8GA1UdIwQYMBaAFDugITflTCfsWyNLTXDl7cMDUKuuMBgGA1UdEQQR
    MA+BDW1hbGxhQHN1bi5jb20wDQYJKoZIhvcNAQEEBQADQQB/6DOB6sRqCZu2OenM9eQR0gube85e
    nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
    -----END CERTIFICATE-----
    Certificate[2]:
    -----BEGIN CERTIFICATE-----
    MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
    biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
    E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
    /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
    o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
    J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
    BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
    HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
    -----END CERTIFICATE-----

    Certificate[1] is the end-entity certificate: it carries the LoadBalancer-9 public key and is the certificate presented to remote parties in a federated environment. Certificate[2] is the certificate of the CA that issued it.
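The following script is an added example and is not part of the Federation Manager documentation. It runs the steps of this procedure with keytool and then checks the result the way steps 4 and 9 do by hand: the entry must be a keyEntry, the chain must have length 2, and the CA certificate at the top of the chain must carry the fingerprint the CA published. Assumptions not on this page: a keytool from JDK 6 or later (for the -storepass:env and -keypass:env modifiers, which keep the passwords out of process listings), the CA root saved as ca.cert and the CA reply as fm.certificate in the current directory, the root's SHA1 fingerprint in the CA_SHA1 variable, and the passwords in the FM_STOREPASS and FM_KEYPASS environment variables. It generates a 2048-bit key instead of the 1024-bit key the page shows, and the sample listing it parses is constructed from the page's output. The same fingerprint comparison applies when the root is imported into the JDK cacerts file in 6.5.

```shell
#!/bin/sh
# Added example (not from the Federation Manager documentation): the 6.1
# signing-key procedure as a script, plus the checks steps 4 and 9 do by hand.
# Assumed, not from the page: JDK 6+ keytool (':env' password modifiers),
# ca.cert and fm.certificate in the current directory, CA_SHA1 set to the
# root certificate's published SHA1 fingerprint, FM_STOREPASS/FM_KEYPASS set.

KEYSTORE=${KEYSTORE:-/etc/opt/SUNWam/config/fmkeystore}
ALIAS=${ALIAS:-LoadBalancer-9}
CA_ALIAS=${CA_ALIAS:-OpenSSL_CA_Cert}

# Print the last SHA1 fingerprint in `keytool -list -v` or `keytool -printcert`
# output. In a -list -v listing the last one belongs to the top of the chain,
# i.e. the CA certificate.
fingerprint_from_listing() {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | tail -n 1
}

# Check a saved `keytool -list -v` listing ($1) for alias $2: the entry must be
# a keyEntry (private key present), the chain must include the CA reply
# (length >= 2) and the CA fingerprint must equal $3. Prints the first problem.
verify_key_entry() {
    listing=$1; alias=$2; expected=$3
    grep -q "^Alias name: $alias\$" "$listing" || { echo "alias $alias not in listing"; return 1; }
    grep -q '^Entry type: keyEntry' "$listing" || { echo "$alias is not a keyEntry"; return 1; }
    len=$(sed -n 's/^Certificate chain length: //p' "$listing" | head -n 1)
    [ "${len:-0}" -ge 2 ] || { echo "chain length ${len:-0}: CA reply not imported"; return 1; }
    actual=$(fingerprint_from_listing < "$listing")
    [ "$actual" = "$expected" ] || { echo "CA fingerprint $actual does not match $expected"; return 1; }
}

# Steps 3 and 5. 2048-bit RSA replaces the page's 1024-bit key. keytool creates
# the keystore mode 0644 (see the page's ls output); it holds private keys.
generate_signing_key() {
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -dname "cn=LoadBalancer-9.siroe.com,o=siroe.com" -validity 365 \
        -keystore "$KEYSTORE" -storepass:env FM_STOREPASS -keypass:env FM_KEYPASS
    chmod 600 "$KEYSTORE"
    keytool -certreq -alias "$ALIAS" -file fm.certreq \
        -keystore "$KEYSTORE" -storepass:env FM_STOREPASS -keypass:env FM_KEYPASS
}

# Steps 7 and 8. The root is compared with the published fingerprint before it
# is trusted and is imported before the reply, so keytool validates the chain
# itself and the "...is not trusted. Install reply anyway?" prompt never appears.
install_ca_reply() {
    actual=$(keytool -printcert -file ca.cert | fingerprint_from_listing)
    [ -n "$CA_SHA1" ] && [ "$actual" = "$CA_SHA1" ] || { echo "refusing to trust ca.cert (SHA1 $actual)"; return 1; }
    keytool -import -noprompt -alias "$CA_ALIAS" -file ca.cert \
        -keystore "$KEYSTORE" -storepass:env FM_STOREPASS
    keytool -import -alias "$ALIAS" -file fm.certificate \
        -keystore "$KEYSTORE" -storepass:env FM_STOREPASS -keypass:env FM_KEYPASS
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass:env FM_STOREPASS > fm.listing
    verify_key_entry fm.listing "$ALIAS" "$CA_SHA1"
}

# Constructed sample of a -list -v listing after step 8 (subjects, serials and
# CA fingerprints taken from the page; leaf fingerprints are illustrative).
sample_signing_listing() {
    cat <<'EOF'
Alias name: LoadBalancer-9
Creation date: Nov 2, 2006
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=loadbalancer-9.siroe.com, O=siroe.com
Issuer: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
Serial number: 68a
Valid from: Thu Nov 02 11:11:34 PST 2006 until: Thu Jul 29 12:11:34 PDT 2010
Certificate fingerprints:
         MD5:  60:11:C7:01:51:D0:7C:BC:16:26:E7:C0:54:98:6D:9D
         SHA1: 37:E7:15:91:45:C0:EF:49:A1:CC:EF:9E:64:6C:E2:1E:52:90:3D:4E
Certificate[2]:
Owner: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
Issuer: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
Serial number: 320
Valid from: Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
Certificate fingerprints:
         MD5:  CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
         SHA1: 9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A
EOF
}
```

Run generate_signing_key, submit fm.certreq to the CA, then run install_ca_reply once ca.cert and fm.certificate are in place. verify_key_entry also works on the listing Federation Manager 2 produces after the keystore is copied in 6.3: a chain length of 1 there means the copy was taken before step 8.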

Procedure: To Obtain an Encryption Certificate from a Trusted Certificate Authority

The Liberty and SAMLv2 specifications require the XML protocol messages to be signed. You can obtain one certificate and use it for both signing and encryption, or you can obtain one certificate for signing and a second certificate for encryption. In this deployment, for illustration purposes, one certificate (alias LoadBalancer-9) is used for signing and a second certificate (alias LoadBalancer-9-enc) is used for encryption. Both key entries live in the same fmkeystore file.

  1. As a root user, log in to the Federation Manager 1 host.

  2. Go to the following directory:

    /etc/opt/SUNWam/config

  3. Create a keystore with a private key.


    # keytool -genkey -alias LoadBalancer-9-enc -keyalg RSA -keysize 1024 \
        -dname "cn=LoadBalancer-9.siroe.com,o=siroe.com" -validity 365 \
        -keystore fmkeystore
    Enter keystore password: password
    Enter key password for <LoadBalancer-9-enc>
        (RETURN if same as keystore password): keypassword
    

    Note –

    The key password you specify here must be identical to the key password you specified for the signing key (LoadBalancer-9) in the previous procedure. AMConfig.properties references a single .keypass file, and Federation Manager uses that one key password for every key entry in the keystore.


  4. Verify that the keystore and private key were created properly.

    You should be able to see fmkeystore in the following directory, and verify that the current date is within the certificate's valid date range. Immediately after keytool -genkey, the new entry is self-signed (Owner and Issuer are the same) with a chain length of 1. The listing below was captured after the CA reply was imported in step 7, which is why it shows a chain length of 2 and the CA as Issuer.


    # cd /etc/opt/SUNWam/config
    # ls -lrt
    -rw-r--r--   1 root     root     1261 Nov  2 11:03 fmkeystore
    # keytool -list -keystore fmkeystore -alias LoadBalancer-9-enc -v
    Enter keystore password: password
    Alias name: LoadBalancer-9-enc
    Creation date: Nov 7, 2006
    Entry type: keyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: CN=loadbalancer-9.siroe.com
    Issuer: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Serial number: 68f
    Valid from: Tue Nov 07 15:56:17 PST 2006 until: Tue Aug 03 16:56:17 PDT 2010
    Certificate fingerprints:
             MD5:  69:9C:CF:F6:0D:7E:F4:A7:A8:C3:DC:CD:2F:EC:1A:F4
             SHA1: 29:2F:71:98:6B:AD:4C:27:F2:53:08:94:E0:4B:AF:62:96:1F:B0:F0
    Certificate[2]:
    Owner: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Issuer: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Serial number: 320
    Valid from: Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
    Certificate fingerprints:
             MD5:  CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
             SHA1: 9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A
  5. Submit a request for an encryption certificate.

    1. Create the request.


      # cd /etc/opt/SUNWam/config
      # keytool -certreq -alias LoadBalancer-9-enc 
      -file cert-enc.csr -keystore fmkeystore
      Enter keystore password: password
      Enter key password for <LoadBalancer-9-enc>: keypassword
      
    2. Verify that the request text was successfully generated.


      # cat cert-enc.csr
      -----BEGIN NEW CERTIFICATE REQUEST-----
      mllBdjCB4AlBADA3MR1wEAYDVQQKEwlzaXjvZs5jb20xlTAfBgNVBAMTGGxvYWRiYWkhbmNlci05
      LnNpcm9IlmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgykCgYEAozsGuaqGlL1Z5j6n+aXYACUh
      KFpb8f451GG5Eg6Vy862hlstl1b8KaAYARHk0lGjzwb26AiLXlWpDyOmf2hXR91po7oo/Vw/K9Qv
      qv/+7FDtCBp9DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jlGMba/2eSjeRfsCAwEA
      AaAAMA0GCSqGSlb3DQEBBAUAA4GBAJ3u+f5mC7AVXErSDucNHZn4Li42ULQBEZmTk3K73U9Ar4wx
      ex2Ee6lAsPDyb3g4jUmduBSkrSbKyxZhPutVZQTlfHkiLbd6vHWl1K97DedLoWlt9nZAo3xZyBym
      6UCH0HYVly/TAL8fhsielElg8lsidlejis(hfkeowhkdlgile27uak9pwnbmqkdigleIDUekdo30
      -----END NEW CERTIFICATE REQUEST-----
  6. Follow the instructions provided by your Certificate Authority (CA) for submitting the cert-enc.csr file and sending the text to the CA.

    The CA will process your request, and send you a certificate. When you open the certificate file with an editor, the certificate text will look similar to this:


    -----BEGIN CERTIFICATE-----
    MIIFJQYJKoZIhvcNAQcCoIIFFjCCBRICAQExADAPBgkqhkiG9w0BBwGgAgQAoIIE
    9jCCAmAwggIKoAMCAQICAgaKMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAc
    BgNVBAoTFVN1biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkg
    U2VydmljZXMxHDAaBgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDYxMTAy
    MTkxMTM0WhcNMTAwNzI5MTkxMTM0WjA3MRIwEAYDVQQKEwlzaXJvZS5jb20xITAf
    BgNVBAMTGGxvYWRiYWxhbmNlci05LnNpcm9lLmNvbTCBnzANBgkqhkiG9w0BAQEF
    AAOBjQAwgYkCgYEAozsGuaqGlLlZ5J6n+aXYACUhKFpb8f451GG5Eg6Vy862hIst
    lIb8KaAYARHk0lGjzwb26AiLXIWpDyOmf2hXR91po7oo/Vw/K9Qvqv/+7FDtCBp9
    DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jIGMba/2eSJeRfsCAwEA
    AaNgMF4wEQYJYIZIAYb4QgEBBAQDAgZAMA4GA1UdDwEB/wQEAwIE8DAfBgNVHSME
    GDAWgBQ7oCE35Uwn7FsjS01w5e3DA1CrrjAYBgNVHREEETAPgQ1tYWxsYUBzdW4u
    Y29tMA0GCSqGSIb3DQEBBAUAA0EAf+gzgerEagmbtjnpzPXkEdILm3vOXp008VOG
    u8dZ2hcc2FytYkNbzAESjIw29fUBCSBCSmZQyuLku8jJX9ZxUjCCAo4wggI4oAMC
    AQICAgMgMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
    Q2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1biBN
    aWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAa
    BgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDQwODE2MDcwMDAwWhcNMzIw
    ODE2MDcwMDAwWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
    FDASBgNVBAcTC1NhbnRhIENsYXJhMR4wHAYDVQQKExVTdW4gTWljcm9zeXN0ZW1z
    IEluYy4xGjAYBgNVBAsTEUlkZW50aXR5IFNlcnZpY2VzMRwwGgYDVQQDExNDZXJ0
    aWZpY2F0ZSBNYW5hZ2VyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKz8xQGAbn86
    19ouxvx4QYtUbRI2AxwsteVlsrSumcG311DHshmnR8HqGZ4jgVN1SnR4YyAwo6jD
    Dduf6xDOaM8CAwEAAaN2MHQwEQYJYIZIAYb4QgEBBAQDAgAHMA8GA1UdEwEB/wQF
    MAMBAf8wHQYDVR0OBBYEFDugITflTCfsWyNLTXDl7cMDUKuuMB8GA1UdIwQYMBaA
    FDugITflTCfsWyNLTXDl7cMDUKuuMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
    AQUFAANBAFR1D8PyX2k2E1PKx40ful6+hqjW2k+HmbTV7OcCGJY8JR7y4y/wCE28
    a4p6nxYjgdiQDlvoC8aOI+i1elvf9jMxAA==
    -----END CERTIFICATE-----

    In this deployment example, the certificate text was saved in a text file named fm-enc.

  7. Import the certificate into fmkeystore under the LoadBalancer-9-enc alias, the same alias as the encryption private key. As in the signing procedure, compare the fingerprints keytool prints against the CA's published values before answering yes.


    # keytool -import -alias LoadBalancer-9-enc -keystore fmkeystore \
        -file fm-enc
    Enter keystore password: password
    Enter key password for <LoadBalancer-9-enc>: keypassword

    Top-level certificate in reply:

    Owner: CN=Certificate Manager, OU=Identity Services,
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Issuer: CN=Certificate Manager, OU=Identity Services,
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Serial number: 320
    Valid from: Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
    Certificate fingerprints:
             MD5:  CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
             SHA1: 9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A

    ...is not trusted.  Install reply anyway? [no]: yes
    
  8. Verify that the certificate is properly installed.

    When you run this command, note that the Entry type must be keyEntry, as in this example. A keyEntry contains both the private key and the public certificate chain, and you need both. A trustedCertEntry contains only a certificate (public key) and no private key, so it cannot be used for decryption.


    # keytool -list -keystore fmkeystore -alias LoadBalancer-9-enc -rfc
    Enter keystore password: password
    Alias name: LoadBalancer-9-enc
    Creation date: Nov 2, 2006
    Entry type: keyEntry
    Certificate chain length: 2

    Certificate text similar to the following is displayed:


    Certificate[1]:
    -----BEGIN CERTIFICATE-----
    MIICYDCCAgqgAwIBAgICBoowDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNjExMDIxOTExMzRaFw0xMDA3MjkxOTExMzRaMDcxEjAQBgNVBAoTCXNp
    cm9lLmNvbTEhMB8GA1UEAxMYbG9hZGJhbGFuY2VyLTkuc2lyb2UuY29tMIGfMA0GCSqGSIb3DQEB
    AQUAA4GNADCBiQKBgQCjOwa5qoaUuVnknqf5pdgAJSEoWlvx/jnUYbkSDpXLzraEiy2UhvwpoBgB
    EeTSUaPPBvboCItchakPI6Z/aFdH3Wmjuij9XD8r1C+q//7sUO0IGn0ORycddHhoo0aSdnnxGf9V
    tREaqKm9dJ7Yn7kQHjo2eryMgYxtr/Z5Il5F+wIDAQABo2AwXjARBglghkgBhvhCAQEEBAMCBkAw
    DgYDVR0PAQH/BAQDAgTwMB8GA1UdIwQYMBaAFDugITflTCfsWyNLTXDl7cMDUKuuMBgGA1UdEQQR
    MA+BDW1hbGxhQHN1bi5jb20wDQYJKoZIhvcNAQEEBQADQQB/6DOB6sRqCZu2OenM9eQR0gube85e
    nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
    -----END CERTIFICATE-----
    Certificate[2]:
    -----BEGIN CERTIFICATE-----
    MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
    biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
    E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
    /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
    o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
    J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
    BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
    HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
    -----END CERTIFICATE-----

    Certificate[1] is the end-entity certificate: it carries the LoadBalancer-9-enc public key, which remote parties use to encrypt data for this Federation Manager entity. Certificate[2] is the certificate of the CA that issued it.

6.2 Configuring Federation Manager 1 to Recognize the New Keystores and Key Files

The XML signature provider, the XML encryption provider, and the Federation Manager servers use the keystore configuration in the AMConfig.properties file for signing purposes. By default, Federation Manager supports multiple XML signature algorithms. In this deployment example, you explicitly specify the RSA signature algorithm by setting the appropriate property in the AMConfig.properties file.


Note –

Be sure that you are using the recommended version of the keytool utility. Example:


# which keytool
/usr/jdk/instances/jdk/1.5.0_06/bin/keytool

Use the following as your checklist for configuring Federation Manager 1:

  1. Create the Federation Manager 1 keystore passwords.

  2. Modify the AMConfig.properties file.

Procedure: To Create the Federation Manager 1 Keystore Passwords

  1. Create a .storepass file.

    The ampassword -e option encrypts the password you supply, so the file does not hold the keystore password in clear text. Passing the password on the command line exposes it briefly in process listings on a shared host.


    # /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging -e \
        password >/etc/opt/SUNWam/config/.storepass
  2. Create a .keypass file.


    # /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging -e \
        keypassword >/etc/opt/SUNWam/config/.keypass

    Both files must be readable by the user the web container runs as, and should not be readable by any other user (mode 0600).

Procedure: To Modify the AMConfig.properties File

  1. Go to the following directory:


    /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/

    Make a backup of the AMConfig.properties file before you make changes.

  2. In AMConfig.properties, set the following properties as in this example:


    com.sun.identity.saml.xmlsig.keystore=/etc/opt/SUNWam/config/fmkeystore
    com.sun.identity.saml.xmlsig.storepass=/etc/opt/SUNWam/config/.storepass
    com.sun.identity.saml.xmlsig.keypass=/etc/opt/SUNWam/config/.keypass
    com.sun.identity.saml.xmlsig.certalias=LoadBalancer-9
    ...
    com.sun.identity.jss.donotInstallAtHighestPriorty=true
  3. Uncomment the following property, and set the value as in this example. The value must stay on one line; a properties file reads a wrapped URL as an empty value followed by a stray line.


    com.sun.identity.saml.xmlsig.xmlSigAlgorithm=http://www.w3.org/2000/09/xmldsig#rsa-sha1

    rsa-sha1 is the algorithm this deployment example uses. SHA-1 signatures are deprecated in current guidance, so prefer an RSA-with-SHA-256 algorithm if your Federation Manager release and your federation partners support it.

    Save the file.

  4. Regenerate and redeploy the Federation Manager 1 WAR file.

    See To Regenerate and Redeploy the Federation Manager 1 WAR File in this manual.
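The following check is an added example and is not part of the Federation Manager documentation. It reads the five xmlsig properties from an AMConfig.properties file and reports the mistakes this procedure is most exposed to: a keystore or password file that is missing or readable by other users, an empty certalias, and an xmlSigAlgorithm line that is still commented out or whose URL was wrapped onto the next line (a properties file reads that as an empty value). Assumptions not on this page: the web container user is the only account that needs the keystore and password files, so they are expected to be mode 0600, and rsa-sha256 is accepted as an alternative only where the Federation Manager release and the federation partners support it. The same check applies to Federation Manager 2 in 6.4. Run it before regenerating the WAR file.

```shell
#!/bin/sh
# Added example (not from the Federation Manager documentation): sanity-check
# the xmlsig settings in AMConfig.properties before the WAR is regenerated.
# Assumed, not from the page: keystore and password files should be mode 0600,
# owned by the web container user.

# Value of key $2 in properties file $1 (first match). Empty if the key is
# absent, commented out, or its value spilled onto the next line.
prop_value() {
    grep "^$2=" "$1" | head -n 1 | sed 's/^[^=]*=//'
}

# True when $1 is a regular file and group/other have no permission bits.
file_is_private() {
    [ -f "$1" ] && [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Returns 0 when every xmlsig setting in $1 is usable; prints each problem.
check_xmlsig_config() {
    props=$1; rc=0
    ks=$(prop_value "$props" com.sun.identity.saml.xmlsig.keystore)
    sp=$(prop_value "$props" com.sun.identity.saml.xmlsig.storepass)
    kp=$(prop_value "$props" com.sun.identity.saml.xmlsig.keypass)
    alias=$(prop_value "$props" com.sun.identity.saml.xmlsig.certalias)
    alg=$(prop_value "$props" com.sun.identity.saml.xmlsig.xmlSigAlgorithm)

    [ -n "$ks" ] && [ -r "$ks" ] || { echo "keystore '$ks' missing or unreadable"; rc=1; }
    # The keystore holds private keys; keytool creates it 0644 (see 6.1 step 4).
    for f in "$ks" "$sp" "$kp"; do
        file_is_private "$f" || { echo "'$f' missing or readable by group/other"; rc=1; }
    done
    [ -n "$alias" ] || { echo "certalias is empty"; rc=1; }
    case "$alg" in
        http://www.w3.org/2000/09/xmldsig#rsa-sha1) ;;          # what this deployment uses
        http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) ;;   # preferred where supported
        "") echo "xmlSigAlgorithm is commented out, empty, or its URL is on the next line"; rc=1 ;;
        *)  echo "unexpected xmlSigAlgorithm '$alg'"; rc=1 ;;
    esac
    return $rc
}
```

Usage: check_xmlsig_config /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/AMConfig.properties, run as the web container user so the readability checks reflect what the server will see.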

6.3 Configuring the Keystore for Federation Manager 2

The XML signing certificates must be identical on both Federation Manager instances. This ensures that when the SAMLv2 metadata is published, the metadata represents both Federation Manager instances as a single entity. In this procedure you copy the XML signing certificate from Federation Manager 1 and install the certificate on Federation Manager 2.

Procedure: To Install the Federation Manager 1 XML Signing Certificate on Federation Manager 2

  1. As a root user, log in to the Federation Manager 2 host.

  2. Make a directory for creating a keystore. Example:


    # cd /etc/opt/SUNWam
    # mkdir config
  3. Copy the fmkeystore file that was created for Federation Manager 1 into this directory. The file contains the private keys for both the LoadBalancer-9 signing entry and the LoadBalancer-9-enc encryption entry, so copy it over an authenticated, encrypted channel (for example, scp) and give it the same restrictive ownership and mode it has on Federation Manager 1.

  4. Verify that the certificate is properly installed.

    When you run this command, note that the Entry type must be keyEntry, as in this example. A keyEntry contains both the private key and the public certificate chain, and you need both. A trustedCertEntry contains only a certificate (public key) and no private key. The fingerprints and chain length must match what Federation Manager 1 shows; a chain length of 1 means the keystore was copied before the CA reply was imported.


    # keytool -list -keystore fmkeystore -alias LoadBalancer-9 -rfc
    Enter keystore password: password
    Alias name: LoadBalancer-9
    Creation date: Nov 2, 2006
    Entry type: keyEntry
    Certificate chain length: 2

    Certificate text similar to the following is displayed:


    Certificate[1]:
    -----BEGIN CERTIFICATE-----
    MIICYDCCAgqgAwIBAgICBoowDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNjExMDIxOTExMzRaFw0xMDA3MjkxOTExMzRaMDcxEjAQBgNVBAoTCXNp
    cm9lLmNvbTEhMB8GA1UEAxMYbG9hZGJhbGFuY2VyLTkuc2lyb2UuY29tMIGfMA0GCSqGSIb3DQEB
    AQUAA4GNADCBiQKBgQCjOwa5qoaUuVnknqf5pdgAJSEoWlvx/jnUYbkSDpXLzraEiy2UhvwpoBgB
    EeTSUaPPBvboCItchakPI6Z/aFdH3Wmjuij9XD8r1C+q//7sUO0IGn0ORycddHhoo0aSdnnxGf9V
    tREaqKm9dJ7Yn7kQHjo2eryMgYxtr/Z5Il5F+wIDAQABo2AwXjARBglghkgBhvhCAQEEBAMCBkAw
    DgYDVR0PAQH/BAQDAgTwMB8GA1UdIwQYMBaAFDugITflTCfsWyNLTXDl7cMDUKuuMBgGA1UdEQQR
    MA+BDW1hbGxhQHN1bi5jb20wDQYJKoZIhvcNAQEEBQADQQB/6DOB6sRqCZu2OenM9eQR0gube85e
    nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
    -----END CERTIFICATE-----
    Certificate[2]:
    -----BEGIN CERTIFICATE-----
    MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
    biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
    E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
    /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
    o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
    J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
    BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
    HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
    -----END CERTIFICATE-----

    Certificate[1] is the end-entity certificate: it carries the LoadBalancer-9 public key and is the certificate presented to remote parties in a federated environment. Certificate[2] is the certificate of the CA that issued it.

6.4 Configuring Federation Manager 2 to Recognize the New Keystores and Key Files

The XML signature provider, the XML encryption provider, and the Federation Manager servers use the keystore configuration in the AMConfig.properties file for signing purposes. By default, Federation Manager supports multiple XML signature algorithms. In this deployment example, you explicitly specify the RSA signature algorithm by setting the appropriate property in the AMConfig.properties file.

Use the following as your checklist for configuring Federation Manager 2 to recognize the new keystores and key files:

  1. Create the Federation Manager 2 keystore passwords.

  2. Modify the AMConfig.properties file.

Procedure: To Create the Federation Manager 2 Keystore Passwords

  1. Create a .storepass file.

    The ampassword -e option encrypts the password you supply, so the file does not hold the keystore password in clear text. Use the same keystore password as on Federation Manager 1, since the keystore file is the same.


    # /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging -e \
        password >/etc/opt/SUNWam/config/.storepass
  2. Create a .keypass file.


    # /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging -e \
        keypassword >/etc/opt/SUNWam/config/.keypass

    Both files must be readable by the user the web container runs as, and should not be readable by any other user (mode 0600).

Procedure: To Modify the AMConfig.properties File

  1. Go to the following directory:


    /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/

    Make a backup of the AMConfig.properties file before you make changes.

  2. In AMConfig.properties, set the following properties as in this example:


    com.sun.identity.saml.xmlsig.keystore=/etc/opt/SUNWam/config/fmkeystore
    com.sun.identity.saml.xmlsig.storepass=/etc/opt/SUNWam/config/.storepass
    com.sun.identity.saml.xmlsig.keypass=/etc/opt/SUNWam/config/.keypass
    com.sun.identity.saml.xmlsig.certalias=LoadBalancer-9
    ...
    com.sun.identity.jss.donotInstallAtHighestPriorty=true
  3. Uncomment the following property, and set the value as in this example. The value must stay on one line; a properties file reads a wrapped URL as an empty value followed by a stray line.


    com.sun.identity.saml.xmlsig.xmlSigAlgorithm=http://www.w3.org/2000/09/xmldsig#rsa-sha1

    Save the file.

  4. Regenerate and redeploy the Federation Manager 2 WAR file.

    See To Regenerate and Redeploy the Federation Manager 2 WAR File.

6.5 Loading the Access Manager Root CA Certificates into the Federation Manager Servers

In this procedure you import a root CA certificate from Access Manager 1 into the JDK trusted CA certificate store (the cacerts file) used by the Federation Manager servers. This step is not necessary if you are using one of the root CA certificates that come with the JDK by default. The JDK default root CA certificates come from VeriSign, Thawte, and other major certificate issuers. In this deployment example, root CA certificates were obtained from a certificate issuer that the JDK does not recognize by default, so the following procedure is necessary to establish trust between the local SSO provider (Federation Manager) and remote SSO providers (such as Access Manager).

  1. Load the root CA certificate into the Federation Manager 1 web container.

  2. Load the root CA certificate into the Federation Manager 2 web container.

Procedure: To Load the Root CA Certificate into the Federation Manager 1 Web Container

  1. As a root user, log into the Federation Manager 1 host.

  2. Locate the JAVAHOME directory and JDK keystore directory for the Federation Manager 1 web container.


    # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/config
    # view server.xml

    Locate the following JAVA javahome entry. In this deployment example, it looks like this:


    <JAVA javahome="/usr/jdk/entsys-j2se"

    To find the JDK keystore file, append the following to the javahome path:


    /jre/lib/security

    For example, in this deployment example, the JDK keystore is in the following directory:


    /usr/jdk/entsys-j2se/jre/lib/security

    This directory contains the cacerts file, the JDK's store of trusted CA certificates, which the Federation Manager web container uses.

  3. Obtain a copy of the Access Manager 1 root CA certificate.

    You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Access Manager 1 host.

    In this deployment example, the Access Manager 1 root CA certificate has already been copied to the following directory on Federation Manager 1:


    /net/slapd/export/share/cacert
  4. Import the Access Manager root CA certificate into the Federation Manager JDK keystore.

    The alias rootCA is the name under which the root CA certificate is stored; choose any alias that is not already in use. The password changeit is the JDK's default cacerts password; if it was changed on this host, use the current one. Answer yes only if the fingerprints keytool prints match the values the CA published.


    # cd /usr/jdk/entsys-j2se/jre/lib/security
    # keytool -import -keystore cacerts -alias rootCA \
        -file /net/slapd/export/share/cacert
    Enter keystore password: changeit
    Owner: CN=Certificate Manager, OU=Identity Services,
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Issuer: CN=Certificate Manager, OU=Identity Services,
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Serial number: 320
    Valid from: Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
    Certificate fingerprints:
             MD5:  CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
             SHA1: 9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A
    Trust this certificate? [no]: yes
    Certificate was added to keystore.
  5. To verify that the root CA certificate was successfully imported, run the list command against the same cacerts file you imported into in the previous step:


    # cd /usr/jdk/entsys-j2se/jre/lib/security
    # keytool -list -keystore cacerts -alias rootCA -rfc
    Enter keystore password:  changeit
    Alias name: rootCA
    Creation date: Mar 9, 2007
    Entry type: trustedCertEntry
     
    -----BEGIN CERTIFICATE-----
    MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
    biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
    E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
    /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
    o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
    J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
    BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
    HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
    -----END CERTIFICATE-----

ProcedureTo Load the Root CA Certificate into the Federation Manager 2 Web Container

  1. As a root user, log into the Federation Manager 2 host.

  2. Locate the JAVAHOME directory and JDK keystore directory for the Federation Manager 2 web container.


    # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/config
    # view server.xml

    Locate the following JAVA javahome entry. In this deployment example, it looks like this:


    <JAVA javahome="/usr/jdk/entsys-j2se"

    To find the JDK keystore file, append the following to the javahome path:


    /jre/lib/security

    For example, in this deployment example, the JDK keystore is in the following directory:


    /usr/jdk/entsys-j2se/jre/lib/security

    This directory contains the cacerts file, the JDK trust store that holds the CA certificates trusted by the Federation Manager 2 web container. Every Java application that runs on this JDK shares that trust store.

  3. Obtain a copy of the Access Manager 1 root CA certificate.

    You can obtain a copy from the certificate issuer, or you can copy the certificate stored on the Access Manager 1 host. Whichever source you use, also obtain the certificate's fingerprint from the Access Manager 1 administrator through a separate channel, so that you can check it against the fingerprint keytool displays in the next step before trusting the certificate.

    In this deployment example, the Access Manager 1 root CA certificate has already been copied to the following shared location, which is also reachable from Federation Manager 2:


    /net/slapd/export/share/cacert

  4. Import the Access Manager 1 root CA certificate into the Federation Manager 2 JDK keystore.

    The alias rootCA is the name under which the certificate entry is stored in the keystore; it can be any alias that is not already in use. The keystore password changeit is the JDK default for cacerts. Before you answer yes to the Trust this certificate? prompt, confirm that the SHA1 fingerprint keytool displays matches the value you obtained from the Access Manager 1 administrator and the value you saw on Federation Manager 1.


    # cd /usr/jdk/entsys-j2se/jre/lib/security
    # keytool -import -keystore cacerts -alias rootCA  
    -file /net/slapd/export/share/cacert
    Enter keystore password: changeit
    Owner: CN=Certificate Manager, OU=Identity Services,
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Issuer: CN=Certificate Manager, OU=Identity Services,
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Serial number: 320
    Valid from: Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
    Certificate fingerprints:
             MD5:  CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
             SHA1: 9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A
    Trust this certificate? [no]: yes
    Certificate was added to keystore.

    The Owner and Issuer fields are identical because a root CA certificate is self-signed.
  5. To verify that the root CA certificate was successfully imported, run the list command against the same cacerts file you imported into in the previous step:


    # cd /usr/jdk/entsys-j2se/jre/lib/security
    # keytool -list -keystore cacerts -alias rootCA -rfc
    Enter keystore password:  changeit
    Alias name: rootCA
    Creation date: Mar 9, 2007
    Entry type: trustedCertEntry
     
    -----BEGIN CERTIFICATE-----
    MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
    biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
    E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
    /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
    o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
    J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
    BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
    HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
    -----END CERTIFICATE-----
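The two procedures above (Federation Manager 1 and Federation Manager 2) are the same sequence: read javahome from the web container's server.xml, find cacerts under it, import the root CA, and list the entry. The interactive import trusts whatever is at the -file path as soon as you type yes. The following script is an added example, not part of this deployment guide or of Federation Manager; it performs the same steps non-interactively and refuses the import unless the certificate's SHA1 fingerprint equals a value you obtained out of band (for example, the fingerprint shown above, supplied by the Access Manager 1 administrator). It assumes keytool is on the PATH of the host it runs on; the CACERTS_PASS environment variable and the function names are the example's own, and the embedded server.xml is a constructed sample that only exercises the path derivation.

```shell
#!/bin/sh
# Added example, not part of the deployment guide: automate the root CA import
# for either Federation Manager host, refusing to trust the certificate unless
# its SHA1 fingerprint matches one supplied out of band.
# Assumed: keytool is on PATH on the target host; the caller supplies the
# expected fingerprint obtained from the Access Manager 1 administrator.

# Derive the JDK trust-store directory from the web container's server.xml:
# the javahome attribute of the <JAVA> element plus /jre/lib/security.
jdk_security_dir() {
    javahome=$(sed -n 's/.*javahome="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    if [ -z "$javahome" ]; then
        echo "no javahome attribute found in $1" >&2
        return 1
    fi
    printf '%s/jre/lib/security\n' "$javahome"
}

# Normalize a fingerprint so "9a:b5:..." and "9AB5..." compare equal.
norm_fp() {
    printf '%s' "$1" | tr -d ':[:space:]' | tr 'a-f' 'A-F'
}

# True when both fingerprints are non-empty and denote the same digest.
fingerprints_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# SHA1 fingerprint that keytool reports for a certificate file (PEM or DER).
cert_sha1() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p'
}

# Import CERTFILE into SECDIR/cacerts under KS_ALIAS only if its SHA1 equals
# EXPECTED_SHA1, then confirm the entry is present as a trustedCertEntry.
# CACERTS_PASS (example's own variable) defaults to the JDK's "changeit".
import_root_ca() {
    secdir=$1; ks_alias=$2; certfile=$3; expected_sha1=$4
    storepass=${CACERTS_PASS:-changeit}
    actual=$(cert_sha1 "$certfile")   # empty if keytool failed, so refused below
    if ! fingerprints_match "$expected_sha1" "$actual"; then
        echo "refusing to import $certfile: SHA1 '$actual' != expected '$expected_sha1'" >&2
        return 1
    fi
    keytool -import -noprompt -keystore "$secdir/cacerts" -storepass "$storepass" \
        -alias "$ks_alias" -file "$certfile" || return 1
    keytool -list -keystore "$secdir/cacerts" -storepass "$storepass" -alias "$ks_alias" \
        | grep -q trustedCertEntry
}

# Constructed sample server.xml carrying the javahome entry shown in the guide,
# so the path derivation can be exercised without a Web Server installation.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/server.xml" <<'EOF'
<SERVER>
  <JAVA javahome="/usr/jdk/entsys-j2se">
  </JAVA>
</SERVER>
EOF
echo "trust store for sample server.xml: $(jdk_security_dir "$SAMPLE_DIR/server.xml")/cacerts"

# Real run, for example on Federation Manager 1:
#   sh import_root_ca.sh /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/config/server.xml \
#      /net/slapd/export/share/cacert 9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A
if [ $# -eq 3 ]; then
    secdir=$(jdk_security_dir "$1") || exit 1
    import_root_ca "$secdir" rootCA "$2" "$3"
fi
```

Run it once per host with that host's server.xml; deriving the trust store from javahome rather than typing the path guards against verifying a different JDK's cacerts than the one the web container loads. The fingerprint check compares SHA1 rather than MD5, and a missing or empty expected fingerprint is treated as a mismatch, so the script never falls back to trusting whatever the file contains.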