Deployment Example 2: Federation Using SAML v2

Procedure: To Obtain an XML Signing Certificate from a Trusted Certificate Authority

  1. As a root user, log in to the Federation Manager 1 host.

  2. Make a directory for creating a keystore. Example:


    # cd /etc/opt/SUNWam/
    # mkdir config
  3. Create a keystore with a private key.

    A keystore is a database for storing XML signing certificates, your private keys, and your public keys. For detailed information about keystores and about using the keytool utility to create and manage keystores, see http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.

    Use the keytool utility that comes with the JDK installed with Federation Manager. Example:


    # cd /etc/opt/SUNWam/config
    # which keytool
     /usr/jdk/instances/jdk/1.5.0_06/bin/keytool
    # keytool -genkey -alias LoadBalancer-9 -keyalg RSA -keysize 1024 \
    -dname "cn=LoadBalancer-9.siroe.com,o=siroe.com" -validity 365 \
    -keystore fmkeystore
    Enter keystore password: password
    Enter key password for <LoadBalancer-9>
        (RETURN if same as keystore password): keypassword
    

    Note –

    The keystore password you specify here must be identical to the keystore password you specify when you install a copy of this certificate onto Federation Manager 2. The two Federation Managers will be recognized as a single entity.


  4. Verify that the keystore and private key were created properly.

    Confirm that fmkeystore exists in the following directory, and that the current date falls within the certificate's validity period.


    # cd /etc/opt/SUNWam/config
    # ls -lrt
    -rw-r--r--   1 root     root     1261 Nov  2 11:03 fmkeystore
    # keytool -list -keystore fmkeystore -alias LoadBalancer-9 -v
    Enter keystore password: password
    Alias name: LoadBalancer-9
    Creation date: Nov 2, 2006
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=LoadBalancer-9.siroe.com, O=siroe.com
    Issuer: CN=LoadBalancer-9.siroe.com, O=siroe.com
    Serial number: 454a40c1
    Valid from: Thu Nov 02 11:02:25 PST 2006 until: Fri Nov 02 12:02:25 PDT 2007
    Certificate fingerprints:
         MD5:  60:11:C7:01:51:D0:7C:BC:16:26:E7:C0:54:98:6D:9D
         SHA1: 37:E7:15:91:45:C0:EF:49:A1:CC:EF:9E:64:6C:E2:1E:52:90:3D:4E
  5. Submit a request to a trusted certificate authority (CA) for an XML signing certificate.

    1. Create the request.


      # cd /etc/opt/SUNWam/config
      # keytool -certreq -alias LoadBalancer-9 -file fm.certreq -keystore fmkeystore
      Enter keystore password: password
      Enter key password for <LoadBalancer-9>: keypassword
      
    2. Verify that the request text was successfully generated.


      # vi fm.certreq
      -----BEGIN NEW CERTIFICATE REQUEST-----
      mllBdjCB4AlBADA3MR1wEAYDVQQKEwlzaXjvZs5jb20xlTAfBgNVBAMTGGxvYWRiYWkhbmNlci05
      LnNpcm9IlmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgykCgYEAozsGuaqGlL1Z5j6n+aXYACUh
      KFpb8f451GG5Eg6Vy862hlstl1b8KaAYARHk0lGjzwb26AiLXlWpDyOmf2hXR91po7oo/Vw/K9Qv
      qv/+7FDtCBp9DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jlGMba/2eSjeRfsCAwEA
      AaAAMA0GCSqGSlb3DQEBBAUAA4GBAJ3u+f5mC7AVXErSDucNHZn4Li42ULQBEZmTk3K73U9Ar4wx
      ex2Ee6lAsPDyb3g4jUmduBSkrSbKyxZhPutVZQTlfHkiLbd6vHWl1K97DedLoWlt9nZAo3xZyBym
      6UCH0HYVly/TAL8fhsielElg8lsidlejis(hfkeowhkdlgile27uak9pwnbmqkdigleIDUekdo30
      -----END NEW CERTIFICATE REQUEST-----
  6. Follow the instructions provided by your CA for submitting the request (the contents of the fm.certreq file) to the CA.

    The CA processes your request and sends you a certificate. When you open the certificate file in an editor, the text looks similar to this:


    -----BEGIN CERTIFICATE-----
    MIIFJQYJKoZIhvcNAQcCoIIFFjCCBRICAQExADAPBgkqhkiG9w0BBwGgAgQAoIIE
    9jCCAmAwggIKoAMCAQICAgaKMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAc
    BgNVBAoTFVN1biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkg
    U2VydmljZXMxHDAaBgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDYxMTAy
    MTkxMTM0WhcNMTAwNzI5MTkxMTM0WjA3MRIwEAYDVQQKEwlzaXJvZS5jb20xITAf
    BgNVBAMTGGxvYWRiYWxhbmNlci05LnNpcm9lLmNvbTCBnzANBgkqhkiG9w0BAQEF
    AAOBjQAwgYkCgYEAozsGuaqGlLlZ5J6n+aXYACUhKFpb8f451GG5Eg6Vy862hIst
    lIb8KaAYARHk0lGjzwb26AiLXIWpDyOmf2hXR91po7oo/Vw/K9Qvqv/+7FDtCBp9
    DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jIGMba/2eSJeRfsCAwEA
    AaNgMF4wEQYJYIZIAYb4QgEBBAQDAgZAMA4GA1UdDwEB/wQEAwIE8DAfBgNVHSME
    GDAWgBQ7oCE35Uwn7FsjS01w5e3DA1CrrjAYBgNVHREEETAPgQ1tYWxsYUBzdW4u
    Y29tMA0GCSqGSIb3DQEBBAUAA0EAf+gzgerEagmbtjnpzPXkEdILm3vOXp008VOG
    u8dZ2hcc2FytYkNbzAESjIw29fUBCSBCSmZQyuLku8jJX9ZxUjCCAo4wggI4oAMC
    AQICAgMgMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
    Q2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1biBN
    aWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAa
    BgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDQwODE2MDcwMDAwWhcNMzIw
    ODE2MDcwMDAwWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
    FDASBgNVBAcTC1NhbnRhIENsYXJhMR4wHAYDVQQKExVTdW4gTWljcm9zeXN0ZW1z
    IEluYy4xGjAYBgNVBAsTEUlkZW50aXR5IFNlcnZpY2VzMRwwGgYDVQQDExNDZXJ0
    aWZpY2F0ZSBNYW5hZ2VyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKz8xQGAbn86
    19ouxvx4QYtUbRI2AxwsteVlsrSumcG311DHshmnR8HqGZ4jgVN1SnR4YyAwo6jD
    Dduf6xDOaM8CAwEAAaN2MHQwEQYJYIZIAYb4QgEBBAQDAgAHMA8GA1UdEwEB/wQF
    MAMBAf8wHQYDVR0OBBYEFDugITflTCfsWyNLTXDl7cMDUKuuMB8GA1UdIwQYMBaA
    FDugITflTCfsWyNLTXDl7cMDUKuuMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
    AQUFAANBAFR1D8PyX2k2E1PKx40ful6+hqjW2k+HmbTV7OcCGJY8JR7y4y/wCE28
    a4p6nxYjgdiQDlvoC8aOI+i1elvf9jMxAA==
    -----END CERTIFICATE-----

    In this deployment example, the certificate text was saved in a text file named fm.certificate.

  7. Import the root CA certificate.

    1. Submit a request to the Certificate Authority for a root CA certificate.

    2. After you receive the root CA certificate, copy the certificate to the following directory:


      /etc/opt/SUNWam/config
    3. Import the root CA certificate:


      # keytool -import -alias OpenSSL_CA_Cert -keystore fmkeystore -file ca.cert
      Enter keystore password: password
      ...
      Trust this certificate? [no]: yes
      Certificate was added to keystore.
  8. After you receive the certificate from the trusted CA, import the certificate into the Load Balancer 9 keystore.

    The alias name that you specify here will be used later in the deployment when you configure the Federation protocols.


    # keytool -import -alias LoadBalancer-9 -keystore fmkeystore \
    -file fm.certificate
    Enter keystore password: password
    Enter key password for <LoadBalancer-9>: keypassword

    Top-level certificate in reply:

    Owner: CN=Certificate Manager, OU=Identity Services,
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Issuer: CN=Certificate Manager, OU=Identity Services,
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Serial number: 320
    Valid from: Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
    Certificate fingerprints:
         MD5:  CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
         SHA1: 9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A

    ...is not trusted. Install reply anyway? [no]: yes
    
  9. Verify that the certificate is properly installed.

    When you run this command, confirm that the Entry type is keyEntry, as in this example. A keyEntry holds both the private key and the public certificate chain, and you need both. A trustedCertEntry holds only a public certificate and no private key, so it cannot be used for signing.


    # keytool -list -keystore fmkeystore -alias LoadBalancer-9 -rfc
    Enter keystore password: password
    Alias name: LoadBalancer-9
    Creation date: Nov 2, 2006
    Entry type: keyEntry
    Certificate chain length: 2

    Certificate text similar to the following is displayed:


    Certificate[1]:
    -----BEGIN CERTIFICATE-----
    MIICYDCCAgqgAwIBAgICBoowDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNjExMDIxOTExMzRaFw0xMDA3MjkxOTExMzRaMDcxEjAQBgNVBAoTCXNp
    cm9lLmNvbTEhMB8GA1UEAxMYbG9hZGJhbGFuY2VyLTkuc2lyb2UuY29tMIGfMA0GCSqGSIb3DQEB
    AQUAA4GNADCBiQKBgQCjOwa5qoaUuVnknqf5pdgAJSEoWlvx/jnUYbkSDpXLzraEiy2UhvwpoBgB
    EeTSUaPPBvboCItchakPI6Z/aFdH3Wmjuij9XD8r1C+q//7sUO0IGn0ORycddHhoo0aSdnnxGf9V
    tREaqKm9dJ7Yn7kQHjo2eryMgYxtr/Z5Il5F+wIDAQABo2AwXjARBglghkgBhvhCAQEEBAMCBkAw
    DgYDVR0PAQH/BAQDAgTwMB8GA1UdIwQYMBaAFDugITflTCfsWyNLTXDl7cMDUKuuMBgGA1UdEQQR
    MA+BDW1hbGxhQHN1bi5jb20wDQYJKoZIhvcNAQEEBQADQQB/6DOB6sRqCZu2OenM9eQR0gube85e
    nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
    -----END CERTIFICATE-----
    Certificate[2]:
    -----BEGIN CERTIFICATE-----
    MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
    biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
    E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
    /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
    o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
    J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
    BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
    HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
    -----END CERTIFICATE-----

    Certificate [1] is the LoadBalancer-9 signing certificate, which carries the public key; this is the certificate presented to remote parties in a federated environment. Certificate [2] is the certificate of the trusted authority (the issuer) that signed Certificate [1].
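The checks a practitioner would script after step 9, and again on Federation Manager 2 once fmkeystore has been copied there as the Note in step 3 requires, as an added shell example that is not part of the Sun guide. The function names, the constructed listings and the placeholder fingerprints are this example's own; the only keytool options it uses (-list, -v, -keystore, -alias, -storepass) are standard ones. The two parsing functions read the text that keytool -list -v prints, so they can be exercised on captured output without a JDK; the wrapper runs the real keytool.

```shell
#!/bin/sh
# Added example, not part of the Sun Federation Manager guide: post-import
# checks on the keystore built in this procedure. Function names, sample
# listings and fingerprints below are constructed for this example.

# check_signing_entry ALIAS   (reads a `keytool -list -v` listing on stdin)
# Exit 0 only when ALIAS is present, holds a private key (entry type keyEntry
# in JDK 1.5, PrivateKeyEntry in later JDKs) and its chain already includes the
# issuer certificate (length >= 2, i.e. the CA reply has been imported).
check_signing_entry() {
    awk -v want="$1" '
        /Alias name:/               { alias = $3 }
        /Entry type:/               { etype = $3 }
        /Certificate chain length:/ { chain = $4 }
        END {
            if (alias != want) { print "FAIL: alias " want " not found"; exit 1 }
            if (etype != "keyEntry" && etype != "PrivateKeyEntry") {
                print "FAIL: " alias " is " etype ", which holds no private key"; exit 2
            }
            if (chain + 0 < 2) {
                print "FAIL: chain length " chain ": CA reply not imported yet"; exit 3
            }
            print "OK: " alias " is " etype " with chain length " chain
        }'
}

# sha1_fingerprint   (reads a listing on stdin)
# Print the SHA1 fingerprint of the first certificate in the listing. Because
# Federation Manager 1 and 2 must act as a single entity, this value must be
# identical on both hosts after fmkeystore is copied.
sha1_fingerprint() {
    awk '/SHA1:/ { sub(/.*SHA1:[ \t]*/, ""); print; exit }'
}

# verify_signing_entry KEYSTORE ALIAS STOREPASS
# The same check against a real keystore, using the JDK keytool.
verify_signing_entry() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" | check_signing_entry "$2"
}

# Constructed listings shaped like the keytool output shown in steps 4 and 9.
# Fingerprints are placeholders, not values from the guide.
LISTING_AFTER_GENKEY='Alias name: LoadBalancer-9
Creation date: Nov 2, 2006
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=LoadBalancer-9.siroe.com, O=siroe.com
Issuer: CN=LoadBalancer-9.siroe.com, O=siroe.com
Certificate fingerprints:
         SHA1: AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA'

LISTING_AFTER_IMPORT='Alias name: LoadBalancer-9
Creation date: Nov 2, 2006
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=LoadBalancer-9.siroe.com, O=siroe.com
Issuer: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc.
Certificate fingerprints:
         MD5:  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
         SHA1: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
Certificate[2]:
Owner: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc.
Issuer: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc.'

LISTING_CA_ONLY='Alias name: OpenSSL_CA_Cert
Creation date: Nov 2, 2006
Entry type: trustedCertEntry
Certificate[1]:
Owner: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc.
Certificate fingerprints:
         SHA1: FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10:FE:DC:BA:98'

# Demonstration on the constructed listings; only the second one passes.
printf '%s\n' "$LISTING_AFTER_GENKEY" | check_signing_entry LoadBalancer-9 || :
printf '%s\n' "$LISTING_AFTER_IMPORT" | check_signing_entry LoadBalancer-9 || :
printf '%s\n' "$LISTING_CA_ONLY"      | check_signing_entry OpenSSL_CA_Cert || :
printf '%s\n' "$LISTING_AFTER_IMPORT" | sha1_fingerprint
```

On a live host, run verify_signing_entry /etc/opt/SUNWam/config/fmkeystore LoadBalancer-9 password on both Federation Managers and compare the sha1_fingerprint output from each; a mismatch means the two hosts are presenting different signing identities to their federation partners.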