Deployment Example 2: Federation Using SAML v2

6.5 Loading the Access Manager Root CA Certificates into the Federation Manager Servers

In this procedure you import a root CA certificate from Access Manager 1 into the JDK trusted CA certificate for the Federation Manager servers. This step is not necessary if you are using one of the root CA certificates that come with JDK by default. The JDK default root CA certificates come from Verisign, Thwarte, and other major certificate issuers. In this deployment example, root CA certificates were obtained from certificate issuers that JDK does not recognize by default. So in this deployment example, the following procedure is necessary to establish trust among the local SSO provider (Federation Manager) and remote SSO providers (such as Access Manager).

  1. Load the root CA certificate into the Federation Manager 1 web container.

  2. Load the root CA certificate into the Federation Manager 2 web container.

ProcedureTo Load the Root CA Certificate into the Federation Manager 1 Web Container

  1. As a root user, log into the Federation Manager 1 host.

  2. Locate the JAVAHOME directory and JDK keystore directory for the Federation Manager 1 web container.


    #cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/config
    # view server.xml

    Locate the following JAVA javahome entry. In this deployment example, it looks like this:


    <JAVA javahome="/usr/jdk/entsys-j2se"

    To find the JDK keystore file, append the following to the javahome path:


    /jre/lib/security

    For example, in this deployment example, the JDK keystore is in the following directory:


    /usr/jdk/entsys-j2se/jre/lib/security

    This directory contains the Federation Manager trusted CA files.

  3. Obtain a copy of the Access Manager 1 root CA certificate.

    You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Access Manager 1 host.

    In this deployment example, the Access Manager 1 root CA certificate has already been copied to the following directory on Federation Manager 1:


    /net/slapd/export/share/cacert
  4. Import the Access Manager root CA certificate into the Federation Manager JDK keystore.

    The alias rootCA represents the name of the root CA certificate you want to import.


    # cd /usr/jdk/entsys-j2se/jre/lib/security
    # keytool -import -keystore cacerts -alias rootCA  
    -file /net/slapd/export/share/cacert
    Enter keystore password: changeit
    Owner: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Issuer: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems, Inc., L=Santa Clara, ST=California, C=US
    Serial number:320
    Valid from Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
    Certificate fingerprints:
    			MDS:	CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
    			SHA1:9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A
    Trust this certificate? [no]: yes
    Certificate was added to keystore.
  5. To verify that the root CA certificate was successfully imported, run the list command:


    # cd /usr/jdk/instances/jdk1.5.0/jre/lib/security
    # keytool -list -keystore cacerts -alias rootCA -rfc
    Enter keystore password:  changeit
    Alias name: rootCA
    Creation date: Mar 9, 2007
    Entry type: trustedCertEntry
     
    -----BEGIN CERTIFICATE-----
    MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
    biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
    E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
    /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
    o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
    J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
    BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
    HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
    -----END CERTIFICATE-----

ProcedureTo Load the Root CA Certificate into the Federation Manager 2 Web Container

  1. As a root user, log into the Federation Manager 2 host.

  2. Locate the JAVAHOME directory and JDK keystore directory for the Federation Manager 2 web container.


    #cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/config
    # view server.xml

    Locate the following JAVA javahome entry. In this deployment example, it looks like this:


    <JAVA javahome="/usr/jdk/entsys-j2se"

    To find the JDK keystore file, append the following to the javahome path:


    /jre/lib/security

    For example, in this deployment example, the JDK keystore is in the following directory:


    /usr/jdk/entsys-j2se/jre/lib/security

    This directory contains the Federation Manager JDK trusted CA files.

  3. Obtain a copy of the Access Manager 1 root CA certificate.

    You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Access Manager 1 host.

    In this deployment example, the Access Manager 1 root CA certificate has already been copied to the following directory on Federation Manager 1:


    /net/slapd/export/share/cacert
  4. Import the Access Manager 1 root CA certificate into the Federation Manager 2 JDK keystore.

    The alias rootCA represents the name of the root CA certificate you want to import.


    # cd /usr/jdk/entsys-j2se/jre/lib/security
    # keytool -import -keystore cacerts -alias rootCA  
    -file /net/slapd/export/share/cacert
    Enter keystore password: changeit
    Owner: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Issuer: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems, Inc., L=Santa Clara, ST=California, C=US
    Serial number:320
    Valid from Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
    Certificate fingerprints:
    			MDS:	CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
    			SHA1:9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A
    Trust this certificate? [no]: yes
    Certificate was added to keystore.
  5. To verify that the root CA certificate was successfully imported, run the list command:


    # cd /usr/jdk/instances/jdk1.5.0/jre/lib/security
    # keytool -list -keystore cacerts -alias rootCA -rfc
    Enter keystore password:  changeit
    Alias name: rootCA
    Creation date: Mar 9, 2007
    Entry type: trustedCertEntry
     
    -----BEGIN CERTIFICATE-----
    MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
    biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
    E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
    /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
    o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
    J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
    BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
    HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
    -----END CERTIFICATE-----