To Load the Root CA Certificate into the Federation Manager 2 Web Container (Deployment Example 2: Federation Using SAML v2)

Deployment Example 2: Federation Using SAML v2

Previous: To Load the Root CA Certificate into the Federation Manager 1 Web Container
Next: Chapter 7 Configuring SAMLv2 Metadata for the Federation Manager Servers

To Load the Root CA Certificate into the Federation Manager 2 Web Container

As a root user, log into the Federation Manager 2 host.

Locate the JAVAHOME directory and JDK keystore directory for the Federation Manager 2 web container.
#cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/config # view server.xml
Locate the following JAVA javahome entry. In this deployment example, it looks like this:
<JAVA javahome="/usr/jdk/entsys-j2se"
To find the JDK keystore file, append the following to the javahome path:
/jre/lib/security
For example, in this deployment example, the JDK keystore is in the following directory:
/usr/jdk/entsys-j2se/jre/lib/security
This directory contains the Federation Manager JDK trusted CA files.

Obtain a copy of the Access Manager 1 root CA certificate.

You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Access Manager 1 host.

In this deployment example, the Access Manager 1 root CA certificate has already been copied to the following directory on Federation Manager 1:
/net/slapd/export/share/cacert

Import the Access Manager 1 root CA certificate into the Federation Manager 2 JDK keystore.

The alias rootCA represents the name of the root CA certificate you want to import.

# cd /usr/jdk/entsys-j2se/jre/lib/security
# keytool -import -keystore cacerts -alias rootCA  
-file /net/slapd/export/share/cacert
Enter keystore password: changeit
Owner: CN=Certificate Manager, OU=Identity Services, 
O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
Issuer: CN=Certificate Manager, OU=Identity Services, 
O=Sun Microsystems, Inc., L=Santa Clara, ST=California, C=US
Serial number:320
Valid from Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
Certificate fingerprints:
			MDS:	CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
			SHA1:9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A
Trust this certificate? [no]: yes
Certificate was added to keystore.

To verify that the root CA certificate was successfully imported, run the list command:

# cd /usr/jdk/instances/jdk1.5.0/jre/lib/security
# keytool -list -keystore cacerts -alias rootCA -rfc
Enter keystore password:  changeit
Alias name: rootCA
Creation date: Mar 9, 2007
Entry type: trustedCertEntry
 
-----BEGIN CERTIFICATE-----
MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
/HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
-----END CERTIFICATE-----