test

Deployment Example 2: Federation Using SAML v2

9.5 Loading the Federation Manager Root CA Certificates into the Access Manager Servers

In this procedure you import a root CA certificate from Federation Manager 1 into the JDK trusted CA certificate for Access Manager 1. This step is not necessary if you are using one of the root CA certificates that come with JDK by default. The JDK default root CA certificates come from Verisign, Thwarte, and other major certificate issuers. In this deployment example, root CA certificates were obtained from certificate issuers that JDK does not recognize by default. So in this deployment example, the following procedure is necessary to establish trust among the local SSO provider (Federation Manager) and remote SSO providers (such as Access Manager).

Use the following as your checklist for loading the Federation Manager root CA certificates onto the Access Manager web containers:

  1. Load the root CA certificate into the Access Manager 1 web container.

  2. Load the root CA certificate into the Access Manager 2 web container.

ProcedureTo Load the Root CA Certificate into the Access Manager 1 Web Container

  1. As a root user, log into the Access Manager 1 host.

  2. Locate the JAVAHOME directory and JDK keystore directory for the Access Manager 1 web container.


    #cd /opt/SUNWwbsvr/https-AccessManager-1.example.com/config
# view server.xml

    Locate the following JAVA javahome entry. In this deployment example, it looks like this:


    <JAVA javahome="/usr/jdk/entsys-j2se"

    To find the JDK keystore file, append the following to the javahome path:


    /jre/lib/security

    For example, in this deployment example, the JDK keystore is in the following directory:


    /usr/jdk/entsys-j2se/jre/lib/security

    This directory contains the Access Manager JDK trusted CA files.

  3. Obtain a copy of the Federation Manager 1 JDK root CA certificate.

    You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Federation Manager 1 host.

    In this deployment example, the Federation Manager 1 root CA certificate has already been copied to the following directory on Access Manager 1:


    /net/slapd/export/share/cacert

  4. Import the Federation Manager root CA certificate into the Access Manager JDK keystore.

    The alias rootCA represents the name of the root CA certificate you want to import. 


    # cd /usr/jdk/entsys-j2se/jre/lib/security
# keytool -import -keystore cacerts -alias rootCA  
-file /net/slapd/export/share/cacert
Enter keystore password: changeit
Owner: CN=Certificate Manager, OU=Identity Services, 
O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
Issuer: CN=Certificate Manager, OU=Identity Services, 
O=Sun Microsystems, Inc., L=Santa Clara, ST=California, C=US
Serial number:320
Valid from Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
Certificate fingerprints:
			MDS:	CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
			SHA1:9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A
Trust this certificate? [no]: yes
Certificate was added to keystore.

  5. To verify that the root CA certificate was successfully imported, run the list command:


    # cd /usr/jdk/instances/jdk1.5.0/jre/lib/security
# keytool -list -keystore cacerts -alias rootCA -rfc
Enter keystore password:  changeit
Alias name: rootCA
Creation date: Mar 9, 2007
Entry type: trustedCertEntry
 
-----BEGIN CERTIFICATE-----
MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
/HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
-----END CERTIFICATE-----

ProcedureTo Load the Root CA Certificate into the Access Manager 2 Web Container

  1. As a root user, log into the Access Manager 2 host.

  2. Locate the JAVAHOME directory and JDK keystore directory for the Access Manager 2 web container.


    #cd /opt/SUNWwbsvr/https-AccessManager-2.example.com/config
# view server.xml

    Locate the following JAVA javahome entry. In this deployment example, it looks like this:


    <JAVA javahome="/usr/jdk/entsys-j2se"

    To find the JDK keystore file, append the following to the javahome path:


    /jre/lib/security

    For example, in this deployment example, the JDK keystore is in the following directory:


    /usr/jdk/entsys-j2se/jre/lib/security

    This directory contains the Access Manager JDK trusted CA files.

  3. Obtain a copy of the Federation Manager 1 root CA certificate.

    You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Federation Manager 1 host.

    In this deployment example, the Federation Manager 1 root CA certificate has already been copied to the following directory on Access Manager 1:


    /net/slapd/export/share/cacert

  4. Import the Federation Manager root CA certificate into the Access Manager JDK keystore.

    The alias rootCA represents the name of the root CA certificate you want to import. 


    # cd /usr/jdk/entsys-j2se/jre/lib/security
# keytool -import -keystore cacerts -alias rootCA  
-file /net/slapd/export/share/cacert
Enter keystore password: changeit
Owner: CN=Certificate Manager, OU=Identity Services, 
O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
Issuer: CN=Certificate Manager, OU=Identity Services, 
O=Sun Microsystems, Inc., L=Santa Clara, ST=California, C=US
Serial number:320
Valid from Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
Certificate fingerprints:
			MDS:	CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
			SHA1:9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A
Trust this certificate? [no]: yes
Certificate was added to keystore.

  5. To verify that the root CA certificate was successfully imported, run the list command:


    # cd /usr/jdk/instances/jdk1.5.0/jre/lib/security
# keytool -list -keystore cacerts -alias rootCA -rfc
Enter keystore password:  changeit
Alias name: rootCA
Creation date: Mar 9, 2007
Entry type: trustedCertEntry
 
-----BEGIN CERTIFICATE-----
MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
/HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
-----END CERTIFICATE-----