Deployment Example 2: Federation Using SAML v2

Procedure: To Load the Root CA Certificate into the Access Manager 2 Web Container

  1. As a root user, log into the Access Manager 2 host.

  2. Locate the JAVAHOME directory and JDK keystore directory for the Access Manager 2 web container.

    # cd /opt/SUNWwbsvr/
    # view server.xml

    Locate the following JAVA javahome entry. In this deployment example, it looks like this:

    <JAVA javahome="/usr/jdk/entsys-j2se"

    To find the JDK keystore file, append the following to the javahome path:


    For example, in this deployment example, the JDK keystore is in the following directory:


    This directory contains the Access Manager JDK trusted CA files.

  3. Obtain a copy of the Federation Manager 1 root CA certificate.

    You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Federation Manager 1 host.

    In this deployment example, the Federation Manager 1 root CA certificate has already been copied to the following directory on Access Manager 1:

  4. Import the Federation Manager root CA certificate into the Access Manager JDK keystore.

    The alias rootCA represents the name of the root CA certificate you want to import.

    # cd /usr/jdk/entsys-j2se/jre/lib/security
    # keytool -import -keystore cacerts -alias rootCA \
        -file /net/slapd/export/share/cacert
    Enter keystore password: changeit
    Owner: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Issuer: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems, Inc., L=Santa Clara, ST=California, C=US
    Serial number: 320
    Valid from Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
    Certificate fingerprints:
             MD5:  CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
    Trust this certificate? [no]: yes
    Certificate was added to keystore.
  5. To verify that the root CA certificate was successfully imported, run the list command:

    # cd /usr/jdk/instances/jdk1.5.0/jre/lib/security
    # keytool -list -keystore cacerts -alias rootCA -rfc
    Enter keystore password:  changeit
    Alias name: rootCA
    Creation date: Mar 9, 2007
    Entry type: trustedCertEntry
    -----END CERTIFICATE-----
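The steps above are interactive: you read the `javahome` entry out of server.xml, run keytool, and answer `yes` to "Trust this certificate?" after looking at the fingerprint. The script below is an added example, not part of the Sun guide, that does the same work non-interactively and makes the fingerprint comparison an explicit check: the certificate is imported only if the fingerprint printed by `keytool -printcert` matches the value obtained from the issuer out of band. It assumes POSIX sh on the Access Manager host, `keytool` on the PATH, and the JDK layout `<javahome>/jre/lib/security` shown in step 4; the function names and the `STOREPASS` variable are this example's own, and the usage values at the end are the paths and the MD5 fingerprint from this deployment example.

```shell
#!/bin/sh
# Added example (not from the Sun deployment guide). Assumes POSIX sh,
# keytool on PATH and the JDK 1.5 layout <javahome>/jre/lib/security.

# Derive the JDK keystore directory from the web container's server.xml,
# i.e. the <JAVA javahome="..."> entry located by hand in step 2.
keystore_dir_from_server_xml() {
    javahome=$(sed -n 's/.*javahome="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$javahome" ] || return 1
    printf '%s/jre/lib/security\n' "$javahome"
}

# Print one fingerprint of a certificate file (label MD5 or SHA1, depending
# on the keytool version), upper-cased so it compares cleanly with the
# value the issuer supplied.
cert_fingerprint() {
    keytool -printcert -file "$1" \
      | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" \
      | head -n 1 | tr '[:lower:]' '[:upper:]'
}

# Import the root CA into the keystore only when its fingerprint matches the
# expected one; this replaces answering "yes" to the trust prompt by hand.
# STOREPASS defaults to the guide's "changeit".
import_root_ca() {
    keystore=$1; alias=$2; certfile=$3; expected=$4; algo=${5:-MD5}
    actual=$(cert_fingerprint "$certfile" "$algo")
    expected=$(printf '%s' "$expected" | tr '[:lower:]' '[:upper:]')
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $certfile: got '$actual', expected '$expected'" >&2
        return 1
    fi
    keytool -import -noprompt -keystore "$keystore" \
        -storepass "${STOREPASS:-changeit}" -alias "$alias" -file "$certfile"
}

# Step 5 equivalent: confirm the alias exists as a trusted certificate entry.
verify_root_ca() {
    keytool -list -keystore "$1" -storepass "${STOREPASS:-changeit}" -alias "$2" \
      | grep -q 'trustedCertEntry'
}

# Usage with this deployment example's values (the fingerprint is the one
# keytool printed in step 4; confirm it against the issuer's copy first):
#   dir=$(keystore_dir_from_server_xml /opt/SUNWwbsvr/server.xml)
#   import_root_ca "$dir/cacerts" rootCA /net/slapd/export/share/cacert \
#       CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51 MD5 \
#     && verify_root_ca "$dir/cacerts" rootCA
```

The script exits non-zero on a mismatch before touching `cacerts`, so it is safe to run from a provisioning job; `keystore_dir_from_server_xml` fails rather than guessing when no `javahome` attribute is present.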