The Liberty Identity specification requires all XML files to be signed. You can obtain and use one certificate to use for both signing and encryption. Or as an alternative, you can obtain one certificate to use for signing, and obtain a second certificate to use for encryption. In this deployment, for illustration purposes, one certificate is used for signing, and a second certificate is used for encryption.
As a root user, log in to the Access Manager 1 host.
Go to the following directory:
/etc/opt/SUNWam/config
Create a keystore with a private key.
# keytool -genkey -alias LoadBalancer-3-enc -keyalg RSA -keysize 1024 -dname "cn=LoadBalancer-3.example.com,o=siroe.com" -validity 365 -keystore amkeystore Enter keystore password: passwordam Enter key password for <LoadBalancer-3-enc> (RETURN if same as keystore password): keypasswordam |
The key password you specify here must be identical to the key password you specify for the signing certificate.
Verify that the keystore and private key were created properly.
You should be able to see amkeystore in the following directory, and verify that the current date is within the certificate's valid date range.
# cd /etc/opt/SUNWam/config # ls -lrt -rw-r--r-- 1 root root 1261 Nov 2 11:03 amkeystore # keytool -list -keystore amkeystore -alias LoadBalancer-3-enc -v # Enter keystore password: passwordam Alias name: LoadBalancer-3-enc Creation date: Nov 7, 2006 Entry type: keyEntry Certificate chain length: 2 Certificate[1]: Owner: CN=loadbalancer-3.example.com Issuer: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US Serial number: 68f Valid from: Tue Nov 07 15:56:17 PST 2006 until: Tue Aug 03 16:56:17 PDT 2010 Certificate fingerprints: MD5: 69:9C:CF:F6:0D:7E:F4:A7:A8:C3:DC:CD:2F:EC:1A:F4 SHA1: 29:2F:71:98:6B:AD:4C:27:F2:53:08:94:E0:4B:AF:62:96:1F:B0:F0 Certificate[2]: Owner: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US Issuer: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US Serial number: 320 Valid from: Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032 Certificate fingerprints: MD5: CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51 SHA1: 9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A |
Submit a request for an encryption certificate.
Create the request.
# cd /etc/opt/SUNWam/config # keytool -certreq -alias LoadBalancer-3-enc -file am-enc.csr -keystore amkeystore Enter keystore password: passwordam Enter key password for <LoadBalancer-3-enc>: keypasswordam |
Verify that the request text was successfully generated.
# vi am-enc.csr -----BEGIN NEW CERTIFICATE REQUEST----- mllBdjCB4AlBADA3MR1wEAYDVQQKEwlzaXjvZs5jb20xlTAfBgNVBAMTGGxvYWRiYWkhbmNlci05 LnNpcm9IlmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgykCgYEAozsGuaqGlL1Z5j6n+aXYACUh KFpb8f451GG5Eg6Vy862hlstl1b8KaAYARHk0lGjzwb26AiLXlWpDyOmf2hXR91po7oo/Vw/K9Qv qv/+7FDtCBp9DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jlGMba/2eSjeRfsCAwEA AaAAMA0GCSqGSlb3DQEBBAUAA4GBAJ3u+f5mC7AVXErSDucNHZn4Li42ULQBEZmTk3K73U9Ar4wx ex2Ee6lAsPDyb3g4jUmduBSkrSbKyxZhPutVZQTlfHkiLbd6vHWl1K97DedLoWlt9nZAo3xZyBym 6UCH0HYVly/TAL8fhsielElg8lsidlejis(hfkeowhkdlgile27uak9pwnbmqkdigleIDUekdo30 -----END OF NEW CERTIFICATE REQUEST----- |
Follow the instructions provided by your Certificate Authority (CA) for submitting the cert-enc.csr file and sending the text to the CA.
The CA will process your request, and send you a certificate. When you open the certificate file with an editor, the certificate text will look similar to this:
-----BEGIN CERTIFICATE----- MIIFJQYJKoZIhvcNAQcCoIIFFjCCBRICAQExADAPBgkqhkiG9w0BBwGgAgQAoIIE 9jCCAmAwggIKoAMCAQICAgaKMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJV UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAc BgNVBAoTFVN1biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkg U2VydmljZXMxHDAaBgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDYxMTAy MTkxMTM0WhcNMTAwNzI5MTkxMTM0WjA3MRIwEAYDVQQKEwlzaXJvZS5jb20xITAf BgNVBAMTGGxvYWRiYWxhbmNlci05LnNpcm9lLmNvbTCBnzANBgkqhkiG9w0BAQEF AAOBjQAwgYkCgYEAozsGuaqGlLlZ5J6n+aXYACUhKFpb8f451GG5Eg6Vy862hIst lIb8KaAYARHk0lGjzwb26AiLXIWpDyOmf2hXR91po7oo/Vw/K9Qvqv/+7FDtCBp9 DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jIGMba/2eSJeRfsCAwEA AaNgMF4wEQYJYIZIAYb4QgEBBAQDAgZAMA4GA1UdDwEB/wQEAwIE8DAfBgNVHSME GDAWgBQ7oCE35Uwn7FsjS01w5e3DA1CrrjAYBgNVHREEETAPgQ1tYWxsYUBzdW4u Y29tMA0GCSqGSIb3DQEBBAUAA0EAf+gzgerEagmbtjnpzPXkEdILm3vOXp008VOG u8dZ2hcc2FytYkNbzAESjIw29fUBCSBCSmZQyuLku8jJX9ZxUjCCAo4wggI4oAMC AQICAgMgMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECBMK Q2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1biBN aWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAa BgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDQwODE2MDcwMDAwWhcNMzIw ODE2MDcwMDAwWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx FDASBgNVBAcTC1NhbnRhIENsYXJhMR4wHAYDVQQKExVTdW4gTWljcm9zeXN0ZW1z IEluYy4xGjAYBgNVBAsTEUlkZW50aXR5IFNlcnZpY2VzMRwwGgYDVQQDExNDZXJ0 aWZpY2F0ZSBNYW5hZ2VyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKz8xQGAbn86 19ouxvx4QYtUbRI2AxwsteVlsrSumcG311DHshmnR8HqGZ4jgVN1SnR4YyAwo6jD Dduf6xDOaM8CAwEAAaN2MHQwEQYJYIZIAYb4QgEBBAQDAgAHMA8GA1UdEwEB/wQF MAMBAf8wHQYDVR0OBBYEFDugITflTCfsWyNLTXDl7cMDUKuuMB8GA1UdIwQYMBaA FDugITflTCfsWyNLTXDl7cMDUKuuMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B AQUFAANBAFR1D8PyX2k2E1PKx40ful6+hqjW2k+HmbTV7OcCGJY8JR7y4y/wCE28 a4p6nxYjgdiQDlvoC8aOI+i1elvf9jMxAA== -----END CERTIFICATE----- |
In this deployment example, the certificate text was saved in a text file named am-enc-cert.
Import the certificate into the Load Balancer 3 keystore.
# keytool -import -alias LoadBalancer-3-enc -keystore amkeystore -file am-enc-approved.cert Enter keystore password: passwordam Enter key password for <LoadBalancer-3-enc>: keypasswordam Top-level certificate in reply: Owner: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US Issuer: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems, Inc., L=Santa Clara, ST=California, C=US Serial number:320 Valid from Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032 Certificate fingerprints: MDS: CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51 SHA1:9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A ...is not trusted. Install reply anyway? [no]:yes |
Verify that the certificate is properly installed.
When you run this command, note that the Entry Type must be keyEntry as in this example. The keyEntry type contains both private key and the public certificate chain. You will need both of these. The trustedcertEntry type contains only the public key and no private key.
# keytool -list -keystore amkeystore -alias LoadBalancer-3-enc -rfc Enter keystore password: passwordam Alias name: LoadBalancer-3-enc Creation date: Nov 2, 2006 Entry type: keyEntry Certificate chain length: 2 |
Certificate text similar to the following is displayed:
-----BEGIN CERTIFICATE----- MIICYDCCAgqgAwIBAgICBoowDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh dGUgTWFuYWdlcjAeFw0wNjExMDIxOTExMzRaFw0xMDA3MjkxOTExMzRaMDcxEjAQBgNVBAoTCXNp cm9lLmNvbTEhMB8GA1UEAxMYbG9hZGJhbGFuY2VyLTkuc2lyb2UuY29tMIGfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQCjOwa5qoaUuVnknqf5pdgAJSEoWlvx/jnUYbkSDpXLzraEiy2UhvwpoBgB EeTSUaPPBvboCItchakPI6Z/aFdH3Wmjuij9XD8r1C+q//7sUO0IGn0ORycddHhoo0aSdnnxGf9V tREaqKm9dJ7Yn7kQHjo2eryMgYxtr/Z5Il5F+wIDAQABo2AwXjARBglghkgBhvhCAQEEBAMCBkAw DgYDVR0PAQH/BAQDAgTwMB8GA1UdIwQYMBaAFDugITflTCfsWyNLTXDl7cMDUKuuMBgGA1UdEQQR MA+BDW1hbGxhQHN1bi5jb20wDQYJKoZIhvcNAQEEBQADQQB/6DOB6sRqCZu2OenM9eQR0gube85e nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS -----END CERTIFICATE----- Certificate[2]: -----BEGIN CERTIFICATE----- MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1 biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/ BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw== -----END CERTIFICATE----- |
Certificate [1] is the public key. This is the certificate that is presented to remote parties in a federated environment. Certificate [2] represents the certificate that authenticates the trusted authority or certificate issuer.