The Secure Sockets Layer (SSL) protocol can be enabled in Federation Manager to secure communications between SAML entities for SOAP binding. In SAML transactions, when one SAML entity talks to a second SAML entity deployed on an SSL-enabled web container, the former is referred to as the SSL client, and the latter is referred to as the SSL server. In Federation Manager, a SAML entity uses a Java keystore for its database of key entries and trusted certificate entries. A key entry is used for cryptographic purposes and consists of an entity's identity and its private key. It is stored in a keystore. A trusted certificate entry is used when making decisions about trust and contains a public key and an entity's identity. It is generally stored in a separate keystore called a truststore (although both types of entries may be stored in one file). To enable SSL in Federation Manager you must perform several modifications; for example, pointing to the specific .keystore and .truststore files.
The Java Virtual Machine (JVM) running the SSL client needs to have two system properties set. You set JVM system properties with a -D option on the Java command line. The properties that need to be set are:
-Djavax.net.ssl.trustStoreType=JKS
-Djavax.net.ssl.trustStore=full-path-to-truststore-file where full-path-to-truststore-file is the full path to a Java .truststore file that contains the server-side Certificate Authority (CA) certificate(s).
A keystore file can be manually created using the keytool utility, which comes with the Java Development Kit (JDK). Following this, the CA certificate can be imported into the file, again using keytool.
If the client is going to present a certificate to the server, the following SSL-related configurations must also be performed. On the client side, the following three properties need to be set.
-Djavax.net.ssl.keyStore=full-path-to-keystore-file
The keyStore should contain the client certificate. This keystore could be the same as the trustStore previously defined.
-Djavax.net.ssl.keyStoreType=JKS
-Djavax.net.ssl.keyStorePassword=password-for-keystore-file
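A pre-flight check of the client-side configuration described above, written as an added example rather than Federation Manager code: it reads the same javax.net.ssl.* system properties the JVM uses, confirms the truststore holds at least one trusted certificate entry and (when a keystore is configured) that the keystore holds a key entry, and builds an SSLContext from them. The class name SslStoreCheck is hypothetical; run it with the -D options listed on this page.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SslStoreCheck { // hypothetical helper, not part of Federation Manager
    // Loads a keystore file; a null type falls back to JKS as on this page, a null password skips the integrity check.
    static KeyStore load(String path, String type, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type == null ? "JKS" : type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password == null ? null : password.toCharArray());
        }
        return ks;
    }
    // Counts key entries or trusted certificate entries so an empty or mis-pointed store is caught early.
    static int count(KeyStore ks, boolean keyEntries) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (keyEntries ? ks.isKeyEntry(alias) : ks.isCertificateEntry(alias)) n++;
        }
        return n;
    }
    public static void main(String[] args) throws Exception {
        String trustPath = System.getProperty("javax.net.ssl.trustStore");
        if (trustPath == null) throw new IllegalStateException("-Djavax.net.ssl.trustStore is not set");
        KeyStore trust = load(trustPath, System.getProperty("javax.net.ssl.trustStoreType"), System.getProperty("javax.net.ssl.trustStorePassword"));
        int cas = count(trust, false);
        if (cas == 0) throw new IllegalStateException("no trusted CA certificate entry in " + trustPath);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        // The keystore is only required when the client must present its own certificate to the server.
        KeyManagerFactory kmf = null;
        String keyPath = System.getProperty("javax.net.ssl.keyStore");
        if (keyPath != null) {
            String pw = System.getProperty("javax.net.ssl.keyStorePassword");
            if (pw == null) throw new IllegalStateException("-Djavax.net.ssl.keyStorePassword is required with keyStore");
            KeyStore keys = load(keyPath, System.getProperty("javax.net.ssl.keyStoreType"), pw);
            if (count(keys, true) == 0) throw new IllegalStateException("no key entry (client certificate) in " + keyPath);
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keys, pw.toCharArray());
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("OK: " + cas + " trusted CA entries; client certificate " + (kmf != null ? "loaded" : "not configured"));
    }
}
```

The keystore and truststore may be the same file, as the page notes; the check then simply loads it twice and verifies it holds both entry types.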
On the server side, the client certificate needs to be imported into the server-side keystore. The server-side keystore shares the same file as the XML signature keystore, and follows the same rule that both passwords should be encrypted using the ampassword utility. The location and passwords of the server-side keystore are specified by the following properties in the AMConfig.properties file:
com.sun.identity.saml.xmlsig.keystore=
com.sun.identity.saml.xmlsig.storepass=
com.sun.identity.saml.xmlsig.keypass=