Sun Java System Federation Manager 7.0 User's Guide

Enabling SSL Communication between SAML Entities

The Secure Sockets Layer (SSL) protocol can be enabled in Federation Manager to secure communications between SAML entities for SOAP binding. In SAML transactions, when one SAML entity talks to a second SAML entity deployed on an SSL-enabled web container, the former is referred to as the SSL client, and the latter is referred to as the SSL server. In Federation Manager, a SAML entity uses a Java keystore for its database of key entries and trusted certificate entries. A key entry is used for cryptographic purposes and consists of an entity's identity and its private key. It is stored in a keystore. A trusted certificate entry is used when making decisions about trust and contains a public key and an entity's identity. It is generally stored in a separate keystore called a truststore (although both types of entries may be stored in one file). To enable SSL in Federation Manager you must perform several modifications; for example, pointing to the specific .keystore and .truststore files.

The Java Virtual Machine (JVM) running the SSL client needs to have two system properties set. You set JVM system properties with a -D option on the Java command line. The properties that need to be set are:

If the client is going to present a certificate to the server, the following SSL-related configurations must also be performed. On the client side, the following three properties need to be set.

On the server side, the client certificate needs to be imported to the server side keystore. The server side keystore shares the same file as the XML signature keystore, and follows the same rule that both passwords should be encrypted using ampassword utility. The location and passwords of the server side keystore are specified by the following properties in the file: