Certificate validation requires the Trust Anchors Store (.amtruststore).
Conditions for Security Token Service Certificate Validation (OSTS Certificate Validation Criteria)
X.509
X.509v3
PKCS#7
A SAML Assertion must be validated.
Security Token Service is configured to validate the signing certificate of a SAML Issuing Authority.
Table 44-4 lists the successful validation requirements.
Table 44-4 Successful Certificate Validation Requirements

Certificates Must ... | How ... |
---|---|
Be linked to a trusted anchor: | |
Not be revoked: | The revocation status of a certificate can be decided by checking: |
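The two requirements in Table 44-4 (a chain to an anchor in amtruststore, and no revoked certificate in that chain) expressed as a standalone Java check; this is an added example, not Security Token Service code. It assumes amtruststore is a JKS file whose password is known, that the chain file holds the leaf certificate first, and that OCSP responder and CRL distribution point URLs are taken from the certificates' own extensions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
public class TrustAnchorCheck {
    // Loads a chain from a PEM or PKCS#7 (DER) file; both are handled by CertificateFactory. Assumed leaf first.
    public static List<X509Certificate> loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(path)) {
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
            return chain;
        }
    }
    // True only if the chain builds to a trusted-certificate entry of the store AND every certificate
    // in it has a non-revoked status. Revocation is checked by OCSP with CRL fallback (the PKIX default);
    // with no SOFT_FAIL option an unreachable responder/CRL is a failure, not a pass.
    public static boolean isTrusted(String trustStorePath, char[] trustStorePassword,
                                    List<X509Certificate> chain) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS"); // assumption: amtruststore is a JKS keystore
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore); // each trusted-cert entry becomes an anchor
        PKIXRevocationChecker revocation = (PKIXRevocationChecker) validator.getRevocationChecker();
        revocation.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class)); // hard-fail, OCSP then CRL
        params.addCertPathChecker(revocation);
        params.setRevocationEnabled(true);
        try {
            validator.validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            // getReason() separates NO_TRUST_ANCHOR, REVOKED and UNDETERMINED_REVOCATION_STATUS for logging
            System.err.println("Rejected: " + e.getReason() + ": " + e.getMessage());
            return false;
        }
    }
}
```

Call `isTrusted("<path-to-amtruststore>", password, loadChain("<chain.pem>"))`; it returns false (and logs the reason) for a chain that ends outside the store or contains a revoked certificate.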
You need to perform the following tasks to manage this store and validation:
The Trust Anchors keystore is managed using the keytool command.
Certificates added to the keystore are detected by the Certificate Validation module.
Note:
Notification is performed by using the JMX Notification Framework and may take some time, depending on the notification refreshing time (60 seconds by default).
Prerequisites for Managing the Trust Anchors Store (amtruststore)
See Resetting System Keystore (.oamkeystore) and Trust Keystore (amtruststore) Password.
To manage the Trust Anchors Store (amtruststore)
The Security Token Service configuration stores the OCSP/CDP settings. To add or remove the certificate revocation lists (CRLs) used to check the revocation status of a certificate, perform the following operations.
You need to have your Certificate Revocation List ready so you can import it.
Optionally, if a particular deployment requires a set of trust anchors separate from that of Access Manager, another keystore can be configured as the trusted certificate store for Security Token Service.
This can be done by having the Administrator perform the following tasks.
Note:
You can deploy a custom keystore for a Trusted Certificate.
To deploy a custom keystore: