10.3 Access Manager Keystores

A keystore is a location, such as a file, that contains keys and certificates. Access Manager components read the keystore to retrieve certificates and keys as needed. Access Manager defines the keystores that each component requires; you do not need to create them.

The Administration Console creates a keystore in the file system of the device that is assigned to the keystore. The operating system of the device determines the location:

  • Linux: /opt/novell/devman/jcc/certs/<device>

  • Windows Server 2012 Identity Server: \Program Files (x86)\novell\devman\jcc\certs\<device>

  • Windows Server 2012 Access Gateway Service: \Program Files\novell\devman\jcc\certs\<device>

The <device> is idp for the Identity Server or esp for the Embedded Service Providers, which include the Access Gateways.

To view the keystores:

  1. In the Administration Console, click Security > Certificates.

  2. Click the name of a certificate, then click Add Certificate to Keystores.

  3. Click the Select Keystore icon.

    The dialog lists the keystores that Access Manager has created for the configured devices. These keystores are described in the following sections.

  4. Click Cancel twice.

10.3.1 Identity Server Keystores

Access Manager creates the following keystores for each Identity Server cluster configuration:

Signing: Contains the certificate that is used for signing the assertion or specific parts of the assertion.

Encryption: Contains the certificate that is used to encrypt specific fields or data in assertions.

SSL Connector: Contains the certificate that the Identity Server uses for SSL connections. If multiple devices are installed on the same machine, the Identity Server uses the COMMON_TOMCAT_CLUSTER keystore.

Provider Introductions SSL Connector: Contains the certificate that you configure when you set up the Identity Server to provide introductions to service providers that are trusted members of a service domain. The subject name of this certificate needs to match the DNS name of the service domain.

Consumer Introductions SSL Connector: Contains the certificate that you configure when you set up the Identity Server to consume authentications provided by other identity providers that are trusted members of a service domain. The subject name of this certificate needs to match the DNS name of the service domain.

10.3.2 Access Gateway Keystores

Access Manager creates the following keystores for each Access Gateway or cluster:

Signing: Contains the certificate that is used for signing logout requests from the Access Gateway/ESP to the Identity Server.

Encryption: Contains the certificate that is used to encrypt specific fields or data in assertions.

ESP Mutual SSL: Contains the certificate that is used for SSL when you have established SSL communication between the Access Gateway and the Identity Server. The trusted root (the certificate of the certificate authority that issued this certificate) needs to be in the Identity Server’s trust store, otherwise the Identity Server rejects the connection.

Proxy Key Store: Contains the certificate that is used for SSL when you have enabled SSL between a reverse proxy and the browsers. The trusted root (the certificate of the certificate authority that issued this certificate) needs to be in the browser’s trust store for the SSL connection to work without warnings. If you create multiple reverse proxies and enable them for SSL, each reverse proxy needs its own certificate, and the subject name of the certificate needs to match the DNS name of the reverse proxy. Current browsers check the DNS name against the subjectAltName extension rather than the subject CN, so the DNS name of the reverse proxy should appear there as well.

This keystore does not use the default location:

  • Access Gateway Appliance: /opt/novell/apache2/certs

  • 3.1 SP4 Access Gateway Service: /opt/novell/apache2/certs

  • Windows Access Gateway Service: \Program Files\Novell\apache\certs
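The following script is an added example and is not part of the Access Manager documentation or product. It inspects the Linux keystore directories named in this section (the jcc/certs directories for idp and esp, and the Apache certs directory of the Proxy Key Store) and checks the two requirements stated for the ESP Mutual SSL and Proxy Key Store certificates: that the certificate covers the DNS name of the reverse proxy, and that it chains to a root held in the relying side's trust store. The assumptions are that the keystores under jcc/certs are Java keystores that can be listed with keytool using a password supplied in the JCC_STOREPASS variable, that the trust store is supplied as a PEM file, and that openssl is installed; none of these come from the page.

```sh
#!/bin/sh
# Added example, not Access Manager code. Paths default to the Linux locations
# given in this section; override them with JCC_CERTS / APACHE_CERTS. The JKS
# password in $JCC_STOREPASS and the PEM trust file are assumptions.

JCC_CERTS=${JCC_CERTS:-/opt/novell/devman/jcc/certs}
APACHE_CERTS=${APACHE_CERTS:-/opt/novell/apache2/certs}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# dns_name_matches HOST NAME
# Succeeds when NAME (a subject CN or a SAN dNSName, possibly *.example.com)
# covers HOST. Case-insensitive; a wildcard stands for exactly one leftmost
# label, as browsers apply it (RFC 6125 section 6.4.3). "*" or "*.com" is rejected.
dns_name_matches() {
  host=$(lower "$1"); name=$(lower "$2")
  case $name in
    \*.*.*)
      suffix=${name#\*}                       # ".example.com"
      case $host in
        *"$suffix")
          label=${host%"$suffix"}             # the label the "*" stood for
          case $label in ''|*.*) return 1 ;; *) return 0 ;; esac ;;
        *) return 1 ;;
      esac ;;
    \**) return 1 ;;
    *) [ "$host" = "$name" ] ;;
  esac
}

# cert_names CERT.pem
# Prints the subject CN and every SAN dNSName, one per line.
cert_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
  openssl x509 -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# cert_covers_host CERT.pem HOST
# Succeeds if any name in the certificate covers HOST (the "subject name must
# match the DNS name of the reverse proxy" requirement).
cert_covers_host() {
  cert_names "$1" | {
    while read -r n; do
      dns_name_matches "$2" "$n" && exit 0
    done
    exit 1
  }
}

# chains_to_trusted_root CERT.pem TRUST.pem
# Succeeds if CERT chains to a root in TRUST.pem (the "trusted root must be in
# the trust store" requirement). Intermediates must be in TRUST.pem too.
chains_to_trusted_root() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# describe_file FILE: summary of a PEM certificate, or the keytool listing of
# a JKS keystore when a password is available.
describe_file() {
  if openssl x509 -in "$1" -noout >/dev/null 2>&1; then
    openssl x509 -in "$1" -noout -subject -issuer -enddate
  elif [ -n "${JCC_STOREPASS:-}" ] && command -v keytool >/dev/null 2>&1; then
    keytool -list -keystore "$1" -storepass "$JCC_STOREPASS" 2>&1
  else
    echo "  (not PEM; set JCC_STOREPASS and install keytool to list a JKS file)"
  fi
}

# list_keystores: walk the directories this section names for idp, esp and
# the Access Gateway Proxy Key Store.
list_keystores() {
  for d in "$JCC_CERTS/idp" "$JCC_CERTS/esp" "$APACHE_CERTS"; do
    [ -d "$d" ] || { echo "missing: $d"; continue; }
    for f in "$d"/*; do
      [ -f "$f" ] || continue
      echo "== $f"; describe_file "$f"
    done
  done
}

# Usage: sh keystore_check.sh PROXY_DNS_NAME CERT.pem TRUST_ROOTS.pem
if [ $# -eq 3 ]; then
  list_keystores
  cert_covers_host "$2" "$1" && echo "OK: $2 covers $1" || echo "FAIL: $2 does not cover $1"
  chains_to_trusted_root "$2" "$3" && echo "OK: issuer of $2 is in $3" || echo "FAIL: issuer of $2 is not in $3"
fi
```

Run it on the Access Gateway with the reverse proxy's DNS name, the certificate exported from the Proxy Key Store, and the PEM file of roots that the browsers (or, for the ESP Mutual SSL certificate, the Identity Server) trust. If the certificate was issued by an intermediate CA, include the intermediate in the trust file, since openssl verify needs the full chain. On Windows, substitute the paths listed above for the Access Gateway Service and Identity Server.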

10.3.3 Keystores When Multiple Devices Are Installed on the Administration Console

Access Manager creates the following keystore when the Identity Server is installed on the Administration Console.

COMMON_TOMCAT_CLUSTER: Contains the certificate that is used for SSL connections by the devices that share the Administration Console machine. In this case the Identity Server uses this keystore instead of its own SSL Connector keystore.