14.6 Using Multiple External Signing Certificates

Access Manager can use multiple external certificates for signing SAML 2.0 service providers. The external certificates can come from a single external keystore or HSM or from several of them. However, the certificates must be exportable, because Access Manager does not send payloads to an external device to be signed.

Perform the following steps to use multiple external signing certificates:

  1. Configure certificates for Access Manager Identity Server.

    1. Configure the externKeystore.properties file for multiple signing certificates:

      The format is:

      #KeyStore 1.
      com.novell.nidp.extern.signing.providerClass.1=<SOME CLASS>
      com.novell.nidp.extern.signing.providerName.1=<SOME PROVIDER NAME>
      com.novell.nidp.extern.signing.keystoreType.1=<SOME KEYSTORE TYPE>
      com.novell.nidp.extern.signing.keystoreName.1=<SOME KEYSTORE NAME>
      com.novell.nidp.extern.signing.keystorePwd.1=<SOME PASSWORD>
      #Aliases and key passwords.
      com.novell.nidp.extern.signing.alias.1.1=<SOME ALIAS>
      com.novell.nidp.extern.signing.keyPwd.1.1=<SOME PASSWORD>
      com.novell.nidp.extern.signing.alias.1.2=<SOME ALIAS>
      com.novell.nidp.extern.signing.keyPwd.1.2=<SOME PASSWORD>
          :
          :
      com.novell.nidp.extern.signing.alias.1.n=<SOME ALIAS>
      com.novell.nidp.extern.signing.keyPwd.1.n=<SOME PASSWORD>
      
      #KeyStore 2.
      com.novell.nidp.extern.signing.providerClass.2=<SOME CLASS>
      com.novell.nidp.extern.signing.providerName.2=<SOME PROVIDER NAME>
      com.novell.nidp.extern.signing.keystoreType.2=<SOME KEYSTORE TYPE>
      com.novell.nidp.extern.signing.keystoreName.2=<SOME KEYSTORE NAME>
      com.novell.nidp.extern.signing.keystorePwd.2=<SOME PASSWORD>
      #Aliases and key passwords.
      com.novell.nidp.extern.signing.alias.2.1=<SOME ALIAS>
      com.novell.nidp.extern.signing.keyPwd.2.1=<SOME PASSWORD>
          :
          :
      com.novell.nidp.extern.signing.alias.2.n=<SOME ALIAS>
      com.novell.nidp.extern.signing.keyPwd.2.n=<SOME PASSWORD>

      For Keystore parameters, the suffix is a single integer after the last period, for example, “.1” and “.2”.

      For aliases and key passwords, the suffix contains two integers separated by dots: the first identifies the keystore and the second the key, such as “.1.1” or “.1.2” for the keys of keystore 1 and “.2.1” for the key of keystore 2.

      The default signing key is configured as one of the following:

      com.novell.nidp.extern.signing.providerClass=<SOME CLASS>
      com.novell.nidp.extern.signing.providerName=<SOME PROVIDER NAME>
      com.novell.nidp.extern.signing.keystoreType=<SOME KEYSTORE TYPE>
      com.novell.nidp.extern.signing.keystoreName=<SOME KEYSTORE NAME>
      com.novell.nidp.extern.signing.keystorePwd=<SOME PASSWORD>
      com.novell.nidp.extern.signing.alias=<SOME ALIAS>
      com.novell.nidp.extern.signing.keyPwd=<SOME PASSWORD>

      Or,

      com.novell.nidp.extern.signing.providerClass.1=<SOME CLASS>
      com.novell.nidp.extern.signing.providerName.1=<SOME PROVIDER NAME>
      com.novell.nidp.extern.signing.keystoreType.1=<SOME KEYSTORE TYPE>
      com.novell.nidp.extern.signing.keystoreName.1=<SOME KEYSTORE NAME>
      com.novell.nidp.extern.signing.keystorePwd.1=<SOME PASSWORD>
      com.novell.nidp.extern.signing.alias.1.1=<SOME ALIAS>
      com.novell.nidp.extern.signing.keyPwd.1.1=<SOME PASSWORD>
    2. Open the /opt/novell/nam/idp/conf/tomcat.conf file.

    3. Add the following:

      JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.extern.config.file=[path-to-file]/externKeystore.properties"
    4. Restart services.

  2. Assign the certificate to the service provider. The certificates of the external keystore are not listed in Administration Console.

    1. To assign a certificate from the external keystore, select any one of the listed certificates and provide the alias as the name of the certificate to be assigned.

    2. Reimport metadata and certificates.

    3. Restart services. The certificate from the external keystore is used to federate.

NOTE: This is a general configuration and may vary based on HSM providers.

Example of Creating an External Keystore and Certificates

This example provides steps to configure a Java KeyStore (JKS) as an external keystore, add certificates to the JKS, and assign one of them to a service provider for federation.

  1. Run the following command to configure JKS as an external keystore and add a certificate:

    keytool -keystore /tmp/namKeyStore/namKeyStore.jks -storepass password -genkeypair -alias namExtCert1 -keyalg RSA -keysize 2048 -validity 60 -keypass password

    Provide the following values when prompted (optional): First and Last Name, Organizational Unit, Organization, City, State, Country-Code.

    Here, the keytool command creates the keystore namKeyStore.jks at /tmp/namKeyStore/. A keypair with the alias namExtCert1 has been created and added to the keystore.

  2. Run the following command to add another certificate to the keystore:

    keytool -genkey -alias namExtCert2 -keyalg RSA -keypass password2 -storepass password -keystore /tmp/namKeyStore/namKeyStore.jks

    Here, the keytool command is used to create a keypair with the alias namExtCert2 and add it to the namKeyStore.jks keystore.

  3. Create a properties file, namKeyStore.properties at /tmp/namKeyStore/ and add the following content:

    # KeyStore Type.
    com.novell.nidp.extern.signing.providerClass.1=sun.security.rsa.SunRsaSign
    com.novell.nidp.extern.signing.providerName.1=SunRsaSign
    com.novell.nidp.extern.signing.keystoreType.1=JKS
    # KeyStore name and password.
    com.novell.nidp.extern.signing.keystoreName.1=/tmp/namKeyStore/namKeyStore.jks
    com.novell.nidp.extern.signing.keystorePwd.1=password
    # Aliases and key passwords.
    com.novell.nidp.extern.signing.alias.1.1=namExtCert1
    com.novell.nidp.extern.signing.keyPwd.1.1=password
    com.novell.nidp.extern.signing.alias.1.2=namExtCert2
    com.novell.nidp.extern.signing.keyPwd.1.2=password2
  4. Open the /opt/novell/nam/idp/conf/tomcat.conf file and add the following content:

    JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.extern.config.file=/tmp/namKeyStore/namKeyStore.properties"
  5. Restart services.

  6. Go to Administration Console and assign the certificate to the service provider. See Step 2.
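The following Python script is an added example, not part of the Access Manager documentation or product. It checks that an externKeystore.properties file follows the “.N” / “.N.M” indexing convention described in Step 1: every keystore index carries its five keystore parameters, every alias.N.M has a matching keyPwd.N.M, and a default signing key exists either as the unsuffixed keys or as keystore 1 with key 1.1. The SAMPLE text is constructed (keystore 1 mirrors the example above, keystore 2 is deliberately incomplete), and parse_properties is a minimal reader that handles only the comment and key=value lines used here, not the full java.util.Properties syntax.

```python
import re
from collections import defaultdict
PREFIX = "com.novell.nidp.extern.signing."
KEYSTORE_PARAMS = ("providerClass", "providerName", "keystoreType", "keystoreName", "keystorePwd")

# Constructed sample: keystore 1 mirrors the page's example; keystore 2 is deliberately incomplete.
SAMPLE = """\
com.novell.nidp.extern.signing.providerClass.1=sun.security.rsa.SunRsaSign
com.novell.nidp.extern.signing.providerName.1=SunRsaSign
com.novell.nidp.extern.signing.keystoreType.1=JKS
com.novell.nidp.extern.signing.keystoreName.1=/tmp/namKeyStore/namKeyStore.jks
com.novell.nidp.extern.signing.keystorePwd.1=password
com.novell.nidp.extern.signing.alias.1.1=namExtCert1
com.novell.nidp.extern.signing.keyPwd.1.1=password
com.novell.nidp.extern.signing.alias.1.2=namExtCert2
com.novell.nidp.extern.signing.keyPwd.1.2=password2
com.novell.nidp.extern.signing.providerClass.2=sun.security.rsa.SunRsaSign
com.novell.nidp.extern.signing.keystoreType.2=JKS
com.novell.nidp.extern.signing.alias.2.1=hsmCert
"""
def parse_properties(text):
    """Minimal properties reader (assumption: only '#'/'!' comment lines and key=value pairs)."""
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep and not k.startswith(("#", "!"))}

def validate_signing_config(text):
    """Return sorted problems with the .N / .N.M index layout; [] means the layout is consistent."""
    props = parse_properties(text)
    keystores, aliases, keypwds = defaultdict(dict), defaultdict(dict), defaultdict(dict)
    for key, value in props.items():
        name = key[len(PREFIX):] if key.startswith(PREFIX) else ""
        ks = re.fullmatch(r"(\w+)\.(\d+)", name)                   # keystore parameter ".N"
        kp = re.fullmatch(r"(alias|keyPwd)\.(\d+)\.(\d+)", name)   # key entry ".N.M"
        if ks and ks.group(1) in KEYSTORE_PARAMS:
            keystores[int(ks.group(2))][ks.group(1)] = value
        elif kp:
            (aliases if kp.group(1) == "alias" else keypwds)[int(kp.group(2))][int(kp.group(3))] = value
    problems = []
    for n, params in keystores.items():
        problems += [f"keystore {n}: missing {p}.{n}" for p in KEYSTORE_PARAMS if p not in params]
    for n in set(aliases) | set(keypwds):
        if n not in keystores:
            problems.append(f"keystore {n}: alias/keyPwd entries but no keystore parameters")
        for m in aliases[n].keys() ^ keypwds[n].keys():   # alias without keyPwd, or the reverse
            problems.append(f"keystore {n}: alias.{n}.{m} and keyPwd.{n}.{m} must both be set")
    # Default signing key: either the unsuffixed parameter set or keystore 1 with key 1.1.
    plain = all(PREFIX + p in props for p in KEYSTORE_PARAMS + ("alias", "keyPwd"))
    indexed = 1 in keystores and 1 in aliases.get(1, {}) and 1 in keypwds.get(1, {})
    if not (plain or indexed):
        problems.append("no default signing key (unsuffixed keys or keystore 1 with alias.1.1/keyPwd.1.1)")
    return sorted(problems)
```

A property that accidentally shares a line with a leading # comment is read as part of the comment, so the validator reports it as a missing parameter rather than letting the Identity Server start without that keystore.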