13.2 Access Manager Trust Stores

A trust store contains trusted roots, which are public certificates of known, trusted certificate authorities. Access Manager creates the trust stores listed below for the devices that it manages. The trust stores are created when you import a device into Administration Console. If you have not imported a particular device type, the trust store for that device type does not exist. If you have imported multiple devices of the same type, Administration Console creates an instance of the trust store for each device.

When a certificate has been created by a root CA, the trust store needs to contain only the public certificate of the CA. However, some certificates are created by an intermediate CA, which has been issued by a root CA. When intermediate CAs are involved, all the public certificates of the CAs in the chain need to be included in the trust store.
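The following script is an added illustration, not part of the Access Manager documentation, of why the whole CA chain must be in the trust store: it builds a constructed root CA, intermediate CA and leaf certificate with openssl, then checks the leaf against a trust store holding only the root and against one holding the full chain. It assumes only that openssl is on the PATH; all names, paths and files are constructed for the example and are not Access Manager's own.

```shell
#!/bin/sh
# Added example (not from the Access Manager documentation). Demonstrates that a
# trust store containing only the root CA cannot validate a certificate issued by
# an intermediate CA, while a trust store holding root + intermediate can.
# Assumes openssl is on PATH. All subjects, file names and paths are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA (self-signed; openssl req -x509 marks it CA:TRUE by default)
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Example Root CA" -days 30 2>/dev/null

# Intermediate CA, issued by the root, with explicit CA basic constraints
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out inter.crt -days 30 -extfile inter.ext 2>/dev/null

# Leaf certificate (e.g. a provider's signing certificate) issued by the intermediate
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=idp.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -out leaf.crt -days 30 2>/dev/null

# verify_chain <trust store PEM bundle> <certificate>: echoes "ok" or "fail"
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Trust store with the root only: the chain to the leaf cannot be built
cat root.crt > store_root_only.pem
# Trust store with every CA in the chain, as the documentation requires
cat root.crt inter.crt > store_full_chain.pem

echo "root only:  $(verify_chain store_root_only.pem leaf.crt)"
echo "full chain: $(verify_chain store_full_chain.pem leaf.crt)"
```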

Administration Console creates a trust store in the file system of the device that is assigned to the trust store.

  • Linux: /opt/novell/devman/jcc/certs/<device>

  • Windows Server 2012 Identity Server: \Program Files\novell\devman\jcc\certs\<device>

  • Windows Server 2012 Access Gateway Service: \Program Files\novell\devman\jcc\certs\<device>

The <device> can be idp (for Identity Server) or esp (for the Embedded Service Providers including Access Gateways).

To view the trust stores:

  1. Click Security > Trusted Roots.

  2. Select a trusted root, then click Add Trusted Root to Trust Stores.

  3. Click the Select Keystore icon.

    The list can include the following trust stores:

    Trust Store: This Identity Server trust store contains the trusted root certificates of all the providers that it trusts. Liberty and SAML 2.0 protocol messages that are exchanged between identity and service providers often need to be digitally signed. A provider uses the signing certificate included with the metadata of a trusted provider to validate signed messages from the trusted provider. The trusted root of the CA that created the signing certificate for the provider needs to be in this trust store.

    To use SSL for exchanging messages between providers, each provider must trust the SSL certificate authority of the other provider. You must import the root certificate chain for the other provider. Failure to do so causes numerous system errors.

    This trust store is also used to store the trusted root certificates of the user stores that it has been configured to use.

    OCSP Trust Store: Identity Server uses this trust store for OCSP (Online Certificate Status Protocol) certificates. OCSP is a method used for checking the revocation status of a certificate. To use this feature, you must set up an OCSP server. Identity Server sends an OCSP request to the OCSP server to determine if a certain certificate has been revoked. The OCSP server replies with the revocation status. If this revocation checking protocol is used, Identity Server does not cache or store the information in the reply, but sends a request every time it needs to check the revocation status of a certificate. The OCSP reply is signed by the OCSP server. To verify that it was signed by the correct OCSP server, the OCSP server certificate needs to be added to this trust store.

    ESP Trust Store (Access Gateway): Access Gateway ESP trust store contains the trusted root certificate of Identity Server that it has been configured to trust. It usually contains one certificate unless you configure Access Gateway to trust one Identity Server, and then modify Access Gateway to trust a different Identity Server. If you are using certificates generated by the Access Manager CA, the root certificate of this CA is automatically added to this trust store. If Identity Server is using a certificate generated by an external CA, you need to add the trusted root certificate of that CA to this trust store.

    Proxy Trust Store: When SSL is set up between Access Gateway and its web servers, Access Gateway uses this trust store for the trusted root certificates of the web servers.

    This trust store does not use the default location:

    • Access Gateway Appliance: /opt/novell/apache2/cacerts

    • Windows Access Gateway Service: \Program Files\Novell\apache\cacerts

  4. Click Cancel twice.