19.1.2 Using Access Manager Certificates

By default, all Access Manager components (Identity Server and Access Gateway) trust the local CA. However, the browsers are not set up to trust the Access Manager CA. You need to import the public key of the trusted root certificate (configCA) into the browsers to establish the trust.

This section discusses the following procedures:

Configuring Secure Communication on Identity Server

Identity Server comes with the test-connector certificate. This procedure shows you how to replace this certificate by completing the following tasks:

  • Enable SSL on Identity Server (changing from HTTP to HTTPS)

  • Create a certificate

  • Replace the test-connector certificate with the newly created certificate

To configure SSL on Identity Server:

  1. Click Devices > Identity Servers.

  2. In the Configuration column, click Edit.

  3. Change Protocol to HTTPS (the system changes the port to 8443), click Apply, then click OK at the warning.

  4. Copy the domain name of your Identity Server configuration to the clipboard, or take note of the name. It must match the common name of the new certificate.

  5. Click the SSL Certificate icon, then click OK at the warning if you clicked Apply when you changed the protocol to HTTPS.

    If you did not click Apply, then click Cancel and click Apply before returning to this option.

    The Keystore configuration page appears.

  6. In the Certificates section, click Replace.

  7. In the Replace dialog box, click the Select Certificate icon next to the Certificate field.

  8. On the Select Certificate page, click New.

  9. Click Use local certificate authority.

    This option creates a certificate signed by the local CA (or Organizational CA), and creates the private key.

  10. Fill in the following fields:

    Certificate name: A name that you can associate with this certificate. For easy reference, you might want to paste the domain name of Identity Server configuration in this field.

    For information about how to modify the default values before clicking OK, see Section 15.0, Creating Certificates.

    Subject: Click the Edit Subject icon. In the Common Name field, paste the domain name of the base URL of Identity Server configuration. This value cannot be an IP address or begin with a number, to ensure that trust does not fail between providers.

    If you are going to be using Windows CardSpace, fill in values for the other common attributes.

  11. Click OK.

  12. To accept the default values in the other fields, click OK twice.

    The new certificate is displayed on the Select Certificate page.

  13. Verify that the new certificate is selected, then click OK.

  14. Click OK on the Replace dialog box.

  15. Click Restart Now to restart Tomcat, as prompted.

  16. Click Close on the Keystore page.

    • If your Identity Server and Administration Console are on the same machine, you need to log in to Administration Console again.

    • If your Identity Server is on another machine, click OK.

  17. To verify the health of Identity Server, click Devices > Identity Servers.

  18. To update the embedded service provider of Access Gateway to use the new URL, click Devices > Access Gateways > Update.

    If you do not receive the option to update Access Gateway, select Access Gateway, then click Actions > Service Provider > Restart Service Provider > OK.

    Restarting the service provider reestablishes the trust between Access Gateway and the new base URL for Identity Server.

  19. Verify that the trusted relationship between Identity Server and Access Gateway has been reestablished.

    1. Enter the URL to a protected resource on Access Gateway.

    2. Complete one of the following:
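A post-restart check, added here as example code rather than anything from the Access Manager documentation: it applies the Common Name rule from step 10 (domain name, not an IP address, not beginning with a number) and then confirms that Identity Server on its HTTPS port presents a certificate with that Common Name and verifies against the local CA. It assumes the configCA public certificate has been exported to configCA.pem (an assumed path) and that the base URL host is supplied in IDP_HOST.

```shell
#!/bin/sh
# Added example (not Access Manager product code): verify the replaced Identity Server
# certificate after the Tomcat restart. Requires the openssl command-line tool.
# Assumed inputs: IDP_HOST (base URL host), IDP_PORT (default 8443), CONFIG_CA (default ./configCA.pem).

# Common Name rule from the procedure: must be the base URL domain name,
# must not be an IP address and must not begin with a number.
valid_common_name() {
  cn="$1"
  case "$cn" in
    "") return 1 ;;                 # empty
    [0-9]*) return 1 ;;             # begins with a digit (also rejects dotted IPv4)
    *:*) return 1 ;;                # IPv6 literal
    *[!A-Za-z0-9.-]*) return 1 ;;   # anything outside hostname characters
  esac
  return 0
}

# Extract the Common Name from the certificate the server actually serves.
served_common_name() {
  host="$1"; port="${2:-8443}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Check that the served chain verifies against the exported configCA,
# i.e. the same trust anchor browsers need imported.
chain_trusted_by_config_ca() {
  host="$1"; port="${2:-8443}"; ca="${3:-configCA.pem}"
  openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$ca" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

check_identity_server() {
  host="$1"; port="${2:-8443}"; ca="${3:-configCA.pem}"
  valid_common_name "$host" || { echo "base URL host '$host' is not an acceptable Common Name"; return 1; }
  cn=$(served_common_name "$host" "$port")
  [ "$cn" = "$host" ] || { echo "served CN '$cn' does not match base URL host '$host'"; return 1; }
  chain_trusted_by_config_ca "$host" "$port" "$ca" || { echo "chain does not verify against $ca"; return 1; }
  echo "OK: $host:$port presents CN=$cn and verifies against $ca"
}

# The live check only runs when IDP_HOST is set, e.g. IDP_HOST=idp.example.com sh check.sh
if [ -n "${IDP_HOST:-}" ]; then
  check_identity_server "$IDP_HOST" "${IDP_PORT:-8443}" "${CONFIG_CA:-configCA.pem}"
fi
```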