45.2 Creating and Installing SSL Certificates

To ensure authentication, Access Manager and OSP must share the trusted root of their SSL certificates. This section helps you create a new certificate for Access Manager, then ensure that the trust stores on both sides contain the correct certificates.

45.2.1 Creating an SSL Certificate for Access Manager

Access Manager cannot use its default SSL certificate, test-connector, to communicate with Identity Manager. Instead, you must create a certificate that includes the host name in the certificate subject field and assign it to Access Manager.

For more information, see “Security and Certificate Management” in the NetIQ Access Manager Administration Console Guide.

  1. Open the Administration Console of Access Manager.

  2. Click Security > Certificates.

  3. Click New.

  4. Specify a name for the new certificate. For example, hostname_ssl.

  5. Click the edit button on the right side of the window.

  6. For Common name, specify the DNS name of the server that hosts Access Manager, then click OK.

  7. For Months valid, specify a value up to 99.

  8. For Key size, specify 2048.

  9. Select the newly created certificate, then click Actions > Add certificate to Keystores....

  10. Click the edit button on the right side of Keystores.

  11. Select SSL connector, and then click OK.

  12. Click OK.

  13. Install the new certificate in the OSP trust store. For more information, see Section 45.2.2, Installing the Access Manager Certificate in the Identity Manager Trust Store.

45.2.2 Installing the Access Manager Certificate in the Identity Manager Trust Store

The OSP trust store must include the security certificate for Access Manager.

  1. To export the new SSL certificate, complete the following actions:

  2. Copy the exported certificate to the server where OSP is running.

  3. Use the keytool utility that ships with Java to import the file into the cacerts keystore of the JRE.

    For example, /opt/netiq/idm/jre/bin/keytool -keystore /opt/netiq/idm/jre/lib/security/cacerts -storepass <password> -importcert -trustcacerts -alias <NAM-cert> -file custom_location/<exported_file>

  4. Install the OSP certificate in the Access Manager trust store.

    For more information, see Section 45.2.3, Installing the SSL Server Certificate in the Access Manager Trust Store.
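The following shell script is an added example, not part of the NetIQ documentation. It wraps the keytool import from step 3 with the checks a practitioner would want before touching the JRE trust store: the exported file must be readable, its subject must carry the Access Manager host name as a CN (the requirement from Section 45.2.1), an existing alias is never silently overwritten, and the import is verified afterwards with keytool -list. The JRE path and cacerts location are the ones the page uses; the alias, host name, certificate file and keystore password are placeholders supplied on the command line.

```shell
#!/bin/sh
# Added example (not from the NetIQ documentation): guarded import of the exported
# Access Manager certificate into the OSP JRE cacerts keystore.
# JRE_HOME and CACERTS follow the paths on the page; everything passed as an argument
# (alias, certificate file, host name, password) is a placeholder.

JRE_HOME="${JRE_HOME:-/opt/netiq/idm/jre}"
KEYTOOL="$JRE_HOME/bin/keytool"
CACERTS="$JRE_HOME/lib/security/cacerts"

# Exit status 0 if the alias is already present in cacerts, non-zero otherwise.
alias_exists() {
    # $1 = alias, $2 = keystore password
    "$KEYTOOL" -list -keystore "$CACERTS" -storepass "$2" -alias "$1" >/dev/null 2>&1
}

# Exit status 0 if the certificate subject contains CN=<host name>.
# Relies on the "Owner:" line that keytool -printcert writes for the subject.
subject_has_cn() {
    # $1 = certificate file, $2 = expected host name
    "$KEYTOOL" -printcert -file "$1" | grep '^Owner:' | grep -E -q "CN=$2(,|$)"
}

# Import a trusted certificate under the given alias.
# Returns 2 for a missing or unreadable file, 3 when the subject does not carry the
# expected host name, 1 if keytool fails, and 0 when the alias is present afterwards
# (imported now, or already there and left untouched).
import_trusted_cert() {
    # $1 = alias, $2 = certificate file, $3 = expected host name, $4 = keystore password
    [ -r "$2" ] || { echo "certificate file not readable: $2" >&2; return 2; }
    subject_has_cn "$2" "$3" || { echo "subject of $2 does not carry CN=$3" >&2; return 3; }
    if alias_exists "$1" "$4"; then
        echo "alias '$1' already present in $CACERTS; not overwriting" >&2
        return 0
    fi
    "$KEYTOOL" -importcert -noprompt -trustcacerts \
        -keystore "$CACERTS" -storepass "$4" \
        -alias "$1" -file "$2" || return 1
    alias_exists "$1" "$4"   # confirm the entry really landed in the keystore
}

# Usage with placeholder values:
#   import_trusted_cert nam-ssl /tmp/nam_ssl.cer nam.example.com changeit
```

Refusing to overwrite an existing alias matters because keytool otherwise fails the import with an "alias already exists" error, and because a second OSP administrator reusing the alias for a different certificate would silently replace the trust anchor. The CN check uses a regular expression, so a dot in the host name matches any character; that is adequate for confirming the subject field was filled in as Section 45.2.1 requires, not for strict host-name validation.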

45.2.3 Installing the SSL Server Certificate in the Access Manager Trust Store

The Access Manager trust store must include the security certificate for OSP. For more information, see “Managing Trusted Roots and Trust Stores” in the NetIQ Access Manager Administration Console Guide.

Obtain the server certificate being used for SSL by the Tomcat instance running OSP.

  1. Copy the SSL server certificate of the Tomcat instance that hosts OSP to the server where you installed Access Manager.

  2. Open the Administration Console of Access Manager.

  3. To import the certificate, click Security > NIDP Trust Store.

  4. Click Add.

  5. In the Add dialog, select Trusted Root > Import.

  6. Select the root certificate that you want to import and then click OK.

  7. Ensure that OSP recognizes SAML authentication assertions.

    For more information, see Section 45.4.2, Creating an Attribute Set for SAML.