|
|
|
The Signature and Encryption step in the Partnership wizard lets you define how Federation Manager uses private keys and certificates to do the following:
Note: For SAML 2.0 POST binding, the IdP is required to sign assertions.
There can be multiple private keys and certificates in the key database. If you have multiple federated partners, you can use a different key pair for each partner.
Note: For a Federation Manager system operating in FIPS_COMPAT or FIPS_MIGRATE mode, all FIPS and non-FIPS certificate and key entries in the key database are available in the respective pull-down lists. If your Federation Manager system is operating in FIPS-Only mode, only FIPS-approved certificate and key entries are available.
To configure signing options
By completing this field, you are indicating which private key the relying party uses to sign authentication requests and single logout requests and responses.
Note: Click Help for a description of fields, controls, and their respective requirements.
Select the algorithm that best suits your application.
RSAwithSHA256 is more secure than RSAwithSHA1 due to the greater number of bits used in the resulting cryptographic hash value.
SiteMinder uses the algorithm you select for all signing functions.
By completing this field, you are indicating which certificate the relying party uses to verify signed assertions or single logout requests and responses. If there is no certificate in the database, click Import to import one.
Restart the services according to your platform:
Windows
Use the Federation Manager stop and start shortcuts. If you logged in as a network user and not a local administrator, right-click the shortcut and select Run as administrator.
UNIX
a. Open up a command window.
b. Navigate to federation_manager_home, the directory where you installed Federation Manager.
c. Run the following script: ca_federation_env.ksh.
d. Enter the following commands:
fedmanager.sh stop
fedmanager.sh start
If you do not run the environment script, you have to navigate to the directory federation_mgr_homewhere the start and stop scripts are located.
Note:
Do not stop and start the services as the root user.
You have to activate a partnership for all configuration changes to take affect and for the partnership to become available for use. Restarting the services is not sufficient
If you are using Federation Manager in a test environment, you may want to disable signature processing to simplify testing. Click the Disable Signature Processing checkbox to accomplish this.
Important! Signature processing must be enabled in a SAML 2.0 production environment.
To configure encryption options
Note: To use the AES-256 bit encryption block algorithm, install Sun's Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. You can download these files from http://java.sun.com/javase/downloads/index.jsp.
This private key decrypts any encrypted assertion data. If there is no certificate in the database, click Import to import one or click Generate to create a key pair and generate a certificate request.
Restarting the services, requires the following:
Use the Federation Manager stop and start shortcuts as follows:
a. Open up a command window.
b. Navigate to federation_manager_home, the directory where you installed Federation Manager.
c. Run the following script: ca_federation_env.ksh.
d. Enter the following commands:
fedmanager.sh stop
fedmanager.sh start
Note: If you do not run the environment script, you have to navigate to the directory federation_mgr_home/config where the start and stop scripts are located.
The signing and encryption configuration is complete.
| Copyright © 2011 CA. All rights reserved. | Email CA Technologies about this topic |