Certificate and Private Key Usage by Federation Manager

Federation Manager Guide › Key and Certificate Management to Secure Federation Messages › Certificate and Private Key Usage by Federation Manager

Certificate and Private Key Usage by Federation Manager

Private keys and certificates are required for the following tasks:

Signing, verification, encryption, and decryption of entire assertions, or specific assertion content.
Back-channel authentication for artifact single sign-on. Federation Manager uses client certificates for this purpose.
Establishing SSL connections using SSL server certificates.

Private key/certificate pairs and single certificates for federation functions are stored in the certificate data store (CDS). The certificate data store is collocated with the policy store. Federation Manager systems that share a common view into the same policy store have access to the same keys, certificates, certificate revocation lists (CRL), and OCSP responders.

Manage the contents of the certificate data store using the Federation Manager UI.

SSL server certificates are stored on the web server where they are installed. SSL server certificates are not stored in the certificate data store.

Aliases to Reference Certificate Data Store Content

Each key/certificate pair, client certificate, and trusted certificate in the certificate data store must have a unique alias. The alias is the reference to any private key/certificate pair or single certificate in the certificate store. The certificate data store holds multiple key/certificate pairs and single certificates. In a federated environment there are multiple partners. For multiple partners, you can use a different pair for each partner.

If a signing alias is configured for signing assertions, the assertion generator uses the key associated with alias to sign assertions. If no signing alias is configured, the assertion generator uses the key with the following alias to sign assertions:

defaultenterpriseprivatekey

If the assertion generator does not find a default enterprise private key, it uses the first private key in the store to sign assertions.

Important! If you are going to store multiple keys, define the first key that you add with the following alias before adding subsequent keys:

defaultenterpriseprivatekey

A given Policy Server signs or signs and verifies responses. Add keys and certificates for signing and validation to the same certificate data store.

The following types of key/certificate pairs and single certificates are stored in the certificate data store:

Function	Private Key/Cert Pair	Certificate (public key)	CA Certificates	Client Certificate
Signs assertions, authentication requests, SLO requests and responses	X
Verifies signed assertions, authentication requests, and SLO requests/responses		X
Encrypts assertions, Name ID and attributes (SAML 2.0 only)		X
Decrypts assertions, Name ID and attributes (SAML 2.0)	X
Serves as a credential for client certificate authentication of the artifact back channel				X
Validates other certificates and certificate revocation lists			X
Use SSL connections to resolve web services variables			X