The first step in protecting the ClaimsWS service is verifying the prerequisites.
Verify the following prerequisites before protecting the Claims WS service with SSL:
Agent-for-SharePoint_home\ca_sps_env.sh
The next step in protecting the ClaimsWS service is creating a JCEKS key store and private key.
The JCEKS key store is a repository for the certificates and their related private keys. The certificates that you create are stored in the JCEKS key store. Creating a key store also creates a server certificate. This process requires the following information:
Follow these steps:
Agent_for_SharePoint_home\SSL\keys
Indicates the directory where the CA SiteMinder Agent for SharePoint is installed.
Default: (Windows) [32-bit] C:\Program Files\CA\Agent-for-SharePoint
Default: (Windows) [64-bit] C:\CA\Agent-for-SharePoint
Default: (UNIX/Linux) /opt/CA/Agent-for-SharePoint
keytool -genkeypair -keyalg RSA -keystore .\ServerCert.jceks -alias Alias_Name -storetype JCEKS -storepass keystore_password
The following table lists the prompts from the JCEKS keytool utility and sample responses:
Keytool Prompt | Sample Response | Purpose
--- | --- | ---
What is your First and Last Name? | agentforsharepointserver.example.com | Fully qualified domain name (FQDN) of the server hosting your Agent for SharePoint.
What is your Organizational Unit? | support | Department or group name
What is your Organization? | example | Name of your organization
What is your City or Locality? | Your City | City or Town
What is your State? | YS | Two-letter state or province abbreviation
What is your Country Code? | YC | Two-letter country code
The keytool utility displays a confirmation resembling the following example:
Is the following correct: cn=agentforsharepointserver.example.com,ou=support,o=example,l=Your City,st=YS,c=YC
The keystore and private key are created.
The next step in protecting the ClaimsWS service involves creating a certificate signing request for the server certificate in your JCEKS key store.
A signing request submits the certificate to a certificate authority. The certificate authority validates (signs) the certificate. Certificates that are signed by third-party certificate authorities are considered more secure than self-signed certificates.
Self-signed certificates are acceptable for evaluation or testing environments.
To submit a certificate signing request, you need the following information:
Follow these steps:
keytool -certreq -v -alias Alias_Name -sigalg MD5withRSA -file .\file_name_of_certificate_request.csr -keypass keystore_password -keystore ServerCert.jceks -storepass keystore_password -storetype JCEKS
The keytool utility produces a certificate signing request similar to the following example:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBrzCCARgCAQAwbzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMRMwEQYDVQQHEwpGcmFtaW5n
aGFtMQswCQYDVQQKEwJDQTEPMA0GA1UECxMGU01URVNUMSAwHgYDVQQDExdzbXNwczIwMTAuc210
...
dsrZKqtNaqym7DrkSql7LsUGcsACUp1K4PU6t3P16CKvagspJ18zwTqTRpkGtbu6emvEwpcQveuW
k27YooCZ4XDzFxtpAnv9EIl7L4N4QHHxXCa8kIULOdGtJ4vD
-----END NEW CERTIFICATE REQUEST-----
Note: This procedure demonstrates submitting a request to a Microsoft Active Directory Certificate Services certificate authority.
https://fully_qualified_domain_name_of_server_running_active_directory_certificate_services/certsrv
Note: An example of such a URL is http://certificateauthority.example.com/certsrv.
Note: Under the type of certificate needed drop-down list, verify that Client Authentication Certificate appears.
A confirmation dialog appears.
The request is submitted. Note your request ID for future reference.
The next step in protecting the ClaimsWS service is having a certificate authority process your request.
After the certificate authority receives your certificate signing request, it processes the request and returns the signed certificate.
Some organizations use third-party certificate authorities to sign their certificate requests. Other organizations may have an internal group that operates a certificate authority.
The following procedure demonstrates the process for approving a certificate with Microsoft Active Directory Certificate Services:
Follow these steps:
Certificate administrators approve or reject certificate requests. Certificate administrator privileges are separate from the Administrator privileges in the Windows operating environment. Not all users who have accounts on the computer hosting Active Directory Certificate Services have sufficient privileges to approve or reject certificates.
Use this procedure if you have certificate administrator privileges. Otherwise, ask the certificate administrator in your organization to issue the certificate for you.
Follow these steps:
The certsrv snap-in appears.
A list of pending certificate requests appears.
The certificate is issued.
Continue with the next step of downloading and importing the certificate.
The next step in protecting the ClaimsWS service is downloading and importing the certificate chain.
After your certificate has been signed, download and install the following items to the server hosting your Agent for SharePoint:
The certificate chain lets the web browsers of your users validate your certificate.
This process requires the following information:
Follow these steps:
Agent_for_SharePoint_home/SSL/keys
keytool -importcert -v -noprompt -alias Alias_Name -file .\certnew.p7b -keypass keystore_password -keystore ServerCert.jceks -storepass keystore_password -storetype JCEKS
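The key store creation, certificate request and chain import steps above, as one added script (example code, not CA's own) that a practitioner can run on the server and then check the result with. The alias, password and key directory are placeholders; the page's `-sigalg MD5withRSA` is replaced by `SHA256withRSA` because current JDKs and certificate authorities reject MD5 signatures.

```bash
#!/bin/sh
# Added example, not part of the CA documentation. Assumes keytool is on PATH.
set -eu

KEYS_DIR="${KEYS_DIR:-./SSL/keys}"      # stands for Agent_for_SharePoint_home/SSL/keys
ALIAS="${ALIAS:-claimsws}"               # placeholder for Alias_Name
STOREPASS="${STOREPASS:-changeit}"       # placeholder for keystore_password
KEYSTORE="$KEYS_DIR/ServerCert.jceks"
# Same subject as the sample responses in the prompt table; -dname skips the prompts.
DNAME="${DNAME:-CN=agentforsharepointserver.example.com,OU=support,O=example,L=Your City,ST=YS,C=YC}"

# Step 1: JCEKS key store with an RSA key pair (also creates the self-signed server cert).
gen_keypair() {
  mkdir -p "$KEYS_DIR"
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 730 -dname "$DNAME" \
    -keystore "$KEYSTORE" -alias "$ALIAS" -storetype JCEKS \
    -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: certificate signing request for the CA. SHA256withRSA instead of the
# page's MD5withRSA, which modern CAs and JDK security policy no longer accept.
make_csr() {
  keytool -certreq -alias "$ALIAS" -sigalg SHA256withRSA -file "$KEYS_DIR/$ALIAS.csr" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" -storetype JCEKS
}

# Step 3: import the signed chain (the certnew.p7b downloaded from certsrv) over the alias.
import_chain() {   # usage: import_chain path/to/certnew.p7b
  keytool -importcert -noprompt -alias "$ALIAS" -file "$1" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" -storetype JCEKS
}

# Check: print the chain length stored under the alias. A freshly generated key pair
# reports 1 (self-signed only); after a successful import it must be greater than 1,
# otherwise the CA chain did not replace the self-signed certificate.
chain_length() {
  keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storetype JCEKS \
    -storepass "$STOREPASS" | sed -n 's/^Certificate chain length: *//p'
}
```

Run `gen_keypair` and `make_csr`, submit the `.csr` file to the CA, then `import_chain certnew.p7b` and confirm `chain_length` is greater than 1 before editing server.conf.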
The next step in protecting the ClaimsWS service is defining the key store and SSL ports.
After downloading and importing the certificate chain to the server hosting the Agent for SharePoint, add the following settings:
These settings are defined in the server.conf file.
Follow these steps:
Agent_for_SharePoint_home\proxy-engine\conf\server.conf
Locate the following section of the file:
<localapp>
#local.https.port=port_number
local.https.port=2525
#local.https.keyStoreFileName="tomcat.keystore"
local.https.keyStoreFileName="ServerCert.jceks"
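A check for the two settings this step adds, written here as an added example (not CA's code): it reads only the uncommented lines of the `<localapp>` section and fails if the HTTPS port is missing or out of range, or if the key store name is unset or still the commented default. The sample server.conf is constructed inline; the `</localapp>` closing tag is assumed.

```bash
#!/bin/sh
# Added example, not part of the CA documentation.
# usage: check_localapp path/to/server.conf  -> prints "<port> <keystore>" on success
check_localapp() {
  conf="$1"
  # Keep the <localapp> section and drop commented-out settings (the #local.https.* lines).
  section=$(sed -n '/<localapp>/,/<\/localapp>/p' "$conf" | grep -v '^[[:space:]]*#')
  port=$(printf '%s\n' "$section" | sed -n 's/^local\.https\.port=//p')
  ks=$(printf '%s\n' "$section" \
       | sed -n 's/^local\.https\.keyStoreFileName="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p')
  case "$port" in
    ''|*[!0-9]*) echo "local.https.port missing or not numeric" >&2; return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
  [ -n "$ks" ] || { echo "local.https.keyStoreFileName not set" >&2; return 1; }
  [ "$ks" != "tomcat.keystore" ] || { echo "keyStoreFileName is still the default" >&2; return 1; }
  echo "$port $ks"
}

# Constructed sample matching the fragment shown on this page.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
<localapp>
#local.https.port=port_number
local.https.port=2525
#local.https.keyStoreFileName="tomcat.keystore"
local.https.keyStoreFileName="ServerCert.jceks"
</localapp>
EOF

# Constructed sample where the port line was left commented out.
BAD_CONF=$(mktemp)
cat >"$BAD_CONF" <<'EOF'
<localapp>
#local.https.port=2525
local.https.keyStoreFileName="ServerCert.jceks"
</localapp>
EOF
```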
The next step of protecting the ClaimsWS service involves generating an SSLConfig.properties file for the keystore.
Follow these steps:
GenerateSSLConfig -keystorepass keystore_password
Important! Do not enable client authentication yet.
Starting or stopping the Agent for SharePoint involves the following separate procedures:
Copyright © 2013 CA.
All rights reserved.