

SSL Administration for the Apache Web Server and the UI

Enable SSL for the following purposes:

The embedded Apache web server lets the federation system handle SSL federation traffic and secure the back channel for HTTP-Artifact single sign-on. The embedded Tomcat web server allows secured access to the UI.

To enable SSL for the Apache and Tomcat web servers, complete the following process:

  1. Create a certificate request for a server certificate.
  2. Import the certificate that is issued by the Certificate Authority (CA).
  3. Activate SSL in the Administrative UI. Locate the settings in Infrastructure, SSL Configuration.

Note: CA SiteMinder® Federation Standalone installations operating in FIPS Migrate or FIPS-only modes have FIPS-compatible encryption key algorithms available for certificates.

How to Enable SSL for the Apache Web Server and the UI

The procedure for enabling SSL for the embedded Apache web server and the Administrative UI is the same.

Note: If you enable SSL, it affects all URLs for all services, even the Base URL parameter. This means that all service URLs must begin with https://.

To enable SSL communication:

  1. Request a server certificate.
  2. Specify the CA certificate that signs the server certificate.
  3. Upload the signed certificate to the system.

    After the certificate is successfully uploaded, the CA SiteMinder® Federation Standalone activates the SSL connection.

In addition to these required steps, you can do the following:

Request an SSL Server Certificate

The first step in establishing an SSL connection is to complete a server certificate request. You send the completed request to a trusted Certificate Authority (CA), who returns a signed server certificate.

Important! Request an SSL Server certificate.

Follow these steps:

  1. From the Administrative UI, select Infrastructure, SSL Configuration.

    The SSL Configuration dialog opens. In the SSL Configuration Status field, the status reads Server cert not requested.

  2. Click Request to create a certificate request.
  3. Complete the fields in the Certificate Request dialog and click Save.

    Certain fields have required values that are already assigned to them. In the Requester Name field, there is a suggested default value, but you can change it. The Requester Name value must be the fully qualified domain name that is associated with the server where CA SiteMinder® Federation Standalone is deployed.

    Note: Click Help for a description of fields, controls, and their respective requirements.

When the certificate request is created, CA SiteMinder® Federation Standalone generates a private key. The private key is stored in an internal file location.

After the request is generated, send the server certificate request to the designated CA that signs the certificate.

Based on the generated certificate request, the Certificate Authority issues a certificate. The validity duration of the certificate is equal to one of the following values:

Upload the Signed Server Certificate

After you complete a certificate request, the SSL Configuration Status field reads Server cert requested, not signed, indicating that the certificate request is waiting to be signed. CA SiteMinder® Federation Standalone accepts a base-64 encoded PEM certificate or a full PKCS #7 certificate/chain response.

After you receive the signed certificate from the CA, the certificate must be uploaded to the storage location.

Note: Click Help for a description of fields, controls, and their respective requirements.

To upload the signed server certificate

  1. Begin at the same SSL Configuration where you started the request.
  2. Select the signed certificate response in the Signed Certificate Response field. Click Browse to locate the file.

    Note: Only one key and certificate pair is needed for the SSL features because SSL does not support more than one pair.

  3. Identify the CA that signed the SSL certificate from the pull-down menu in the CA Certificate field.

    If the CA certificate is not in the key store, import a copy of the CA certificate used to sign the SSL certificate request. Import the certificate by clicking Import and completing the import steps.

  4. Click Apply to upload the server certificate to CA SiteMinder® Federation Standalone.

    A confirmation message is displayed and the SSL Configuration changes to reflect that the certificate is now updated.

  5. Restart the federation services according to your operating environment.

After the server certificate is uploaded to the system, CA SiteMinder® Federation Standalone updates the certificate and activates SSL. Assuming that the certificate upload was successful, the SSL Configuration Status reads SSL Active. The button in the configuration group box changes to Deactivate.

The UI also indicates whether the uploaded certificate is FIPS-approved or not.
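The request and upload steps above hand you three artifacts: the certificate signing request (retrievable with the Retrieve button), the CA's signed response (a base-64 PEM certificate or a PKCS #7 chain), and the CA certificate you select or import in the CA Certificate field. The following POSIX shell script is an added example, not part of the product or its documentation, that checks those artifacts against each other before you click Apply: the response contains a certificate whose public key matches the CSR, its CN is the server FQDN you entered as the Requester Name, the chain verifies against the CA certificate, and the certificate is not about to expire. It assumes the openssl command-line tool is installed; make_sample_pki builds constructed throwaway material (a local test CA, key, CSR and PKCS #7 response) to stand in for a real CA's reply.

```shell
#!/bin/sh
# Pre-upload checks for a signed SSL server certificate (added example, not product code).
# Assumes the openssl CLI; all names and paths below are the example's own.

# Print every certificate in a CA response as PEM, whether the CA returned a single
# base-64 PEM certificate, a PEM PKCS #7 bundle, or a DER-encoded .p7b file.
response_certs() {
  if grep -q 'BEGIN PKCS7' "$1" 2>/dev/null; then
    openssl pkcs7 -in "$1" -print_certs
  elif grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
    cat "$1"
  else
    openssl pkcs7 -inform DER -in "$1" -print_certs
  fi
}

# Public key (PEM) embedded in a CSR and in a certificate; identical output means the
# certificate was issued for the private key the product generated with the request.
csr_pubkey()  { openssl req  -in "$1" -noout -pubkey; }
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Split response $1 into one file per certificate under $2 and print the path of the
# certificate whose public key matches CSR $3. Returns 1 if none matches.
find_leaf() {
  resp=$1; out=$2; csr=$3
  response_certs "$resp" | awk -v d="$out" '
    /BEGIN CERTIFICATE/ { n++; f = d "/cert" n ".pem" }
    f { print > f }
    /END CERTIFICATE/ { close(f); f = "" }'
  want=$(csr_pubkey "$csr")
  for c in "$out"/cert*.pem; do
    [ "$(cert_pubkey "$c" 2>/dev/null)" = "$want" ] && { echo "$c"; return 0; }
  done
  return 1
}

# The Requester Name must be the server's fully qualified domain name; confirm the CN.
check_cn() {
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
       sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$2" ]
}

# The certificate must chain to the CA certificate chosen in the CA Certificate field.
check_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Fail if the certificate expires within $2 days (SSL has to be reconfigured before then).
check_not_expiring() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# Run all checks on response $1 against CSR $2, CA certificate $3 and FQDN $4, using
# scratch directory $5. Prints the matching leaf certificate path on success.
preupload_check() {
  resp=$1; csr=$2; cafile=$3; fqdn=$4; work=$5
  leaf=$(find_leaf "$resp" "$work" "$csr") ||
    { echo "no certificate in the response matches the CSR" >&2; return 1; }
  check_cn "$leaf" "$fqdn"        || { echo "CN does not match $fqdn" >&2; return 1; }
  check_chain "$leaf" "$cafile"   || { echo "chain does not verify against $cafile" >&2; return 1; }
  check_not_expiring "$leaf" 14   || { echo "certificate expires within 14 days" >&2; return 1; }
  echo "$leaf"
}

# Constructed test material: a throwaway CA standing in for the real CA, a server key
# and CSR with the FQDN as CN (what the Request step produces), and the CA's reply
# packaged both as a plain PEM certificate and as a PKCS #7 chain.
make_sample_pki() {
  d=$1; fqdn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
    -subj "/CN=Example Test CA" -days 30 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
    -subj "/CN=$fqdn" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/server.pem" -days 30 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$d/server.pem" -certfile "$d/ca.pem" \
    -out "$d/response.p7b"
}

# Stand-alone usage: build the sample material and check it as if it were a CA response.
if [ "${1:-}" = "--demo" ]; then
  T=$(mktemp -d); mkdir "$T/work"
  make_sample_pki "$T" fed.example.com
  preupload_check "$T/response.p7b" "$T/server.csr" "$T/ca.pem" fed.example.com "$T/work"
  rm -rf "$T"
fi
```

Run it with `--demo` to see the checks pass on the constructed material; for a real response, call preupload_check with the retrieved CSR, the file you are about to select in the Signed Certificate Response field, and the CA certificate. A CSR from a different key, a certificate issued for the wrong host name, or a response signed by a CA you have not imported each fails with a message naming the problem, which is easier to act on than an unexplained failure after Apply.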

Deactivate SSL

You can deactivate the SSL configuration if you no longer require SSL. For example, if back channel authentication is no longer required or you no longer want an SSL connection to the UI you can deactivate SSL.

Note: If you reconfigure a Windows system with SSL enabled, deactivate the SSL configuration before reconfiguring your system. Reactivate SSL after the reconfiguration is complete.

Follow these steps:

  1. Begin at the SSL Configuration dialog.
  2. Click Deactivate in the Embedded web server or Administrative UI section.

    A confirmation prompt is displayed asking if you want to disable SSL.

  3. Click Yes to complete the deactivation.
  4. For the Administrative UI only, delete the tomcat.keystore file manually. This file is located in the following directory:

    federation_install_dir/secure-proxy/SSL/keys

    Deactivating SSL for the Administrative UI does not delete the corresponding key store file. If you change the UI SSL certificate for any reason, the certificate is not updated, which results in CA SiteMinder® Federation Standalone using the wrong certificate. Deleting the Tomcat key store helps ensure that any updates you make to the SSL certificate are reflected.

  5. Restart the federation services according to your operating environment.

The SSL connection is no longer active and the SSL Configuration Status setting changes to Server cert signed by CA, SSL ready. The certificate and key files remain so you can re-enable SSL.

Reactivate SSL

If you deactivate SSL for any reason, reactivate it. By enabling SSL, CA SiteMinder® Federation Standalone generates a FIPS-compatible private key for the server certificate.

Note: If the Status setting reads Server cert signed by CA, SSL ready, activate the SSL connection.

Follow these steps:

  1. Begin at the SSL Configuration dialog.
  2. Click Activate in the Embedded web server SSL configuration group box.

    The SSL Configuration Status setting changes to SSL Active and a confirmation message is displayed in the dialog.

  3. Restart the federation services according to your operating environment.

SSL is now enabled. You do not have to modify the SSL configuration until the certificate expires.

Replace or Resubmit a Certificate Signing Request for SSL

You can retrieve a copy of a certificate signing request associated with the private key/certificate pair in use by the Apache server or the UI. The ability to get a copy of the certificate signing request is useful if you delete the request file or you do not save the file. A copy of the request is also useful for resubmitting the request at a later date before the signed certificate expires.

The Retrieve function lets you obtain a copy of the certificate signing request.

Note: The Retrieve option is only available if a certificate has been requested and you have not deleted the SSL configuration by using the Restart button.

To retrieve a certificate signing request

  1. From the UI, select Infrastructure, SSL Configuration.

    The SSL Configuration dialog opens.

  2. Click Retrieve.

    A File Download dialog opens, prompting you to open or save the file.

  3. Save the file.

The signing request is now retrieved and the UI returns to the SSL Configuration dialog.

Remove SSL from the Embedded Apache Server and the UI

The Restart feature lets you disable the existing SSL configuration and delete all files associated with the SSL configuration. Specifically, it deletes the private key and server certificate and the original server request file.

To disable SSL and remove related files

  1. Log in to the Administrative UI.
  2. Select Infrastructure, SSL Configuration.

    The SSL Configuration dialog opens.

  3. Click Restart in the group box for the feature that does not require SSL.

    A prompt to confirm the restart is displayed.

  4. Click Yes.

    The SSL configuration is removed from the system.

  5. Restart the federation services according to your operating environment.

    Restarting the services lets the Apache web server and the UI return to non-SSL operation. Subsequent HTTPS requests that come in to CA SiteMinder® Federation Standalone will fail. With SSL removed, all service URLs now have to start with http.