
Add a CA Certificate for an SSL Back Channel at the SP

For artifact single sign-on, if Basic over SSL is the authentication scheme protecting the Artifact Resolution Service, you must add the certificate of the certificate authority (CA) that issued the Identity Provider's SSL server certificate to the Service Provider's smkeydatabase.

The smkeydatabase holds the CA certificate against which the Service Provider validates the server certificate presented by the Identity Provider when the SSL connection between the two is established. That connection is the back channel across which the assertion is returned in response to the artifact, so the Artifact Resolution Service must be protected and the back channel must be secure: the Service Provider has to know that the SSL connection is secured by a trusted authority rather than by an arbitrary endpoint presenting any certificate.

A set of common root certificates ships with the default smkeydatabase. If the root certificate of the CA that issued the Identity Provider's web server certificate is not among them, import that root certificate into the smkeydatabase. Import only the CA that actually issued the Identity Provider's server certificate, and confirm its fingerprint with the Identity Provider out of band, because every server certificate issued by a trusted CA in the smkeydatabase is accepted for the back channel.

For this deployment, the alias is sampleAppCertCA and the certificate of the CA is docCA.crt.

Use the SiteMinder smkeytool utility to modify the database.

To add a certificate to the smkeydatabase

  1. Open a command window.
  2. Check whether the Certificate Authority certificate is already in the database by entering:

    smkeytool -listcerts

    Look for an entry of type CertificateAuthorityEntry whose alias or subject matches the CA you need. The default smkeydatabase already contains CertificateAuthorityEntry entries for the shipped common root certificates, so the presence of that entry type alone does not mean your CA is present.

  3. If the CA certificate is not present, import a new CA certificate by entering:

    smkeytool -addCert -alias <alias> -infile <cert_file> -trustcacert

    For this deployment, the command is:

    smkeytool -addCert -alias sampleAppCertCA -infile docCA.crt -trustcacert

  4. When asked if you trust the certificate, enter YES.

    The certificate is added to smkeydatabase.

  5. Restart the Policy Server so that it picks up the smkeydatabase change immediately.
  6. Enable the Artifact Binding for SAML Authentication at the SP.
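The following script is an added example and is not part of the CA SiteMinder documentation: it wraps steps 2 through 5 above in an idempotent "check, then add" function so the import can be repeated safely from a deployment script. It assumes (none of this is stated on this page) that the smkeytool binary is reachable through the SMKEYTOOL variable (default: smkeytool on the PATH), that the output of smkeytool -listcerts contains the alias of each entry so a match on the alias text is enough to detect an earlier import, and that the trust prompt of -addCert accepts YES on standard input. The function names ensure_ca_cert, ca_cert_present and cert_file_readable are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the SiteMinder documentation.
# Assumption: smkeytool is found via $SMKEYTOOL (default: on PATH).
SMKEYTOOL="${SMKEYTOOL:-smkeytool}"

# Return 0 if "smkeytool -listcerts" already lists an entry for CA_ALIAS.
# Assumption: the alias appears verbatim in the -listcerts output. Matching
# on the alias (not merely on "CertificateAuthorityEntry") matters because
# the default smkeydatabase already ships with common root CA entries.
ca_cert_present() {
    ca_alias="$1"
    "$SMKEYTOOL" -listcerts 2>/dev/null | grep -q -- "$ca_alias"
}

# Fail before the import if the -infile path is wrong or the file is empty,
# rather than after the trust prompt.
cert_file_readable() {
    [ -f "$1" ] && [ -r "$1" ] && [ -s "$1" ]
}

# ensure_ca_cert CA_ALIAS CERT_FILE
#   exit status 0 : certificate added, or already present
#   exit status 1 : certificate file missing, unreadable or empty
#   exit status 2 : smkeytool -addCert failed
# Prints ALREADY_PRESENT or ADDED so a caller can tell which path was taken.
ensure_ca_cert() {
    ca_alias="$1"
    cert_file="$2"
    if ca_cert_present "$ca_alias"; then
        echo "ALREADY_PRESENT"
        return 0
    fi
    cert_file_readable "$cert_file" || return 1
    # The documented import command; the trust prompt is answered with YES
    # on stdin (assumption) so the script can run unattended.
    if printf 'YES\n' | "$SMKEYTOOL" -addCert -alias "$ca_alias" \
            -infile "$cert_file" -trustcacert >/dev/null; then
        echo "ADDED"
        return 0
    fi
    return 2
}

# Values from this deployment walk-through; uncomment to run on a Policy Server:
# ensure_ca_cert sampleAppCertCA docCA.crt
```

After a successful ADDED result, restart the Policy Server as in step 5 above; the script deliberately does not do that for you, because a restart on a production Policy Server should be a separate, scheduled action.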


Copyright © 2010 CA. All rights reserved.