Federation Security Services Guide › Configure SiteMinder as a SAML 1.x Consumer › Enable Client Certificate Authentication for the Back Channel(optional) › Add a Client Certificate to smkeydatabase

Add a Client Certificate to smkeydatabase

When you are adding a client certificate to the key database, note the following:

• The value of dname, which specifies the Consumer name, can be any attribute from the Consumer subject DN. The Policy Server at the producer site can use its certificate mapping functionality to map the Consumer to a local user directory entry.
• The value for alias associated with the private key is the same as the value of the Affiliate Name field. The Attribute Name field is in the Scheme Setup section of SAML Artifact Authentication scheme dialog. The attribute of the Consumer subject DN, represented in the example by the CN value also reflects the Affiliate Name value.

  For example, if you entered CompanyA as the Affiliate Name, then alias is Company A. The attribute is CN=CompanyA, OU=Development, O=CA, L=Waltham, ST=MA, C=US

• To refer to the existing key store entry, subsequent keytool commands use the same alias.
• The value for password is same as the value of the Password field specified in the Scheme Setup dialog for the SAML Artifact Authentication Scheme.

To create and store a client certificate in the smkeydatabase file at the Consumer

1. Open a command window.
2. If necessary, create a key database by entering:

   smkeytool -createDB -password fedDB

3. Generate a key-pair combination.

   For example, to create a private key using the PKCS8 format enter:

   smkeytool -addPrivKey -alias CompanyA -keyfile idp1pkey.pkcs8 -certfile idp1.crt -password smdb

   This example assumes that you are running smkeytool from the directory where the certificate and key are located, so there are no file paths necessary.

   The certificate is now added to the smkeydatabase.

4. Restart the Policy Server to see the smkeydatabase changes immediately.