Modify the Key Database Using smkeytool
The smkeytool utility is a SiteMinder command-line tool that manages the key database (smkeydatabase). It is installed with the Policy Server in the following locations:
- siteminder_home/bin (UNIX)
- siteminder_home\bin (Windows)
Use smkeytool to:
- Create and delete a key database
  You can only have one key database per Policy Server. After the database is created, you can add keys and certificates.
- Add and delete private keys
- Add and delete a partner certificate
- List all certificates stored in the key database
- Import root certificates of CAs
- Add client certificate keys
  If you are using a root or chain Certificate Authority (CA) at the relying party that is not listed in the smkeydatabase, add it to the smkeydatabase.
  For example, a signed VeriSign CA server-side certificate is used to SSL-enable the producer-side web server installed with the Web Agent Option Pack. To use this certificate for Basic over SSL authentication, add the VeriSign certificate to the smkeydatabase at the consumer. With the certificate present, the consumer can verify that it is communicating with a producer that presents a server-side certificate, and that a trusted CA verified that certificate.
- Export key data from smkeydatabase
- Add, list, validate, and delete a Certificate Revocation List
Notes About Modifying Certificates
- If you are adding a private key/certificate pair or a single certificate, delete the certificate metadata from the certificate file before trying to import it into the smkeydatabase. Import only the data starting with the -----BEGIN CERTIFICATE----- marker and ending with the -----END CERTIFICATE----- marker. Be sure to include the markers.
- If you add a new certificate to the key database or update an existing certificate, restart the Policy Server to see the change immediately. If you do not restart the Policy Server, it takes some time before the Policy Server and the key database synchronize. The amount of time for the key database to update depends on the configured frequency of database updates. You can configure database updates by adjusting the DBUpdateFrequencyMinutes parameter in the smkeydatabase.properties file.
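The metadata-stripping step above is easy to get wrong by hand (a dropped marker line, a trailing "Bag Attributes" block, or a private key pasted into the certificate file). The following Python script is an added example, not part of the guide and not a SiteMinder or smkeytool component: it pulls every PEM block out of a certificate file, keeps the BEGIN/END markers, checks that each body is valid base64 that decodes to a well-formed DER SEQUENCE (the outer element of every X.509 certificate), and returns only the CERTIFICATE blocks, so that private-key material is never written into the certificate file you hand to the import. The sample file contents are constructed; the base64 body is a minimal made-up DER SEQUENCE, not a real certificate. Function and variable names are this example's own.

```python
import base64
import re

# Constructed sample of a certificate file as exported by common PKCS#12/OpenSSL
# tooling: metadata lines precede the PEM block. The base64 body is a made-up,
# minimal DER SEQUENCE (30 03 02 01 01), NOT a real certificate.
SAMPLE_CERT_FILE = """Bag Attributes
    friendlyName: example-partner
    localKeyID: 01 02 03
subject=CN=example-partner, O=Example
issuer=CN=Example Root CA
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

# Constructed sample of a private key/certificate pair in one file; only the
# CERTIFICATE block belongs in the certificate file that is imported.
SAMPLE_KEY_AND_CERT_FILE = """-----BEGIN PRIVATE KEY-----
MAMCAQE=
-----END PRIVATE KEY-----
""" + SAMPLE_CERT_FILE

# One PEM block: BEGIN marker, body, matching END marker (RFC 7468 layout).
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def der_sequence_length_ok(der: bytes) -> bool:
    """Return True if der is exactly one DER SEQUENCE whose declared length matches.

    This catches truncated or mangled bodies: a certificate copied without its
    last lines still base64-decodes, but the outer length will not match.
    """
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                             # short-form length
        length, header = first, 2
    else:                                        # long-form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def extract_pem_blocks(text: str):
    """Return [(label, canonical_block)] for every PEM block in text.

    Metadata outside the markers is discarded. Each body is re-wrapped at 64
    columns and validated; a bad body raises ValueError rather than producing a
    file that the import would reject or, worse, silently mis-read.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = "".join(m.group("body").split())  # drop all whitespace inside the body
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            raise ValueError(f"{label} block is not valid base64")
        if not der_sequence_length_ok(der):
            raise ValueError(f"{label} block does not decode to a well-formed DER SEQUENCE")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        block = f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"
        blocks.append((label, block))
    return blocks


def certificates_only(text: str) -> str:
    """Return the file content to import: CERTIFICATE blocks with markers, nothing else."""
    return "".join(block for label, block in extract_pem_blocks(text) if label == "CERTIFICATE")


if __name__ == "__main__":
    # Typical use: read the exported file, write the cleaned certificate-only file.
    print(certificates_only(SAMPLE_KEY_AND_CERT_FILE), end="")
```

The DER length check is deliberately shallow: it does not parse the certificate, it only confirms that the bytes between the markers form one complete outer SEQUENCE, which is enough to reject the usual copy-and-paste truncations before they reach the key database.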
Copyright © 2012 CA.
All rights reserved.