

Add a CA Certificate for an SSL Back Channel at the SP

For artifact single sign-on, if Basic over SSL is the authentication scheme protecting the Artifact Resolution Service, add the certificate of the issuing CA to the smkeydatabase of the Service Provider.

The smkeydatabase holds the certificate authority (CA) certificate that the Service Provider uses to validate the SSL server certificate presented by the Identity Provider when the SSL connection is established. That connection is the back channel across which the assertion is sent in response to the artifact. Protect the Artifact Resolution Service and secure the back channel so that the Service Provider can confirm that a trusted authority issued the certificate securing the SSL connection.

A set of common root certificates ships with the default smkeydatabase. If the root certificate of the web server that hosts the Artifact Resolution Service is not in the key store, import the necessary root certificate into the smkeydatabase.

For this deployment, the alias is sampleAppCertCA and the certificate file of the CA is docCA.crt.

Use the SiteMinder smkeytool utility to modify the database.

To add a certificate to the smkeydatabase

  1. Open a command window.
  2. Check whether the Certificate Authority certificate is already in the database by entering:

    smkeytool -listcerts

    Look for an entry whose type is CertificateAuthorityEntry and whose subject matches the CA that issued the Identity Provider's server certificate.

  3. If the CA certificate is not present, import a new CA certificate by entering:

    smkeytool -addCert -alias <alias> -infile <cert_file> -trustcacert

    For this deployment, the command is:

    smkeytool -addCert -alias sampleAppCertCA -infile docCA.crt -trustcacert

  4. When asked whether you trust the certificate, enter YES.

    The certificate is added to smkeydatabase.

  5. Restart the Policy Server so that the smkeydatabase changes take effect immediately.
  6. Enable the Artifact Binding for SAML Authentication at the SP.
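The procedure above imports whatever is in the certificate file and marks it trusted with -trustcacert, so it is worth checking the file before handing it to smkeytool. The script below is an added example, not part of the SiteMinder documentation or product: a hypothetical pre-flight check, built on the openssl command-line tool, that confirms the file really is a CA certificate (basicConstraints CA:TRUE), is not expired, and actually issued the server certificate presented by the Identity Provider's Artifact Resolution Service. The function names, the IdP host name idp.example.com and the demo PKI it generates (a self-signed CA standing in for docCA.crt plus a server certificate signed by it) are all constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for a CA certificate before running
# "smkeytool -addCert -alias <alias> -infile <cert_file> -trustcacert".
# Hypothetical helper, not SiteMinder code. Requires the openssl CLI.
set -e

# Succeeds if $1 is a PEM certificate carrying basicConstraints CA:TRUE,
# i.e. something that may legitimately be trusted as an issuer.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Succeeds if $1 is still valid $2 seconds from now (default: right now).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Succeeds if server certificate $2 chains to CA certificate $1.
# -no-CApath keeps the system CA directory out of the decision, so the
# result reflects this CA file alone.
ca_issued_server_cert() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Captures the server certificate that the IdP's Artifact Resolution
# Service presents on host $1, port $2, into file $3. Needs network
# access, so the demo below does not call it.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# Runs all checks on CA file $1 against server certificate $2 and prints
# a verdict. Returns 0 only when the CA file is safe to import.
preflight_ca() {
    ca="$1"; server="$2"
    if ! is_ca_cert "$ca"; then
        echo "FAIL: $ca has no basicConstraints CA:TRUE; do not import with -trustcacert"
        return 1
    fi
    if ! cert_valid_for "$ca" 0; then
        echo "FAIL: $ca is expired"
        return 1
    fi
    if ! ca_issued_server_cert "$ca" "$server"; then
        echo "FAIL: $server does not chain to $ca; wrong CA for this IdP"
        return 1
    fi
    echo "OK: $(openssl x509 -in "$ca" -noout -subject) issued $server"
}

# Builds a constructed test PKI in directory $1: a self-signed CA playing
# the part of docCA.crt and a server certificate for the assumed IdP host
# idp.example.com signed by it. Test fixture only.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Demo Doc CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/docCA.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=idp.example.com" -keyout "$dir/idp.key" -out "$dir/idp.csr" 2>/dev/null
    openssl x509 -req -in "$dir/idp.csr" -CA "$dir/docCA.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/idp.crt" 2>/dev/null
}

# Demo on the constructed PKI. Against a real deployment, replace this
# with fetch_server_cert on the IdP host and preflight_ca on docCA.crt.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
preflight_ca "$demo_dir/docCA.crt" "$demo_dir/idp.crt"
rm -rf "$demo_dir"
```

To use it against a real deployment, source the script, run fetch_server_cert with the host and port of the Identity Provider's Artifact Resolution Service to capture its server certificate, then call preflight_ca with docCA.crt and that file. Only proceed to smkeytool -addCert with -trustcacert when it prints OK; a file that fails the CA:TRUE check is a server or intermediate certificate, not a root, and a file that fails the chaining check is not the CA that secures this back channel.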