

Smkeytool Examples for UNIX Platforms

The following are examples of using smkeytool to manage the smkeydatabase.

Example: Create a key database

This example shows the command for creating the key database:

smkeytool.sh -createDB -password siteminderdb

Example: Add a private key/certificate pair

The following example adds a private key/certificate pair to the smkeydatabase. The syntax is the same regardless of whether the key/certificate pair is used for signing and verification or encryption and decryption.

If you run smkeytool from the directory containing the private key/certificate pair, do not specify a directory path in the command line. The command syntax is as follows:

smkeytool.sh -addPrivkey -password keypswd -alias privkey1 -keyfile privkey.pkcs8 -certfile sample.crt

If you run smkeytool from a directory that does not contain the private key/certificate pair, specify the full path to the directory with the pair. The command syntax is as follows:

smkeytool.sh -addPrivkey -alias privkey1 -keyfile "export/ca/siteminder/certs/sampleprivkey.pkcs8" -certfile "export/ca/siteminder/certs/sample.crt"

Example: Add a standalone certificate

This example command adds only a certificate to the smkeydatabase. This certificate can be associated with a private key/certificate pair, but this command only adds the certificate.

If you run smkeytool from the directory containing the certificate, do not specify a directory path in the command line. The command syntax is as follows:

smkeytool.sh -addCert -password keypswd -alias sp2cert -certfile samplefile.crt

If you run smkeytool from a directory that does not contain the certificate, specify the full path to the directory with the certificate. The syntax is as follows:

smkeytool.sh -addCert -alias sp2cert -certfile "export/ca/siteminder/certs/samplefile.crt"

Example: Add a trusted CA certificate

This example shows the commands required to add a trusted Certificate Authority (CA) certificate. For federated communication, SiteMinder can use a trusted CA for securing the back channel for HTTP-Artifact single sign-on.

Important! Obtain a CA certificate from a Certificate Authority before adding a trusted certificate.

To add a trusted CA certificate

  1. Verify whether the certificate exists in the relying party database by entering:
    smkeytool.sh -listCerts
    
  2. Add the CA certificate by entering:
    smkeytool.sh -addCert -alias sp1cacert -infile /opt/netegrity/siteminder/certs/sampleCARoot.cer -trustcacert
    
  3. (Optional) Restart the Policy Server to see the change to the key database immediately.
  4. If you do not restart the Policy Server, it takes some time before the Policy Server and database synchronize. SiteMinder updates the key database based on the value of the DBUpdateFrequencyMinutes parameter in the smkeydatabase.properties file. You can adjust the frequency by modifying this parameter.
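The following POSIX shell wrapper is an added example; it is not part of the SiteMinder documentation or of smkeytool itself. It serves both the -addPrivkey example above and step 2 of the trusted-CA procedure: before smkeytool.sh writes anything into the smkeydatabase, it confirms with openssl that the private key and certificate share the same public key (a mismatched pair would be accepted by the tool but could never sign and verify, or encrypt and decrypt, together), and that a certificate being added with -trustcacert actually carries basicConstraints CA:TRUE, so a leaf certificate is not installed as a trust anchor. openssl being on PATH, the PKCS#8 key being an unencrypted PEM file, and the SMKEYTOOL variable naming the launcher are assumptions of this example, not something the page specifies.

```shell
#!/bin/sh
# Added example; not part of the SiteMinder documentation or of smkeytool.
# Pre-flight checks that run before smkeytool writes anything into the
# smkeydatabase: the private key must belong to the certificate it is paired
# with, and a certificate added with -trustcacert must really be a CA cert.
# Assumptions (not from the page): openssl is on PATH, the PKCS#8 key is an
# unencrypted PEM file, and SMKEYTOOL names the smkeytool.sh launcher.

SMKEYTOOL="${SMKEYTOOL:-./smkeytool.sh}"

# Print the SubjectPublicKeyInfo (PEM) held in a private key file; fail if
# the file is not a readable private key.
pubkey_of_key() {
  pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) && [ -n "$pem" ] && printf '%s\n' "$pem"
}

# Print the SubjectPublicKeyInfo (PEM) held in a certificate; fail otherwise.
pubkey_of_cert() {
  pem=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) && [ -n "$pem" ] && printf '%s\n' "$pem"
}

# Succeed only when key and certificate carry the same public key, i.e. the
# pair can actually sign/verify or encrypt/decrypt together.
key_matches_cert() {
  k=$(pubkey_of_key "$1") || return 1
  c=$(pubkey_of_cert "$2") || return 1
  [ "$k" = "$c" ]
}

# Succeed only when the certificate asserts basicConstraints CA:TRUE.
# A leaf certificate must not be installed as a trust anchor.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Check, then call smkeytool exactly as the documented -addPrivkey example
# does. Returns 1 without touching the database when the pair mismatches.
add_privkey_checked() {
  alias="$1"; keyfile="$2"; certfile="$3"; dbpass="$4"
  if ! key_matches_cert "$keyfile" "$certfile"; then
    echo "refusing: public key in $keyfile does not match $certfile" >&2
    return 1
  fi
  "$SMKEYTOOL" -addPrivkey -password "$dbpass" -alias "$alias" \
    -keyfile "$keyfile" -certfile "$certfile"
}

# Check, then call smkeytool as step 2 of the trusted-CA procedure does.
# Returns 1 without touching the database when the file is not a CA cert.
add_trusted_ca_checked() {
  alias="$1"; certfile="$2"
  if ! is_ca_cert "$certfile"; then
    echo "refusing: $certfile is not a CA certificate (no CA:TRUE)" >&2
    return 1
  fi
  "$SMKEYTOOL" -addCert -alias "$alias" -infile "$certfile" -trustcacert
}

# Usage (file names follow the documented examples):
#   add_privkey_checked privkey1 privkey.pkcs8 sample.crt keypswd
#   add_trusted_ca_checked sp1cacert /opt/netegrity/siteminder/certs/sampleCARoot.cer
```

The two check functions never touch the smkeydatabase, so they can be run on their own while reviewing material before a change window; only the add_* wrappers invoke smkeytool, and they do so only after the corresponding check passes.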