Managing Embedded Service Provider Certificates; Configuring Ssl Certificate Trust - Novell ACCESS MANAGER 3.1 SP1 - AGENT GUIDE Manual

J2ee* agent guide

5.2 Managing Embedded Service Provider Certificates

You can view and modify the private keys, certificate authority (CA) certificates, and certificate containers associated with the embedded service provider. The embedded service provider module is the J2EE Agent module that communicates with the Identity Server. This module handles all the authentication requests that need to be forwarded to the Identity Server for verification.
1 In the Administration Console, click Devices > J2EE Agents > Edit.
2 To view the assigned certificates, click one of the following keystores in the Service Provider Certificates section:
Signing: The signing certificate keystore. Click this link to access the keystore and replace the signing certificate as necessary. The signing certificate is used to sign the assertion or specific parts of the assertion.
Mutual SSL: The mutual SSL connector keystore. Click this link to access the keystore and replace the certificate. This certificate is used for mutual SSL connections with the Identity Server. If you set up services on the Identity Server that require mutual SSL, the Identity Server uses this certificate to establish the mutual SSL connection.
The Web Services Framework allows each service (such as a personal profile or employee profile) defined on the Identity Server to specify various security mechanisms, which are combinations of transport-level and message-level security as described in the Liberty ID-WSF specification. The administrator selects the mechanism depending on the nature of the data and the optimizations wanted. If a service on the Identity Server specifies that any Web service consumer (which includes the embedded service provider) must authenticate itself using a client certificate, the Web service consumer needs to support mutual SSL. For information on how to set up a profile to require mutual SSL, see "Editing Web Service Descriptions" in the Novell Access Manager 3.1 SP1 Identity Server Guide.
The Access Manager automatically populates this keystore with the certificate that you select when enabling SSL between the agent and the Identity Server. If you replace this certificate, you need to replace it with a certificate whose subject name (cn) matches the DNS name of the agent.
Trusted Roots: The trusted root certificate container for CA certificates associated with the agent. Click this link to access the trust store, where you can change the password or add trusted roots to the container.
The embedded service provider must trust the certificate of the Identity Server that the agent has been configured to trust. The public certificate of the CA that generated the Identity Server certificate must be in this trust store. If you configured the Identity Server to use a certificate generated by a CA other than the Access Manager CA, you must add the public certificate of this CA to the Trusted Roots store.
3 Click OK, then click Update > OK.

5.3 Configuring SSL Certificate Trust

The Identity Server must be configured to trust the CA that created the SSL key pair certificate of your application server. The public key of this CA needs to be added to the NIDP Trust Store of the Identity Server. For instructions, see "Importing Public Key Certificates (Trusted Roots)" in the Novell Access Manager 3.1 SP1 Administration Console Guide, select the NIDP Trust Store, and specify the IP address and port of your application server.
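The trust-store requirement in section 5.2 (the Trusted Roots store must contain the public certificate of the CA that issued the Identity Server certificate) and in section 5.3 (the NIDP Trust Store must contain the CA that issued the application server certificate) is the same rule seen from two sides. The following OpenSSL script is an added example, not part of the Novell manual, that reproduces the rule offline: a certificate issued by a CA other than the built-in one fails verification until that CA's public certificate is added to the trust store. It also performs the subject-CN-versus-DNS-name check that the Mutual SSL keystore note calls for. All CA names, host names and file names ("AM CA", "Corp CA", idp.example.com, agent.example.com) are constructed placeholders; the real stores are edited in the Administration Console, not with these commands.

```shell
# Added example (not from the Novell manual): OpenSSL illustration of the
# Trusted Roots / NIDP Trust Store rule. All names below are constructed.
WORK=$(mktemp -d)
cd "$WORK"

# Create a self-signed CA with its private key.  $1 = file prefix, $2 = CA CN
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}

# Issue a server certificate for DNS name $2 from CA $1; files are named $3.*
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$3.key" -out "$3.csr" \
    -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -days 1 -in "$3.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -out "$3.crt" 2>/dev/null
}

# Does trust store $1 (a PEM bundle of CA certificates) validate certificate $2?
# Prints "trusted" or "untrusted" so callers can branch on the result.
trusted_by() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Does the subject CN of certificate $1 equal the DNS name $2?
# This is the check behind "subject name (cn) matches the DNS name of the agent".
cn_matches() {
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ "$cn" = "$2" ]; then echo match; else echo mismatch; fi
}

# Two CAs: the built-in one (stand-in for the Access Manager CA) and a third-party one.
make_ca am-ca "AM CA"
make_ca corp-ca "Corp CA"
# Identity Server certificate issued by the third-party CA.
issue_cert corp-ca idp.example.com idp

# A trust store holding only the Access Manager CA rejects that certificate.
cp am-ca.crt trust-before.pem
# Adding the third-party CA's public certificate is the step section 5.2 requires.
cat am-ca.crt corp-ca.crt > trust-after.pem

echo "before adding Corp CA: $(trusted_by trust-before.pem idp.crt)"
echo "after adding Corp CA:  $(trusted_by trust-after.pem idp.crt)"
echo "CN check:              $(cn_matches idp.crt idp.example.com)"
```

The script prints "untrusted", then "trusted", then "match". Only the CA's public certificate goes into the store; the CA private key generated here exists solely so the example can issue a certificate and would never be copied into a trust store.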
