4.2 Managing Embedded Service Provider Certificates

You can view and modify the private keys, certificate authority (CA) certificates, and certificate containers associated with the embedded service provider. The embedded service provider module is the J2EE Agent module that communicates with the Identity Server. This module handles all the authentication requests that need to be forwarded to the Identity Server for verification.

  1. In the Administration Console, click Access Manager > J2EE Agents > Edit.

  2. To view the assigned certificates, click one of the following keystores in the Service Provider Certificates section:

    Signing: The signing certificate keystore. Click this link to access the keystore and replace the signing certificate as necessary. The signing certificate is used to sign the assertion or specific parts of the assertion.

    Mutual SSL: The mutual SSL connector keystore. Click this link to access the keystore and replace the certificate. This certificate is used for mutual SSL connections with the Identity Server. If you set up services on the Identity Server that require mutual SSL, the Identity Server uses this certificate to established the mutual SSL connection.

    The Web Services Framework allows each service (such as a personal profile or employee profile) defined on the Identity Server to specify various security mechanisms that are a combination of transport-level and messages-level security as depicted in Liberty ID-WSF specification. This can be selected by the administrator, depending upon the nature of data and optimizations. If a service on the Identity Server specifies that any Web service consumer (which includes the embedded service provider) must authenticate itself using a client certificate, the Web service consumer needs to support mutual SSL. For information on how to set up a profile to require mutual SSL, see Editing Web Service Descriptions in the Novell Access Manager 3.0 SP4 Administration Guide.

    The Access Manager automatically populates this keystore with the certificate that you select when enabling SSL between the agent and the Identity Server. If you replace this certificate, you need to replace it with a certificate whose subject name (cn) matches the DNS name of the agent.

    Trusted Roots: The trusted root certificate container for CA certificates associated with the agent. Click this link to access the trust store, where you can change the password or add trusted roots to the container.

    The embedded service provider must trust the certificate of the Identity Server that the agent has been configured to trust. The public certificate of the CA that generated the Identity Server certificate must be in this trust store. If you configured the Identity Server to use a certificate generated by a CA other than the Access Manager CA, you must add the public certificate of this CA to the Trusted Roots store.

  3. Click OK, then click Update > OK.