Setting Up SSL
The following steps must be followed in order to configure the SAML system support SSL mutual authentication over the SAML back-channel.
-
An SSL server key pair (SKP) must be obtained and imported into eDirectory.
-
An SSL client key pair (CKP) must be obtained and imported into eDirectory.
-
The SKP must be made available in PKCS#12 format and imported into the iChain server.
-
The SKP must be configured for use as the SSL server key pair on the appropriate iChain accelerator.
-
The CKP must be made available to the SAML extension server in PCKS#12 or Java Key Store (JKS) format.
-
The SAML extension server must be configured to use the provided CKP as its SSL Client certificate.
-
The public key certificate associated with the SKP must be exported and sent the Trusted Affiliates.
-
The public key certificate associated with the CKP must be exported and sent to the Trusted Affiliates.
-
Your partner site must send you its SSL public key certificate, which you must import into your trust store.
-
The appropriate settings must be made on the Trusted Affiliate who will be communicating with your site over SSL-M (mutual).
SSL Key Pair Generation
You can use the Novell Certificate Server snap-ins to generate your SSL key pair. If you choose to do this, the steps required are nearly identical to those followed to generate the data signing key. The only difference is on the Create Server Certificate page, rather than selecting the Signature option as you did when you were generating the signature key pair, you should select the SSL or TLS button, as shown in Figure 98.
See Creating a Signing Key Pair for the steps to generate the data signing key.
Also, when you are generating the SSL Server Certificate, the Subject Name of the certificate must match the host name of the server. For instance, if you were generating an SSL Server certificate for www.novell.com, the CN in the Subject Name on the certificate must be .CN=www.novell.com.
Figure 98SSL or TLS Button
