Your Identity Server cluster configuration must be configured for HTTPS. For configuration information, see Enabling SSL Communication in the Novell Access Manager 3.1 SP2 Setup Guide.
CardSpace requires high encryption. However, export laws prevent Access Manager from shipping with the high encryption library for JRE. To add this library, see Section 8.2.1, Enabling High Encryption.
Clients need to be configured with a CardSpace client. See Section 8.2.2, Configuring the Client Machines for CardSpace.
Enable the Liberty Personal Profile. The default attribute set created for CardSpace depends on this profile.
Click > > > . Select the , then click > . Update the Identity Server.
(Recommended) Enable Identity Server logging while you are setting up CardSpace. Set the Component File Logger Levels of STS and CardSpace to debug. For more information, see Section 14.3, Configuring Component Logging.
(Optional) If you are configuring an Identity Server to be an identity provider with managed cards, you need a second Identity Server configured to be a relying party.
To enable high encryption, you need to replace the US_export_policy.jar and local_policy.jar files. The Identity Server that is going to be the relying party and the Identity Server that is going to be the identity provider need to be enabled for high encryption.
Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 (jce_policy-6.zip).
Extract the files.
Copy the US_export_policy.jar and local_policy.jar files to the security directory for the JRE. They should replace the existing files:
Linux Identity Server: /opt/novell/java/jre/lib/security
Windows Server 2003 Identity Server: \Program Files\Novell\jre\lib\security
Windows Server 2008 Identity Server: \Program Files (x86)\Novell\jre\lib\security
Restart Tomcat.
Linux Identity Server: Enter the following command:
/etc/init.d/novell-tomcat5 restart
Windows Identity Server: Enter the following commands:
net stop Tomcat5
net start Tomcat5
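The following script is an added example, not part of the Novell documentation or product: it carries out the Linux jar replacement above as a single function that keeps a timestamped backup of the export-restricted jars, so the change can be reverted, and then verifies that the files in the JRE security directory are byte-identical to the ones extracted from jce_policy-6.zip. The source directory, the backup naming and the function names are assumptions; the JRE path and the Tomcat restart command come from the text.

```shell
#!/bin/sh
# Added example (not Novell's own tooling): back up and replace the JCE
# jurisdiction policy jars, then verify the copy before Tomcat is restarted.
set -eu

# The two jars shipped in jce_policy-6.zip that the procedure replaces.
POLICY_JARS="US_export_policy.jar local_policy.jar"

# install_jce_policy SRC DST
#   SRC = directory holding the extracted jce_policy-6.zip contents (assumed)
#   DST = JRE security directory, e.g. /opt/novell/java/jre/lib/security
install_jce_policy() {
    src="$1"
    dst="$2"
    ts=$(date +%Y%m%d%H%M%S)
    for jar in $POLICY_JARS; do
        [ -f "$src/$jar" ] || { echo "missing $src/$jar" >&2; return 1; }
        # keep the export-restricted originals so the change can be reverted
        if [ -f "$dst/$jar" ]; then
            cp -p "$dst/$jar" "$dst/$jar.$ts.bak"
        fi
        cp "$src/$jar" "$dst/$jar"
    done
}

# verify_jce_policy SRC DST
#   returns 0 only when both jars in DST are byte-identical to those in SRC
verify_jce_policy() {
    for jar in $POLICY_JARS; do
        cmp -s "$1/$jar" "$2/$jar" || return 1
    done
    return 0
}

# Restart sequence from the text for a Linux Identity Server; call it
# only after verify_jce_policy succeeds.
restart_identity_server_tomcat() {
    /etc/init.d/novell-tomcat5 restart
}
```

Run it as root on the Identity Server, for example `install_jce_policy /tmp/jce /opt/novell/java/jre/lib/security && verify_jce_policy /tmp/jce /opt/novell/java/jre/lib/security && restart_identity_server_tomcat`. Because the relying party and the identity provider both need high encryption, run the same sequence on each Identity Server.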
The client machines require a CardSpace card selector application. They also need to be configured to trust the machine that is acting as an identity provider.
Windows clients require the Microsoft .NET Framework 3.5 service pack, and Internet Explorer needs to be configured to trust the identity providers that supply managed cards.
(Conditional) Install the Microsoft .NET Framework 3.5 service pack.
For Windows 7 and Vista clients, this is included with the operating system.
For XP clients, you need to download and install it:
Download the package. See Microsoft .NET Framework 3.5.
Install the package.
To verify that it has been installed, click > , then search for a Microsoft .NET Framework 3.5 entry.
(Conditional) If you are using Access Manager generated certificates, you need to install the trusted root certificate of the Identity Server CA so that Internet Explorer trusts the Identity Server.
You must be an administrator user to complete these steps.
In Internet Explorer, enter the base URL of the Identity Server.
Click .
In the URL line, click > .
The Certificate Information page displays information about the Identity Server server certificate.
Click , select the root CA certificate, then click .
The Certificate Information page displays information about the root CA certificate.
Click > .
Select , then click .
Select to , scroll to the , open it, select , then click .
Click > > .
Close the browser.
To verify that the correct certificate was installed, open the browser, then enter the base URL of the Identity Server.
The certificate error should not appear in the URL line.
The following instructions are for Linux clients running SUSE Linux Enterprise Server (SLES) 10. They explain how to use the Bandit DigitalMe card selector, including how to download it, install it, and configure it so that it trusts the Identity Server.
Verify that you have updated Firefox to 2.x or later. DigitalMe does not work with Firefox 1.5.x.
In Firefox, access the Bandit Card site by entering the following URL:
http://cards.bandit-project.org
Click , then select to download the selector for OpenSUSE.
Scroll to the bottom of the page, and install the Firefox add-on.
Click .
If you haven’t enabled the Bandit site to install plug-ins, click , then enable the site and install the add-on.
Download the appropriate selector for your OS. For SLES 10 with 32-bit hardware, select and save it as a file.
Close Firefox.
Open the download and install it.
Export the public key certificates of the Identity Server. You need both the CA and server certificates.
The following instructions explain how to log in to the Administration Console from the client machine with DigitalMe and export the certificates to the required directory.
From a browser on the DigitalMe machine, log in to the Administration Console.
Click > .
Click the name of the Identity Server certificate, then click > .
Select to save the file to disk, then click .
Click , then click .
Click the name of the trusted root (the default name is ), then select to > .
Select to save the file to disk, then click .
Copy the two certificate files to the following directory:
/usr/share/digitalme/certs
From the Application Browser, start the DigitalMe card selector.
At the prompt to create a default keying, enter a password, reenter the password, then click .
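The following script is an added example for the certificate export steps above; it is not part of the Novell documentation or of DigitalMe. Before the two exported files are copied into /usr/share/digitalme/certs, it checks with openssl that the server certificate actually chains to the trusted root you exported, which catches the common mistake of exporting a certificate from the wrong CA or the wrong Identity Server. It assumes the Administration Console exported each certificate as a single DER or PEM file; the function names and the optional target-directory parameter are assumptions, the directory default is the one in the text.

```shell
#!/bin/sh
# Added example (not Novell's or DigitalMe's code): verify that the exported
# Identity Server certificate chains to the exported CA certificate, then
# copy both into the card selector's certificate directory.
set -eu

# to_pem FILE: print a certificate as PEM whether it was exported as DER or PEM.
to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        cat "$1"
    else
        openssl x509 -inform DER -in "$1"
    fi
}

# check_chain CA_FILE SERVER_FILE: return 0 only when SERVER_FILE was
# issued (directly) by the CA in CA_FILE.
check_chain() {
    ca_pem=$(mktemp)
    srv_pem=$(mktemp)
    rc=0
    to_pem "$1" > "$ca_pem" || rc=1
    to_pem "$2" > "$srv_pem" || rc=1
    if [ "$rc" -eq 0 ]; then
        openssl verify -CAfile "$ca_pem" "$srv_pem" >/dev/null 2>&1 || rc=1
    fi
    rm -f "$ca_pem" "$srv_pem"
    return "$rc"
}

# install_certs CA_FILE SERVER_FILE [DIR]: copy both files into DIR
# (default: the DigitalMe directory named in the text) after the chain check.
install_certs() {
    dir="${3:-/usr/share/digitalme/certs}"
    if ! check_chain "$1" "$2"; then
        echo "server certificate does not chain to the supplied CA" >&2
        return 1
    fi
    mkdir -p "$dir"
    cp "$1" "$2" "$dir/"
}
```

Typical use on the SLES client: `install_certs ~/Downloads/ca.der ~/Downloads/idp.der`, run as root since the target directory is under /usr/share. A non-zero exit means the two files do not belong together and the export should be repeated before starting the card selector.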