To generate a keystore file containing the key pair used to sign SAML SP requests, run the following command:
keytool -keystore <keystorefile> -genkey -alias <aliasname> -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 730
Example:
keytool -keystore cot.jks -genkey -alias sp-signing -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 730
A cot.jks keystore file is created. The file contains a key pair with the alias sp-signing. Because no -dname option is given, keytool prompts interactively for the keystore password, the key password, and the distinguished name of the certificate subject.
Save the generated file on the file system (for example, the conf directory in Tomcat) of a machine where the BMC Helix Single Sign-On server is installed.
Reconfigure the Tomcat server.xml file by adding a new HTTPS connector on a dedicated port (for example, 9443) for the TLS connection.
Example:
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="300" scheme="https" secure="true" maxHttpHeaderSize="32768" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat _RSSO\conf\keystore.jks" keystorePass="changeit" />
The keystoreFile in the connector holds the TLS server certificate for the port; it is a separate keystore from the cot.jks signing keystore. Replace the changeit placeholder with the real keystore password and restrict read access to server.xml, because the password is stored there in clear text.
Restart the Tomcat server.
(HA mode) Save the keystore file in the same directory on each BMC Helix SSO server node in the cluster, and restart the Tomcat server on every node.
If your SP signing certificate has expired, perform the following tasks to update the certificate on the BMC Helix SSO server and at the identity provider side:
Important
Perform the following steps on the system where the BMC Helix SSO server is installed.
Locate the cot.jks file and create a backup of the file.
To delete the alias 'sp-signing' from the existing cot.jks file, run the following command:
keytool -delete -alias sp-signing -keystore cot.jks
To create a new key pair with the alias 'test2' in the existing cot.jks file, run the following command:
keytool -keystore cot.jks -genkey -alias test2 -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 730
To export the 'test2' certificate in PEM format, run the following command:
keytool -export -keystore cot.jks -alias test2 -file test2.pem -rfc
The system creates a test2.pem file. The -rfc switch selects the Base64 (PEM) encoding; without it keytool writes the certificate in binary DER. Each keytool command prompts for the keystore password.
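The following script is an added example and is not part of the BMC Helix SSO documentation or product. It performs the keystore steps from both procedures above (initial key pair generation, and rotation: backup, new key pair, PEM export, deletion of the old alias) non-interactively, and generates the new pair before deleting the old one so that a failed keytool run leaves the keystore usable. It assumes keytool and openssl are on PATH, that the keystore password is supplied in the STOREPASS environment variable, and that the certificate subject (CN=alias, O=Example SP) is acceptable; those values are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example (not BMC's code): rotate the SAML SP signing key pair in a
# keytool keystore. Assumes keytool and openssl on PATH; STOREPASS holds the
# keystore password (the default below is a placeholder, never use it in production).
set -eu

STOREPASS="${STOREPASS:-changeit}"   # assumption: supplied by the caller

# Copy the keystore to a timestamped backup and print the backup path.
backup_keystore() {
    ks="$1"
    bak="${ks}.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$ks" "$bak"
    printf '%s\n' "$bak"
}

# Succeeds if the alias is present in the keystore (keytool exits non-zero otherwise).
alias_exists() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

# Create an RSA-2048 / SHA256withRSA pair valid for 730 days under the given alias.
# -dname makes the run non-interactive; the subject here is an assumption.
generate_signing_key() {
    keytool -genkeypair -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -alias "$2" -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 730 \
        -dname "CN=$2, O=Example SP" >/dev/null 2>&1
}

# Export the certificate for an alias in PEM (the -rfc switch) to the given file.
export_pem() {
    keytool -exportcert -keystore "$1" -storepass "$STOREPASS" -alias "$2" \
        -rfc -file "$3" >/dev/null 2>&1
}

# Succeeds if the PEM certificate expires within N days; used to decide whether
# rotation is due. openssl -checkend takes seconds and exits 0 only if the
# certificate is still valid at that point, so the result is inverted.
cert_expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Full rotation: backup, generate NEW, export NEW as PEM, then delete OLD.
rotate_signing_key() {
    ks="$1"; old="$2"; new="$3"; pem="$4"
    if ! alias_exists "$ks" "$old"; then
        echo "old alias $old not found in $ks" >&2; return 1
    fi
    if alias_exists "$ks" "$new"; then
        echo "new alias $new already exists in $ks; pick another name" >&2; return 1
    fi
    backup_keystore "$ks" >/dev/null
    generate_signing_key "$ks" "$new"
    export_pem "$ks" "$new" "$pem"
    grep -q 'BEGIN CERTIFICATE' "$pem"
    keytool -delete -keystore "$ks" -storepass "$STOREPASS" -alias "$old" >/dev/null 2>&1
}

# Usage: STOREPASS=... ./rotate-sp-key.sh cot.jks sp-signing test2 test2.pem
if [ $# -eq 4 ]; then
    rotate_signing_key "$1" "$2" "$3" "$4"
    echo "rotated $2 -> $3 in $1; upload $4 to the IdP before restarting Tomcat"
fi
```

Run the script once per keystore, then copy the resulting cot.jks to every node in an HA cluster before restarting Tomcat; the exported PEM is what you register at the identity provider.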
If BMC Helix SSO is deployed in high-availability mode with AD FS configured as the IdP, perform the following steps to update the signing certificate with zero downtime:
Update the SP metadata at the IdP side.
Important
You must not delete the old signing certificate at the IdP. Until every node has been restarted with the new keystore, some nodes still sign requests with the old key, so the IdP must keep trusting both certificates during the rollover.