This documentation supports the 18.02 version of Remedy Single Sign-On.

To view the latest version, select the version from the Product version menu.

Updating the SP signing certificate

To update the Remedy Single Sign-On (Remedy SSO) service provider (SP) certificate, perform the following tasks:

Note

The paths specified in the following steps are for Windows OS. You need to find out the corresponding path in the Linux OS.

The file name for the java keystore should be cot.jks.

Updating the java keystore cot.jks file

Perform the following steps on the system where the Remedy Single Sign-On (Remedy SSO) server is installed.

  1. Go to the <tomcat>\rsso\WEB-INF\classes directory.
  2. Locate the cot.jks file and take a backup of the file.
  3. Run the keytool command to delete the alias ‘sp-signing’ from the existing cot.jks file.
    keytool -delete -alias sp-signing -keystore cot.jks

  4. Create a new keypair with alias ‘test2’ in the existing cot.jks file.
    keytool -keystore cot.jks -genkey -alias test2 -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 730

  5. Export ‘test2’ certificate in the PEM format.
    keytool -export -keystore cot.jks -alias test2 -file test2.pem –rfc
    The system creates a test2.pem file.

  6. Take a backup of the updated cot.jks file.

If you have other Remedy Single Sign-On (Remedy SSO) server instances in the same cluster, replace the cot.jks file in the <tomcat>\rsso\WEB-INF\classes folder with the updated cot.jks file.

Updating the signing certificate in Remedy SSO Admin console

  1. Log in to the Remedy SSO Admin console.
  2. Go to General->Advanced tab.
  3. Open the file test2.pem in a text editor.
  4. Remove the first line (-----BEGIN CERTIFICATE-----) and the last line (-----END CERTIFICATE-----).
  5. Remove the newline delimiter (\r\n).
  6. Copy the content of the test2.pem file and paste the content in the ‘Signing Certificate’ field.
  7. Click Save.
  8. Wait for 15 seconds, view the realm using SAML.
  9. On the Authentication tab, click View Metadata. Verify the SP metadata is updated with the new signing certificate.

Updating the SP metadata at the IdP side

  1. Export the SP metadata and save it in a local file.
  2. Share the exported SP metadata and the new signing certificate information with the IdP team for updating.

If ADFS is the IdP, the customer can add the new signing certificate as below:

  1. Open Properties dialog of the relying party for Remedy SSO.
  2. Go to the Signature tab.
  3. Click Add.
  4. Select the new signing certificate file.
  5. Click OK.

For rolling upgrade

To achieve a zero-down time in a cluster environment for the signing certificate update when Active Directory Federated (ADFS) Services is the IdP, perform the following steps:

  1. Put down one Remedy SSO server instance and update the java keystore cot.jks file on it.
  2. Update the signing certificate in Remedy SSO Admin console.
  3. Update the SP metadata at the IdP side. Note that you must not delete the old signing certificate.
  4. Make the Remedy SSO server instance up again.
  5. Repeat step 1 to step 4 for all the Remedy SSO server instances.
  6. After the keystore cot.jks is updated on all Remedy SSO server instances, remove the old signing certificate on the Remedy SSO relying party at ADFS side.

SAMLv2 authentication process

Setting SP signing certificate for SAML authentication 


Was this page helpful? Yes No Submitting... Thank you

Comments