Generating and importing CA certificates
By default, BMC Atrium Single Sign-On is installed with a self-signed certificate. Although valid, this certificate causes warning messages to appear when users access the server to perform authentication. The warning messages occur because the certificate is not signed by a Certificate Authority (CA).
To generate and import a CA-signed identity certificate
- Generate a Certificate Signing Request (CSR) file. For more information, see Generating CSRs.
- Send the CSR to the CA to be digitally signed and returned. The CA signs the CSR by using a private key that validates the identity of the server, and returns a signed identity certificate. After you receive confirmation that your signed certificate is available, the CA must provide any one of the following files:
  - The base64 signed certificate, <cert_name>.cer
  - The complete chain of certificates in <cert_name>.p7b (PKCS#7) format
- Import the CA certificate into the Apache Tomcat server truststore installed with BMC Atrium Single Sign-On. For more information, see Importing a certificate into cacerts.p12.
- Stop and restart the Tomcat server. The new CA certificate does not take effect until the Tomcat server is restarted.
- Update all integrated application truststores with the new public key. You must share the new BMC Atrium Single Sign-On certificate with the other server hosts, such as LDAP or Active Directory Federation Services (AD FS) servers, to establish a trust relationship.
The following command shows how to generate a new certificate with the same algorithm and key size as the certificate generated during the installation. The certificate also carries Subject Alternative Names (SAN), which let the original server be reached through a different fully qualified domain name (FQDN); this is the case when the BMC Atrium Single Sign-On server runs behind a load balancer or reverse proxy server, or is accessed locally from the computer on which it runs.
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -keystore "keystore.p12" -storepass internal4bmc -storetype pkcs12 -providername JsafeJCE -dname "CN=loadbalancer.bmc.com, OU=AtriumSSO Server, O=BMC, ST=TX, C=US" -ext "san=DNS:node1.bmc.com,DNS:node2.bmc.com"
The identity of the owner contains the FQDN of the BMC Atrium Single Sign-On server as the Common Name (CN) attribute of the Distinguished Name (DN).
Alternative server names can also be specified by the CA when the server certificate is signed.
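The full keytool sequence behind the steps above (key pair with SAN, CSR, CA-chain import into the truststore, signed-certificate import), plus a check that the certificate the CA returns actually lists every FQDN before it is installed. This is an added example, not BMC's code; it assumes the CA returns signed.cer and its chain as ca.cer, that keystore.p12 and cacerts.p12 are in the current directory, and it uses the default JCE provider rather than the JsafeJCE provider named in the page's command (the CA, not -sigalg, decides the signature algorithm of the issued certificate).

```shell
#!/bin/sh
# Added example, not BMC's code: keytool workflow for a CA-signed Atrium SSO certificate.
# Assumed (not from the page): CA returns signed.cer and its chain as ca.cer; keystore
# and truststore are in the current directory; default JCE provider, no JsafeJCE.
set -eu
KEYSTORE=keystore.p12
TRUSTSTORE=cacerts.p12     # Tomcat truststore named on the page
STOREPASS=internal4bmc     # password from the page's example command
ALIAS=tomcat

# Build the keytool -ext value from every FQDN the server is reached as.
san_ext() {
  out=""
  for h in "$@"; do out="${out:+$out,}DNS:$h"; done
  printf 'san=%s' "$out"
}

# Step 1: key pair plus placeholder self-signed certificate carrying the SAN.
gen_keypair() {
  cn=$1; shift
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -storetype pkcs12 \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -ext "$(san_ext "$@")" \
    -dname "CN=$cn, OU=AtriumSSO Server, O=BMC, ST=TX, C=US"
}

# Step 2: CSR for the CA; -ext repeats the SAN so the request itself asks for it.
gen_csr() {
  keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -ext "$(san_ext "$@")" -file atriumsso.csr
}

# Check: with `keytool -printcert` text on stdin, confirm every required FQDN is a
# DNSName in SubjectAlternativeName; otherwise report the first gap and return 1.
san_covers() {
  text=$(cat)
  for h in "$@"; do
    esc=$(printf '%s' "$h" | sed 's/\./\\./g')
    printf '%s\n' "$text" | grep -q "^[[:space:]]*DNSName:[[:space:]]*$esc[[:space:]]*\$" \
      || { echo "signed certificate lacks SAN entry for $h" >&2; return 1; }
  done
}

# Step 3: verify the reply, trust the CA in both stores (keytool needs it in the keystore
# to build the chain), then install the signed certificate under the key pair's alias.
import_signed() {
  keytool -printcert -file signed.cer | san_covers "$@"
  for ks in "$TRUSTSTORE" "$KEYSTORE"; do
    keytool -importcert -noprompt -alias rootca -file ca.cer -keystore "$ks" \
      -storepass "$STOREPASS" -storetype pkcs12
  done
  keytool -importcert -noprompt -alias "$ALIAS" -file signed.cer -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -storetype pkcs12
}
```

Call `gen_keypair loadbalancer.bmc.com node1.bmc.com node2.bmc.com`, then `gen_csr node1.bmc.com node2.bmc.com`, and after the CA replies `import_signed loadbalancer.bmc.com node1.bmc.com node2.bmc.com`; restart Tomcat afterwards as the procedure requires.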