CA Performance Management - 3.6

Set Up SAML Certificates

Last update August 28, 2018

To configure the single sign-on website to use SAML over SSL, obtain a private key and its associated public certificate and install them in the keystore. The certificate can be self-signed or signed by a trusted Certificate Authority; in either case the identity provider (IdP) must be given the same certificate so that it can verify the signatures that this server produces. The exact procedure depends on your organization and the policies of its security team, but the following procedures provide guidance.

Select the procedure that matches your situation: generate a new self-signed certificate, convert an existing self-signed certificate to a Certificate Authority signed certificate, or import a private key and certificate from another source.

Note: For more information about the keytool command, see the Java documentation on the Oracle website.

Generate and Import a Certificate

To generate a SAML certificate, use the keytool command to generate a private key and a self-signed certificate and install them in the keystore.

Follow these steps:

  1. Change the directory:

    cd InstallDirectory/PerformanceCenter/sso/webapps/sso/configuration

    Note: /opt/CA is the default installation directory.
  2. If a keystore file exists, rename the existing keystore file to create a backup of it:

    mv InstallDirectory/PerformanceCenter/sso/webapps/sso/configuration/keystore InstallDirectory/PerformanceCenter/sso/webapps/sso/configuration/keystore.bak

    Important! Move the old keystore. If you do not, an error appears in later steps: "Keystore was tampered with, or password was incorrect."
  3. Generate a private key and a public, self-signed certificate:

    keytool -genkeypair -keystore keystore_file.ks -storepass password -keyalg RSA -keysize 2048 -keypass password -alias alias_name

    Note your entries for the following variables:

    • keystore_file.ks
      Specify the name of the keystore file to create

    • password
      Specify the password for the keystore (-storepass) and for the private key entry (-keypass). Specify a secure password. A password given on the command line is visible to other users in the process list and is saved in the shell history; keytool prompts for any password that you omit from the command.

    • alias_name
      Specify an alias that can be used to refer to the keystore entry that is created for the self-signed certificate.

    Note: When keytool prompts for your first and last name, enter the fully qualified hostname of the server. This value becomes the common name (CN) in the certificate subject.
  4. Proceed through the security prompt questions and confirm your responses.

    Your self-signed SAML certificate is generated and installed in the keystore.

  5. Configure saml.properties with the keystore location and file name, the keystore password, and the alias. For more information, see Preparing the Security Properties File.

Convert a Self-Signed Certificate to a Certification Authority SAML Certificate

A self-signed certificate is signed by the same entity whose identity it certifies rather than by a Certification Authority. Therefore, other parties do not trust a self-signed certificate unless they have been explicitly configured with it. The following procedure explains how to convert the self-signed certificate to a certificate that a trusted Certification Authority has signed.

Follow these steps:

  1. Change the directory:

    cd InstallDirectory/PerformanceCenter/sso/webapps/sso/configuration

    Note: /opt/CA is the default installation directory.
  2. Export a certificate signing request (CSR):

    keytool -certreq -keystore keystore_file.ks -storepass password -alias alias_name -keypass password -file RequestFileName.csr

    • keystore_file.ks
      Specify the same keystore file name previously created.
    • password
      Specify the password that you used when you created the self-signed certificate.
    • alias_name
      Specify the alias that you used when you created the self-signed certificate.
    • RequestFileName.csr
      Specify the path and file name of the exported signature request.
  3. Send the resulting file (RequestFileName.csr) to the Certificate Authority together with any other information that it requests.
    The Certificate Authority returns a signed certificate (SignedCert.cer). It might also provide its root certificate (RootCA.cer), and any intermediate certificates, with which the signed certificate is validated.
  4. (Optional) Determine whether the root Certificate Authority certificate is already in the default Java trust store (the cacerts keystore):

    keytool -list -v -keystore InstallDirectory/jre/lib/security/cacerts -storepass cacertspassword

    • cacertspassword
      Specify the password for the cacerts keystore. This password is separate from the password of the keystore that holds your self-signed certificate.

      Note: The default password for the cacerts keystore is changeit.
  5. (Optional) Search the output for the Certificate Authority that signed your certificate. If the Certificate Authority is not listed, add it to the list of trusted authorities:

    keytool -importcert -keystore InstallDirectory/jre/lib/security/cacerts -storepass cacertspassword -alias alias_name -file RootCA.cer

    • cacertspassword
      Specify the password for the Certificate Authority keystore.
    • alias_name
      Specify an alias that can be used to refer to the keystore entry that is created for the root or intermediate certificate.
    • RootCA.cer
      Specify the filename of the root certificate.
    Note: Import the root certificate and any intermediate certificates that lie between the root certificate and your signed certificate. Otherwise the import in the next step fails because keytool cannot establish a trust chain for the reply.
  6. Import the signed certificate:

    keytool -importcert -trustcacerts -keystore keystore_file.ks -storepass password -alias alias_name -keypass password -file SignedCert.cer

    • password
      Specify the password that you used when you created the self-signed certificate.
    • alias_name
      Specify the alias that you used when you created the self-signed certificate. Importing under the same alias replaces the self-signed certificate with the signed certificate and its chain while keeping the private key.
    • SignedCert.cer
      Specify the certificate file from the Certificate Authority.
  7. If keytool prompts you to trust the certificate or to install the reply anyway, confirm only after you verify that the certificate fingerprint matches the one that the Certificate Authority issued.
  8. Validate the contents of the keystore:

    keytool -list -keystore InstallDirectory/PerformanceCenter/sso/webapps/sso/configuration/keystore_file.ks

    The entry with your alias appears in the list as a PrivateKeyEntry. To confirm that the import replaced the self-signed certificate, add -v to the command and check that the Certificate chain length for the alias is greater than 1 and that Certificate[1] is issued by the Certificate Authority rather than by the server itself.

    The Certificate Authority SAML certificate replaces your self-signed certificate in the keystore.

  9. Update the certificate in the IdP with the same certificate that you just imported. Until the IdP has the new certificate, it cannot verify signatures that this server makes with the key.
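
The two procedures above, run end to end as an added example that is not part of the CA documentation. It uses a throw-away OpenSSL CA (constructed here) in place of the real Certificate Authority and imports the root into the application keystore rather than into the JRE cacerts, so nothing outside a scratch directory is changed. The hostname pc.example.com, the aliases, the validity periods and the passwords are placeholders, and -dname, -ext and the -storepass:env form are standard keytool options that the page's own commands do not use.

```shell
# Added example (not from the CA documentation): the "Generate and Import"
# and "Convert to a CA-signed certificate" procedures run end to end in a
# scratch directory. A throw-away OpenSSL CA stands in for the real CA, and
# the root is imported into the application keystore instead of the JRE
# cacerts so that nothing outside $WORK is touched. Requires keytool and
# openssl on PATH; the hostname, aliases and passwords are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KS="$WORK/keystore_file.ks"
ALIAS="saml"
FQDN="pc.example.com"                   # assumed server name; becomes the CN
export KSPASS="change-this-password"    # read with -storepass:env, not from argv

# "Generate and Import", step 3, made non-interactive: -dname supplies the
# answer to the "first and last name" prompt and :env keeps the password
# out of the process list and the shell history.
gen_keypair() {
  keytool -genkeypair -keystore "$KS" -storepass:env KSPASS -keypass:env KSPASS \
    -keyalg RSA -keysize 2048 -validity 730 -alias "$ALIAS" \
    -dname "CN=$FQDN, O=Example Org" -ext "SAN=dns:$FQDN"
}

# Stand-in for the external Certificate Authority (constructed for this example).
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$WORK/RootCA.key" -out "$WORK/RootCA.cer" 2>/dev/null
}

# "Convert", steps 2 and 3: export the CSR and have the CA sign it.
request_and_sign() {
  keytool -certreq -keystore "$KS" -storepass:env KSPASS -keypass:env KSPASS \
    -alias "$ALIAS" -file "$WORK/RequestFileName.csr"
  openssl x509 -req -in "$WORK/RequestFileName.csr" -days 365 \
    -CA "$WORK/RootCA.cer" -CAkey "$WORK/RootCA.key" -CAcreateserial \
    -out "$WORK/SignedCert.cer" 2>/dev/null
}

# "Convert", steps 5 and 6: trust the root, then import the CA reply under
# the key alias. keytool refuses the reply unless its public key matches the
# private key already stored under that alias and unless it can build a
# chain to a trusted certificate, so a successful import is itself a check.
import_chain() {
  keytool -importcert -noprompt -keystore "$KS" -storepass:env KSPASS \
    -alias testrootca -file "$WORK/RootCA.cer"
  keytool -importcert -trustcacerts -keystore "$KS" -storepass:env KSPASS \
    -keypass:env KSPASS -alias "$ALIAS" -file "$WORK/SignedCert.cer"
}

# "Convert", step 8: after the import the entry is still a PrivateKeyEntry,
# but its chain is [SignedCert, RootCA] instead of the single self-signed cert.
chain_length() {
  keytool -list -v -keystore "$KS" -storepass:env KSPASS -alias "$ALIAS" \
    | sed -n 's/^Certificate chain length: //p'
}

# "Convert", step 9: the IdP needs only the public certificate. Export it as
# PEM and print its subject so that the CN can be checked before hand-off.
export_for_idp() {
  keytool -exportcert -rfc -keystore "$KS" -storepass:env KSPASS \
    -alias "$ALIAS" -file "$WORK/saml-sp.pem"
  openssl x509 -in "$WORK/saml-sp.pem" -noout -subject
}

command -v keytool >/dev/null && command -v openssl >/dev/null || {
  echo "skipping: keytool and openssl are required" >&2; exit 0; }
gen_keypair; make_test_ca; request_and_sign; import_chain
echo "chain length: $(chain_length)"    # 2
export_for_idp                          # subject contains CN = pc.example.com
```

A reply that imports cleanly has therefore passed two checks: its public key matches the private key under the alias, and keytool could build a chain from it to a trusted certificate. If the Certificate Authority uses intermediates, import them the same way as the root (in the JRE cacerts or in this keystore) before importing the reply; the chain length then grows accordingly.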

Import a Key and an Existing Certificate

You can use a private key and public certificate (self-signed or signed by a Certificate Authority) from a different source. For example, your security team provides a SAML certificate that is customized for your organization. To use this SAML certificate, import the private key and the signed certificate.

Follow these steps:

  1. Change the directory:

    cd InstallDirectory/PerformanceCenter/sso/webapps/sso/configuration

    Note: /opt/CA is the default installation directory.
  2. If a keystore file exists, rename the existing keystore file to create a backup of it:

    mv InstallDirectory/PerformanceCenter/sso/webapps/sso/configuration/keystore InstallDirectory/PerformanceCenter/sso/webapps/sso/configuration/keystore.bak

    Important! Move the old keystore. If you do not, an error appears in later steps: "Keystore was tampered with, or password was incorrect."
  3. Create a PKCS#12 keystore from the private key and certificate:

    openssl pkcs12 -export -in certificate.pem -inkey privatekey.pem -name alias_name -out keystore.pkcs12

    • certificate.pem
      Specify the certificate that is provided to you.
    • privatekey.pem
      Specify the private key that is provided to you.
    • alias_name
      Specify an alias that can be used to refer to the keystore entry that is created for the certificate
    • keystore.pkcs12
      Specify the keystore to create to store the keys provided.
    Note: This command works on Linux only.
  4. Import the key and certificate into the CA Performance Center keystore:

    keytool -importkeystore -destkeystore keystore_file.ks -deststorepass password -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -srcalias src_alias_name -destalias dest_alias_name -destkeypass password

    • keystore_file.ks
      Specify the name of the keystore file to create.

    • password
      Specify the password for the keystore and imported certificate. Specify a secure password.

    • keystore.pkcs12
      Specify the PKCS#12 keystore previously created.

    • src_alias_name
      Specify the alias that you gave the entry in the PKCS#12 keystore (the -name value from the previous step).

    • dest_alias_name
      Specify an alias that can be used to refer to the keystore entry that is created for the imported certificate.

    Your existing SAML certificate is imported into the keystore.

  5. Determine whether the certificate chain terminates at a certificate that is already trusted, either in this keystore or in the Java cacerts keystore. Display the certificate to compare its Owner and Issuer; if the Issuer differs from the Owner and the issuing certificate is not yet trusted, import the root and any intermediate certificates as described in Convert a Self-Signed Certificate to a Certification Authority SAML Certificate.

    keytool -printcert -file filename

    • filename
      Specify the certificate file to inspect.

  6. Update the certificate in the IdP with the same certificate that you just imported. Until the IdP has the new certificate, it cannot verify signatures that this server makes with the key.
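
The import procedure above, run end to end as an added example that is not part of the CA documentation. The private key and certificate that the security team would provide are constructed here with openssl, so the certificate is self-signed; the aliases, file names and passwords are placeholders, and -passout env:, -noprompt and the -srcstorepass:env form are standard openssl and keytool options that the page's own commands do not use.

```shell
# Added example (not from the CA documentation): the "Import a Key and an
# Existing Certificate" procedure run end to end in a scratch directory.
# The key and certificate "provided by the security team" are constructed
# here with openssl; paths, aliases and passwords are placeholders.
# Requires keytool and openssl on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KS="$WORK/keystore_file.ks"
SRC_ALIAS="provided"                      # the -name given to openssl pkcs12
DEST_ALIAS="saml"
export KSPASS="change-this-password"      # keystore password (via :env)
export P12PASS="temporary-p12-password"   # protects the intermediate PKCS#12

# Stand-in for the material your security team hands you (constructed).
make_provided_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=pc.example.com/O=Example Org" \
    -keyout "$WORK/privatekey.pem" -out "$WORK/certificate.pem" 2>/dev/null
}

# Step 3: build the PKCS#12 bundle. -passout keeps the export password off
# argv; the -name value is what -srcalias must refer to in the next step
# (without -name, openssl labels the entry and keytool lists it as "1").
to_pkcs12() {
  openssl pkcs12 -export -in "$WORK/certificate.pem" -inkey "$WORK/privatekey.pem" \
    -name "$SRC_ALIAS" -passout env:P12PASS -out "$WORK/keystore.pkcs12"
}

# Step 4: move the entry into the application keystore under the final alias.
import_into_keystore() {
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/keystore.pkcs12" -srcstoretype pkcs12 \
    -srcstorepass:env P12PASS -srcalias "$SRC_ALIAS" \
    -destkeystore "$KS" -deststorepass:env KSPASS \
    -destalias "$DEST_ALIAS" -destkeypass:env KSPASS
}

# Check 1: the entry must be a private key, not a bare trusted certificate.
entry_type() {
  keytool -list -v -keystore "$KS" -storepass:env KSPASS -alias "$DEST_ALIAS" \
    | sed -n 's/^Entry type: //p'
}

# Check 2: the certificate now in the keystore is the one that was provided,
# compared by SHA-256 fingerprint of the exported entry versus the input file.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

cert_matches_provided() {
  keytool -exportcert -rfc -keystore "$KS" -storepass:env KSPASS \
    -alias "$DEST_ALIAS" -file "$WORK/exported.pem"
  if [ "$(fingerprint "$WORK/exported.pem")" = "$(fingerprint "$WORK/certificate.pem")" ]
  then echo match; else echo mismatch; fi
}

# Step 5: decide whether a chain has to be trusted. A self-signed certificate
# has Owner == Issuer; anything else needs its issuer(s) in the keystore or
# the JRE cacerts, as in the "Convert" procedure.
issuer_kind() {
  keytool -printcert -file "$WORK/certificate.pem" \
    | awk -F': ' '/^Owner:/ {o=$2} /^Issuer:/ {i=$2}
                  END { if (o == i) print "self-signed"; else print "ca-signed" }'
}

command -v keytool >/dev/null && command -v openssl >/dev/null || {
  echo "skipping: keytool and openssl are required" >&2; exit 0; }
make_provided_material; to_pkcs12; import_into_keystore
echo "entry type:  $(entry_type)"             # PrivateKeyEntry
echo "certificate: $(cert_matches_provided)"  # match
echo "issuer:      $(issuer_kind)"            # self-signed, so no chain to import
```

Two points from practice: OpenSSL 3 encrypts the PKCS#12 with AES by default, which older Java 8 releases cannot read; if the importkeystore step fails on such a JRE, add -legacy to the openssl pkcs12 command. And delete keystore.pkcs12 once the import succeeds, since it holds the same private key under a second password.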