15.0 Understanding Access Manager Certificates

Access Manager allows you to manage centrally stored certificates used for digital signatures and data encryption. eDirectory resides on Administration Console and is the main certificate store for all of the Access Manager components. If you use a Novell Certificate Server, you can create certificates there and import them into Access Manager.

By default, all Access Manager components (Identity Server and Access Gateway) trust the local Access Manager certificate authority (CA). However, if Identity Server is configured to use an SSL certificate signed externally, the trust store of the Embedded Service Provider for each component must be configured to trust this new CA.

Certificate management commands issued from a secondary Administration Console can work only if the primary console is also running properly. Other commands can work independently of the primary console.

You can create and distribute certificates to the following components:

  • Identity Server: Uses certificates and trust stores to provide secure authentication to Identity Server and to enable encrypted content from the Identity Server portal via HTTPS. Certificates also provide secure communications between trusted Identity Servers and user stores.

    Liberty and SAML 2.0 protocol messages that are exchanged between identity and service providers often need to be digitally signed. Identity Server uses the signing certificate included with the metadata of a trusted provider to validate signed messages from the trusted provider. For protocol messages to be exchanged between providers through SSL, each provider must trust the CA of the other provider. You must import the public key of the CA used by the other provider.

    Identity Server also has a trust store for OCSP (Online Certificate Status Protocol) certificates, which is used to check the revocation status of a certificate.

  • Access Gateway: Uses server certificates and trusted roots to protect web servers, provide single sign-on, and enable the product’s data confidentiality features, such as encryption. They are used for background communication with Identity Server and the policy engine, and to establish trust between Identity Server and Access Gateway.

To ensure the validity of X.509 certificates, Access Manager supports both Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) methods of verification.

When X.509 authentication is configured as the authentication contract, X.509 mutual authentication continues to succeed even after you revoke the certificate. When you open the nidp login page from the client browser and select the revoked certificate, the browser does not display an error message stating that the certificate has been revoked. This is because a revoked certificate is still accepted until the next CRL issuance date; you can either wait for that date or issue a CRL now.

To issue a CRL immediately rather than wait for the next scheduled issuance, perform the following steps:

  1. Navigate to Roles and Tasks > NetIQ Certificate Server > Configure Certificate Authority > CRL.

  2. Click CRL.

  3. Under Next CRL Issuance, click Issue Now.

  4. Click OK.

  5. Restart Identity Server.
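As an added example (not Access Manager code) of the revocation gap described above, the following Python script uses the `cryptography` library with a constructed throwaway CA to build a user certificate and two CRLs, and shows that a relying party holding a CRL published before the revocation still reports the certificate as good until that CRL's nextUpdate passes or a fresh CRL (the "Issue Now" case) is consulted. All keys, names, serials and timestamps are constructed for the demo.

```python
# Added example (not from the Access Manager docs): why a revoked certificate keeps
# validating until a new CRL is issued. Uses the `cryptography` library; every key,
# name, serial and timestamp below is constructed for the demo.
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = dt.datetime(2024, 1, 1)                     # constructed "current time" (UTC)
CA_KEY = ec.generate_private_key(ec.SECP256R1())  # throwaway demo CA key
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])

def issue_cert(cn, serial):
    """Issue an end-entity certificate signed by the demo CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(CA_NAME).public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=365))
            .sign(CA_KEY, hashes.SHA256()))

def issue_crl(revoked_serials, this_update, crl_days=7):
    """Issue a CRL listing the given serials; nextUpdate = thisUpdate + crl_days."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
         .last_update(this_update).next_update(this_update + dt.timedelta(days=crl_days)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(this_update).build())
    return b.sign(CA_KEY, hashes.SHA256())

def cert_status(cert, crl, now=NOW):
    """Relying-party check with a cached CRL: the CRL is trusted until its nextUpdate."""
    if not crl.is_signature_valid(CA_KEY.public_key()):
        return "crl-signature-invalid"
    if now > crl.next_update:                     # cache expired: a new CRL must be fetched
        return "crl-stale"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"

def demo():
    """Reproduce the revocation window: revoke today, relying party holds a 2-day-old CRL."""
    user = issue_cert("alice", 1001)
    cached_crl = issue_crl([], NOW - dt.timedelta(days=2))   # published before revocation
    fresh_crl = issue_crl([user.serial_number], NOW)         # what "Issue Now" produces
    return {"cached_crl": cert_status(user, cached_crl),                          # "good"
            "fresh_crl": cert_status(user, fresh_crl),                            # "revoked"
            "cached_after_next_update": cert_status(user, cached_crl,
                                                    NOW + dt.timedelta(days=6))}  # "crl-stale"
```

Run `demo()` to see the three outcomes side by side; the "good" result for the cached CRL is exactly the window in which the revoked certificate still logs in.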

Access Manager stores the certificates that a device has been configured to use in trust stores and keystores. This section describes the following certificate features: