18.2 Managing Identity Server Certificates

Identity Server stores certificates in keystores and trust stores. Keystores can hold only one certificate. Trust stores can hold multiple trusted roots. After you install Identity Server, you should replace the default certificates in the keystore. You should create an SSL certificate for Identity Server and use it to replace the predefined test-connector certificate that comes with Access Manager. You can also replace the test-provider and test-consumer certificates in the Provider Introductions SSL Connector and Consumer Introductions SSL Connector keystores. The steps for replacing the signing, encryption, provider, and consumer certificates are similar.

You can also add trusted roots to the trust store used by Identity Server, delete imported trusted roots, or auto-import them from a server. The trust store is the certificate container for the CA certificates that Identity Server has been configured to trust. It must contain the trusted root for every identity provider, service provider, and Embedded Service Provider that Identity Server has been configured to trust.

You can also access the OCSP trust store to add OCSP server certificates. Online Certificate Status Protocol (OCSP) is a method for checking the revocation status of a certificate. To use this feature, you must set up an OCSP server. Identity Server sends an OCSP request to the OCSP server to determine whether a given certificate has been revoked, and the OCSP server replies with the revocation status. When this revocation checking protocol is used, Identity Server does not cache or store the information in the reply; it sends a new request every time it needs to check the revocation status of a certificate. The OCSP reply is signed by the OCSP server. To verify that the reply was signed by the correct OCSP server, the OCSP server certificate must be added to this trust store. Note that it is the OCSP server certificate itself that is added to the trust store, not the CA certificate.

  1. Click Devices > Identity Servers > Edit > Security.

  2. To replace a certificate in a keystore:

    1. Click the keystore link that contains the certificate you want to replace:

      Encryption: Displays the encryption certificate keystore. The encryption certificate is used to encrypt specific fields or data in the assertions.

      Signing: Displays the signing certificate keystore. Click this option to access the keystore and replace the signing certificate as necessary. The signing certificate is used to sign the assertion or specific parts of the assertion.

      SSL: Displays the SSL connector keystore. Click this option to access the keystore and replace the SSL certificate as necessary. This certificate is used for SSL connections.

      Provider: Displays the identity provider keystore. Click this option to access the keystore and replace the identity provider certificate.

      Consumer: Displays the identity consumer keystore. Click this option to access the keystore and replace the identity consumer certificate as necessary.

    2. Click Replace.

      A keystore stores only one certificate at a time. When you replace a certificate, you overwrite the existing one.

    3. Click the Select Certificate icon and browse to select the certificate you created in Section 16.0, Creating Certificates.

    4. Click OK.

    5. Restart Tomcat.

      The system restarts Tomcat for you if you click Restart Now at the prompt. If you want to restart at your convenience, select Restart Later and then manually restart Tomcat.

      Run one of the following commands, depending on the init system of your server:

      /etc/init.d/novell-idp restart

      systemctl restart novell-idp.service

      For the Docker deployment, perform the following steps:

      1. Run the kubectl get pods command to view the Access Manager pods.

      2. Open a shell in the Identity Server pod by running the kubectl exec --namespace <name-of-the-namespace> -it pod/<name-of-the-identity-server-pod> -- sh command.

      3. Run the /etc/init.d/novell-idp restart or systemctl restart novell-idp.service command.

  3. To modify the trusted roots in the Trust Store:

    1. Click the name of the trust store that you want to manage.

      NIDP Trust Store: Contains the trusted root certificates of all the providers that Identity Server trusts.

      OCSP Trust Store: Contains the certificates of the OCSP servers that Identity Server trusts.

    2. To add a trusted root that you have saved in a file, click Add.

    3. To remove a trusted root, select the trusted root, then click Delete.

    4. To download the trusted root from the server, click Auto-Import From Server, specify the DNS name or IP address of the server, enter the port, then click OK.

    5. Select the certificate to add, specify an alias, then click OK.

    6. Update the Identity Server configuration on the Servers page.