13.4.4 Managing the Keys, Certificates, and Trust Stores

You can view the private keys, CA certificates, and certificate containers associated with Identity Server configuration. Primarily, you use the Security page to add and replace CA certificates as necessary and to perform certificate management tasks, such as adding trusted root certificates to a trust store.

  1. Click Devices > Identity Servers > Edit > General > Security.

  2. To view or manage keys and certificates:

    1. Click any of the following links:

      Encryption: Displays the NIDP encryption certificate keystore. The encryption certificate is used to encrypt specific fields or data in the assertions. Click Replace to replace the encryption certificate. Click Add or Remove to add or remove the encryption certificates.

      Signing: Displays the NIDP signing certificate keystore. The signing certificate is used to sign the assertion or specific parts of the assertion. Click Replace to replace the signing certificate. Click Add or Remove to add or remove the signing certificates.

      NOTE: When you replace the signing or encryption certificate, the certificate published in this Identity Server's metadata changes. Ensure that any identity or service provider in another cluster that trusts this server reimports the metadata; until it does, it continues to validate signatures and encrypt data using the old certificate.

      SSL: (Required) Displays the SSL connector keystore. Click this link to access the keystore and replace the connector certificate.

      Provider: Displays the ID Provider Introductions SSL Connector keystore. Click this link to access the keystore and replace the provider certificate used by Identity Server when it is acting as an identity provider.

      Consumer: Displays the ID Consumer Introductions SSL Connector keystore. Click this link to access the keystore and replace the consumer certificate used by Identity Server when it is acting as an identity consumer (service provider).

      For example, clicking the Provider keystore opens the Replacing Identity Server certificates page.
    2. To replace a certificate, click Replace, browse to locate the certificate, then click OK.

    3. If prompted to restart Tomcat, click OK. Otherwise, update Identity Server.

  3. To manage trust stores associated with Identity Server:

    1. Click either of the following links on the Security page:

      NIDP Trust Store: This Identity Server trust store contains the trusted root certificates of all the providers that it trusts. Liberty and SAML 2.0 protocol messages exchanged between identity and service providers often must be digitally signed. A provider validates a signed message from a trusted provider with the signing certificate included in that provider's metadata, so the trusted root of the CA that issued the other provider's signing certificate must be in this trust store.

      To exchange protocol messages between providers over SSL, each provider must trust the SSL certificate authority (CA) of the other provider. Import the root certificate chain of the other provider; if it is missing, SSL connections between the providers fail and the logs fill with errors.

      OCSP Trust Store: Identity Server uses this trust store for OCSP server certificates. Online Certificate Status Protocol (OCSP) is a method for checking the revocation status of a certificate. To use it, you must set up an OCSP server. Identity Server sends an OCSP request to the server to determine whether a certificate has been revoked, and the server replies with the revocation status. Identity Server does not cache or store the reply; it sends a new request every time it needs to check the revocation status of a certificate. The OCSP server signs its reply. So that Identity Server can verify that the reply was signed by the correct server, add the OCSP server's own certificate to this trust store, not the certificate of the CA that issued it. Because the server certificate itself is trusted here, replace it in this trust store whenever the OCSP server's certificate is renewed.

      For example, clicking NIDP Trust Store opens the Importing trusted roots page.
    2. Select one of the following actions:

      • To add a trusted root that you have already imported, click Add, click the Select Trusted Roots icon, select the trusted root, then click OK twice.

      • To import the trusted root from the server, click Auto-Import From Server, specify the server’s IP address or DNS name and port, then click OK. The auto-import retrieves and displays the certificate chain presented by that server, which you can select for import. Because the chain is whatever that network endpoint presents, compare the fingerprint of the root you select with a value obtained from the other provider's administrator out of band before you accept it.

      • To remove a trusted root, select the trusted root, then click Remove.
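As an added example (it is not part of the Access Manager documentation and exercises openssl rather than Identity Server), the following POSIX shell script builds a throwaway CA, a partner signing certificate wrapped in a constructed SAML metadata fragment, and a separate OCSP server certificate, and then checks the two trust-store rules described above with openssl: the signing certificate from the partner's metadata must chain to a root in the file standing in for the NIDP trust store, and an OCSP response verifies only when the responder's own certificate is the one trusted (`-VAfile` standing in for the OCSP trust store; a different responder certificate is rejected). It assumes openssl 1.1.1 or later on the PATH; the host names, the metadata fragment and the `index.txt` revocation database are constructed for the demonstration.

```shell
# Added example, not part of the NetIQ documentation or product. Builds a
# throwaway CA, a partner "signing" certificate wrapped in a constructed SAML
# metadata fragment, and a separate OCSP responder certificate, then checks:
#   1. the signing certificate in the partner's metadata chains to a root held
#      in the (stand-in) NIDP trust store;
#   2. an OCSP response is accepted only if it was signed by the responder
#      certificate held in the (stand-in) OCSP trust store.
# Host names (partner-idp.example.com, ocsp.example.com) are invented.
set -u
T=$(mktemp -d)        # working directory; files are left here for inspection

# Self-contained openssl config so nothing depends on the system openssl.cnf.
cat > "$T/cfg" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'keyUsage=critical,digitalSignature\n' > "$T/sign_ext"
printf 'extendedKeyUsage=OCSPSigning\n'        > "$T/ocsp_ext"

new_root() {   # new_root <name> <CN>: self-signed CA certificate and key
    openssl req -x509 -config "$T/cfg" -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$T/$1.key" -out "$T/$1.pem" 2>/dev/null
}
issue_cert() { # issue_cert <name> <CN> <extfile>: key and certificate signed by the demo CA
    openssl req -new -config "$T/cfg" -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$T/$1.key" -out "$T/$1.csr" 2>/dev/null
    openssl x509 -req -in "$T/$1.csr" -CA "$T/ca.pem" -CAkey "$T/ca.key" -CAcreateserial \
        -days 1 -extfile "$3" -out "$T/$1.pem" 2>/dev/null
}

setup_demo() {
    new_root ca "Partner Root CA"           # the CA the partner's certificates chain to
    new_root other-ca "Unrelated Root CA"   # a CA with no relation to the partner
    issue_cert partner-sign partner-idp.example.com "$T/sign_ext"
    issue_cert ocsp ocsp.example.com "$T/ocsp_ext"
    issue_cert other-ocsp other-ocsp.example.com "$T/ocsp_ext"
    # Constructed SAML metadata fragment carrying the partner's signing certificate.
    b64=$(grep -v '^-----' "$T/partner-sign.pem" | tr -d '\n')
    printf '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>\n' \
        "$b64" > "$T/partner-metadata.xml"
    # Constructed revocation database in "openssl ca" index format: V = valid (not revoked).
    serial=$(openssl x509 -noout -serial -in "$T/partner-sign.pem" | cut -d= -f2)
    printf 'V\t491231235959Z\t\t%s\tunknown\t/CN=partner-idp.example.com\n' "$serial" > "$T/index.txt"
}

# --- NIDP trust store check: does the metadata signing cert chain to a trusted root? ---
cert_from_metadata() {   # pull the base64 out of <ds:X509Certificate> and re-wrap it as PEM
    b64=$(sed -n 's/.*<ds:X509Certificate>\([^<]*\)<\/ds:X509Certificate>.*/\1/p' "$1")
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$b64" | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'
}
metadata_cert_trusted() { # metadata_cert_trusted <truststore.pem> <metadata.xml>; exit 0 if it chains
    cert_from_metadata "$2" > "$T/extracted.pem"
    openssl verify -CAfile "$1" "$T/extracted.pem" >/dev/null 2>&1
}

# --- OCSP trust store check: is the response signed by the trusted responder cert? ---
make_ocsp_response() {   # responder side: "is partner-sign revoked?", answered and signed by ocsp.pem
    openssl ocsp -index "$T/index.txt" -CA "$T/ca.pem" -rsigner "$T/ocsp.pem" -rkey "$T/ocsp.key" \
        -issuer "$T/ca.pem" -cert "$T/partner-sign.pem" -no_nonce -noverify \
        -respout "$T/resp.der" >/dev/null 2>&1
}
ocsp_response_trusted() { # ocsp_response_trusted <responder.pem>: -VAfile plays the OCSP trust store
    openssl ocsp -issuer "$T/ca.pem" -cert "$T/partner-sign.pem" -no_nonce \
        -respin "$T/resp.der" -VAfile "$1" 2>&1 | grep -q 'Response verify OK'
}

# --- run it ---
setup_demo
cp "$T/ca.pem" "$T/nidp-truststore.pem"   # the trust store holds the partner's root, not its leaf
if metadata_cert_trusted "$T/nidp-truststore.pem" "$T/partner-metadata.xml"; then
    echo "metadata signing cert: chains to a root in the NIDP trust store"
fi
if ! metadata_cert_trusted "$T/other-ca.pem" "$T/partner-metadata.xml"; then
    echo "metadata signing cert: rejected when only an unrelated root is trusted"
fi
if make_ocsp_response; then
    ocsp_response_trusted "$T/ocsp.pem"       && echo "OCSP response: verified, responder cert is in the OCSP trust store"
    ocsp_response_trusted "$T/other-ocsp.pem" || echo "OCSP response: rejected, a different responder cert was trusted"
fi
```

Run it with `sh`; it prints one line per check. The working directory is not removed, so the generated metadata fragment, `index.txt` and `resp.der` can be inspected afterwards, for example with `openssl ocsp -respin "$T/resp.der" -text -noverify`.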

For information about enabling security for a basic Access Manager configuration, see Section 20.0, Enabling SSL Communication.

For more information about managing certificates, see Managing Certificates and Keystores.