Using a CA-signed (custom) certificate for SSO based on SAML

By default, a self-signed certificate is used during the SSO configuration. However, you can use a custom certificate that is generated for the License Metric Tool server and signed by a trusted CA to increase the security of the configuration.

Procedure

  1. Log in to the computer where Active Directory Federation Services (AD FS) is installed.
  2. Generate a certificate for the License Metric Tool server signed by a trusted CA.
    Important: Ensure that you remember the certificate label that is used during certificate generation as it is needed in further steps.
  3. Export the certificate together with its private key into a .pfx file. For example, custom_cert.pfx. The License Metric Tool server signs SAML messages with this key, so a .pfx file that contains only the public certificate is not sufficient.
  4. Copy the custom_cert.pfx file to the computer where the License Metric Tool server is installed and place it in the following location: <install_dir>\wlp\usr\servers\server1\resources\security.
  5. To delete the existing self-signed certificate and private key provided by IBM, run the following command. Make a backup copy of the keystore file before you run it, because the deletion cannot be undone.
    <install_dir>\jre\jre\bin\ikeycmd -cert -delete -label <cert_label> -db <keystore_file> -pw <sso_password> -type <type>
    Where:
    <cert_label>
    Is the label under which the existing self-signed certificate is stored in the SSO keystore. If you do not know the label, list the contents of the keystore with the following command:
    <install_dir>\jre\jre\bin\ikeycmd -cert -list -db <keystore_file> -pw <sso_password> -type <type>
    <keystore_file>
    Starting from application update 9.2.26, the keystore file is: SPKeyStore.p12. For earlier application updates, it is: SPKeyStore.jceks. By default, the file is stored in the following location: <install_dir>\wlp\usr\servers\server1\resources\security.
    <sso_password>
    Is the password to the SSO keystore. For the default keystore password, contact IBM Support. Otherwise, provide the password that you configured.
    <type>
    Starting from application update 9.2.26, the type of the keystore is PKCS12. For earlier application updates, the type is JCEKS.
  6. To import the custom certificate, run the following command. The -new_label samlsp option stores the certificate under the label that the License Metric Tool server expects.
    <install_dir>\jre\jre\bin\ikeycmd -cert -import -file custom_cert.pfx -pw <custom_cert_password> -type PKCS12 -target <keystore_file> -target_pw <sso_password> -target_type <type> -label <cert_label> -new_label samlsp
    
    Where:
    <cert_label>
    Is the label of the custom certificate generated in step 2. If you do not know the label, list the contents of the .pfx file with the following command (a .pfx file is a PKCS12 container, so its type is always PKCS12):
    <install_dir>\jre\jre\bin\ikeycmd -cert -list -db custom_cert.pfx -pw <custom_cert_password> -type PKCS12
    <custom_cert_password>
    Is the password that protects the custom_cert.pfx file exported in step 3.
    <keystore_file>
    Starting from application update 9.2.26, the keystore file is: SPKeyStore.p12. For earlier application updates, it is: SPKeyStore.jceks. By default, the file is stored in the following location: <install_dir>\wlp\usr\servers\server1\resources\security.
    <sso_password>
    Is the password to the SSO keystore.
    <type>
    Starting from application update 9.2.26, the type of the keystore is PKCS12. For earlier application updates, the type is JCEKS.
  7. In License Metric Tool go to Management > Single Sign-On Settings. Click Download Service Provider Metadata, and save the spMetadata.xml file.
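The following PowerShell script is an added example that carries out steps 4 to 6 on the License Metric Tool server; it is not part of the IBM documentation and is not an IBM-supplied tool. It assumes an install directory of C:\Program Files\IBM\LMT, that the self-signed certificate shipped by IBM is stored under the label samlsp (the label that step 6 assigns to the replacement), that the custom certificate was generated with the label lmt-sso, and that ikeycmd is present as ikeycmd.exe in the JRE bin directory. Both passwords are prompted for rather than hard-coded. Before anything is deleted, the script backs up the keystore and confirms that the expected label really exists in the .pfx file, so a typo in the label does not leave the keystore without any SAML signing key.

```powershell
# Added example, not part of the IBM License Metric Tool documentation.
# Replaces the IBM self-signed SAML SP certificate in the SSO keystore with a
# CA-signed certificate exported to a .pfx file (procedure steps 4 to 6).
param(
    [string]$InstallDir    = 'C:\Program Files\IBM\LMT',  # assumed install path
    [string]$PfxPath       = '.\custom_cert.pfx',         # file exported in step 3
    [string]$CustomLabel   = 'lmt-sso',                   # assumed label chosen in step 2
    [string]$ExistingLabel = 'samlsp',                    # assumed label of the IBM self-signed cert
    [switch]$LegacyKeystore                               # set for updates earlier than 9.2.26
)

$ErrorActionPreference = 'Stop'

$ikeycmd     = Join-Path $InstallDir 'jre\jre\bin\ikeycmd.exe'   # assumed executable name
$securityDir = Join-Path $InstallDir 'wlp\usr\servers\server1\resources\security'
if ($LegacyKeystore) {
    $keystore = Join-Path $securityDir 'SPKeyStore.jceks'; $ksType = 'JCEKS'
} else {
    $keystore = Join-Path $securityDir 'SPKeyStore.p12';   $ksType = 'PKCS12'
}
if (-not (Test-Path $ikeycmd))  { throw "ikeycmd not found at $ikeycmd" }
if (-not (Test-Path $keystore)) { throw "SSO keystore not found at $keystore" }
if (-not (Test-Path $PfxPath))  { throw ".pfx file not found at $PfxPath" }

function Read-PlainPassword([string]$Prompt) {
    # ikeycmd takes the password on its command line, so the SecureString is
    # converted to plain text only at the moment it is needed.
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Invoke-Ikeycmd([string[]]$Arguments) {
    # Runs ikeycmd, returns its output lines, and stops on a non-zero exit code.
    $output = & $ikeycmd @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "ikeycmd $($Arguments[0..1] -join ' ') failed with exit code $LASTEXITCODE"
    }
    return $output
}

$ssoPw = Read-PlainPassword 'SSO keystore password'
$pfxPw = Read-PlainPassword 'Password of the .pfx file'

# Back up the keystore: the delete in step 5 cannot be undone.
$backup = "$keystore.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $keystore -Destination $backup
Write-Host "Keystore backed up to $backup"

# Check that the label from step 2 is present in the .pfx before touching the keystore.
$pfxLabels = Invoke-Ikeycmd @('-cert', '-list', '-db', $PfxPath, '-pw', $pfxPw, '-type', 'PKCS12')
if (-not ($pfxLabels -match [regex]::Escape($CustomLabel))) {
    throw "Label '$CustomLabel' not found in $PfxPath. Labels present:`n$($pfxLabels -join "`n")"
}

# Step 5: remove the IBM self-signed certificate and its private key.
Invoke-Ikeycmd @('-cert', '-delete', '-label', $ExistingLabel,
                 '-db', $keystore, '-pw', $ssoPw, '-type', $ksType) | Out-Null

# Step 6: import the CA-signed certificate under the label the server expects (samlsp).
Invoke-Ikeycmd @('-cert', '-import', '-file', $PfxPath, '-pw', $pfxPw, '-type', 'PKCS12',
                 '-target', $keystore, '-target_pw', $ssoPw, '-target_type', $ksType,
                 '-label', $CustomLabel, '-new_label', 'samlsp') | Out-Null

# Verify: the keystore should now contain the samlsp entry backed by the new certificate.
Write-Host "Keystore contents after import:"
Invoke-Ikeycmd @('-cert', '-list', '-db', $keystore, '-pw', $ssoPw, '-type', $ksType)
```

Run the script in an elevated PowerShell session on the License Metric Tool server, adding -LegacyKeystore on application updates earlier than 9.2.26. Because ikeycmd receives both passwords as command-line arguments, they are briefly visible to other local processes; run the script only on the server itself and delete custom_cert.pfx from the resources\security directory once the import has been verified. If -ExistingLabel does not match what is actually in the keystore, the delete fails and the script stops before the import, which is why listing the keystore first, as in step 5, is worthwhile.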

What to do next

Based on the spMetadata.xml file, configure the Identity Provider for single sign-on. The metadata downloaded in step 7 contains the public key of the custom certificate, so an Identity Provider that was configured with the earlier, self-signed metadata must be updated with the new file.