Administer > System security > SAML Single Sign-On > SAML SSO setup > Configure SAML SSO using the standalone IdM > Task 2: Configure SSL in the IdM web application server

Task 2: Configure SSL in the IdM web application server

Important This task is required for the standalone IdM only.

The IdM service requires the use of SSL connections. Once you have completed the deployment of the IdM web application server (Tomcat), you need to configure SSL for it.

To configure SSL for Tomcat, follow these steps:

  1. Run the following keytool command to create a keystore file:

    ​keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

    Follow the screen prompts to enter required information.

    Note When asked for your first and last names, enter the fully qualified domain name (FQDN) of the Tomcat server. For example: myhost.mycompany.net.

    The following is an example.

    ​C:\Tomcat\tomcat_9443>keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
    Enter keystore password:
    
    Re-enter new password:
    
    What is your first and last name?
    
      [Unknown]:  myhost.mycompany.net  
    What is the name of your organizational unit?
    
    [Unknown]:  software
    
    What is the name of your organization?
    
     [Unknown]:  hpe
    
    What is the name of your City or Locality?
    
      [Unknown]:  shanghai
    
    What is the name of your State or Province?
    
      [Unknown]:  shanghai
    
    What is the two-letter country code for this unit?
    
      [Unknown]:  CN
    
    Is CN=myhost.mycompany.net, OU=software, O=hpe, L=shanghai, ST=shanghai, C=CN correct?
    
      [no]:  yes
    
    Enter key password for <tomcat>
    
            (RETURN if same as keystore password):
    
    Re-enter new password:
  2. Run the following command to export a certificate from the keystore:

    ​keytool -keystore tomcat.keystore -export -alias tomcat -file tomcat.cer
  3. Run the following command to import the certificate into JDK:

    ​keytool -import -alias idm -file tomcat.cer -keystore  cacerts

    Follow the screen prompts to enter required information. The following is an example.

    Note The default keystore password is changeit.

    C:\Program Files\Java\jdk1.8.0_91\jre\lib\security>keytool -import -alias idm -file tomcat.cer -keystore  cacerts
    
    Enter keystore password:
    
    Owner: CN=myhost.mycompany.net, OU=software, O=hpe, L=shanghai, ST=shanghai, C=CN
    
    Issuer: CN=myhost.mycompany.net, OU=software, O=hpe, L=shanghai, ST=shanghai, C=CN
    
    Serial number: 5acc6d54
    
    Valid from: Fri Jun 03 10:00:26 CST 2016 until: Thu Sep 01 10:00:26 CST 2016
    
    Certificate fingerprints:
    
             MD5:  52:9F:9E:57:63:11:26:DB:0A:D4:99:0D:44:1B:A8:65
    
             SHA1: 47:8E:26:C2:CA:0E:C2:B0:3C:D8:54:4F:70:93:44:F5:D6:6E:D6:1D
    
             SHA256: 5C:B0:98:10:7D:13:BE:D2:24:2C:C0:EF:F0:C5:F1:7F:87:6C:E7:0B:FA:22:4C:94:DE:46:EF:6C:0E:55:61:9B
    
             Signature algorithm name: SHA256withRSA
    
             Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    
    SubjectKeyIdentifier [
    
    KeyIdentifier [
    
    0000: 9D DB 0D 2A 12 B9 41 6B   3D C7 66 86 3B 63 9E 98  ...*..Ak=.f.;c..
    
    0010: 02 D7 38 CE                                        ..8.
    
    ]
    
    ]
    
    Trust this certificate? [no]:  yes
    
    Certificate was added to keystore
  4. Configure the https port and keystore in the server.xml file in the <Tomcat>/conf folder:

    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    
       maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    
           clientAuth="false" sslProtocol="TLS" keystoreFile="/conf/tomcat.keystore" keystorePass="!qaz2wsx3edc" />

    Caution Be sure to enter the correct path of the tomcat.keytore file.