Is there a procedure to change the keys/certs that APM and ACC uses for SAML signing and encryption?
Article ID: 106140
Products
CA Application Performance Management Agent (APM / Wily / Introscope)
Issue/Introduction
The user is attempting to set up SAML between ACC and the EM over SSL.
Is there a procedure to change the keys/certs that APM and ACC uses for SAML signing and encryption?
Environment
APM + ACC + SAML
Resolution
If you want to change what keys/certs APM and ACC uses for SAML signing and encryption, here is the procedure:
- The EM and ACC keys can be replaced separately, or only one of them, as needed.
- We recommend keeping a separate keystore for SAML and using different certificates than those used for HTTPS.
- The certificates do not need to be signed by a certificate authority: the IdP explicitly trusts the certificates imported from metadata.
- The certificates used for SAML are usually self-signed with a long validity period (often 10 years).
Change ACC key/cert:
- Generate or obtain a keystore containing the private key and certificate.
- Configure the authentication.central properties for the new keystore (keystore path, password, alias):
    authentication.central.keyStorePassword=<pass>
    authentication.central.keyStore=config/security/saml/saml.keystore
    authentication.central.keyStore.alias=apmccsrv
- Restart ACC.
- Download the ACC metadata from https://<hostname>:<port>/saml/metadata
- On the EM: copy the metadata file to em/config under the name saml-sp-acc-metadata.xml
- On the EM: restart the EM to refresh the metadata (on a running system the metadata is only refreshed after several hours).
Change EM key/cert (Shibboleth):
- Generate or extract the private key and certificate in PEM format.
- Configure config/shibboleth/conf/relying-party.xml to use the new files:
    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
      <security:PrivateKey>config/internal/server/My.priv.pem</security:PrivateKey>
      <security:Certificate>config/internal/server/My.pub.pem</security:Certificate>
    </security:Credential>
- On ACC: update the certificate in config/security/saml/em_idp.metadata.xml
- Restart EM and ACC.