The user is attempting to setup SAML between ACC and EM using SSL.
Is there a procedure to change the keys/certs that APM and ACC uses for SAML signing and encryption?
APM + ACC + SAML
If you want to change what keys/certs APM and ACC uses for SAML signing and encryption, here is the procedure:
- The EM and ACC keys can be replaced separately, or only one of them, as needed. - We recommend to have a separate keystore for SAML authentication and use different certificates than those for HTTPS authentication. - There is no need to have certificates signed by any certificate authority, there is an explicit trust by IdP for certificates imported from metadata. - The certificates used for SAML are usually self-signed with long valid period (often 10 years).
Change ACC key/cert: - generate/get a keystore with privateKey/cert - configure authentication.central properties for new keystore - keystore,password,alias - authentication.central.keyStorePassword=<pass> - authentication.central.keyStore=config/security/saml/saml.keystore - authentication.central.keyStore.alias=apmccsrv - restart ACC - download ACC metadata from https://<hostname>:<port>/saml/metadata - on EM: copy metadata file to em/config under the name saml-sp-acc-metadata.xml - on EM: restart EM to refresh metadata (on running system metadata are refreshed after several hours)
Change EM key/cert (Shibboleth): - generate/extract private and public keys in pem format - configure config/shibboleth/conf/relying-party.xml to use these new files <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem"> <security:PrivateKey>config/internal/server/My.priv.pem</security:PrivateKey> <security:Certificate>config/internal/server/My.pub.pem</security:Certificate> </security:Credential> - on ACC: Update certificate in config/security/saml/em_idp.metadata.xml - restart EM and ACC