Is there a procedure to change the keys/certs that APM and ACC use for SAML signing and encryption?


Article ID: 106140




APP PERF MANAGEMENT CA Application Performance Management Agent (APM / Wily / Introscope) CUSTOMER EXPERIENCE MANAGER INTROSCOPE


The user is attempting to set up SAML between ACC and EM using SSL.


Is there a procedure to change the keys/certs that APM and ACC use for SAML signing and encryption?




If you want to change the keys/certs that APM and ACC use for SAML signing and encryption, here is the procedure:

- The EM and ACC keys can be replaced separately, or only one of them, as needed.
- We recommend keeping a separate keystore for SAML authentication and using different certificates from those used for HTTPS.
- The certificates do not need to be signed by any certificate authority: the IdP explicitly trusts the certificates imported from metadata.
- The certificates used for SAML are usually self-signed with a long validity period (often 10 years).

Change the ACC key/cert:
- generate or obtain a keystore containing the private key and certificate
- configure the authentication.central properties for the new keystore (keystore path, password, alias):
    authentication.central.keyStorePassword=<pass>
    authentication.central.keyStore=config/security/saml/saml.keystore
    authentication.central.keyStore.alias=apmccsrv
- restart ACC
- download the ACC metadata from https://<hostname>:<port>/saml/metadata
- on EM: copy the metadata file to em/config under the name saml-sp-acc-metadata.xml
- on EM: restart EM to refresh the metadata (on a running system the metadata is refreshed only after several hours)

Change the EM key/cert (Shibboleth):
- generate or extract the private and public keys in PEM format
- configure config/shibboleth/conf/relying-party.xml so that the IdP credential uses these new files:
    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
- on ACC: update the certificate in config/security/saml/em_idp.metadata.xml
- restart EM and ACC
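As an added example, not part of the article or of the CA product code, the following POSIX shell helpers cover the rotation steps above for both sides: the ACC keystore and properties, and the PEM export that the EM (Shibboleth) side needs. It assumes keytool, openssl and curl are installed; the file names, DN, password and alias values are placeholders to replace.

```sh
#!/bin/sh
# Added example (not from the KB article): helpers for the ACC/EM SAML key
# rotation above. Assumes keytool, openssl and curl are on PATH; file names,
# the DN, passwords and the alias are placeholders to replace.
set -eu

# Generate a self-signed SAML signing/encryption key pair in a keystore of its
# own (separate from the HTTPS keystore), valid for 10 years (3650 days).
gen_saml_keystore() {  # keystore-file store-password alias dn
  keytool -genkeypair -alias "$3" -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 3650 -dname "$4" \
    -keystore "$1" -storepass "$2" -keypass "$2"
}

# Export the key pair as PEM files, the form Shibboleth's
# security:X509Filesystem credential in relying-party.xml expects on EM.
export_pem_for_shibboleth() {  # keystore-file store-password alias out-dir
  p12="$4/saml-export.p12"
  keytool -importkeystore -srckeystore "$1" -srcstorepass "$2" -srcalias "$3" \
    -destkeystore "$p12" -deststoretype PKCS12 -deststorepass "$2"
  openssl pkcs12 -in "$p12" -passin "pass:$2" -nocerts -nodes -out "$4/idp.key"
  openssl pkcs12 -in "$p12" -passin "pass:$2" -nokeys -clcerts -out "$4/idp.crt"
  rm -f "$p12"
  chmod 600 "$4/idp.key"   # the private key must not be world-readable
}

# Set or replace one key=value line in a Java properties file (idempotent).
set_prop() {  # properties-file key value
  awk -v k="$2" -v v="$3" '
    index($0, k "=") == 1 { print k "=" v; done = 1; next }
    { print }
    END { if (!done) print k "=" v }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Point the ACC authentication.central.* properties at the new keystore.
configure_acc_saml() {  # properties-file keystore-path store-password alias
  set_prop "$1" authentication.central.keyStore "$2"
  set_prop "$1" authentication.central.keyStorePassword "$3"
  set_prop "$1" authentication.central.keyStore.alias "$4"
}

# After ACC restarts, fetch its SP metadata for EM (save it as
# em/config/saml-sp-acc-metadata.xml). Add --cacert <ca.pem> if the ACC
# HTTPS certificate is not trusted by the local CA bundle; avoid -k.
fetch_acc_metadata() {  # acc-host acc-port output-file
  curl -fsS -o "$3" "https://$1:$2/saml/metadata"
}
```

Run gen_saml_keystore, then configure_acc_saml, restart ACC and fetch_acc_metadata for the ACC side; run export_pem_for_shibboleth against the EM keystore to produce the files referenced from relying-party.xml.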