The user is attempting to setup SAML between ACC and EM using SSL.
Is there a procedure to change the keys/certs that APM and ACC uses for SAML signing and encryption?
APM + ACC + SAML
If you want to change what keys/certs APM and ACC uses for SAML signing and encryption, here is the procedure:
- The EM and ACC keys can be replaced separately, or only one of them, as needed.
- We recommend to have a separate keystore for SAML authentication and use different certificates than those for HTTPS authentication.
- There is no need to have certificates signed by any certificate authority, there is an explicit trust by IdP for certificates imported from metadata.
- The certificates used for SAML are usually self-signed with long valid period (often 10 years).
Change ACC key/cert:
- generate/get a keystore with privateKey/cert
- configure authentication.central properties for new keystore - keystore,password,alias
- restart ACC
- download ACC metadata from https://<hostname>:<port>/saml/metadata
- on EM: copy metadata file to em/config under the name saml-sp-acc-metadata.xml
- on EM: restart EM to refresh metadata (on running system metadata are refreshed after several hours)
Change EM key/cert (Shibboleth):
- generate/extract private and public keys in pem format
- configure config/shibboleth/conf/relying-party.xml to use these new files
<security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
- on ACC: Update certificate in config/security/saml/em_idp.metadata.xml
- restart EM and ACC