Federation: Problems using "Secondary Verification Certificate Alias"


Article ID: 195156




CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER



We're running a Policy Server and, after having set the new Partnership
certificate as "Secondary Verification Certificate Alias", when our
Partner side stopped using the old certificate on its side, the
Federation Partnership stopped working on our side and fails.

We didn't deactivate the Partnership before setting the Secondary
Certificate, as we understand it should work this way in
SiteMinder 12.8.

How can we fix that?




Policy Server 12.8SP3 on RedHat 6




At first glance, when you modify a Partnership, you have to
deactivate it first and activate it again once the configuration
modifications are done, as per our documentation:

  Signature and Encryption Configuration for Federated Partnerships

    5. (Optional) Select another alias from the certificate data store for
       the Secondary Verification Certificate Alias field. If verification
       of a signed authentication or logout request fails using the
       primary verification certificate alias, the IdP uses this secondary
       verification alias. If the certificate is not already in the
       certificate data store, click Import to import one. When secondary
       certificates are configured or updated for an active partnership,
       the run time automatically picks up the changes. You do not need to
       flush the cache manually from the UI for the changes to take


    9. Activate a partnership for all configuration changes to take effect
       and for the partnership to become available for use. Restarting the
       services is not sufficient.