This setup has three main steps:
1. Set up replication among the Policy Stores (1);
2. Set up failover among the Policy Stores in the Policy Server configuration, without SSL (2);
3. Set up SSL communication between the Policy Server and the Policy Stores:
- On every CA Directory host whose Policy Store DSAs take part in this Policy Server's MW replication, back up the existing DXHOME/config/ssld folder;
- Pick one server and, at the system prompt, run "dxcertgen certs" to generate self-signed certificates;
Run as is, "dxcertgen certs" defaults to a ONE-year certificate validity. If a longer validity is needed, use the -d <number of days> switch; e.g. if 10 years of validity is required, the command is "dxcertgen -d 3650 certs".
- Next, copy the entire DXHOME/config/ssld folder from the server where the self-signed certs were generated to *all other* CA Directory hosts that are part of this Provisioning setup and configured for MW replication;
- Next, restart *ALL* Policy Store DSAs on *ALL* hosts so the new certs are read in;
Then copy the CA root cert and the server certs to the Policy Server machine;
Policy Server configuration:
- Use certutil in the Policy Server bin directory to create the certificate database files (3):
Example: certutil -N -d C:\certdatabase
-N creates the cert8.db, key3.db, and secmod.db certificate database files
-d specifies the directory in which certutil creates the certificate database files
- Add the root CA and the server certificates to the certificate database:
C:\Program Files (x86)\CA\siteminder\bin>certutil -A -n "MyRootCA" -t "P,," -i C:\certdatabase\trusted.pem -d "C:\Program Files (x86)\CA\SiteMinder\bin"
C:\Program Files (x86)\CA\siteminder\bin>certutil -A -n "My Client01 Certificate" -t "P,," -i "C:\certdatabase\server01.pem" -d "C:\Program Files (x86)\CA\SiteMinder\bin"
C:\Program Files (x86)\CA\siteminder\bin>certutil -A -n "My Client02 Certificate" -t "P,," -i "C:\certdatabase\server02.pem" -d "C:\Program Files (x86)\CA\SiteMinder\bin"
After running the above commands, locate the cert8.db file in the "siteminder\bin" folder. To test Policy Store connectivity through smconsole, on the Data tab give the above location of cert8.db, check the SSL option, give the SSL port number and verify the connection;
The certificates used in the commands above:
- trusted.pem (holds the root CA certificate);
- server01.pem (client certificate for the server01 DSA);
- server02.pem (client certificate for the server02 DSA);
- The above certificates were copied to the following path on the Policy Server (example): C:\certdatabase
- trusted.pem was copied from the following location on one of the policy store DSAs: C:\Program Files\CA\Directory\dxserver\config\ssld;
- server01.pem and server02.pem were copied from the following location on one of the policy store DSAs: C:\Program Files\CA\Directory\dxserver\config\ssld\personalities;
- Restart the Policy Server and, in the management console, reconnect to the Policy Stores with the SSL option checked;
- Finally, check cert validity by running the following at the system prompt:
- dxcertgen report
- This lists information on all certificates (trusted root CA and personalities).
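As an added example (not part of the original article and not a CA Directory or SiteMinder tool), the following shell script checks the PEM files that dxcertgen leaves under DXHOME/config/ssld before they are copied to the other Directory hosts and imported with certutil: each personality certificate must chain to trusted.pem, and none may be close to expiry. It assumes openssl is on the PATH and follows the article's layout (ssld/trusted.pem for the root CA, ssld/personalities/<dsa>.pem per DSA); the certificates it generates in make_demo_ssld are a constructed stand-in for dxcertgen output, and the function names (chains_to_root, valid_for_days, audit_ssld, make_demo_ssld) are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original article or from CA's tooling.
# Audits the PEM files dxcertgen writes under DXHOME/config/ssld before they are
# copied to the other Directory hosts and imported into the Policy Server's
# cert8.db with certutil. Assumes openssl is on PATH and the article's layout:
#   <ssld>/trusted.pem                root CA certificate
#   <ssld>/personalities/<dsa>.pem    one client certificate per DSA
set -u

# Return 0 if the DSA certificate $2 chains to the root CA in $1, i.e. the same
# trust relationship the Policy Server evaluates once both are in cert8.db.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if certificate $1 is still valid $2 days from now.
# -checkend takes seconds and behaves the same on GNU and BSD systems, so no
# date(1) parsing of the notAfter field is needed.
valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Check every personality certificate under $1 against $1/trusted.pem.
# Prints one line per certificate; returns non-zero if any check fails.
# $2 is the minimum remaining validity in days (default 30).
audit_ssld() {
    ssld=$1; min_days=${2:-30}; rc=0
    for cert in "$ssld"/personalities/*.pem; do
        name=$(basename "$cert" .pem)
        if ! chains_to_root "$ssld/trusted.pem" "$cert"; then
            echo "$name: does NOT chain to trusted.pem"; rc=1
        elif ! valid_for_days "$cert" "$min_days"; then
            echo "$name: expires within $min_days days"; rc=1
        else
            echo "$name: OK"
        fi
    done
    return $rc
}

# Constructed stand-in for a dxcertgen ssld folder (hypothetical data, generated
# here with openssl): a 10-year root CA, matching the "dxcertgen -d 3650 certs"
# case in the article, one personality cert signed by it, and one self-signed
# certificate from an unrelated issuer that must be rejected. Prints the folder.
make_demo_ssld() {
    dir=$(mktemp -d)
    mkdir -p "$dir/personalities"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/trusted.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server01" \
        -keyout "$dir/server01.key" -out "$dir/server01.csr" >/dev/null 2>&1
    openssl x509 -req -days 3650 -in "$dir/server01.csr" -CA "$dir/trusted.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/personalities/server01.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=unrelated" \
        -keyout "$dir/unrelated.key" -out "$dir/unrelated.pem" >/dev/null 2>&1
    echo "$dir"
}

DEMO_SSLD=$(make_demo_ssld)
audit_ssld "$DEMO_SSLD" 30          # one line per personality cert with its result
if chains_to_root "$DEMO_SSLD/trusted.pem" "$DEMO_SSLD/unrelated.pem"; then
    echo "unrelated.pem unexpectedly trusted"
else
    echo "unrelated.pem: rejected, as expected"
fi
```

Run it against the real folder with audit_ssld /path/to/dxserver/config/ssld 60 after "dxcertgen certs" and before the folder is copied to the other hosts; a certificate that fails the chain check here will fail the Policy Server's SSL handshake later, and the expiry threshold gives the same early warning that "dxcertgen report" gives on the DSA side. On the Policy Server side, the matching check after the certutil -A imports is certutil -L -d <database directory>, which lists each nickname with its trust flags.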