The Identity Server uses the following key pairs for secure communication. In a production environment, you should exchange the key pairs that are created at installation time with certificates from a trusted Certificate Authority.

NAM Keystores#

The Administration Console creates a keystore in the file system of the device that is assigned to the keystore.
  • Linux Device: /opt/novell/devman/jcc/certs/<device>
  • Windows Device: C:\Program Files\novell\devman\jcc\certs\<device>

Identity Server Keystores#

Access Manager creates the following keystores for each Identity Server cluster configuration.

NIDP-signing#

The test-signing key pair is used:
  • by the various protocols to sign authentication requests
  • to sign communication with providers on the SOAP back-channel
  • to sign Web Service Provider profiles
The NIDP-signing keystore contains the certificate that is used for signing the assertion or specific parts of the assertion.

NIDP-encryption#

The NIDP-encryption keystore contains the certificate that is used to encrypt specific fields or data in assertions.

NIDP-provider#

The NIDP-provider keystore contains the certificate that you configure when you set up the Identity Server to provide introductions to service providers that are trusted members of a service domain. The subject name of this certificate needs to match the DNS name of the service domain.

NIDP-consumer#

The NIDP-consumer keystore contains the certificate that you configure when you set up the Identity Server to consume authentications provided by other identity providers that are trusted members of a service domain. The subject name of this certificate needs to match the DNS name of the service domain.

Access Gateway Keystores#

Access Manager creates the following keystores for each Access Gateway or cluster.

Signing#

The Signing keystore contains the certificate that is used for signing the assertion or specific parts of the assertion.

Encryption#

The Encryption keystore contains the certificate that is used to encrypt specific fields or data in assertions.

ESP Mutual SSL#

The ESP Mutual SSL keystore contains the certificate that is used for SSL when you have established SSL communication between the Access Gateway and the Identity Server. The public key (trusted root) of the certificate authority that created the certificate needs to be in the Identity Server’s trust store.

Proxy Key Store#

The Proxy Key Store keystore contains the certificate that is used for SSL when you have enabled SSL between a reverse proxy and the browsers. The public key (trusted root) of the certificate authority that created the certificate needs to be in the browser’s trust store for the SSL connection to work without warnings. If you create multiple reverse proxies and enable them for SSL, each reverse proxy needs a certificate, and the subject name of the certificate needs to match the DNS name of the reverse proxy.

NOTE: The Proxy Key Store keystore does not use the default location; it is located in the /opt/novell/conf/keys directory.
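The checks this page keeps repeating (the install-time key pairs should be replaced by CA-issued ones, the NIDP-provider, NIDP-consumer and Proxy Key Store subject names must match a DNS name, and the CA that issued the ESP Mutual SSL certificate must be present in the Identity Server's trust store) can be verified against the keystores on disk with the JDK's keytool. The script below is an added example written for this page, not Novell tooling; the keystore password (`changeit`, the Java default), the host names and the sample listings are assumptions or constructed data, and only the directory layout comes from the page.

```shell
#!/bin/sh
# Added example for this page, not Novell's own tooling. Audits a device's JKS
# keystores with the JDK's keytool and reports what the page asks you to check:
# self-signed (install-time) certificates still in place, a subject CN that does
# not match the DNS name the component is reached by, and whether the CA that
# issued a certificate is present in a trust store. Password and host names
# used here are assumptions about one installation.

# Turn `keytool -list -v` output (stdin) into one tab-separated line per entry:
#   alias <TAB> subject DN <TAB> issuer DN <TAB> self-signed|ca-issued
# For a PrivateKeyEntry only the end-entity certificate (Certificate[1]) is
# reported; a trustedCertEntry has no chain and is always reported.
parse_keytool_listing() {
    awk '
        /^Alias name:/   { alias = $0; sub(/^Alias name: */, "", alias); depth = 0 }
        /^Certificate\[/ { depth++ }
        /^Owner:/  && depth <= 1 { owner = $0; sub(/^Owner: */, "", owner) }
        /^Issuer:/ && depth <= 1 {
            issuer = $0; sub(/^Issuer: */, "", issuer)
            printf "%s\t%s\t%s\t%s\n", alias, owner, issuer,
                   (owner == issuer ? "self-signed" : "ca-issued")
        }'
}

# Extract the CN attribute from a DN such as "CN=ag.example.com, O=Example Corp".
dn_cn() { printf '%s\n' "$1" | sed 's/^.*CN=//; s/,.*$//'; }

# Compare a subject CN with a DNS name, case-insensitively; a wildcard CN
# (*.example.com) matches exactly one label to its left.
cn_matches_dns() {
    cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dns=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$cn" in
        "$dns") return 0 ;;
        \*.*)   host=${dns%%.*}; suffix=${cn#\*.}
                [ -n "$host" ] && [ "$dns" = "$host.$suffix" ] && return 0 ;;
    esac
    return 1
}

# True when a trust-store listing (stdin) contains an entry whose subject DN is
# exactly $1, i.e. the CA named as issuer of some certificate is trusted there.
truststore_has_subject() {
    parse_keytool_listing | cut -f2 | grep -Fxq -- "$1"
}

# Audit one keystore file. Pass a DNS name for the keystores the page says must
# match it (NIDP-provider, NIDP-consumer, Proxy Key Store); omit it otherwise.
audit_keystore() {
    store=$1; storepass=$2; dns=$3
    keytool -list -v -keystore "$store" -storepass "$storepass" |
        parse_keytool_listing |
        while IFS="$(printf '\t')" read -r alias subject issuer kind; do
            if [ "$kind" = self-signed ]; then
                echo "WARN $store [$alias]: self-signed ($subject); replace with a CA-issued certificate"
            fi
            if [ -n "$dns" ] && ! cn_matches_dns "$(dn_cn "$subject")" "$dns"; then
                echo "WARN $store [$alias]: subject CN '$(dn_cn "$subject")' does not match '$dns'"
            fi
        done
}

# Constructed sample listings in the shape of real `keytool -list -v` output,
# so the parser can be exercised without a keystore on hand.
sample_keystore_listing() {
    cat <<'EOF'
Keystore type: JKS
Your keystore contains 2 entries

Alias name: nidp-signing
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=idp.example.com, O=Example Corp
Issuer: CN=idp.example.com, O=Example Corp
Valid from: Mon Nov 14 12:41:00 UTC 2011 until: Tue Nov 13 12:41:00 UTC 2012

*******************************************

Alias name: proxy
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=ag.example.com, O=Example Corp
Issuer: CN=Example Issuing CA, O=Example Corp
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp
Issuer: CN=Example Issuing CA, O=Example Corp
EOF
}
sample_truststore_listing() {
    cat <<'EOF'
Alias name: example-issuing-ca
Entry type: trustedCertEntry

Owner: CN=Example Issuing CA, O=Example Corp
Issuer: CN=Example Issuing CA, O=Example Corp
EOF
}

# Real use on an Identity Server device (directory from the page; password assumed):
#   audit_keystore /opt/novell/devman/jcc/certs/idp/provider.keystore changeit idp.example.com
```

Only the first certificate of each chain is judged, which is the certificate whose subject name and issuer matter for the checks above; for `truststore_has_subject` the DN you pass is the issuer DN that `parse_keytool_listing` reports for the ESP Mutual SSL entry, and an exact string match is intentional, since keytool prints DNs in a stable form.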

J2EE Agent Keystores#

Access Manager creates the following keystores for each J2EE Agent.

Signing#

The Signing keystore contains the certificate that is used for signing the assertion or specific parts of the assertion.

Encryption#

The Encryption keystore contains the certificate that is used to encrypt specific fields or data in assertions.

ESP Mutual SSL#

The ESP Mutual SSL keystore contains the certificate that is used for SSL, when you have established SSL communication between the J2EE agent and the Identity Server. The public key (trusted root) of the certificate authority that created the certificate needs to be in the Identity Server’s trust store.

SSL VPN Keystores#

Access Manager creates the following keystores for each SSL VPN server or cluster.

Signing#

The Signing keystore contains the certificate that is used for signing the assertion or specific parts of the assertion.

Encryption#

The Encryption keystore contains the certificate that is used to encrypt specific fields or data in assertions.

ESP Mutual SSL#

The ESP Mutual SSL keystore contains the certificate that is used for SSL when you have established SSL communication between the ESP-enabled SSL VPN server and the Identity Server. The public key (trusted root) of the certificate authority that created the certificate needs to be in the Identity Server’s trust store.

SSLVPN Secure Tunnel#

The SSLVPN Secure Tunnel keystore contains the certificate that encrypts the data exchanged between the SSL VPN client and the SSL VPN server, after the SSL VPN connection is made.

NOTE: This keystore does not use the default location; it is located in the /etc/opt/novell/sslvpn/certs directory.

SSL Connector#

The SSL Connector keystore contains the certificate that encrypts authentication information between the SSL VPN client browser and the SSL VPN server.

Keystores When Multiple Devices Are Installed on the Administration Console#

Access Manager creates the following keystore when the Identity Server and the SSL VPN server are installed on the Administration Console.

COMMON_TOMCAT_CLUSTER#

The COMMON_TOMCAT_CLUSTER keystore contains the certificate that is used for SSL connections.

The location of this keystore depends upon which device was installed last, the Identity Server or the SSL VPN server:

  • If the Identity Server was installed last, it is in the idp directory.
  • If the SSL VPN server was installed last, it is in the sslvpn directory.

AKA#

Why Novell cannot use consistent names is beyond me. The names I have found are:

| File System | Under Certificates | Admin Console | Description |
|---|---|---|---|
| connector.keystore | NIDP-connector | SSL Certificate | Displays the SSL connector keystore. Click this option to access the keystore and replace the SSL certificate as necessary. This certificate is used for SSL connections. |
| signing.keystore | NIDP-signing | Signing | Displays the signing certificate keystore. Click this option to access the keystore and replace the signing certificate as necessary. The signing certificate is used to sign the assertion or specific parts of the assertion. |
| encryption.keystore | NIDP-encryption | Encryption | Displays the encryption certificate keystore. The encryption certificate is used to encrypt specific fields or data in the assertions. |
| truststore.keystore | NIDP-provider | Provider | Displays the identity provider keystore. Click this option to access the keystore and replace the identity provider certificate. |
| provider.keystore | NIDP-consumer | Consumer | Displays the identity consumer keystore. Click this option to access the keystore and replace the identity consumer certificate as necessary. |
| not known | Administration Console | Administration Console | Certificate used by the Admin Console. AFAIK, if the IDP and the Admin Console are on the same box, they run on the same port as the IDP communications and therefore will use the same certificate. This will be the certificate that is displayed to the browsers. |

IDP Keystore File System Locations#

On the IDP Servers, the certificate keystores are at:
/opt/novell/devman/jcc/certs/idp/

Names used in Admin Console:#

  • Identity Servers -> Edit -> General -> Name -> SSL Certificate
  • Identity Servers -> Edit -> General -> Identity Provider -> SSL Certificate
  • Identity Servers -> Edit -> General -> Identity Consumer -> SSL Certificate
  • Identity Servers -> Edit -> Security -> Keys and Certificates:
    • Encryption - NIDP-encryption
    • Signing - NIDP-signing
    • SSL - NIDP-connector
    • Provider - NIDP-connector
    • Consumer - NIDP-connector
  • Identity Servers -> Edit -> Security -> Trust Stores:
    • NIDP Trust Store - NIDP-truststore
    • OCSP Trust Store - NIDP-truststore

Certificate Issues with NAM#

Occasionally we have seen certificates get "stuck" and not be properly replaced within the IDPs. Novell support provided the following instructions to correct this condition:
  • Remove or move the certificate keystore out of the /opt/novell/devman/jcc/certs/idp(id)/ directory on the IDP Servers (if there are multiple ID numbers in the /opt/novell/devman/jcc/certs/idp directory, look in the Admin Console -> Auditing -> General logging and locate the appropriate ID number for the IDP)
  • From the Admin Console, go to Access Manager > Auditing > Troubleshooting > Certificates
  • Select all the certificates for the agent and Re-push the certificates
  • Restart the IDP.
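The first step of that procedure is the one that is easy to get wrong on a production box: the keystore files are moved out of the device directory with nothing recording what was there, and afterwards there is no quick way to tell whether the re-push delivered a new keystore or the same "stuck" one. The script below is an added example written for this page, not Novell's procedure or tooling. The directory path and the keystore file names come from the page; the backup location, the manifest format and the cksum comparison are this example's own choices, and the middle steps (the re-push from the Admin Console) and the IDP restart are left to the console and to whatever restart command your version provides.

```shell
#!/bin/sh
# Added example for this page, not Novell's procedure. Wraps the first step of
# the "stuck certificate" fix (moving the keystores out of the device directory)
# so that a dated copy and a checksum manifest are kept, and lets you confirm
# after the re-push from the Administration Console that the keystore on disk
# actually changed. Directory paths follow the page; everything else is assumed.

# Move every *.keystore file out of $1 into a sibling directory named
# <dir>-stuck-<timestamp>, recording a cksum manifest first. Prints the backup
# directory path so the caller can use it for the later comparison.
stash_keystores() {
    dir=${1%/}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    backup="$dir-stuck-$(date +%Y%m%d-%H%M%S)"
    mkdir "$backup" || return 1
    for f in "$dir"/*.keystore; do
        [ -f "$f" ] || continue            # the glob matched nothing
        cksum "$f" >> "$backup/MANIFEST"   # one "crc size path" line per file
        mv "$f" "$backup/"
    done
    printf '%s\n' "$backup"
}

# True when the file now at $2 differs from the copy recorded in $1/MANIFEST,
# i.e. the re-push delivered a new keystore instead of the stuck one. A missing
# file or a path that was never stashed counts as "not replaced".
keystore_replaced() {
    manifest=$1/MANIFEST; file=$2
    [ -f "$file" ] || return 1
    old=$(awk -v f="$file" '$3 == f { print $1, $2 }' "$manifest")
    new=$(cksum "$file" | awk '{ print $1, $2 }')
    [ -n "$old" ] && [ "$old" != "$new" ]
}

# Intended sequence on an Identity Server. The idp directory comes from the page
# (use the idp(id) directory the page tells you to identify when several exist);
# the re-push happens in the Administration Console and the restart command is
# whatever your NAM version provides, neither is scripted here.
#   backup=$(stash_keystores /opt/novell/devman/jcc/certs/idp)
#   ...Access Manager > Auditing > Troubleshooting > Certificates: select the agent's certificates and re-push...
#   keystore_replaced "$backup" /opt/novell/devman/jcc/certs/idp/signing.keystore \
#       && echo "signing keystore replaced" || echo "signing keystore still the stuck copy"
```

Run `keystore_replaced` for each keystore you expected the re-push to rewrite before restarting the IDP; a keystore that still matches its manifest entry is the signal that the replacement did not take and that the console steps need repeating rather than the restart.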

« This page (revision-23) was last changed on 14-Nov-2011 12:41 by jim