Is there a procedure to change the keys/certs that APM and ACC uses for SAML signing and encryption?

Document ID : KB000106140
Last Modified Date : 12/07/2018
Introduction:
The user is attempting to set up SAML between ACC and EM using SSL.

Question:
Is there a procedure to change the keys/certs that APM and ACC uses for SAML signing and encryption?
 
Environment:
APM + ACC + SAML
Answer:
If you want to change which keys/certs APM and ACC use for SAML signing and encryption, here is the procedure:

- The EM and ACC keys can be replaced independently: replace both, or only one of them, as needed.
- We recommend keeping a separate keystore for SAML authentication and using different certificates from those used for HTTPS.
- The certificates do not need to be signed by a certificate authority; the IdP explicitly trusts the certificates imported from metadata.
- The certificates used for SAML are usually self-signed with a long validity period (often 10 years).

Change ACC key/cert:
- generate or obtain a keystore containing the private key and certificate
- configure the authentication.central properties for the new keystore (keystore path, password, alias):
    authentication.central.keyStorePassword=<pass>
    authentication.central.keyStore=config/security/saml/saml.keystore
    authentication.central.keyStore.alias=apmccsrv
- restart ACC
- download the ACC metadata from https://<hostname>:<port>/saml/metadata
- on EM: copy the metadata file to em/config under the name saml-sp-acc-metadata.xml
- on EM: restart EM to refresh the metadata (on a running system, metadata is refreshed only after several hours)


Change EM key/cert (Shibboleth):
- generate or extract the private and public keys in PEM format
- configure config/shibboleth/conf/relying-party.xml to use the new files:
    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
        <security:PrivateKey>config/internal/server/My.priv.pem</security:PrivateKey>
        <security:Certificate>config/internal/server/My.pub.pem</security:Certificate>
    </security:Credential>
- on ACC: update the certificate in config/security/saml/em_idp.metadata.xml
- restart EM and ACC
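As an added example (not part of this KB article and not CA-provided tooling), the following Python script covers the verification step both procedures above leave to the operator: after the ACC restart it confirms that the metadata downloaded from /saml/metadata carries the new certificate in both its signing and encryption KeyDescriptor elements rather than the old one, and after the EM (Shibboleth) key change it rewrites the X509Certificate elements in an IdP metadata document such as em_idp.metadata.xml with the certificate from a PEM file. It uses only the standard library; the entityID, the metadata layout and the "certificate" bytes are constructed placeholders so it runs offline, and on a real system you would pass the downloaded metadata file and the PEM exported from the keystore instead.

```python
"""Verify and update the X.509 certificates carried in SAML 2.0 metadata.

Added example for this KB article; not CA-provided tooling.  Standard
library only.  The metadata document and "certificate" bytes below are
constructed placeholders so the script runs offline; on a real system
pass the downloaded ACC metadata and the PEM exported from the keystore.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

MD_KEYDESC = f"{{{NS['md']}}}KeyDescriptor"
DS_X509CERT = f"{{{NS['ds']}}}X509Certificate"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and whitespace; return the DER bytes of the certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (64-character lines, as openssl/keytool emit)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def metadata_certs(metadata_xml: str) -> dict:
    """Map each KeyDescriptor 'use' attribute (signing, encryption, or 'any'
    when the attribute is absent) to the SHA-256 fingerprint of its certificate."""
    root = ET.fromstring(metadata_xml)
    fingerprints = {}
    for kd in root.iter(MD_KEYDESC):
        use = kd.get("use", "any")
        for cert_el in kd.iter(DS_X509CERT):
            der = base64.b64decode("".join((cert_el.text or "").split()))
            fingerprints[use] = hashlib.sha256(der).hexdigest()
    return fingerprints


def metadata_uses_cert(metadata_xml: str, pem: str) -> bool:
    """True when every KeyDescriptor in the metadata carries exactly the
    certificate in `pem`.  Run this on the metadata downloaded from ACC after
    the restart: if the old fingerprint is still present, the new keystore,
    password or alias was not picked up and EM would keep trusting the old key."""
    expected = hashlib.sha256(pem_to_der(pem)).hexdigest()
    fingerprints = metadata_certs(metadata_xml)
    return bool(fingerprints) and all(fp == expected for fp in fingerprints.values())


def replace_metadata_cert(metadata_xml: str, pem: str) -> str:
    """Return the metadata with every X509Certificate element set to the
    certificate in `pem`; this is the edit made to em_idp.metadata.xml on ACC
    after the EM (Shibboleth) key pair changes."""
    root = ET.fromstring(metadata_xml)
    b64 = base64.b64encode(pem_to_der(pem)).decode()
    for cert_el in root.iter(DS_X509CERT):
        cert_el.text = b64
    return ET.tostring(root, encoding="unicode")


# Constructed placeholders: these are NOT real DER certificates.
OLD_CERT_PEM = der_to_pem(b"constructed placeholder: old certificate bytes")
NEW_CERT_PEM = der_to_pem(b"constructed placeholder: new certificate bytes")


def sample_metadata(pem: str) -> str:
    """Build a minimal SP metadata document (constructed, modelled on the
    ACC /saml/metadata layout) whose signing and encryption descriptors
    both carry the certificate from `pem`.  The entityID is a placeholder."""
    b64 = base64.b64encode(pem_to_der(pem)).decode()
    key_descriptor = (
        '<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
        "<ds:X509Certificate>" + b64 + "</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        'entityID="https://acc.example.invalid/saml/metadata">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        + key_descriptor.format(use="signing")
        + key_descriptor.format(use="encryption")
        + "</md:SPSSODescriptor></md:EntityDescriptor>"
    )


if __name__ == "__main__":
    # Stands in for the file downloaded from https://<hostname>:<port>/saml/metadata
    downloaded = sample_metadata(OLD_CERT_PEM)
    print("ACC metadata carries the new cert:", metadata_uses_cert(downloaded, NEW_CERT_PEM))
    updated = replace_metadata_cert(downloaded, NEW_CERT_PEM)
    print("after update:", metadata_uses_cert(updated, NEW_CERT_PEM), metadata_certs(updated))
```

The fingerprint comparison is deliberately strict: it requires every KeyDescriptor to carry the new certificate, so a metadata file that still lists the old certificate for encryption while signing was rotated is reported as not updated. Checking the downloaded ACC metadata before copying it to em/config as saml-sp-acc-metadata.xml avoids importing a stale certificate into EM and then waiting hours for the next refresh.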