Manage the Certificates
Certificate management includes renewing certificates before they expire, so that service is not interrupted.
As a best practice, it is strongly recommended that you implement policies and procedures to:
- Monitor the certificates (expired, revoked or compromised), with automated notifications.
- Regularly maintain and update certificates according to a defined renewal strategy.
- Identify a role (either an individual or a team) responsible for certificate management, according to your organization's security policies and compliance requirements.
Update the CA Certificates in the Application Server SSL Truststore
The application server SSL Truststore must be configured to trust the local or remote ActivID Authentication Server.
When an application profile is created, a default signer certificate is generated and added to the SSL Truststore. This signer certificate is then used to sign the SSL server certificate.
It is recommended that you replace this certificate with a custom CA-signed SSL certificate.
For a successful SSL handshake between the application server and the HID Approve™ mobile app, the SSL server certificate must meet the following requirements:
- Issued by a CA whose root certificate is built into the mobile device operating system, or by a trusted root CA that the user has installed on the mobile device.
- Signed with a 2048-bit RSA key or a 256-bit ECC key at minimum.
- Signed with a SHA-2 hash algorithm (SHA-256 fingerprint at minimum).
- Used over a TLS 1.2 connection with the AES-128 or AES-256 symmetric cipher, and with a cipher suite that provides perfect forward secrecy (PFS) through ECDHE key exchange.
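The monitoring policy at the top of this page and the key-strength and hash requirements in the list above can both be checked from a keystore listing. The script below is an added example, not code from the HID documentation or from the product: it parses the text that `keytool -list -v` prints for each entry, reports certificates that expire within a chosen lead time (30 days is an assumption made here), and flags signature algorithms that are not SHA-2 or keys below the stated minimums. The listing in SAMPLE_LISTING is constructed for offline use; the aliases follow the idp_cert_signature_<domain> naming used by the Authentication Portal, and the script assumes keytool prints dates in UTC (run it with -J-Duser.timezone=UTC to make that so).

```python
"""Audit a keystore listing for expiring or under-strength certificates.

Added example, not HID code. Typical use:
    keytool -list -v -storetype JCEKS -J-Duser.timezone=UTC \
        -keystore <ACTIVID_HOME>/ActivID_AS/config/ActivID.keystore | python audit_keystore.py
"""
import re
import sys
from datetime import datetime, timezone

MIN_RSA_BITS = 2048                       # minimums stated in the certificate requirements
MIN_EC_BITS = 256
SHA2_PREFIXES = ("SHA256", "SHA384", "SHA512")
WARN_DAYS = 30                            # assumption: renewal lead time chosen for this example
KEYTOOL_DATE = "%a %b %d %H:%M:%S %Z %Y"  # e.g. "Thu Jan 02 00:00:00 UTC 2025"

VALID_RE = re.compile(r"^Valid from: .+? until: (.+)$", re.M)
SIG_RE = re.compile(r"^Signature algorithm name: (\S+)", re.M)
KEY_RE = re.compile(r"^Subject Public Key Algorithm: (\d+)-bit (\w+) key", re.M)

# Constructed sample listing: one SAML IdP signing key and one stale trusted signer.
SAMPLE_LISTING = """\
Alias name: idp_cert_signature_default
Creation date: Jan 2, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=idp.example.test
Issuer: CN=idp.example.test
Valid from: Tue Jan 02 00:00:00 UTC 2024 until: Thu Jan 02 00:00:00 UTC 2025
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

*******************************************
*******************************************

Alias name: legacy_signer
Creation date: Mar 1, 2016
Entry type: trustedCertEntry

Owner: CN=Old Signer CA
Issuer: CN=Old Signer CA
Valid from: Tue Mar 01 00:00:00 UTC 2016 until: Sat Mar 01 00:00:00 UTC 2036
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
"""
# Reference date used when checking the constructed sample offline.
SAMPLE_NOW = datetime(2024, 12, 20, tzinfo=timezone.utc)


def parse_keytool_listing(text):
    """Return one dict per entry: alias, not_after, sig_alg, key_alg, key_bits.

    For a PrivateKeyEntry with a chain, the first match is the end-entity certificate.
    """
    entries = []
    for chunk in re.split(r"(?m)^(?=Alias name: )", text):
        if not chunk.startswith("Alias name: "):
            continue
        entry = {"alias": chunk.splitlines()[0][len("Alias name: "):].strip(),
                 "not_after": None, "sig_alg": None, "key_alg": None, "key_bits": None}
        m = VALID_RE.search(chunk)
        if m:
            entry["not_after"] = datetime.strptime(m.group(1).strip(), KEYTOOL_DATE).replace(tzinfo=timezone.utc)
        m = SIG_RE.search(chunk)
        if m:
            entry["sig_alg"] = m.group(1)
        m = KEY_RE.search(chunk)
        if m:
            entry["key_bits"], entry["key_alg"] = int(m.group(1)), m.group(2)
        entries.append(entry)
    return entries


def audit(entries, now, warn_days=WARN_DAYS):
    """Return (alias, problem) pairs for entries that need attention."""
    findings = []
    for e in entries:
        alias = e["alias"]
        if e["not_after"] is not None:
            days_left = (e["not_after"] - now).days
            if days_left < 0:
                findings.append((alias, "EXPIRED %d days ago" % -days_left))
            elif days_left <= warn_days:
                findings.append((alias, "expires in %d days" % days_left))
        # keytool names the hash first (SHA256withRSA, SHA256withECDSA); an RSASSA-PSS
        # entry is reported here and has to be checked by hand.
        if e["sig_alg"] and not e["sig_alg"].upper().startswith(SHA2_PREFIXES):
            findings.append((alias, "signature algorithm %s is not SHA-2" % e["sig_alg"]))
        if e["key_alg"] == "RSA" and e["key_bits"] < MIN_RSA_BITS:
            findings.append((alias, "RSA key is %d bits, minimum is %d" % (e["key_bits"], MIN_RSA_BITS)))
        elif e["key_alg"] == "EC" and e["key_bits"] < MIN_EC_BITS:
            findings.append((alias, "EC key is %d bits, minimum is %d" % (e["key_bits"], MIN_EC_BITS)))
    return findings


if __name__ == "__main__":
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    problems = audit(parse_keytool_listing(listing), datetime.now(timezone.utc))
    for alias, problem in problems:
        print("%s: %s" % (alias, problem))
    sys.exit(1 if problems else 0)  # non-zero exit lets a scheduler raise the notification
```

Run it from cron or the scheduler of your choice against every keystore and truststore in the deployment; the non-zero exit status is what turns the check into the automated notification the policy calls for.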
The root CA certificate (of the custom CA-signed SSL certificate) or the self-signed SSL certificate of the ActivID Authentication Server must be added explicitly to the local SSL Truststore if:
- The ActivID Authentication Server is installed remotely.
- A custom CA-signed SSL server certificate is used.
Note: If a custom CA-signed SSL certificate is used, only the root CA certificate needs to be added to the truststore.
Note: If you use the PKI login method to log on to the ActivID Management Console, you must also import the root CA of the user's certificate into the SSL truststore of the application server. If this step is skipped, you are not prompted to select the user's certificate at logon.
To add the certificate from the WebSphere administration console:
- Log on to the WebSphere administration console.
- In the navigation pane, expand the Security node and click SSL certificate and key management.
- Under Related Items, click Key stores and certificates, and then click the NodeDefaultTrustStore link.
- Under Additional Properties, click Signer certificates.
- Click Add to import the root CA certificate, or use the Retrieve from port option.
- Test the SSL connection with the remote ActivID Authentication Server and import the signer certificate.
To add the certificate with keytool:
- Import the root CA of the SSL certificate (or the SSL server certificate itself, if self-signed) into the truststore using the following command:
<JAVA_HOME>/bin/keytool -importcert -noprompt -trustcacerts -keystore <SSL_SERVER_TRUSTSTORE_FILE_PATH> -alias CAROOT -file /tmp/CAROOT.cer
Note: This command also creates the truststore if it does not yet exist.
- At the prompt, enter the truststore password that protects the truststore.
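Whichever route you take, the certificate that ends up in the truststore is trusted for every later connection, so it is worth confirming its SHA-256 fingerprint against a value obtained out of band (from the Authentication Server administrator, not from the connection itself) before importing it. The script below is an added example, not HID's code: it computes the fingerprint exactly as keytool displays it, compares it in constant time, and only then assembles the keytool -importcert command from this section. The alias CAROOT and the path /tmp/CAROOT.cer follow the command above; the environment variable name TRUSTSTORE_PASS is an assumption (keytool reads it through its -storepass:env form), and SAMPLE_PEM is a constructed placeholder blob, not a real certificate.

```python
"""Verify a certificate's SHA-256 fingerprint, then import it into a truststore.

Added example, not HID code. Dry run by default; pass execute=True to run keytool.
"""
import base64
import hashlib
import hmac
import os
import re
import subprocess

PEM_BODY_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder: base64 of the bytes b"abc" wrapped like a PEM certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    """Return the DER bytes inside a PEM CERTIFICATE block."""
    m = PEM_BODY_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def sha256_fingerprint(der):
    """Colon-separated upper-case hex over the DER bytes, as keytool -printcert shows it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp):
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprints_match(actual, expected):
    """Compare two fingerprints ignoring colons and case, in constant time."""
    return hmac.compare_digest(_normalize(actual), _normalize(expected))


def import_command(keytool, truststore, alias, cert_path):
    """The -importcert invocation from this section, with the password read from the
    TRUSTSTORE_PASS environment variable (assumed name) instead of typed at a prompt."""
    return [keytool, "-importcert", "-noprompt", "-trustcacerts",
            "-keystore", truststore, "-storepass:env", "TRUSTSTORE_PASS",
            "-alias", alias, "-file", cert_path]


def import_trusted_cert(pem, expected_fp, truststore, alias="CAROOT",
                        cert_path="/tmp/CAROOT.cer", keytool="keytool", execute=False):
    """Refuse to import unless the fingerprint matches; return the argv that was (or would be) run."""
    actual = sha256_fingerprint(pem_to_der(pem))
    if not fingerprints_match(actual, expected_fp):
        raise ValueError("fingerprint mismatch: got %s, expected %s" % (actual, expected_fp))
    cmd = import_command(keytool, truststore, alias, cert_path)
    if execute:
        if "TRUSTSTORE_PASS" not in os.environ:
            raise RuntimeError("set TRUSTSTORE_PASS before importing")
        with open(cert_path, "w") as fh:   # keytool accepts PEM as well as DER input
            fh.write(pem)
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # Stand-alone dry run against the constructed sample.
    fp = sha256_fingerprint(pem_to_der(SAMPLE_PEM))
    print("SHA256 fingerprint:", fp)
    print(" ".join(import_trusted_cert(SAMPLE_PEM, fp, "<SSL_SERVER_TRUSTSTORE_FILE_PATH>")))
```

The same fingerprint check applies to a certificate fetched with the WebSphere "Retrieve from port" option: compare the fingerprint the console shows with the out-of-band value before you accept it.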
Update the ActivID Authentication Portal SAML Certificates
There is one SAML IdP signing certificate and one SAML IdP encryption certificate per security domain.
These certificates are stored in the ActivID Authentication Server software keystore (<ACTIVID_HOME>/ActivID_AS/config/ActivID.keystore) under the idp_cert_signature_<domain> and idp_cert_encryption_<domain> aliases.
Renew SAML IdP (Authentication Portal) Keys and Certificates
- As ftadmin, run the following command:
<ACTIVID_HOME>/ActivID_AS/bin/configureIDPData.sh -c createkeyscerts -d <domain name> -v <validity period (years)>
- When prompted, enter the keystore password.
- Replicate the keystore changes to all the ActivID AS servers in your deployment.
- Restart the server.
- Export the IdP metadata and reconfigure the service providers.
Replace the Certificates with CA Signed Certificates
For each of the idp_cert_signature_<domain> and idp_cert_encryption_<domain> keystore entry aliases, as ftadmin, use the following commands:
- Load the environment variables:
. <ACTIVID_HOME>/ActivID_AS/bin/envdef
- Generate the Certificate Signing Request:
keytool -keystore <the keystore> -certreq -alias <alias> -keyalg rsa -file client.csr -storetype JCEKS
- Send the CSR to your Certificate Authority, then import the CA certificate into the ActivID AS keystore:
keytool -import -keystore <the keystore> -file ca-certificate.pem -alias theCARoot -storetype JCEKS
- Import the signed certificate into the keystore, under the same alias as the key it certifies:
keytool -import -keystore <the keystore> -file <CA signed IDP certificate> -alias <alias> -storetype JCEKS
- Replicate the keystore changes to all the ActivID AS servers in your deployment.
- Restart the server.
- Export the IdP metadata and reconfigure the service providers.