Software AG Infrastructure 10.7 | Setting Up Security | Creating Custom Keys and Certificates
Creating Custom Keys and Certificates
Software AG Common Platform provides a single sign-on service that has a predefined keystore (keystore.jks) and truststore (platform_truststore.jks). The predefined keystore and truststore contain default keys for issuing and validating signed SAML assertions. You can create and modify the keystore and certificates using the certtool utility provided by Security Infrastructure. The certtool is located in the Software AG_directory\common\bin directory, and the file is named certtool.{bat|sh}. It is a wrapper around the Java keytool and has default options that are used if you do not provide any custom input.
The options in certtool are mostly self-explanatory. The DEFAULT_PATH option indicates the default path in which the certificate stores are created when you install your products. The SIG_ALGORITHM option specifies the algorithm used to sign the self-signed certificate if you make any changes. The algorithm must be compatible with KEY_ALGORITHM: the value of SIG_ALGORITHM is derived from the algorithm of the underlying private key. For example, if the private key is of type DSA, the value of the SIG_ALGORITHM option is SHA1withDSA.
The options have reasonable default values. If you modify them, use extreme caution; if incorrect values are entered, Security Infrastructure might stop working.
After you create a new certificate and add it to the keystore, you must update the configuration of the single sign-on service (SSOS) for your changes to take effect. If the keystore file already exists and you try to generate a new key pair in the same keystore file, certtool warns that the file will be overwritten.
Open a command window and go to the Software AG_directory\common\bin directory. Start the certtool using one of the following commands:
* On Windows: certtool.bat
* On UNIX: ./
The following table describes the arguments that you can specify for the certtool command.
Lists the certificates currently located in the keystore. The default keystore is keystore.jks with a default password of manage. The keystore should contain only one key entry, which is used for issuing signed SAML assertions.
Lists the certificates currently located in the truststore. The default truststore is platform_truststore.jks with a default password of manage. The truststore can contain multiple public certificates, which are used for validating SAML assertion signatures.
Adds a trusted certificate to the truststore. The .cer file is added to the truststore specified by the TRUSTSTORE_FILE option. If only platform_truststore.jks is present, platform_truststore.jks is used.
Deletes a trusted certificate from the truststore. You are prompted to provide the alias name of the certificate to delete.
Generates a key pair and exports the public information as a .cer file. You are prompted to provide a common name (CN) for the certificate. The keystore is generated in the location specified by the DEFAULT_PATH option. The specified password is used for both the keystore and the key.
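Because certtool is a wrapper around the Java keytool, the operations described above (generate a signing key pair and export its .cer file, add or delete a trusted certificate, list the stores) map onto plain keytool commands. The following script is an added example written for this page, not Software AG's certtool source: it shows those keytool equivalents, derives SIG_ALGORITHM from KEY_ALGORITHM the way the text describes (DSA gives SHA1withDSA; the RSA and EC mappings are this example's assumptions), reproduces the overwrite warning for an existing keystore, and checks a `keytool -list` listing for the rule that the keystore should hold exactly one key entry. The default path, the alias names and the sample listing are constructed for the example; the password `manage` is the page's stated default.

```shell
#!/bin/sh
# Added example: keytool equivalents of the certtool operations, plus a check
# that the keystore holds exactly one signing key. Not Software AG code.

DEFAULT_PATH="${DEFAULT_PATH:-./common/conf}"            # assumed location
KEYSTORE_FILE="${KEYSTORE_FILE:-$DEFAULT_PATH/keystore.jks}"
TRUSTSTORE_FILE="${TRUSTSTORE_FILE:-$DEFAULT_PATH/platform_truststore.jks}"
STOREPASS="${STOREPASS:-manage}"                          # page's default password
KEY_ALGORITHM="${KEY_ALGORITHM:-RSA}"                     # assumed default key type

# SIG_ALGORITHM is derived from the private key type. DSA -> SHA1withDSA is
# what the page states; the RSA and EC mappings are assumptions for this example.
sig_algorithm_for() {
  case "$1" in
    DSA) echo SHA1withDSA ;;
    RSA) echo SHA256withRSA ;;
    EC)  echo SHA256withECDSA ;;
    *)   return 1 ;;
  esac
}

# Generate the SAML signing key pair and export its public certificate.
# Warns and replaces the keystore if it already exists, as certtool does.
generate_keypair() {
  cn="$1"; alias="${2:-ssos}"
  sigalg=$(sig_algorithm_for "$KEY_ALGORITHM") || {
    echo "unsupported KEY_ALGORITHM: $KEY_ALGORITHM" >&2; return 1; }
  if [ -f "$KEYSTORE_FILE" ]; then
    echo "warning: $KEYSTORE_FILE exists and will be overwritten" >&2
    rm -f "$KEYSTORE_FILE"
  fi
  keytool -genkeypair -alias "$alias" -keyalg "$KEY_ALGORITHM" -sigalg "$sigalg" \
    -dname "CN=$cn" -validity 365 -keystore "$KEYSTORE_FILE" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" &&
  keytool -exportcert -alias "$alias" -keystore "$KEYSTORE_FILE" \
    -storepass "$STOREPASS" -file "$DEFAULT_PATH/$alias.cer"
}

# Add a trusted .cer file to the truststore under the given alias.
add_trusted_cert() {
  keytool -importcert -noprompt -alias "$1" -file "$2" \
    -keystore "$TRUSTSTORE_FILE" -storepass "$STOREPASS"
}

# Delete a trusted certificate from the truststore by alias.
delete_trusted_cert() {
  keytool -delete -alias "$1" -keystore "$TRUSTSTORE_FILE" -storepass "$STOREPASS"
}

# Print the keystore or truststore contents (what the list options show).
list_store() {
  keytool -list -keystore "$1" -storepass "$STOREPASS"
}

# Count private-key entries in a `keytool -list` listing read from stdin.
count_key_entries() {
  awk '/PrivateKeyEntry/ { n++ } END { print n + 0 }'
}

# Succeed only if the listing on stdin holds exactly one signing key.
check_single_signing_key() {
  n=$(count_key_entries)
  if [ "$n" -eq 1 ]; then
    return 0
  fi
  echo "keystore holds $n key entries; expected exactly one" >&2
  return 1
}

# Constructed sample of `keytool -list` output, not real store contents.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

ssos, 01-Jan-2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# Constructed listing with two key entries, which the check must reject.
TWO_KEY_LISTING="$SAMPLE_LISTING
old-ssos, 01-Jan-2023, PrivateKeyEntry,"

# Run the check on the sample when executed directly; real stores would be
# checked with: list_store "$KEYSTORE_FILE" | check_single_signing_key
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_LISTING" | check_single_signing_key && echo "keystore ok"
fi
```

Run as `sh certtool_example.sh demo` to check the constructed listing; with a JDK on the PATH the same functions create and populate real stores, for example `generate_keypair "sso.example.internal"` followed by `add_trusted_cert partner ./partner.cer`. Remember that the SSOS configuration must be updated after the keystore changes, as the text above states.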