Enabling an SSL connection to a CA Directory policy store

Document created by flama10 (Employee) on Dec 20, 2017. Last modified by flama10 (Employee) on Dec 20, 2017. Version 2.

Enable SSL on the CA Directory policy store


Log in to the CA Directory server.

cd to the dxserver/bin folder and run:
./dxcertgen -d 1095 certs
This generates self-signed certificates valid for 1095 days (3 years).
STOP! - If the DSAs are part of a cluster you MUST do this:
        copy DXHOME/config/ssld to every server in the cluster
Restart all DSAs in the cluster.
CD here:
Copy the trusted.pem file to each policy server.
cd to the personalities folder.
This folder contains a PEM file for each DSA. Copy all of these files to each policy server.

Enable SSL on each policy server

Log in to the policy server.
Copy the files to the /siteminder/certificates folder.
If the folder does not exist, you can create it.
Find the cert8.db file; this will be in:
In the instructions below, replace:
        certdb with the path to the cert8.db file under the siteminder path.
        your_pem_file.pem with the name of the PEM file for the DSA.
Add the Root CA and the server certificates to the certificate database:
certutil -A -n "RootCA" -t "P,," -i opt/proj/smnd/app/siteminder/certificates/trusted.pem -d "certdb"
certutil -A -n "ps_dsa_client" -t "P,," -i opt/proj/smnd/app/siteminder/certificates/your_pem_file.pem -d "certdb"
Repeat the process for the other .pem files, giving each one a distinct nickname (the -n value).
Start Smconsole
    Select the data tab
    Select the certificate database
    Select Use SSL
Click "Test LDAP connection"
Wait for the test results.
Repeat this for session store and key store by changing the database drop-down if required.
Repeat this for every policy server until all policy servers in the cluster are using an SSL connection.