Enable SSL on the CA Directory policy store
Login to the CA Directory server
CD to the dxserver/bin folder
./dxcertgen -d 1095 certs
This will generate self signed certificates valid for 1095 days (3 years)
STOP! - If the DSA's are part of a cluster you MUST do this:
Restart all DSA's in cluster
Copy the trusted.pem file to the each policy server
cd to the personalities folder
This folder contains a PEM file for each DSA. copy all files to the each policy server
Enable SSL on each policy server
Login to the policy server
Copy the files to the /siteminder/certificates folder
If the folder does not exist you can create it.
Find the cert8.db file this will be in:
In the instructions bellow replace:
certdb with the path to the cert8.db file under the siteminder path.
your_pem_file.pem with the name of the PEM file for the DSA
Add the Root CA and the server certificates to the Certificate database:
certutil -A -n "RootCA" -t "P,," -i opt/proj/smnd/app/siteminder/certificates/trusted.pem -d "certdb"
certutil -A -n "ps_dsa_client" -t "P,," -i opt/proj/smnd/app/siteminder/certificates/your_pem_file.pem -d "certdb"
Repeat the process for the other .pem files giving each file a a distinct name
Select the data tab
Select the certificate database
Select Use SSL
Click "Test LDAP connection"
Wait for the test results.
Repeat this for session store and key store by changing the database drop-down if required.
Repeat this for every policy server until all policy servers in the cluster are using an SSL connection.
2 people found this helpful