Symantec Access Management

  • 1.  CA Directory - Policy store Certificate Management

    Broadcom Employee
    Posted Oct 24, 2016 02:13 AM

    Hi Team,

    Greetings.

    There is a requirement that a third-party Root CA certificate (p12 format) needs to be imported into the Policy Store trusted store.

    Following are the steps followed by the team.

    1. Convert the p12 certificate to a .pem certificate using the openssl tools.

    2. Use the dxcertgen tool to import the .pem certificate into trusted.pem

        dxcertgen -n cert-file importca


    Q1. Can we import the .p12 certificate directly into the CA Directory Policy Store trusted store using the dxcertgen tool, without converting it to a .pem file?

    Q2. Do we need to add the rootCA certificate .pem to /dxhome/config/ssld/personalities, or is just trusted.pem after executing the dxcertgen tool ok?


    Thanks and Regards,

    Srinivasu G
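    The p12-to-PEM conversion in step 1, written out as an added example that is not part of this thread: it extracts only the certificates from a PKCS#12 file (a p12 normally also holds a private key, which must not end up in trusted.pem) and checks the result before it is handed to dxcertgen. It assumes openssl is on PATH; the demo CA, file names and passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a safe version of step 1 (p12 -> PEM).
# A PKCS#12 file usually carries a private key next to the certificate; only the
# certificate(s) belong in a trust store such as trusted.pem, so the extraction
# below uses -nokeys and then checks that no key leaked through.
# Assumes openssl is on PATH. All file names and the "demo" passphrase are
# constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed fixture: a throwaway self-signed root CA packed into a PKCS#12
# together with its private key, standing in for the third party's p12.
make_fixture_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/ca.key" -in "$WORK/ca.crt" \
    -passout pass:demo -out "$WORK/ca.p12"
  printf '%s\n' "$WORK/ca.p12"
}

# Extract only the certificates from the p12 (-nokeys) and keep just the PEM
# blocks, dropping openssl's "Bag Attributes" lines so the file holds nothing
# but certificates. The result is the .pem the thread then feeds to dxcertgen.
p12_to_trusted_pem() {
  p12="$1"; out="$2"
  openssl pkcs12 -in "$p12" -passin pass:demo -nokeys \
    | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
    > "$out"
}

# Sanity check before the file goes anywhere near a trust store: at least one
# certificate, no private key of any kind, and the first certificate parses.
check_trusted_pem() {
  f="$1"
  if grep -q 'PRIVATE KEY' "$f"; then
    echo "refusing: private key material found in $f" >&2
    return 1
  fi
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  [ "$n" -ge 1 ] || return 1
  openssl x509 -in "$f" -noout -subject -enddate
}

P12=$(make_fixture_p12)
p12_to_trusted_pem "$P12" "$WORK/trusted.pem"
check_trusted_pem "$WORK/trusted.pem"
```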



  • 2.  Re: CA Directory - Policy store Certificate Management

    Posted Oct 24, 2016 09:42 PM

    Srinivas

    My thought on this is that we are mixing two different things.

    dxcertgen is a utility which helps to enable SSL connectivity on CA Directory.

    CDS (Certificate Data Store) within the Policy Store is data within the Store itself. The only way to import certificates into the Policy Store / CDS is via WAMUI or smkeytool.

    Also, currently for Root Authorities and Certificates, please refer to the highlighted caveats.




  • 3.  Re: CA Directory - Policy store Certificate Management

    Posted Oct 25, 2016 05:59 AM

    Hi Srinivasu,

    DXcertgen can import certificates from the following formats:

    • PEM (base-64 encoded)
    • DER/CER ASN.1 (base-64 encoded or binary)
    • PKCS#12

    To configure the CA Directory policy store connection over SSL, please refer to the following documentation:

    CA SiteMinder® Integrated Documents 12.52 SP1

    Private key/certificate pairs and single certificates for federation functions are stored in the certificate data store (CDS). The certificate data store is collocated with the policy store. All Policy Servers that share a common view into the same policy store have access to the same keys, certificates, CDS-configured certificate revocation lists (CRL), and OCSP responders. As Hubert mentioned, you can import the certificates into CDS via smkeytool or WAMUI.



  • 4.  Re: CA Directory - Policy store Certificate Management

    Broadcom Employee
    Posted Oct 25, 2016 07:53 AM

    Hi,

    I am a little bit confused about step 2. Please correct me if I am wrong.

    1. SSL configuration has been completed as per the document link given above.

        Added the Root Certificate Authority (CA) to the certificate database, using certutil commands

    2. As per the policy server, the trust store needs to be updated.

        Do we need to import the Root certificates added in step 1 into CA Directory using the dxcertgen tool, or via WAMUI/smkeytool?


    Thanks and Regards,

    Srinivas



  • 5.  Re: CA Directory - Policy store Certificate Management

    Posted Oct 25, 2016 02:34 PM

    dxcertgen is a CA Directory ONLY utility. So, you will use this to manage certificates on CA Directory.

    AdminUI, smkeytool & certutil are CA SiteMinder ONLY utilities.

    So, you will use these to manage certificates on the Policy Server.



  • 6.  Re: CA Directory - Policy store Certificate Management
    Best Answer

    Posted Oct 25, 2016 06:19 PM


  • 7.  Re: CA Directory - Policy store Certificate Management

    Broadcom Employee
    Posted Oct 26, 2016 04:27 AM

    Hi,

    Thanks for providing the tech tip post details.

    The example given in the tech tip post is helpful to compare with the current configurations.

    The example shows that the root certificate and the client certificates of the DSAs need to be present on the Directory server side and in the certificate database on the Policy Server side.

    In our situation the renewal client certificates are issued by another CA, which means we need to add those certificates on both the Directory server side and the Policy Server side as well.


    Thanks and Regards,

    Srinivasu G