
Tips for renew certificate for asserting party

Discussion created by CloudFans Employee on Aug 22, 2013
Latest reply on Dec 5, 2015 by Palli123
Tips: In Federation, if you renew the certificate in the smkeydatabase but it didn't work.

Smps.log showed
<StatusMessage>Error Signing Assertion.</StatusMessage>

One thing you should check is to run smkeytool.sh -listCerts and check if the key type is KeyEntry instead of Type: CertificateEntry.

Make sure you use the addPrivKey option. Refer to:

Policy Server Guides > Policy Server Configuration Guide > SiteMinder Key Database Management > Modify the Key Database Using smkeytool > Smkeytool Command Syntax and Options >

addPrivKey Option

Adds a private key/certificate pair to the key database. Use this command to import only a private key/certificate pair into the key database. You can have multiple private key/certificate pairs in the database, but SiteMinder supports only RSA keys in the database.

Note: Only private key/certificate pairs are stored in the smkeydatabase in encrypted form.

The Policy Server at the asserting party uses a single private key/certificate pair to sign SAML assertions and the certificate to decrypt encrypted SAML assertions received from the relying party. Typically, the key is the first private key/certificate pair found in the smkeydatabase.

With the -addPrivKey command, you can specify the key data by combining the -keyfile and -certfile options or by using the -keycertfile option alone.

addCert Option

Adds only a certificate to the key database. Use this command option only to import a public certificate. The certificate can be a certificate associated with a private key/certificate pair; however, you are only adding the certificate to the key database. You can also use this command to import trusted CA certificates.
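The check described above (does smkeytool -listCerts show a KeyEntry, or only CertificateEntry entries?) as a small shell script. This is an added example, not part of the original post or of the SiteMinder product; the listing samples are constructed, and the exact alias line format is an assumption, only the "Type: ..." lines follow the post.

```shell
#!/bin/sh
# Added example: inspect smkeytool -listCerts output for a private key/certificate
# pair. A renewed certificate imported with -addCert only appears as
# "Type: CertificateEntry" and cannot be used to sign assertions; the signing pair
# must appear as "Type: KeyEntry" (imported with -addPrivKey).
# Assumption: the listing prints one "Type: <entry type>" line per entry.

# Count entries of the given type ($1) in a listing read from stdin.
count_type() {
    grep -c "Type: $1" || true
}

# Succeed when the listing ($1) contains at least one KeyEntry.
has_signing_key() {
    n=$(printf '%s\n' "$1" | count_type KeyEntry)
    [ "$n" -gt 0 ]
}

# Constructed sample: renewed certificate imported with -addCert only.
SAMPLE_CERT_ONLY='Alias: idp-signing-2013
Type: CertificateEntry
Alias: partner-ca
Type: CertificateEntry'

# Constructed sample: renewed pair re-imported with -addPrivKey.
SAMPLE_WITH_KEY='Alias: idp-signing-2013
Type: KeyEntry
Alias: partner-ca
Type: CertificateEntry'

# Report whether the Policy Server has a pair it can sign with.
check_listing() {
    if has_signing_key "$1"; then
        echo "OK: KeyEntry present, the asserting party can sign assertions"
        return 0
    fi
    echo "PROBLEM: no KeyEntry found (only certificates); re-import the pair with"
    echo "  smkeytool.sh -addPrivKey -keyfile <key file> -certfile <cert file>"
    return 1
}

# Against a live Policy Server: smkeytool.sh -listCerts > listing.txt, then
# check_listing "$(cat listing.txt)". Shown here with the constructed samples.
check_listing "$SAMPLE_CERT_ONLY" || :   # reports PROBLEM
check_listing "$SAMPLE_WITH_KEY"         # reports OK
```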
