Using a CA-signed (custom) certificate for SSO based on SAML
By default, a self-signed certificate is used during the SSO configuration. However, you can replace it with a custom certificate that is generated for the BigFix Inventory server and signed by a trusted CA, which increases the security of the configuration.
Procedure
- Log in to the computer where Active Directory Federation Services (AD FS) is installed.
- Generate a certificate for the BigFix Inventory server signed by a trusted CA.
Important: Ensure that you remember the certificate label that is used during certificate generation, because it is needed in further steps.
- Export the certificate, together with its private key, into a .pfx file, for example custom_cert.pfx. Protect the file and its password: the private key in it is what the BigFix Inventory server uses to sign SAML requests.
- Copy the custom_cert.pfx file to the computer where the BigFix Inventory server is installed and place it in the following location: install_dir\wlp\usr\servers\server1\resources\security.
- To delete the existing self-signed certificate and private key provided by HCL, run the following command:
install_dir\jre\jre\bin\ikeycmd -cert -delete -label cert_label -db install_dir\wlp\usr\servers\server1\resources\security\SPKeyStore.jceks -pw sso_password -type JCEKS
Where:
- cert_label
- Is the label of the custom certificate generated for the BigFix Inventory server in step 2. If you do not know the certificate label, run the following command:
install_dir\jre\jre\bin\ikeycmd -cert -list -db custom_cert.pfx -pw custom_cert_password -type pkcs12
Note that the label passed to the delete command must match an entry that actually exists in SPKeyStore.jceks; the same -list command, pointed at SPKeyStore.jceks with -type JCEKS and the SSO password, shows the labels that the keystore contains. Back up SPKeyStore.jceks before deleting from it, because the delete removes the private key as well as the certificate.
- sso_password
- Is the password to the SSO keystore. For the default keystore password, contact HCL Support. Otherwise, provide the password that you configured.
- To import the custom certificate, run the following command:
install_dir\jre\jre\bin\ikeycmd -cert -import -file custom_cert.pfx -pw custom_cert_password -type pkcs12 -target install_dir\wlp\usr\servers\server1\resources\security\SPKeyStore.jceks -target_pw sso_password -target_type JCEKS -label cert_label -new_label samlsp
Where:
- custom_cert_password
- Is the password that protects the custom_cert.pfx file exported in step 3.
- cert_label and sso_password
- Have the same meaning as in the previous step. The -new_label samlsp option stores the imported entry under the label samlsp, which is the label the BigFix Inventory server uses for the SAML service provider certificate.
- In BigFix Inventory, go to . Click Download Service Provider Metadata and save the spMetadata.xml file. The metadata now carries the custom certificate, which the identity provider needs in order to verify requests signed by BigFix Inventory.
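The following PowerShell script is an added example and not part of the HCL documentation or product: it runs the keystore part of the procedure above (steps 5 and 6) with the checks an operator would want around it, and optionally verifies the downloaded spMetadata.xml from the last step. It assumes that the existing HCL self-signed entry is stored in SPKeyStore.jceks under the label samlsp (the label the import step assigns to the new certificate), that ikeycmd returns a non-zero exit code on failure, and that the parameter names (InstallDir, PfxPath, PfxPassword, PfxLabel, SsoPassword, ExistingLabel, MetadataPath) are our own.

```powershell
# Added example (not HCL's tooling): scripted certificate swap with pre- and post-checks.
# Assumed: the HCL self-signed entry uses the label "samlsp"; ikeycmd exits non-zero on error.
param(
    [Parameter(Mandatory)] [string] $InstallDir,     # install_dir of BigFix Inventory
    [Parameter(Mandatory)] [string] $PfxPath,        # custom_cert.pfx from step 3
    [Parameter(Mandatory)] [string] $PfxPassword,    # custom_cert_password
    [Parameter(Mandatory)] [string] $PfxLabel,       # cert_label of the certificate in the .pfx
    [Parameter(Mandatory)] [string] $SsoPassword,    # sso_password of SPKeyStore.jceks
    [string] $ExistingLabel = 'samlsp',              # label of the self-signed entry (assumption)
    [string] $MetadataPath                           # spMetadata.xml, once downloaded (optional)
)
$ErrorActionPreference = 'Stop'
$ikeycmd  = Join-Path $InstallDir 'jre\jre\bin\ikeycmd'
$keystore = Join-Path $InstallDir 'wlp\usr\servers\server1\resources\security\SPKeyStore.jceks'

# Runs ikeycmd with the given arguments and stops on a non-zero exit code.
function Invoke-Ikeycmd {
    param([string[]] $Arguments)
    $out = & $ikeycmd @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "ikeycmd $($Arguments[0..1] -join ' ') failed:`n$($out -join "`n")"
    }
    $out
}

# 1. Inspect the .pfx before touching the keystore: CA-signed, with key, not expired.
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
if ($pfx.Subject -eq $pfx.Issuer) { throw "$PfxPath is self-signed; a CA-signed certificate is expected." }
if (-not $pfx.HasPrivateKey)      { throw "$PfxPath carries no private key; the SP cannot sign with it." }
if ($pfx.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($pfx.NotAfter)." }
"Importing '$($pfx.Subject)' issued by '$($pfx.Issuer)', thumbprint $($pfx.Thumbprint)"

# 2. Confirm the label exists in the .pfx, so the import cannot fail after the delete.
$pfxLabels = Invoke-Ikeycmd @('-cert', '-list', '-db', $PfxPath, '-pw', $PfxPassword, '-type', 'pkcs12')
if (-not ($pfxLabels | Where-Object { $_ -match [regex]::Escape($PfxLabel) })) {
    throw "Label '$PfxLabel' not found in $PfxPath. ikeycmd reported:`n$($pfxLabels -join "`n")"
}

# 3. Back up the keystore, then remove the existing self-signed certificate and key.
Copy-Item $keystore "$keystore.$(Get-Date -Format yyyyMMddHHmmss).bak"
Invoke-Ikeycmd @('-cert', '-delete', '-label', $ExistingLabel,
                 '-db', $keystore, '-pw', $SsoPassword, '-type', 'JCEKS') | Out-Null

# 4. Import the CA-signed certificate and key, renamed to the label the server expects.
Invoke-Ikeycmd @('-cert', '-import', '-file', $PfxPath, '-pw', $PfxPassword, '-type', 'pkcs12',
                 '-target', $keystore, '-target_pw', $SsoPassword, '-target_type', 'JCEKS',
                 '-label', $PfxLabel, '-new_label', $ExistingLabel) | Out-Null

# 5. Verify that exactly one entry with the expected label is now present.
$after = Invoke-Ikeycmd @('-cert', '-list', '-db', $keystore, '-pw', $SsoPassword, '-type', 'JCEKS')
$hits  = @($after | Where-Object { $_ -match "(^|\s)$([regex]::Escape($ExistingLabel))\s*$" })
if ($hits.Count -ne 1) { throw "Expected one '$ExistingLabel' entry after import, found $($hits.Count)." }

# 6. Optional: once spMetadata.xml has been downloaded, check that it advertises the new certificate.
if ($MetadataPath) {
    $xml = [xml](Get-Content -Raw $MetadataPath)
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $nodes  = $xml.SelectNodes('//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    $thumbs = foreach ($n in $nodes) {
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            [Convert]::FromBase64String(($n.InnerText -replace '\s', '')))).Thumbprint
    }
    if ($thumbs -notcontains $pfx.Thumbprint) {
        throw "spMetadata.xml does not contain the imported certificate (found: $($thumbs -join ', '))."
    }
    "spMetadata.xml advertises the imported certificate; give this file to the identity provider."
}
```

Run the script once after step 4 to perform the swap, then again with -MetadataPath pointing at the downloaded spMetadata.xml to confirm that the metadata the identity provider receives really carries the CA-signed certificate and not the old self-signed one. The backup taken in step 3 of the script is what lets you roll back if the server rejects the new entry.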