Setting up the certificate key store for decoding SAML encrypted elements
SAML 2.0 supports encrypted XML elements. The identity provider (IdP) creates the assertion and can encrypt part of it or the entire assertion. The Sametime® Community Server must decrypt the encrypted elements before it can validate the assertion. This encryption is based on asymmetric cryptography, using two related keys: a private key and a public key. The IdP typically uses the public key for encryption, and the Sametime server uses the private key for decryption.
About this task
Setting up a key store is similar to setting up a trust store, as explained in the topic Setting up the certificate trust store for SAML signature validation. The difference is that the trust store is used for signature validation and therefore does not require a private key, while the key store is used for element decryption and must contain a private key. The private key is supplied by adding the personal certificate (the certificate together with its private key) under "Personal Certificates" in the key store.
The key store can be a P12 file (PKCS#12), JKS (Java™ Key Store), or KDB (IBM key database). You can use an existing certificate store file, or create a new one. If you are creating a new certificate store, P12 (PKCS#12) is the recommended format. You can use the iKeyMan tool for creating and editing the certificate store, as explained in the topic Using iKeyMan to manage certificates for TLS.
Once you have the key store, specify the key store file and password in the Sametime configuration. If you plan to use the same key store for TLS and SAML, or if you are not using TLS, then only a single key store file is needed in the Sametime configuration. In this case, it is recommended that you use the TLS configuration settings in the Integrated Solutions Console. At a minimum, specify the key store file and password in the "Server application connections" column. Refer to the topic Setting up TLS configuration for the complete list of available settings.
Procedure
STSAML_KEY_STORE_FILE=Key store file
STSAML_KEY_STORE_TYPE=Key store type
STSAML_KEY_STORE_PASSWORD=Key store password
STSAML_KEY_STORE_PASSWORD_STASH_FILE=Key store password stash file
STSAML_KEY_LABEL=Certificate alias in key store
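As an added example (not IBM's code), a small stdlib-only Python check that the five settings above form a consistent set before the server is restarted; the KEY=VALUE layout, the accepted type strings and the assumption that the password and the stash file are alternatives are not stated on this page.

```python
"""Consistency check for the STSAML_KEY_STORE_* settings listed on this page
(added example, not IBM's code). Assumed, not stated on the page: settings sit
in a sametime.ini-style KEY=VALUE block; STSAML_KEY_STORE_TYPE is P12, PKCS12,
JKS or KDB and should match the file extension; PASSWORD and
PASSWORD_STASH_FILE are alternatives, so exactly one should be set."""
import os
# Formats named on the page, keyed by extension (type strings are assumed).
TYPE_BY_EXT = {".p12": {"P12", "PKCS12"}, ".jks": {"JKS"}, ".kdb": {"KDB"}}

def parse_ini(text):
    """Parse KEY=VALUE lines, skipping blanks, comments and [sections]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings

def check_saml_keystore(text):
    """Return a list of findings; an empty list means the block is consistent."""
    s = parse_ini(text)
    findings = []
    store = s.get("STSAML_KEY_STORE_FILE", "")
    if not store:
        findings.append("STSAML_KEY_STORE_FILE missing: no private key to decrypt with")
    stype = s.get("STSAML_KEY_STORE_TYPE", "").upper()
    ext = os.path.splitext(store)[1].lower()
    if not stype:
        findings.append("STSAML_KEY_STORE_TYPE missing")
    elif ext in TYPE_BY_EXT and stype not in TYPE_BY_EXT[ext]:
        findings.append(f"STSAML_KEY_STORE_TYPE={stype} disagrees with extension {ext}")
    pw = s.get("STSAML_KEY_STORE_PASSWORD")
    stash = s.get("STSAML_KEY_STORE_PASSWORD_STASH_FILE")
    if bool(pw) == bool(stash):
        findings.append("set exactly one of STSAML_KEY_STORE_PASSWORD and "
                        "STSAML_KEY_STORE_PASSWORD_STASH_FILE")
    if not s.get("STSAML_KEY_LABEL"):
        findings.append("STSAML_KEY_LABEL missing: server cannot select the "
                        "private key under Personal Certificates")
    return findings
# Constructed sample: type disagrees with the .p12 file and both password
# settings are present, so two findings are expected.
SAMPLE_BAD = """STSAML_KEY_STORE_FILE=/opt/sametime/saml-keys.p12
STSAML_KEY_STORE_TYPE=JKS
STSAML_KEY_STORE_PASSWORD=changeit
STSAML_KEY_STORE_PASSWORD_STASH_FILE=/opt/sametime/saml-keys.sth
STSAML_KEY_LABEL=saml-decrypt
"""
```

Run `check_saml_keystore(open("sametime.ini").read())` against the real file once the settings are in place; an empty list means the block is internally consistent, not that the key store itself contains the private key.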