Using a CA-signed (custom) certificate for SSO based on SAML

By default, a self-signed certificate is used during the SSO configuration. However, you can use a custom certificate generated for the BigFix Inventory server to increase security of the configuration.

Procedure

  1. Log in to the computer where Active Directory Federation Services are installed.
  2. Generate a certificate for the BigFix Inventory server signed by a trusted CA.
    Important: Ensure that you remember the certificate label that is used during certificate generation as it is needed in further steps.
  3. Export the certificate into a .pfx file. For example, custom_cert.pfx.
  4. Copy the custom_cert.pfx file to the computer where the BigFix Inventory server is installed and place it in the following location: install_dir\wlp\usr\servers\server1\resources\security.
  5. To delete the existing self-signed certificate and private key provided by HCL, run the following commands.
    install_dir\jre\jre\bin\ikeycmd -cert -delete -label cert_label -db install_dir\wlp\usr\servers\server1\resources\security\<keystore_name> -pw sso_password -type <type>
    Where:
    cert_label
    Is the label of the custom certificate generated for the BigFix Inventory server in step 2. If you do not know the certificate label, run the following command:
    install_dir\jre\jre\bin\ikeycmd -cert -list -db custom_cert.pfx -pw custom_cert_password -type pkcs12
    sso_password
    Is the password to the SSO keystore. For the default keystore password, contact HCL Support. Otherwise, provide the password that you configured.
  6. To import the custom certificate, run the following commands.
    install_dir\jre\jre\bin\ikeycmd -cert -import -file custom_cert.pfx -pw custom_cert_password -type pkcs12 -target install_dir\wlp\usr\servers\server1\resources\security\<keystore_name> -target_pw sso_password -target_type <type> -label cert_label -new_label samlsp

    Where:
    custom_cert_password
    Is the password to the custom certificate generated in step 2.
    sso_password
    Is the password to the SSO keystore.
    cert_label
    Is the label of the custom certificate generated in step 2.
  7. In BigFix Inventory go to Management > Single Sign-On Settings. Click Download Service Provider Metadata, and save the spMetadata.xml file.
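Before handing the spMetadata.xml file from step 7 to the Identity Provider, it is worth confirming that the signing certificate it publishes is the CA-signed one you imported and not the old self-signed one. The following added example (not part of the HCL documentation or product) parses the SAML metadata with the Python standard library and compares the SHA-256 fingerprint of each published certificate with the certificate you expect; the entityID and certificate bytes are constructed placeholders, not real values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders: these are not real DER certificates, only bytes standing in for them.
FAKE_CUSTOM_DER = b"constructed-ca-signed-cert-bytes"
FAKE_SELF_SIGNED_DER = b"constructed-self-signed-cert-bytes"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form most certificate tools print."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def metadata_fingerprints(xml_text: str) -> dict:
    """Map each key use ('signing', 'encryption') to the certificate fingerprints in SP metadata.
    A KeyDescriptor without a use attribute applies to both uses, per the SAML metadata spec."""
    root = ET.fromstring(xml_text)
    result = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert_el in kd.iterfind(".//ds:X509Certificate", NS):
            # The base64 in metadata is usually line-wrapped; drop all whitespace before decoding.
            der = base64.b64decode("".join((cert_el.text or "").split()))
            for use in uses:
                result[use].append(fingerprint(der))
    return result


def signing_cert_is(xml_text: str, expected_der: bytes) -> bool:
    """True only if the expected certificate is among the signing certs published to the IdP."""
    return fingerprint(expected_der) in metadata_fingerprints(xml_text)["signing"]


def sample_metadata(der: bytes) -> str:
    """Constructed spMetadata.xml skeleton carrying the given certificate bytes (placeholder entityID)."""
    b64 = base64.b64encode(der).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://bfi.example.invalid/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}">
      <ds:X509Data><ds:X509Certificate>
        {b64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    print(signing_cert_is(sample_metadata(FAKE_CUSTOM_DER), FAKE_CUSTOM_DER))       # True
    print(signing_cert_is(sample_metadata(FAKE_SELF_SIGNED_DER), FAKE_CUSTOM_DER))  # False
```

To run it against the real file, read spMetadata.xml and pass the DER bytes of the certificate you generated in step 2 (or compare the printed fingerprint with the one your certificate tooling reports).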

What to do next

Based on the spMetadata.xml file, configure the Identity Provider for single sign-on.
Note: The <type> and <keystore_name> placeholders used in the above commands stand for the following:
<type>
Starting from version 10.0.8.0, the type of the certificate is PKCS12. For earlier versions, it is JCEKS.
<keystore_name>
Starting from version 10.0.8.0, the name of the keystore file is SPKeyStore.p12. For earlier versions, it is SPKeyStore.jceks.