Adding the Service Provider server certificate and key to other vault server ID files

If there are other ID vault servers in your Domino domain with replicas of the ID vault used for Nomad federated login, complete the following steps. These steps add the new Service Provider server certificate and key created in the previous procedure to the server ID files of those ID vault servers:

Procedure

  1. Complete the following steps from the ID vault server on which you created the IdP Configuration document and exported the ServiceProvider.xml file in the previous procedure:
    1. Open the IdP Configuration document in idpcat.nsf and select the Certificate Management tab.
    2. Note the values of the following fields:
      • Company name
      • Certificate public hash value
    3. On the current ID vault server from which you created the new IdP Configuration document, enter the following command at the server console:
      certmgmt show all
    4. Confirm that the command output contains the following information, which indicates that the current ID vault server ID file contains the new certificate:
      • A Subject Name that matches the value of the Company name field.
      • A Public Key Hash value that matches the Certificate public hash value field.
    5. On the current ID vault server, add the following three notes.ini settings:
      • SAMLCompanyname=<SubjectName>

        For example: SAMLCompanyname=CN=Renovationsvault

      • SAMLPublicKeyHash=<PublicKeyHash>

        For example: SAMLPublicKeyHash=HkcAGUXy3z4D8V1v9vUYlA==

      • SAMLAuthVersion=2.0
    6. Restart the ID vault server.
    7. Run the following command to export the certificate and private key to a pkcs12 file:
      certmgmt EXPORT saml pkcs12 <filename> <filePw>

      For example: certmgmt EXPORT saml pkcs12 renovationsvault.p12 PASSw0rd!!

      Note:
      • The command is successful if the exported file name contains the certificate Subject Name.
      • If you don't specify an explicit path, the file is created under the Domino server data directory.
  2. Complete the following steps on each additional ID vault server that has a replica of the ID vault used for Nomad federated login:
    1. Copy the pkcs12 certificate file exported in Step 1 to the Domino data directory of the additional ID vault server.
    2. Run the following command to import the certificate and key to the server ID file of the additional ID vault server:
      certmgmt IMPORT pkcs12 <filename> <filePw>

      For example: certmgmt IMPORT saml pkcs12 renovationsvault.p12 PASSw0rd!!

    3. Execute the following command:
      certmgmt show all
    4. Confirm that the command output contains:
      • A Subject Name that matches the value of the Company name field in the IdP Configuration document.
      • A Public Key Hash value that matches the Certificate public hash value field in the IdP Configuration document.
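As an added example (not HCL's code or part of this procedure), the following Python script checks the three notes.ini settings from Step 1 against the Company name and Certificate public hash values read from the IdP Configuration document, so the match can be verified on each vault server before it is restarted. The notes.ini fragment is constructed, and the script assumes the Company name field may be given either bare or in its `CN=` form.

```python
import base64
import binascii

# Constructed notes.ini fragment for illustration; not taken from a real server.
SAMPLE_NOTES_INI = """\
ServerTasks=Replica,Router,Update,AMgr,Adminp,HTTP
SAMLCompanyname=CN=Renovationsvault
SAMLPublicKeyHash=HkcAGUXy3z4D8V1v9vUYlA==
SAMLAuthVersion=2.0
"""


def parse_notes_ini(text):
    """Return notes.ini settings as a dict. Setting names are case-insensitive
    in Domino, so keys are lower-cased; values keep their original case."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def check_saml_settings(notes_ini_text, company_name, public_key_hash):
    """Compare the SAML notes.ini settings with the values from the IdP
    Configuration document. Returns a list of problems; empty means OK."""
    problems = []
    s = parse_notes_ini(notes_ini_text)
    for key in ("samlcompanyname", "samlpublickeyhash", "samlauthversion"):
        if key not in s:
            problems.append(f"missing notes.ini setting {key}")
    if problems:
        return problems
    # Assumption: the Company name field may be entered bare or as a CN= Subject Name.
    expected_names = {company_name, f"CN={company_name}"}
    if s["samlcompanyname"] not in expected_names:
        problems.append(f"SAMLCompanyname {s['samlcompanyname']!r} does not match Company name {company_name!r}")
    if s["samlpublickeyhash"] != public_key_hash:
        problems.append("SAMLPublicKeyHash does not match Certificate public hash value")
    try:
        # The hash value is base64 text; reject anything that cannot decode.
        base64.b64decode(s["samlpublickeyhash"], validate=True)
    except (binascii.Error, ValueError):
        problems.append("SAMLPublicKeyHash is not valid base64")
    if s["samlauthversion"] != "2.0":
        problems.append(f"SAMLAuthVersion must be 2.0, found {s['samlauthversion']!r}")
    return problems
```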

What to do next

Complete the procedure Setting up a Relying Party Trust for the ID vault server used by Nomad federated login.