Setting up the certificate key store for decoding SAML encrypted elements

SAML 2.0 supports encrypted XML elements. The identity provider (IdP) creates the assertion and can encrypt part of the assertion or the entire assertion. The Sametime® Community Server must decrypt the encrypted elements in order to validate the assertion. This encryption is based on asymmetric cryptography, using two related keys: a private key and a public key. The IdP typically uses the public key for encryption, and the Sametime server uses the private key for decryption.

About this task

SAML encryption is an optional feature. If your IdP does not encrypt SAML elements, skip this step. If your IdP is set to encrypt SAML elements, configure the Sametime Community Server with the private key; the IdP must use the corresponding public key for encryption.

Setting up a key store is similar to setting up a trust store as explained in the topic Setting up the certificate trust store for SAML signature validation. The difference between a trust store and a key store is that the trust store is used for signature validation and therefore does not require a private key, while the key store is used for element decryption and must contain a private key. The private key is specified by adding the private key certificate under "Personal Certificates" in the key store.

The key store can be a P12 file (PKCS#12), JKS (Java™ Key Store), or KDB (IBM key database). You can use an existing certificate store file, or create a new one. If you are creating a new certificate store, P12 (PKCS#12) is the recommended format. You can use the iKeyMan tool for creating and editing the certificate store, as explained in the topic Using iKeyMan to manage certificates for TLS.

Once you have the key store, specify the key store file and password in the Sametime configuration. If you plan to use the same key store for TLS and SAML, or if you are not using TLS, then only a single key store file is needed in the Sametime configuration. In this case, it is recommended that you use the TLS configuration settings in the Integrated Solutions Console. At a minimum, specify the key store file and password in the "Server application connections" column. Refer to the topic Setting up TLS configuration for the complete list of available settings.

Procedure

If you plan to use a different key store for TLS and SAML, specify the key store using the following SAML-specific settings in the [Config] section of the sametime.ini file:
STSAML_KEY_STORE_FILE=Key store file
STSAML_KEY_STORE_TYPE=Key store type
STSAML_KEY_STORE_PASSWORD=Key store password
STSAML_KEY_STORE_PASSWORD_STASH_FILE=Key store password stash file
STSAML_KEY_LABEL=Certificate alias in key store
Note: If the Sametime server is currently running, these settings take effect the next time the Sametime server is restarted.
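As an added example (not part of the Sametime product or of this page), the following Python checker reads a sametime.ini [Config] section and reports SAML key store settings that are missing before the server is restarted. It assumes that STSAML_KEY_STORE_PASSWORD and STSAML_KEY_STORE_PASSWORD_STASH_FILE are alternatives (at least one must be present) and that the key store file name carries one of the .p12, .jks or .kdb extensions named above; the sample section values are constructed placeholders.

```python
"""Sanity-check the SAML key store settings in a sametime.ini [Config] section."""
import configparser
from pathlib import PurePath

# Setting names from the procedure above. The password and the stash file are
# treated as alternatives (assumption: at least one of the two must be set).
KEY_STORE_FILE = "STSAML_KEY_STORE_FILE"
KEY_STORE_TYPE = "STSAML_KEY_STORE_TYPE"
KEY_STORE_PASSWORD = "STSAML_KEY_STORE_PASSWORD"
KEY_STORE_STASH = "STSAML_KEY_STORE_PASSWORD_STASH_FILE"
KEY_LABEL = "STSAML_KEY_LABEL"

# Key store formats named on the page: PKCS#12, JKS and KDB.
KNOWN_EXTENSIONS = {".p12", ".jks", ".kdb"}

# Constructed sample [Config] section; paths and label are placeholders.
SAMPLE_INI = """\
[Config]
STSAML_KEY_STORE_FILE=/opt/sametime/saml-keystore.p12
STSAML_KEY_STORE_TYPE=PKCS12
STSAML_KEY_STORE_PASSWORD_STASH_FILE=/opt/sametime/saml-keystore.sth
STSAML_KEY_LABEL=saml-decrypt
"""


def check_saml_key_store(ini_text: str) -> list:
    """Return a list of problems found; an empty list means the section is complete."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the upper-case setting names as written
    parser.read_string(ini_text)
    if not parser.has_section("Config"):
        return ["missing [Config] section"]
    cfg = parser["Config"]
    problems = []
    # File, type and certificate alias are always required.
    for name in (KEY_STORE_FILE, KEY_STORE_TYPE, KEY_LABEL):
        if not cfg.get(name, "").strip():
            problems.append(f"{name} is not set")
    # The server needs a password source: either the cleartext setting or a stash file.
    if not (cfg.get(KEY_STORE_PASSWORD, "").strip() or cfg.get(KEY_STORE_STASH, "").strip()):
        problems.append(f"neither {KEY_STORE_PASSWORD} nor {KEY_STORE_STASH} is set")
    store = cfg.get(KEY_STORE_FILE, "").strip()
    if store and PurePath(store).suffix.lower() not in KNOWN_EXTENSIONS:
        problems.append(f"{KEY_STORE_FILE} does not end in .p12, .jks or .kdb: {store}")
    return problems
```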