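# Generate the Tomcat TLS key pair in tomcat.jks under the alias "tomcat".
# -storepass is deliberately not given on the command line: keytool prompts
# for the keystore password instead, so the secret does not end up in shell
# history or in `ps` output. -genkeypair is the current spelling of -genkey.
# -validity only applies to the self-signed placeholder; the CA reply installed
# below sets the real lifetime.
/opt/netiq/idm/apps/jre/bin/keytool -genkeypair -keysize 2048 -alias tomcat -keyalg RSA -keystore /opt/netiq/idm/apps/tomcat/conf/tomcat.jks -dname "CN=idmServ.acme.edu, OU=Dept, O=Acme University, L=City, ST=XX, C=US" -validity 1095
# Produce a CSR for the "tomcat" key; csr.txt is what is submitted to the CA.
/opt/netiq/idm/apps/jre/bin/keytool -certreq -alias tomcat -file /opt/netiq/idm/apps/tomcat/conf/csr.txt -keystore /opt/netiq/idm/apps/tomcat/conf/tomcat.jks
# Install the CA's signed reply under the SAME alias so it replaces the
# self-signed certificate on the key entry. If the reply is a single
# certificate rather than a full chain, keytool needs the intermediate CA
# already present in the keystore (see the interCA import) to validate it.
/opt/netiq/idm/apps/jre/bin/keytool -import -alias tomcat -file /opt/netiq/idm/apps/tomcat/conf/ca-response.txt -keystore /opt/netiq/idm/apps/tomcat/conf/tomcat.jks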
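<!-- Plain HTTP listener; requests that require confidentiality are redirected to the TLS port below. -->
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<!--
  TLS listener for OSP. sslEnabledProtocols is restricted to TLSv1.2: TLS 1.0
  and 1.1 are deprecated and were previously enabled here as well.
  keystoreFile is the JKS generated with keytool; keystorePass must equal the
  password chosen for that keystore when it was created, so the value shown
  here is presumably a placeholder to be replaced. clientAuth="false" means
  no client certificate is requested from browsers.
-->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" keyAlias="tomcat" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1.2" keystoreFile="/opt/netiq/idm/apps/tomcat/conf/tomcat.jks" keystorePass="password" />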
# Add the CA's intermediate certificate to tomcat.jks as a trusted entry.
# -trustcacerts additionally lets keytool consult the JRE's cacerts file when
# verifying the chain. No -storepass is given, so keytool prompts for the
# keystore password.
# NOTE(review): this listing shows the import after the CA reply import; if the
# CA reply is a single certificate, run this step first so the chain can be built.
/opt/netiq/idm/apps/jre/bin/keytool -import -alias interCA -file /opt/netiq/idm/apps/tomcat/conf/intermediate.b64 -keystore /opt/netiq/idm/apps/tomcat/conf/tomcat.jks -trustcacerts
<!--
  Key published in the SP's SAML metadata. No "use" attribute is present, so
  under the SAML metadata rules this certificate is offered for both signing
  and encryption. The base64 certificate body is redacted on this page.
-->
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>base64StuffRedacted</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
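# Trust the IdP certificate (idp-cert.b64, presumably exported from the IdP
# metadata) in tomcat.jks, so OSP can verify what the IdP signs.
# -storepass is omitted on purpose: keytool prompts for the keystore password,
# keeping it out of shell history and `ps` output.
/opt/netiq/idm/apps/jre/bin/keytool -import -alias idp-cert -file /opt/netiq/idm/apps/tomcat/conf/idp-cert.b64 -keystore /opt/netiq/idm/apps/tomcat/conf/tomcat.jks -trustcacerts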
<!--
  SSO endpoints advertised in the IdP metadata, one per supported binding.
  The first is the legacy Shibboleth 1.0 AuthnRequest profile; the other three
  are SAML 2.0 HTTP-POST, HTTP-POST-SimpleSign and HTTP-Redirect. All are
  served over HTTPS on the IdP host; the SP picks the binding it supports.
-->
<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://login.acme.edu/idp/profile/Shibboleth/SSO" />
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.acme.edu/idp/profile/SAML2/POST/SSO" />
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://login.acme.edu/idp/profile/SAML2/POST-SimpleSign/SSO" />
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.acme.edu/idp/profile/SAML2/Redirect/SSO" />
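<!-- idvault : do not require encryption. -->
<!--
  Per-SP override for the OSP relying party. The id must equal the SP entityID
  byte for byte; it is written as idmServ here to agree with the entityID used
  in the attribute filter policy and the certificate CN used elsewhere in this
  setup (the earlier spelling idmServr did not match, and an unmatched id
  presumably falls back to the default relying-party settings).
  encryptAssertions/encryptNameIds="never" means the assertion crosses the
  browser signed but not encrypted, so the SP endpoint must remain TLS-only.
-->
<RelyingParty id="https://idmServ.acme.edu:8443/osp/a/idm/auth/saml2/metadata"
provider="https://login.acme.edu/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
<!-- END idvault -->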
<!--
  Example attribute as carried in the assertion: "mail" is sent under its OID
  name in URI name format with a single string value.
  NOTE(review): xsi:type="xsi:string" names a type in the XSI namespace, which
  defines no "string" type; the usual form is xmlns:xs="http://www.w3.org/2001/XMLSchema"
  with xsi:type="xs:string". Confirm this is what the IdP actually emits.
-->
<saml2:Attribute FriendlyName="mail"
Name="urn:oid:0.9.2342.19200300.100.1.3"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsi:string">geoffc@acme.edu</saml2:AttributeValue>
</saml2:Attribute>
<!--
  Attribute resolver definition: builds the attribute "serialNumberOSP" from
  the serialNumber value supplied by the resolver item "shib_attr" (defined
  elsewhere). The SAML2String encoder releases it under Name="cn" with
  friendlyName "serialNumber"; presumably OSP expects the user key under "cn",
  so confirm against the OSP side before changing either name.
-->
<resolver:AttributeDefinition id="serialNumberOSP" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="serialNumber">
<resolver:Dependency ref="shib_attr" />
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="cn" friendlyName="serialNumber" />
</resolver:AttributeDefinition>
<!--
  Attribute release policy for the OSP SP. The requester string is compared
  exactly against the SP entityID (idmServ here; it must agree with the
  RelyingParty id and the SP metadata), and serialNumberOSP is released with
  any value, but only to that requester.
-->
<AttributeFilterPolicy id="idvaultdev3">
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
value="https://idmServ.acme.edu:8443/osp/a/idm/auth/saml2/metadata" />
<AttributeRule attributeID="serialNumberOSP">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>