To enable Security Token Service (STS) for SDL LiveContent Reach, you first must load the STS token signing certificate into the Apache Tomcat web application server.
Before you begin
Note: This procedure is supported only for the Apache Tomcat third-party web application server. It is not supported for the web application server that is bundled with SDL LiveContent Reach.
Ensure that the %JAVA_HOME% ($JAVA_HOME on Linux) path and the Apache Tomcat JVM path point to the same JDK, as shown below:
| Apache Tomcat JVM | Environment variable |
|---|---|
| C:\Program Files\Java\jdk7\bin\server\jvm.dll | %JAVA_HOME% = C:\Program Files\Java\jdk7\ |
| /usr/java/jdk7 | $JAVA_HOME = /usr/java/jdk7 |
Tip: To find the setting for the Apache Tomcat JVM, start the Configure Tomcat application (under Apache Tomcat in Program Files) and click the Java tab.
Ensure that the %PATH% ($PATH on Linux) environment variable setting contains the %JAVA_HOME%\bin ($JAVA_HOME/bin on Linux) path.
Procedure
- Obtain a token signing certificate from a trusted STS (Security Token Service) organization.
To obtain a token signing certificate from the ADFS STS:
  - Log on to the ADFS STS server.
  - Start the ADFS STS Management Console.
  - In the left pane, navigate to .
  - In the center pane, under Certificates, right-click the ADFS certificate in the Token-signing section and then click View Certificate.
  - On the Details tab, click Copy to File.
  The Certificate Export Wizard opens on the welcome page. Click Next to continue.
  - In the Export File Format pane, select DER encoded binary X.509 (.CER).
  - In the File to Export pane, save the file to C:\sts_signing_cert.cer (/usr/sts_signing_cert.cer on Linux).
  - On the Completing the Certificate Export Wizard pane, click Finish to exit.
To obtain a token signing certificate from the SDL LiveContent Architect STS (InfoShareSTS):
  - In a web browser, log on to the SDL LiveContent Architect STS (InfoShareSTS) site.
  - Click the icon in the taskbar, and then click View certificates.
  - On the Details tab, click Copy to File.
  - Save the certificate file to c:\sts_signing_cert.cer (/usr/sts_signing_cert.cer on Linux).
Note: If you are using some other STS organization, follow their procedures to obtain a token signing certificate.
Tip: Save all certificates (CA certificate, SSL or machine certificate, STS certificate) in the same directory as the Tomcat keystore. This makes it easier to keep track of them and to verify certificate subject strings against the keystore's list view.
- Import the token signing certificate into the Apache Tomcat keystore.
- From a Command Prompt or Terminal window, in the JDK bin directory, run:
On Windows:
keytool -import -keystore TOMCAT_HOME\conf\tomcat_keystore.jks -alias mystscert -trustcacerts -file c:\sts_signing_cert.cer -noprompt -storepass *****
where:
- TOMCAT_HOME is the Apache Tomcat application server installation directory (for example, C:\Program Files\Apache Software Foundation\Tomcat 7.0\).
- -file c:\sts_signing_cert.cer specifies the token signing certificate file you obtained from the STS organization.
On Linux:
keytool -import -keystore TOMCAT_HOME/conf/tomcat_keystore.jks -alias mystscert -trustcacerts -file /usr/sts_signing_cert.cer -noprompt -storepass *****
where:
- TOMCAT_HOME is the Apache Tomcat application server installation directory (for example, /usr/Apache Software Foundation/Tomcat 7.0/).
- -file /usr/sts_signing_cert.cer specifies the token signing certificate file you obtained from the STS organization.
- Check the content of the keystore for the token signing certificate:
keytool -list -keystore TOMCAT_HOME/conf/tomcat_keystore.jks -storepass ***** -v
Tip: Search for the -alias value you specified when importing the certificate (mystscert).
Note: Keep the token signing certificate file c:\sts_signing_cert.cer (/usr/sts_signing_cert.cer on Linux), as you must open it in a subsequent process to extract certificate information.
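A check the import and list steps above leave to the administrator, as an added shell example that is not part of the SDL documentation: it imports the certificate with keytool, refuses to overwrite an existing alias (keytool -noprompt would fail on that anyway), and confirms that the SHA-256 fingerprint of the stored mystscert entry equals that of the .cer file received from the STS. It assumes keytool is on the PATH, that keytool prints English output, and that the keystore password is supplied through the hypothetical TOMCAT_STOREPASS environment variable instead of on the command line.

```shell
#!/bin/sh
# Added example (not from the SDL documentation): import an STS token
# signing certificate into the Tomcat keystore and verify that the stored
# entry's SHA-256 fingerprint matches the certificate file.
# Assumes: keytool on PATH, English keytool output, keystore password in
# the (hypothetical) environment variable TOMCAT_STOREPASS.

# Print the SHA-256 fingerprint keytool reports for a certificate file.
cert_file_fingerprint() {
  keytool -printcert -file "$1" | awk '/SHA256:/ { print $2; exit }'
}

# Print the SHA-256 fingerprint of the entry stored under an alias,
# or nothing if the keystore or alias does not exist.
keystore_entry_fingerprint() {
  keytool -list -v -keystore "$1" -alias "$2" -storepass:env TOMCAT_STOREPASS 2>/dev/null \
    | awk '/SHA256:/ { print $2; exit }'
}

# import_sts_cert KEYSTORE ALIAS CERTFILE
# Returns 0 only when the certificate was imported and the fingerprint
# read back from the keystore equals the fingerprint of the file.
import_sts_cert() {
  ks=$1; alias=$2; cert=$3
  if [ -n "$(keystore_entry_fingerprint "$ks" "$alias")" ]; then
    echo "alias '$alias' already present in $ks; pick another alias or delete it first" >&2
    return 2
  fi
  expected=$(cert_file_fingerprint "$cert")
  [ -n "$expected" ] || { echo "could not read a certificate from $cert" >&2; return 3; }
  keytool -importcert -keystore "$ks" -alias "$alias" -trustcacerts \
    -file "$cert" -noprompt -storepass:env TOMCAT_STOREPASS >/dev/null || return 4
  actual=$(keystore_entry_fingerprint "$ks" "$alias")
  if [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch for $alias: file $expected, keystore $actual" >&2
    return 5
  fi
  echo "imported $alias with SHA-256 fingerprint $actual"
}
```

Run it as `TOMCAT_STOREPASS=... import_sts_cert TOMCAT_HOME/conf/tomcat_keystore.jks mystscert /usr/sts_signing_cert.cer`; the printed fingerprint is the value to compare against the STS administrator's records.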