Loading the STS Token Signing Certificate

To enable Security Token Service (STS) for SDL LiveContent Reach, you first must load the STS token signing certificate into the Apache Tomcat web application server.

Before you begin

Ensure that the %JAVA_HOME% ($JAVA_HOME on Linux) path and the Apache Tomcat JVM path refer to the same JDK installation, as in the following examples:

Apache Tomcat JVM                                Environment Variable
---------------------------------------------    ------------------------------------------
C:\Program Files\Java\jdk7\bin\server\jvm.dll    %JAVA_HOME% = C:\Program Files\Java\jdk7\
/usr/java/jdk7                                   $JAVA_HOME = /usr/java/jdk7

Ensure that the %PATH% ($PATH on Linux) environment variable setting contains the %JAVA_HOME%\bin ($JAVA_HOME/bin on Linux) path.

Procedure

  1. Obtain a token signing certificate from a trusted STS (Security Token Service) organization.
    To obtain a token signing certificate from the ADFS STS:
    1. Log on to the ADFS STS server.
    2. Start the ADFS STS Management Console.
    3. In the left pane, navigate to Service > Certificates.
    4. In the center pane, under Certificates, right-click the ADFS certificate in the Token-signing section and then click View Certificate.
    5. On the Details tab, click Copy to File.

      The Certificate Export Wizard opens on the welcome page. Click Next to continue.

    6. In the Export File Format pane, select DER encoded binary X.509 (.CER).
    7. In the File to Export pane, save the file to C:\sts_signing_cert.cer (/usr/sts_signing_cert.cer on Linux).
    8. On the Completing the Certificate Export Wizard pane, click Finish to exit.
    To obtain a token signing certificate from the SDL LiveContent Architect STS (InfoShareSTS):
    1. In a web browser, log on to the SDL LiveContent Architect STS (InfoShareSTS) site.
    2. Click the icon in the taskbar, and then click View certificates.
    3. On the Details tab, click Copy to File.
    4. Save the certificate file to c:\sts_signing_cert.cer (/usr/sts_signing_cert.cer on Linux).
  2. Import the token signing certificate into the Apache Tomcat keystore.
    1. In a Command Prompt (Windows) or Terminal (Linux) window, from the JDK bin directory, run the following command:

      On Windows:

      keytool -import -keystore TOMCAT_HOME\conf\tomcat_keystore.jks -alias mystscert -trustcacerts -file c:\sts_signing_cert.cer -noprompt -storepass *****

      where:
      • TOMCAT_HOME is the Apache Tomcat application server installation directory (for example, C:\Program Files\Apache Software Foundation\Tomcat 7.0\).
      • -file c:\sts_signing_cert.cer specifies the token signing certificate file you obtained from the STS organization.

      On Linux:

      keytool -import -keystore TOMCAT_HOME/conf/tomcat_keystore.jks -alias mystscert -trustcacerts -file /usr/sts_signing_cert.cer -noprompt -storepass *****

      where:
      • TOMCAT_HOME is the Apache Tomcat application server installation directory (for example, /usr/Apache Software Foundation/Tomcat 7.0/).
      • -file /usr/sts_signing_cert.cer specifies the token signing certificate file you obtained from the STS organization.
    2. Check the content of the keystore for the token signing certificate:

      keytool -list -keystore TOMCAT_HOME/conf/tomcat_keystore.jks -storepass ***** -v
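      As an added check after the import (example script, not from the SDL documentation): because -noprompt suppresses the fingerprint confirmation that keytool would otherwise show, this script compares the SHA-256 fingerprint of the exported .cer file with that of the keystore entry. It assumes the alias mystscert and the keystore path used above, and runs offline on constructed sample keytool output.

```shell
#!/bin/sh
# Added example; not part of the SDL LiveContent documentation.
# "keytool -import ... -noprompt" never displays the certificate fingerprint,
# so this script confirms that the entry under the alias from the page
# ("mystscert") has the same SHA-256 fingerprint as the exported .cer file.

# Print the SHA-256 fingerprint of the keystore entry whose alias is $1.
# stdin: output of "keytool -list -keystore ... -storepass ... -v".
fingerprint_for_alias() {
    awk -v alias="$1" '
        /^Alias name:/                          { current = $3 }
        /^[ \t]*SHA256:/ && current == alias    { print $2; exit }
    '
}

# Print the SHA-256 fingerprint from "keytool -printcert -file <cer>" output (stdin).
fingerprint_of_cert() {
    awk '/^[ \t]*SHA256:/ { print $2; exit }'
}

# Succeed only when both fingerprints are non-empty and equal (case-insensitive).
fingerprints_match() {
    a=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live check against a real keystore; needs keytool ($JAVA_HOME/bin) on PATH.
# $1 keystore path, $2 alias, $3 store password, $4 exported certificate file.
verify_imported_cert() {
    expected=$(keytool -printcert -file "$4" | fingerprint_of_cert)
    actual=$(keytool -list -keystore "$1" -storepass "$3" -v | fingerprint_for_alias "$2")
    fingerprints_match "$expected" "$actual"
}

# Constructed sample of "keytool -list -v" output (fingerprints are made up).
SAMPLE_LIST='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA256: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00

Alias name: mystscert
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA256: 3A:7F:0C:9B:2E:51:D4:66:8F:A0:15:C7:39:E2:4B:D8:90:1F:6A:B3:27:C5:E9:04:7D:B1:58:3C:F2:A6:0E:91
'

# Example run on the sample: prints the mystscert fingerprint.
printf '%s\n' "$SAMPLE_LIST" | fingerprint_for_alias mystscert
```

      Against a real installation, call verify_imported_cert "$TOMCAT_HOME/conf/tomcat_keystore.jks" mystscert '*****' /usr/sts_signing_cert.cer and treat a non-zero exit status as a mismatch between the exported file and the keystore entry.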