XTAM Federated Sign-In – Importing a Self Signed Certificate

While we continue to recommend the use of an SSL certificate from a well-known internet Certificate Authority, we understand that not everyone has, or wants to invest in, such a certificate. If you have a self-signed certificate that you wish to use with the XTAM Federated Sign-In module, please review the following article, which outlines several scenarios, and choose the one that best fits your needs.


I do not currently have a self-signed certificate, but I would like to generate one.

The following section describes how to use XTAM to create your own self-signed certificate (in JKS format) and then configure XTAM to use it. Please note that this self-signed certificate may not be trusted by all your internet browsers, so you may still receive a browser security warning.

1. Login to the server where XTAM is installed.

2. Open a command line, navigate to the folder where XTAM is installed ({$XTAM_HOME}) and issue the following command:

   2a. For Windows, substitute PATH_TO_KEY_STORE.jks with the location and name of the certificate file to be created (for example, c:\xtam\content\keys\xtamcert.jks). ALIAS_NAME is a unique identifying string for the key and can be any value without spaces or special characters (for example, xtamcert):

       bin\PamKeytool.cmd -genkey -keystore PATH_TO_KEY_STORE.jks -alias ALIAS_NAME -keyalg RSA -keysize 4096 -validity 720

   2b. For Unix or Linux, substitute PATH_TO_KEY_STORE.jks with the location and name of the certificate file to be created. ALIAS_NAME is a unique identifying string for the key and can be any value without spaces or special characters:

       bin/PamKeytool.sh -genkey -keystore PATH_TO_KEY_STORE.jks -alias ALIAS_NAME -keyalg RSA -keysize 4096 -validity 720
3. After the command is issued, you will be prompted for a number of values. Enter them as described below:

   3a. Keystore Password: create a password for the keystore defined in the PATH_TO_KEY_STORE location.
   3b. First and Last Name: the domain name of the server. It looks wrong, but you need to enter the domain name for the certificate here. For example, xtam.company.com.
   3c. Organizational Unit: your department name.
   3d. Organization: your company name.
   3e. City or Locality: your city or locality name.
   3f. State or Province: your state or province name.
   3g. Country Code: your two-letter country code.

4. Confirm your information by entering y for Yes.

5. Create a new password for the key (as defined by its alias name) or reuse the keystore password by pressing the Enter key.

XTAM Self Signed Certificate Generate Command

6. The certificate will now be generated in the location defined by PATH_TO_KEY_STORE.jks.

XTAM Self-Signed Certificate File Location

7. Now we want to encrypt your key password. In the same command line, issue the following command:

   7a. For Windows:

       bin\PamDirectory.cmd Encrypt -

   7b. For Unix or Linux:

       bin/PamDirectory.sh Encrypt -

8. When prompted, enter your key password (the password from step 5) and press Enter to continue. The command output will display the full encrypted password string after the Ok: prefix.

XTAM Certificate Password Encrypt Command

9. Now that we have your new certificate (PATH_TO_KEY_STORE.jks) and its encrypted password, it's time to configure it for use by XTAM. Open the file {XTAM_HOME}/web/conf/catalina.properties

10. Scroll down or search for the section labeled # SSL Certificate

11. In this section, replace the existing path and password with your new certificate and its encrypted password:

    11a. xtam.cert.path={PATH_TO_KEY_STORE.jks}
    11b. xtam.cert.password={yourEncryptedPasswordString}

XTAM Self-Signed Certificate Configuration File

12. Save and close this file.

13. Restart the PamManagement (Windows) or pammanager (Linux) service.

14. Open your browser and navigate to the new login page. Remember, the XTAM login will now be located at the domain defined in the certificate, for example https://xtam.company.com:6443/xtam

To summarize, you have now generated your own certificate and an encrypted password for it, and configured XTAM to recognize and use this certificate. This configuration allows the use of XTAM without the Federated Sign-In module. To also use the Federated Sign-In module, continue to the next section.
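The edit in steps 9 to 12 is a two-line change to a Java properties file, and the one mistake that is easy to make there is the Windows path: in a Java .properties file a backslash is an escape character, so a value such as c:\xtam\content\keys\xtamcert.jks loses its backslashes when the file is loaded, and the service comes up without the new keystore. The following script, added here as an example and not part of XTAM or its documentation, rewrites the two xtam.cert.* keys named on this page in place, refuses to continue if either key is missing from the file, and normalises a Windows path to forward slashes (which Java accepts on Windows). The sample properties text, the xtam.http.port key and the comment lines around the section are constructed for the example; only the two xtam.cert.* key names come from the page.

```python
"""Rewrite xtam.cert.path / xtam.cert.password in a catalina.properties file.

Added example, not XTAM code. Assumes a plain "key=value" properties layout;
the only key names taken from the XTAM article are xtam.cert.path and
xtam.cert.password.
"""
import re
from pathlib import Path

# Constructed sample of the "# SSL Certificate" section (the other key and
# the comment text are invented for the example).
SAMPLE_PROPERTIES = """# Misc settings
xtam.http.port=6443

# SSL Certificate
xtam.cert.path=/opt/xtam/content/keys/default.jks
xtam.cert.password=OLD_ENCRYPTED_VALUE
"""


def to_properties_path(path: str) -> str:
    """Java Properties treat '\\' as an escape, so c:\\xtam\\keys\\x.jks would be
    read as c:xtamkeysx.jks. Forward slashes are accepted by Java on Windows
    and need no escaping, so convert to them."""
    return path.replace("\\", "/")


def set_properties(text: str, updates: dict) -> str:
    """Return `text` with the value of each key in `updates` replaced in place.

    Only the first "key=value" line per key is rewritten; comments and other
    lines are preserved unchanged. A missing key raises instead of being
    appended, so a typo in the section cannot silently leave the old
    certificate in use after the restart."""
    for key, value in updates.items():
        pattern = re.compile(r"^([ \t]*" + re.escape(key) + r"[ \t]*=).*$", re.MULTILINE)
        # A function replacement avoids backslash interpretation in `value`.
        text, count = pattern.subn(lambda m: m.group(1) + value, text, count=1)
        if count == 0:
            raise KeyError(f"{key} not found in properties text")
    return text


def get_property(text: str, key: str):
    """Read back a single key (None if absent); used to verify the rewrite."""
    m = re.search(r"^[ \t]*" + re.escape(key) + r"[ \t]*=(.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None


def configure_certificate(properties_file: Path, keystore_path: str,
                          encrypted_password: str) -> str:
    """Rewrite the file on disk (steps 9-12 of the article) and return the new text."""
    text = properties_file.read_text(encoding="utf-8")
    new_text = set_properties(text, {
        "xtam.cert.path": to_properties_path(keystore_path),
        "xtam.cert.password": encrypted_password,
    })
    properties_file.write_text(new_text, encoding="utf-8")
    return new_text


if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write(SAMPLE_PROPERTIES)
    # The password value is a placeholder: in real use paste the string that
    # PamDirectory Encrypt printed after "Ok:".
    print(configure_certificate(Path(f.name),
                                r"c:\xtam\content\keys\xtamcert.jks",
                                "ENCRYPTED_PASSWORD_PLACEHOLDER"))
```

After running it, reopen catalina.properties and confirm that the value on the xtam.cert.path line is the path you intended before restarting the PamManagement or pammanager service; an unreadable keystore path surfaces only at startup.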


I already have a self-signed certificate encoded in JKS format that I would like to use.

The following section describes how to convert your existing .jks certificate (like the one created in the previous section) into the .der format so that the XTAM Federated Sign-In module can be used.

1. Open a command line, navigate to the folder where XTAM is installed ({$XTAM_HOME}) and issue the following command. Substitute ALIAS_NAME with the unique identifying string for the key, CERTIFICATE.der with the location and name of the converted certificate file in .der format, and PATH_TO_KEYSTORE.jks with the location and name of the .jks certificate file to be converted.

   1a. For Windows:

       bin\PamKeytool.cmd -export -alias ALIAS_NAME -file CERTIFICATE.der -keystore PATH_TO_KEYSTORE.jks

   1b. For Unix or Linux:

       bin/PamKeytool.sh -export -alias ALIAS_NAME -file CERTIFICATE.der -keystore PATH_TO_KEYSTORE.jks

2. After the command is issued, you will be prompted to enter the keystore password. Enter this password and press Enter to continue.

XTAM Self Signed Certificate Convert Command

3. The certificate will now be converted and the message Certificate stored in file will be displayed.

XTAM Self-Signed Certificate Converted File Location

You have now converted your existing .jks certificate into a .der certificate so that the XTAM Federated Sign-In module can be secured with it. Continue to the DER certificate section to configure this certificate in the Federated Sign-In module.


I already have a self-signed certificate encoded in something other than DER or JKS that I would like to use.

The following section describes how to convert an existing certificate that is in neither .jks nor .der format into the .der format so that the XTAM Federated Sign-In module can be used. For this we will download and use an external application called OpenSSL (external link) and provide a few common conversion examples. Please review the OpenSSL documentation for additional guidance.
There are several utilities available for certificate conversion, so if you would like to use something else, ensure it can convert your current certificate format into .der format.

1. Download and install OpenSSL.

2. Open a command line, navigate to OpenSSL and issue the command specific to your conversion needs.

   2a. For example, to convert .pem format to .der:

       openssl x509 -in CERT.pem -out CERT.der -outform DER

   2b. For example, to convert .pfx format to .pem:

       openssl pkcs12 -in certificatename.pfx -out certificatename.pem

When the conversion is complete (which may require more than one operation, for example .pfx to .pem and then .pem to .der), your certificate is in the required .der format. You can continue to the next section to configure the XTAM Federated Sign-In module with this certificate.
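Which of the two openssl commands above applies depends on what the file actually contains, and the extension is not a reliable guide: a ".cer" may be PEM or DER, and a ".pfx" is itself a DER-encoded PKCS#12 container rather than a bare certificate. The script below, added here as an example and not part of OpenSSL or XTAM, classifies a file by its structure (PEM armor, the DER tag-and-length header, the PKCS#12 version field, the 0xFEEDFEED magic of a JKS keystore) and performs the PEM-to-DER and DER-to-PEM conversions with the Python standard library's ssl helpers. The byte strings used as samples are constructed, minimal DER structures, not real certificates.

```python
"""Classify a certificate file by its encoding and convert PEM <-> DER.

Added example (standard library only); not OpenSSL and not XTAM code.
"""
import ssl

JKS_MAGIC = b"\xfe\xed\xfe\xed"   # first four bytes of a Java keystore file

# Constructed samples (not real certificates): a DER SEQUENCE containing a
# SEQUENCE, which is the outer shape of an X.509 certificate, and a DER
# SEQUENCE opening with INTEGER 3, which is the outer shape of a PKCS#12 PFX.
SAMPLE_DER_CERT_SHAPE = b"\x30\x04\x30\x02\x05\x00"
SAMPLE_PKCS12_SHAPE = b"\x30\x03\x02\x01\x03"


def der_header_length(data: bytes) -> int:
    """Number of bytes used by the outermost DER tag and length, or -1 if malformed."""
    if len(data) < 2:
        return -1
    first = data[1]
    if first < 0x80:                 # short form: the byte is the content length
        return 2
    n = first & 0x7F                 # long form: n following big-endian length bytes
    if n == 0 or len(data) < 2 + n:  # 0x80 (indefinite length) is not valid DER
        return -1
    return 2 + n


def der_total_length(data: bytes) -> int:
    """Total size (header + content) the outermost DER element claims, or -1."""
    hdr = der_header_length(data)
    if hdr < 0:
        return -1
    if hdr == 2:
        return 2 + data[1]
    return hdr + int.from_bytes(data[2:hdr], "big")


def detect_format(data: bytes) -> str:
    """Return 'pem', 'pem-other', 'jks', 'der', 'pkcs12', 'der-unknown' or 'unknown'."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem"
    if b"-----BEGIN " in data:
        return "pem-other"           # PEM, but a key, CSR or PKCS#7 bundle, not a cert
    if data.startswith(JKS_MAGIC):
        return "jks"
    # A DER file must start with SEQUENCE (0x30) and its declared length must
    # cover exactly the whole file; a truncated or trailing-garbage file fails here.
    if data[:1] == b"\x30" and der_total_length(data) == len(data):
        inner = data[der_header_length(data):][:1]
        if inner == b"\x30":
            return "der"             # tbsCertificate SEQUENCE: an X.509 certificate
        if inner == b"\x02":
            return "pkcs12"          # version INTEGER: a PKCS#12 (.pfx/.p12) container
        return "der-unknown"
    return "unknown"


def pem_to_der(pem_text: str) -> bytes:
    """Equivalent of `openssl x509 -in CERT.pem -outform DER` for a single certificate."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def der_to_pem(der_bytes: bytes) -> str:
    """Equivalent of `openssl x509 -inform DER -in CERT.der` (PEM output)."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def convert_to_der(data: bytes) -> bytes:
    """Return DER bytes for a PEM or DER certificate; refuse containers that
    need a different openssl command (pkcs12) or a keytool export (jks)."""
    kind = detect_format(data)
    if kind == "der":
        return data
    if kind == "pem":
        return pem_to_der(data.decode("ascii"))
    raise ValueError(f"cannot convert {kind!r} directly to DER; see the conversion steps")


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            print(name, detect_format(fh.read()))
```

Run it as `python detect.py CERT.cer other.pfx` to see which conversion each file needs before running the openssl commands; a result of pkcs12 means the two-step route (.pfx to .pem, then .pem to .der) applies, and jks means the export command from the previous section, not OpenSSL, is the right tool.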


I already have a self-signed certificate encoded in DER format that I would like to use.

The following section describes how to import your certificate in .der format into XTAM so that the Federated Sign-In module can be utilized. If you do not have a certificate, or if it is not in the .der format, please review the previous sections of this FAQ article.

1. Open a command line, navigate to the folder where XTAM is installed ({$XTAM_HOME}) and issue the following command. Substitute ALIAS_NAME with the unique identifying string for the key, and PATH_TO_CERT.der with the location and name of the .der certificate file to be imported and used by the Federated Sign-In module.

   1a. For Windows:

       bin\PamKeytool.cmd -import -alias ALIAS_NAME -file PATH_TO_CERT.der -keystore jre\lib\security\cacerts

   1b. For Unix or Linux:

       bin/PamKeytool.sh -import -alias ALIAS_NAME -file PATH_TO_CERT.der -keystore jre/lib/security/cacerts

2. After the command is issued, you will be prompted for the keystore password. Enter the value changeit and press the Enter key to continue.

3. When asked Trust this certificate [n]: enter y for yes and press the Enter key to continue.

4. The confirmation message Certificate was added to keystore will appear when the import process has completed successfully.

XTAM Self Signed Certificate Import Command

5. Now that the certificate has been added, you can return to the Federated Sign-In article to complete the setup using this self-signed certificate.

The import is complete and the XTAM Federated Sign-In module is now set up to be secured with your own internal or self-signed certificate. If you have done this previously, are unsure whether the import was successful, or simply want to double-check, continue to the next section to check which certificates are in the XTAM store.


I imported my self-signed certificate already and want to check that it is in the XTAM store.

1. Open a command line, navigate to the folder where XTAM is installed ({$XTAM_HOME}) and issue the following command:

   1a. For Windows:

       bin\PamKeytool.cmd -v -list -keystore jre\lib\security\cacerts

   1b. For Unix or Linux:

       bin/PamKeytool.sh -v -list -keystore jre/lib/security/cacerts

2. After the command is issued, you will be prompted for the keystore password. Enter the value changeit and press the Enter key to continue.

The output will list all certificates currently found in the XTAM store. Please note that many well-known trusted internet Certificate Authority certificates come with XTAM out of the box, so you will need to search through all of them to locate your self-signed certificate.
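Because the store ships with a long list of public CA certificates, reading the verbose listing by eye is error-prone, and the listing also contains the two facts worth checking at this point: that the entry's CN is the domain name entered in step 3b of the generation section, and that the certificate (720 days in the example command) has not expired. The following script, added here as an example and not part of XTAM or keytool, parses the verbose keytool listing into entries and checks a given alias for both. The listing embedded in it is a constructed sample in the layout keytool -v -list prints (entries separated by lines of asterisks); the aliases, names and dates in it are invented.

```python
"""Find one alias in `keytool -v -list` output and check its CN and validity.

Added example; not XTAM or keytool code. Parses the verbose listing format
(entries separated by rows of asterisks). Dates are parsed with strptime,
which understands UTC/GMT and the local zone name; other zone names yield
None and the expiry check is then skipped rather than guessed.
"""
import re
from datetime import datetime, timezone

# Constructed sample listing (two entries, invented names and dates).
SAMPLE_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: examplecaroot
Creation date: Jan 1, 2020
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Inc, C=US
Issuer: CN=Example Root CA, O=Example Inc, C=US
Serial number: 1
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Tue Jan 01 00:00:00 UTC 2030
Certificate fingerprints:
\t SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
Signature algorithm name: SHA256withRSA
Version: 3


*******************************************
*******************************************


Alias name: xtamcert
Creation date: Mar 3, 2020
Entry type: trustedCertEntry

Owner: CN=xtam.company.com, OU=IT, O=Company, L=City, ST=State, C=US
Issuer: CN=xtam.company.com, OU=IT, O=Company, L=City, ST=State, C=US
Serial number: 4a3f
Valid from: Tue Mar 03 10:00:00 UTC 2020 until: Mon Feb 21 10:00:00 UTC 2022
Signature algorithm name: SHA256withRSA
Version: 3


*******************************************
*******************************************
"""


def parse_keytool_date(s: str):
    """Parse keytool's 'Tue Mar 03 10:00:00 UTC 2020' form; None if not understood."""
    try:
        return datetime.strptime(s.strip(), "%a %b %d %H:%M:%S %Z %Y")
    except ValueError:
        return None


def parse_keytool_list(text: str) -> list:
    """Split the verbose listing on the asterisk separators and read each entry."""
    entries = []
    for chunk in re.split(r"^\*{10,}[ \t]*$", text, flags=re.MULTILINE):
        alias = re.search(r"^Alias name:[ \t]*(.+)$", chunk, re.MULTILINE)
        if not alias:
            continue  # the header block, or an empty piece between separators
        entry = {"alias": alias.group(1).strip()}
        for field, key in (("Entry type", "type"), ("Owner", "owner"), ("Issuer", "issuer")):
            m = re.search(r"^" + field + r":[ \t]*(.+)$", chunk, re.MULTILINE)
            entry[key] = m.group(1).strip() if m else None
        valid = re.search(r"^Valid from:[ \t]*(.+?) until:[ \t]*(.+)$", chunk, re.MULTILINE)
        entry["not_before"] = parse_keytool_date(valid.group(1)) if valid else None
        entry["not_after"] = parse_keytool_date(valid.group(2)) if valid else None
        entries.append(entry)
    return entries


def cn_of(dn: str):
    """Extract the CN attribute from a keytool-printed distinguished name."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn or "")
    return m.group(1).strip() if m else None


def check_certificate(entries: list, alias: str, expected_host: str, now=None) -> list:
    """Return a list of problems (empty means the alias is present, named for
    expected_host and currently valid). keytool stores aliases lower-cased,
    so the comparison ignores case."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    entry = next((e for e in entries if e["alias"].lower() == alias.lower()), None)
    if entry is None:
        return [f"alias {alias!r} not found in keystore"]
    problems = []
    if cn_of(entry["owner"]) != expected_host:
        problems.append(f"CN is {cn_of(entry['owner'])!r}, expected {expected_host!r}")
    if entry["not_after"] is not None and entry["not_after"] < now:
        problems.append(f"certificate expired on {entry['not_after']:%Y-%m-%d}")
    if entry["not_before"] is not None and entry["not_before"] > now:
        problems.append("certificate is not yet valid")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: PamKeytool -v -list ... | python check_store.py xtamcert xtam.company.com
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    alias, host = (sys.argv[1:3] + ["xtamcert", "xtam.company.com"])[:2]
    found = check_certificate(parse_keytool_list(listing), alias, host)
    print("OK" if not found else "\n".join(found))
```

Piping the real listing through the script replaces the manual search: an empty problem list confirms the import, and a CN mismatch is the usual cause of the browser warning persisting after the import succeeded.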


Copyright © 2020 Xton Technologies, LLC. All rights reserved.