Configuring Trust Store

3DPassport can be configured to federate with an external third party SSO system and delegate authentication to the system using the SAML protocol.

To enable SAML federation, 3DPassport must be able to establish an HTTPS connection to the third party identity provider, and reciprocally the third party identity provider must be able to establish an HTTPS connection to 3DPassport. To enable HTTPS connections between the service provider and the third party identity provider, each system must have the correct certificates embedded in its respective keystore.

3DPassport provides an embedded trust store that you can use to import public/private keys, either for SSL/TLS authentication or to digitally sign/verify and/or encrypt/decrypt SAML messages. This embedded keystore can be used instead of the JDK/JRE keystore for HTTPS configuration.

  1. Click Configuration, then select the Trust Store tab.
  2. In the Manage your keystore section, click Reloadable keystore enabled to enable the embedded trust store once it has been configured.

    You can add and delete certificates but they will not be taken into account until you enable the trust store.

  3. In the Read-only certificates section, identify the read-only certificates in the list. These keys are already present and can be used for testing/debugging purposes.
  4. In the Dynamic certificates section, click to add a certificate.

    Once they have been created, a list of dynamically generated certificates is displayed.

    You can create two types of certificate:

    X509 certificate

    To add an X509 certificate:

    • Enter an alias for the key in the New entity alias field.
    • Copy/paste the content of the key into the Base64-encoded value of the X509 certificate to add text area.

    PKCS12 (for private key)

    PKCS#12 is an archive that is commonly used to bundle a private key with its X.509 public certificate.

    • Enter an alias for the key in the New entity alias field.
    • Copy/paste the content of your PKCS#12 keystore in the Base64-encoded value of the PKCS12 which contains the key to import text area.
    • Enter the password of your PKCS#12 keystore, if any.
    • Enter the password of the key to import.

  5. Click Apply to save the key.

    The certificates are then added to either the Read-only certificates or Dynamic certificates section. To delete a certificate, click Delete.

    When displayed either in the Read-only certificates or Dynamic certificates section, the certificates that include a private key are identified by a red star symbol (*).

    Here is an example of how to create your own PKCS#12 keystore and import it into the 3DPassport Trust Store.

    For production purposes, you need to create a CSR file as described in step b) and send it to your Certificate Authority so that it can issue a genuine signed certificate. Then you can continue from step c).

    For test purposes, you can skip CSR creation at step b) and create a self-signed certificate instead, as explained in step c).

    1. Generate your private key, and provide a pass phrase:

      openssl genrsa -des3 -out server.key 2048

      Generating RSA private key, 2048 bit long modulus
      ................................+++
      ...................+++
      e is 65537 (0x10001)
      Enter pass phrase for server.key:
      Verifying - Enter pass phrase for server.key:

      Note: On Windows, you can use an existing Apache HTTPD installation, or install Apache HTTPD (or the openssl binaries), to generate your private key.
    2. Generate your Certificate Signing Request (CSR):

      openssl req -new -key server.key -out server.csr

      Enter pass phrase for server.key:
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [GB]:FR
      State or Province Name (full name) [Berkshire]:Yvelines
      Locality Name (eg, city) [Newbury]:Velizy
      Organization Name (eg, company) [My Company Ltd]:Dassault Systemes
      Organizational Unit Name (eg, section) []:3DPassport
      Common Name (eg, your name or your server's hostname) []:lw5-yxs-dsy.dsone.3ds.com
      Email Address []:
      
      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:
      An optional company name []:

    3. Generate a self-signed certificate:

      openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

      Signature ok
      subject=/C=FR/ST=Yvelines/L=Velizy/O=Dassault Systemes/OU=3DPassport/CN=lw5-yxs-dsy.dsone.3ds.com
      Getting Private key
      Enter pass phrase for server.key:

    4. Generate a PKCS#12 keystore with your private key and public certificate:

      openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -name "lw5-yxs-dsy.dsone.3ds.com"

      Enter pass phrase for server.key:
      Enter Export Password:
      Verifying - Enter Export Password:

    5. Output the content of your PKCS#12 keystore in Base64 format:

      cat server.p12 | base64 > server.p12.b64

      On Windows, you can use the following command: -encode server.p12 server.b64 to convert the PKCS#12 keystore into Base64-encoded content for use in 3DPassport's Trust Store.
    6. Now go to the Trust Store tab, enter your New entity alias, the Base64-encoded content of your PKCS#12 keystore and the passwords, then click Apply.
    7. Now you can go to the Metadata generation form and select your newly added key for signing and encryption.
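    The five command-line steps above, as an added example that is not part of the 3DPassport documentation: the same openssl commands run non-interactively (-subj and -passin/-passout replace the prompts), followed by the checks worth running before pasting the result into the Trust Store. It assumes the openssl and base64 command-line tools are on the PATH; the DN values, host name and passwords are constructed examples.

```shell
#!/bin/sh
# Added example, not part of the 3DPassport documentation: the PKCS#12 preparation
# steps run non-interactively, plus sanity checks before import into the Trust Store.
# Assumes the openssl and base64 CLIs are on PATH; DN values and host name are
# constructed examples.
set -eu

# make_p12 DIR CN KEY_PASSPHRASE EXPORT_PASSWORD
# Writes server.key, server.csr, server.crt, server.p12 and server.p12.b64 into DIR.
make_p12() {
  dir=$1; cn=$2; keypass=$3; exportpass=$4
  mkdir -p "$dir"

  # Step 1: 2048-bit RSA private key, encrypted with the pass phrase
  # (AES-256 instead of the DES3 shown above; both are accepted by the pkcs12 export).
  openssl genrsa -aes256 -passout "pass:$keypass" -out "$dir/server.key" 2048 2>/dev/null

  # Step 2: certificate signing request; the DN is given on the command line.
  openssl req -new -key "$dir/server.key" -passin "pass:$keypass" -out "$dir/server.csr" \
    -subj "/C=FR/ST=Yvelines/L=Velizy/O=Example Org/OU=3DPassport/CN=$cn"

  # Step 3 (test setups only): self-signed certificate valid for 365 days.
  # For production, send server.csr to your CA and store its answer as server.crt instead.
  openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
    -passin "pass:$keypass" -out "$dir/server.crt" 2>/dev/null

  # Step 4: bundle the private key and certificate into a PKCS#12 keystore whose
  # friendly name (the alias inside the archive) is the host name.
  openssl pkcs12 -export -out "$dir/server.p12" -inkey "$dir/server.key" \
    -in "$dir/server.crt" -name "$cn" -passin "pass:$keypass" -passout "pass:$exportpass"

  # Step 5: Base64 text to paste into the "PKCS12 which contains the key to import" area.
  base64 "$dir/server.p12" > "$dir/server.p12.b64"
}

# key_matches_cert DIR KEY_PASSPHRASE
# Succeeds only if the public key inside server.crt is the one derived from server.key,
# i.e. the pair bundled into server.p12 is consistent (a mismatch means a CA answered a
# different CSR, or the wrong key file was used).
key_matches_cert() {
  dir=$1; keypass=$2
  k=$(openssl rsa -in "$dir/server.key" -passin "pass:$keypass" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$dir/server.crt" -pubkey -noout | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# p12_cn DIR EXPORT_PASSWORD
# Prints the CN of the certificate stored in server.p12; prints nothing if the export
# password is wrong, so it doubles as a check of the value you will enter in the
# "password of your PKCS#12 keystore" field.
p12_cn() {
  dir=$1; exportpass=$2
  openssl pkcs12 -in "$dir/server.p12" -passin "pass:$exportpass" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
    | sed -e 's/^subject=//' -e 's/^CN=//' -e 's/,.*//'
}

# b64_roundtrips DIR
# Succeeds if decoding server.p12.b64 gives back server.p12 byte for byte, which is
# what the Trust Store does with the pasted text.
b64_roundtrips() {
  dir=$1
  [ "$(base64 -d "$dir/server.p12.b64" | openssl sha256)" = "$(openssl sha256 < "$dir/server.p12")" ]
}

# Usage (constructed values): make_p12 ./work sp.example.test 'keyPass' 'exportPass'
```

    After make_p12 has run, key_matches_cert and p12_cn are the two checks that catch the usual import failures: a certificate that does not belong to the key you bundled, and an export password that differs from the one you type into the form. The content of server.crt (PEM, i.e. the Base64 DER between the BEGIN/END lines) is also what the identity provider side needs as an X509 certificate entry if it has to trust this key.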

  6. Return to the SAML tab, then enable SAML mode.
  7. Log onto the 3DEXPERIENCE platform to test that SAML federation has been configured and enabled in 3DPassport.

    When attempting to log onto the 3DEXPERIENCE platform, the end user is first redirected to the third party identity provider login page. After successful authentication by the identity provider, the user is redirected back to the 3DEXPERIENCE platform.

    If all the required attributes to access the 3DEXPERIENCE platform have been retrieved from the SAML assertion, the user is then automatically authenticated and redirected back to the 3DEXPERIENCE platform (3DDashboard service).

    If certain attributes are missing from the SAML assertion, the user is redirected to the 3DPassport update page to update the end user's account. After providing the missing attributes and updating the account, the user is redirected back to the 3DEXPERIENCE platform.