- Click Configuration, then select the Trust Store tab.
- In the Manage your keystore section, click Reloadable keystore enabled to enable the embedded trust store once it has been configured. You can add and delete certificates before that, but they are not taken into account until you enable the trust store.
- In the Read-only certificates section, identify the read-only certificates in the list. These keys are already present in the list because they are shipped with the product rather than generated for your installation, so use them only for testing/debugging purposes, never for a production deployment.
- In the Dynamic certificates section, click the add icon to add a certificate. Once certificates have been created, the list of dynamically added certificates is displayed. You can create two types of certificate:
  - X509 certificate. To add an X509 certificate:
    - Enter an alias for the key in the New entity alias field.
    - Copy/paste the content of the certificate into the Base64-encoded value of the X509 certificate to add text area.
  - PKCS12 (for a private key). PKCS#12 is an archive that is commonly used to bundle a private key with its X.509 public certificate. To add one:
    - Enter an alias for the key in the New entity alias field.
    - Copy/paste the content of your PKCS#12 keystore into the Base64-encoded value of the PKCS12 which contains the key to import text area.
    - Enter the password of your PKCS#12 keystore, if any.
    - Enter the password of the key to import.
- Click Apply to save the key. The certificates are then added to either the Read-only certificates or the Dynamic certificates section. To delete one, click Delete.
In both the Read-only certificates and the Dynamic certificates sections, certificates that include a private key are identified by a red star symbol (*).
The following example shows how to create your own PKCS#12 and import it into the 3DPassport Trust Store.
For production purposes, create the CSR at step b) and send it to your Certificate Authority so it can issue a genuine signed certificate; then skip step c) and continue from step d), using the CA-issued certificate in place of server.crt.
For test purposes, sign the CSR yourself at step c) to obtain a self-signed certificate, then continue with step d).
a) Generate your private key, and provide a pass phrase:
openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
................................+++
...................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
Note: genrsa only generates the key, so it takes no hash option; the signature hash is selected with -sha256 when the CSR and the certificate are signed in steps b) and c). -des3 encrypts the key file with Triple DES; with OpenSSL 1.0 or later, -aes256 is the stronger choice.
Note: On Windows, you can use an existing or newly installed Apache HTTPD distribution (or standalone openssl binaries) to generate your private key.
b) Generate your Certificate Signing Request (CSR); -sha256 sets the request's signature hash, since older OpenSSL releases default to SHA-1:
openssl req -new -sha256 -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:FR
State or Province Name (full name) [Berkshire]:Yvelines
Locality Name (eg, city) [Newbury]:Velizy
Organization Name (eg, company) [My Company Ltd]:Dassault Systemes
Organizational Unit Name (eg, section) []:3DPassport
Common Name (eg, your name or your server's hostname) []:lw5-yxs-dsy.dsone.3ds.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
c) Generate a self-signed certificate (test purposes only); without -sha256, OpenSSL releases before 1.1.0 sign with SHA-1, which current browsers and many TLS clients reject:
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=FR/ST=Yvelines/L=Velizy/O=Dassault Systemes/OU=3DPassport/CN=lw5-yxs-dsy.dsone.3ds.com
Getting Private key
Enter pass phrase for server.key:
d) Generate a PKCS#12 keystore with your private key and public certificate (in production, server.crt is the certificate issued by your CA):
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -name "lw5-yxs-dsy.dsone.3ds.com"
Enter pass phrase for server.key:
Enter Export Password:
Verifying - Enter Export Password:
The -name value becomes the friendlyName stored in the archive. Choose the export password carefully: it is the only protection for the private key once the archive leaves this machine.
e) Output the content of your PKCS#12 keystore in Base64 format:
base64 server.p12 > server.p12.b64
GNU base64 wraps its output at 76 characters; if the text area does not accept line breaks, use base64 -w 0 server.p12 > server.p12.b64 to produce a single line.
On Windows, you can use certutil -encode server.p12 server.b64 to convert the PKCS12 keystore into Base64-encoded content for use in 3DPassport's Trust Store. certutil surrounds the output with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines; remove them and paste only the Base64 body, since the archive is a PKCS#12 blob, not a PEM certificate.
f) Go to the Trust Store tab, enter your New entity alias, the Base64 content of your PKCS#12 and the passwords, then click Apply.
g) Go to the Metadata generation form and select your newly added key to sign and encrypt.
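The key, CSR, self-signed certificate, PKCS#12 and Base64 steps above, run end to end without interactive prompts, as an added example that is not part of the original page or of the 3DPassport product. It assumes a placeholder hostname (sso.example.test), DN fields and pass phrases passed as arguments, none of which come from the page; it uses -aes256 instead of -des3 for the key file and SHA-256 for every signature, adds a subjectAltName extension (openssl x509 -req does not copy extensions from the CSR), and before producing the single-line Base64 file it checks what a practitioner would check by hand: the archive opens with the export password, the expected alias is present, the SAN is in the certificate, and the private key matches the certificate.

```shell
#!/bin/sh
# Added example (not 3DPassport's own tooling): non-interactive key -> CSR -> self-signed cert -> PKCS#12 -> Base64.
# Assumed values: the hostname, DN fields and pass phrases are placeholders supplied as arguments.
set -eu

# make_p12 WORKDIR HOST KEYPASS EXPORTPASS
make_p12() {
    dir="$1"; host="$2"; keypass="$3"; exportpass="$4"
    mkdir -p "$dir"

    # a) Private key, encrypted at rest. -aes256 replaces the page's legacy -des3;
    #    there is no hash option here, the hash is chosen when something is signed.
    openssl genrsa -aes256 -passout "pass:$keypass" -out "$dir/server.key" 2048 2>/dev/null

    # b) CSR. -subj supplies the DN so no prompts appear; in production this file goes to the CA.
    openssl req -new -sha256 -key "$dir/server.key" -passin "pass:$keypass" \
        -subj "/C=FR/ST=Yvelines/L=Velizy/O=Example Org/OU=3DPassport/CN=$host" \
        -out "$dir/server.csr"

    # c) Self-signed certificate, test use only. openssl x509 -req does not carry
    #    extensions over from the CSR, so the SAN is supplied through -extfile.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -passin "pass:$keypass" \
        -extfile "$dir/san.cnf" -out "$dir/server.crt" 2>/dev/null

    # d) PKCS#12 bundle. -name becomes the friendlyName, i.e. the alias the Trust Store shows.
    openssl pkcs12 -export -inkey "$dir/server.key" -passin "pass:$keypass" \
        -in "$dir/server.crt" -name "$host" \
        -passout "pass:$exportpass" -out "$dir/server.p12"

    # e) Base64 on a single line. GNU base64 wraps at 76 columns and BSD base64 uses a
    #    different flag to disable that, so newlines are stripped portably instead.
    base64 "$dir/server.p12" | tr -d '\n' > "$dir/server.p12.b64"
}

# verify_p12 WORKDIR HOST KEYPASS EXPORTPASS
# Returns 0 only if the archive opens with the export password, carries the expected alias,
# the certificate has the SAN, the key matches the certificate and the Base64 round-trips.
verify_p12() {
    dir="$1"; host="$2"; keypass="$3"; exportpass="$4"

    openssl pkcs12 -in "$dir/server.p12" -passin "pass:$exportpass" -nokeys -clcerts \
        -out "$dir/from_p12.txt" 2>/dev/null
    grep -q "friendlyName: $host" "$dir/from_p12.txt" || { echo "alias missing" >&2; return 1; }

    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" \
        || { echo "SAN missing" >&2; return 1; }

    # Same public key in the certificate and in the private key file?
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$dir/server.key" -passin "pass:$keypass" -pubout | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; return 1; }

    # The Base64 file must decode back to the exact archive that will be pasted.
    base64 -d "$dir/server.p12.b64" | cmp -s - "$dir/server.p12" \
        || { echo "base64 round-trip failed" >&2; return 1; }
    return 0
}

# Usage: sh make_p12.sh <workdir> <hostname> <key-pass-phrase> <export-password>
if [ "$#" -eq 4 ]; then
    make_p12 "$@"
    verify_p12 "$@" && echo "$1/server.p12.b64 is ready to paste into the Trust Store"
fi
```

Passing pass phrases on the command line is a convenience for a throwaway test key; for a production key use the interactive prompts from the page, or -passin/-passout with a file: or env: source, so the secret does not land in shell history or the process list. If the platform rejects an archive produced by OpenSSL 3.x, which defaults to AES-256 and PBKDF2 inside the PKCS#12, re-export with the -legacy flag to get the older PKCS#12 algorithms that earlier Java runtimes expect, and prefer upgrading the runtime over keeping that setting.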
- Return to the SAML tab, then enable SAML mode.
- Log onto the 3DEXPERIENCE platform to test that SAML federation has been configured and enabled in 3DPassport.
When attempting to log onto the 3DEXPERIENCE platform, the end user is first redirected to the third-party identity provider login page. After successful authentication by the identity provider, the user is redirected back to the 3DEXPERIENCE platform.
If all the attributes required to access the 3DEXPERIENCE platform have been retrieved from the SAML assertion, the user is automatically authenticated and redirected to the 3DEXPERIENCE platform (3DDashboard service).
If some attributes are missing from the SAML assertion, the user is redirected to the 3DPassport update page to complete the end user's account. After providing the missing attributes and updating the account, the user is redirected back to the 3DEXPERIENCE platform.