KB Article #174187

How to change SSO certificates in PassPort


Problem

Axway strongly recommends replacing the default Axway certificates with your company's own certificates for security reasons.

This article is a guideline for replacing these SSO certificates with your own.

Resolution

1. Current certificates

Server certificates

The Classic SSO (ReverseProxy, default port 6900) and CAS SSO (no proxy, port 6901) HTTP connectors use the same SSL server certificate (cn=PassPortSecured). This certificate is signed by the Passport CA, an offline authority whose private key is owned by the Passport team.

These certificates can be viewed in the Passport UI under Administration -> Server Security Settings, in the Default_SSO and NoProxy_SSO entries.

The Classic SSO HTTP connector does not require client authentication.

The CAS SSO HTTP connector requires client authentication; the accepted issuers are covered below.

Client certificates

Classic SSO has one client SSL certificate, stored in passport/sso/webapps/ROOT/sso.jks. The SSO agent uses this certificate to communicate with Passport over an SSL client-authenticated connection.

This certificate is also used to sign and validate the SSO cookie.

CAS SSO has one client SSL certificate, stored in ssofilter/webapps/WEB-INF/ssofilter.jks, although the exact location depends on the product's implementation of CAS SSO. This certificate is used to open an SSL client-authenticated connection to the SSO agent in order to validate and renew the SSO token. It is also used to sign and validate the temporary product SSO cookie.

Accepted Issuers

The SSL client-authenticated connections are listed below (client -> server):

Client -> Server

SSO Agent -> Passport Server

CAS SSO Product -> SSO Agent

ReverseProxy -> ReverseProxy SSO Product

Client Certificate Accepted Issuers

Both the Passport Server and the SSO Agent accept as issuer the CA that signed the certificate in passport/conf/sso.jks (identical to passport/sso/webapps/ROOT/sso.jks). In the default setup this is the intermediate Passport SSO CA, itself signed by the root Passport CA.

Server Certificates Accepted Issuers

Both the SSO Agent and the SSO Product have a jks called truststore.jks (passport/sso/webapps/ROOT/truststore.jks and, by default, ssofilter/webapps/WEB-INF/truststore.jks). This jks contains the Passport CA root authority.

2. Changing default certificates

Changing server certificates

In the Passport UI, first import your certificate into Passport under the Entities menu.

Then go to Administration -> Server Security Settings and change the SSO and NoProxy SSO certificates.

Open passport/sso/webapps/ROOT/truststore.jks and ssofilter/webapps/WEB-INF/truststore.jks. In each jks, remove the Passport CA entry and import the custom CA that signed your server certificates.

Changing client certificates

In the Passport UI, import the CA chain that signed your client certificate. Mark each CA certificate you import as active and trusted.

In passport/conf/sso.jks, delete the alias "passportsso", then import the client certificate into this jks under the alias "passportsso" using the "axway*" password. Copy this jks to passport/sso/webapps/ROOT/sso.jks and, if you are using CAS SSO, to ssofilter/webapps/WEB-INF/truststore.jks.
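Before restarting, it is worth confirming that every edited keystore really contains the expected entries and no longer contains the vendor CA. The following script is an added example written for this article, not PassPort tooling: it reads a JKS file offline using only the Python standard library and the JKS version 2 layout (magic 0xFEEDFEED, tagged entries, trailing SHA-1 integrity digest keyed by the keystore password), lists the aliases with their entry type, and reports which required entries are missing and which default entries are still present. The alias names "vendor-ca-placeholder" and "mycompany-ca", the password "changeit" and the certificate bytes are constructed placeholders; read the real aliases with keytool -list and use the real keystore password.

```python
import hashlib
import struct
import time

# JKS (Java KeyStore) v2 layout constants, as written by the Sun/Oracle provider.
JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
PRIVATE_KEY_ENTRY = 1
TRUSTED_CERT_ENTRY = 2
DIGEST_LEN = 20  # trailing SHA-1 over password + "Mighty Aphrodite" + body


def _utf(s: str) -> bytes:
    """Java DataOutput.writeUTF: 2-byte length prefix followed by the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _integrity_digest(password: str, body: bytes) -> bytes:
    """The keystore password protects integrity only; entries are not encrypted."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()


def build_truststore(password: str, certs: dict) -> bytes:
    """Write a JKS holding only trustedCertEntry items (alias -> DER bytes).
    Used here only to construct sample keystores for the check below."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(certs))
    now_ms = int(time.time() * 1000)
    for alias, der in certs.items():
        body += struct.pack(">I", TRUSTED_CERT_ENTRY)
        body += _utf(alias.lower())  # JKS stores aliases lower-cased
        body += struct.pack(">q", now_ms)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _integrity_digest(password, body)


def read_entries(data: bytes, password: str) -> dict:
    """Return {alias: entry_type} after verifying the integrity digest."""
    body, stored = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    if _integrity_digest(password, body) != stored:
        raise ValueError("integrity check failed: wrong password or modified file")
    magic, version, count = struct.unpack(">III", body[:12])
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS version 2 keystore")
    pos = 12

    def take(n: int) -> bytes:
        nonlocal pos
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def u32() -> int:
        return struct.unpack(">I", take(4))[0]

    def utf() -> str:
        return take(struct.unpack(">H", take(2))[0]).decode("utf-8")

    entries = {}
    for _ in range(count):
        tag = u32()
        alias = utf()
        take(8)  # creation timestamp, not needed here
        if tag == PRIVATE_KEY_ENTRY:
            take(u32())  # protected private key blob, skipped
            for _ in range(u32()):  # certificate chain
                utf()  # certificate type, e.g. "X.509"
                take(u32())
            entries[alias] = "PrivateKeyEntry"
        elif tag == TRUSTED_CERT_ENTRY:
            utf()
            take(u32())
            entries[alias] = "trustedCertEntry"
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return entries


def check_keystore(data: bytes, password: str, required: dict, forbidden: set) -> list:
    """Compare a keystore against expectations; returns the list of findings
    (empty when required entries are present and forbidden ones are gone)."""
    entries = read_entries(data, password)
    findings = []
    for alias, kind in required.items():
        if entries.get(alias.lower()) != kind:
            findings.append("missing %s '%s'" % (kind, alias))
    for alias in forbidden:
        if alias.lower() in entries:
            findings.append("default entry '%s' still present" % alias)
    return findings


# Constructed sample: a placeholder DER blob (NOT a real certificate) and
# placeholder alias names standing in for the vendor CA and your company CA.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
DEFAULT_STORE = build_truststore("changeit", {"vendor-ca-placeholder": SAMPLE_DER})
CUSTOM_STORE = build_truststore("changeit", {"mycompany-ca": SAMPLE_DER})

if __name__ == "__main__":
    # With a real file: check_keystore(open(path, "rb").read(), password, ...)
    for name, store in (("default", DEFAULT_STORE), ("custom", CUSTOM_STORE)):
        findings = check_keystore(store, "changeit",
                                  {"mycompany-ca": "trustedCertEntry"},
                                  {"vendor-ca-placeholder"})
        print(name, "OK" if not findings else findings)
```

The same check_keystore call can be pointed at the copied sso.jks files with required={"passportsso": "PrivateKeyEntry"} to confirm the alias from the step above was re-created as a key entry rather than as a bare trusted certificate; an integrity failure means the file was modified after it was last saved with that password, or that the password is wrong.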

------------

NOTE: When a PassPort SP/Patch is applied, sso.jks may be redelivered for renewal purposes (when its expiration approaches), in which case it overwrites the sso.jks in both passport/conf and passport/sso/webapps/ROOT. It is therefore advisable to rename the two keystores when customizing them and to apply the following changes so that the renamed files are the ones used:

a. Rename passport/conf/sso.jks

Point to the renamed jks file in the following entry of conf/filereg.xml:

<File name="pki.sso.keystore" path="conf/security/sso.jks"/>

b. Rename passport/sso/webapps/ROOT/sso.jks

Point to the renamed file in passport/sso/webapps/ROOT/WEB-INF/web.xml:

<context-param>
<param-name>keyStore</param-name>
<param-value>sso.jks</param-value>
</context-param>
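Both pointer changes above are small, but hand-editing web.xml and filereg.xml is easy to get wrong. The script below is an added example, not part of this article or of PassPort: it repoints the pki.sso.keystore File entry and the keyStore context-param with an XML parser, keeps the web-app default namespace intact on output, and re-reads each file so the change can be verified. The <FileRegistry> wrapper, the web-app namespace, the second entries in each sample and the new file name sso-custom.jks are constructed assumptions; run it against copies of the real files.

```python
import xml.etree.ElementTree as ET

# Constructed samples of the two fragments shown in the article. The
# <FileRegistry> wrapper, the web-app namespace and the second entries are
# assumptions made so that the samples parse; the real files are larger.
FILEREG_SAMPLE = """<FileRegistry>
  <File name="pki.sso.keystore" path="conf/security/sso.jks"/>
  <File name="pki.sso.truststore" path="conf/security/truststore.jks"/>
</FileRegistry>"""

WEB_XML_SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>keyStore</param-name>
    <param-value>sso.jks</param-value>
  </context-param>
  <context-param>
    <param-name>trustStore</param-name>
    <param-value>truststore.jks</param-value>
  </context-param>
</web-app>"""


def _local(tag):
    """Strip an XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def _parse(xml_text):
    """Parse and register the document's default namespace, so ElementTree
    writes <web-app xmlns="..."> back instead of an ns0: prefix."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    return root


def _file_entries(root, name):
    """All <File name="..."> elements with the given name."""
    return [el for el in root.iter()
            if _local(el.tag) == "File" and el.get("name") == name]


def _context_params(root, param):
    """Yield the <param-value> element of every <context-param> named `param`."""
    for cp in root.iter():
        if _local(cp.tag) != "context-param":
            continue
        names = [c for c in cp if _local(c.tag) == "param-name"]
        values = [c for c in cp if _local(c.tag) == "param-value"]
        if names and values and (names[0].text or "").strip() == param:
            yield values[0]


def filereg_path(xml_text, name="pki.sso.keystore"):
    """Current path attribute of the named <File> entry, or None."""
    entries = _file_entries(_parse(xml_text), name)
    return entries[0].get("path") if entries else None


def web_param(xml_text, param="keyStore"):
    """Current value of the named context-param, or None."""
    values = list(_context_params(_parse(xml_text), param))
    return (values[0].text or "").strip() if values else None


def point_filereg(xml_text, new_path, name="pki.sso.keystore"):
    """Repoint the named <File> entry; returns (updated xml, entries changed)."""
    root = _parse(xml_text)
    entries = _file_entries(root, name)
    for el in entries:
        el.set("path", new_path)
    return ET.tostring(root, encoding="unicode"), len(entries)


def point_web_xml(xml_text, new_file, param="keyStore"):
    """Repoint the named context-param; returns (updated xml, params changed)."""
    root = _parse(xml_text)
    values = list(_context_params(root, param))
    for v in values:
        v.text = new_file
    return ET.tostring(root, encoding="unicode"), len(values)


if __name__ == "__main__":
    # "sso-custom.jks" is a placeholder for whatever name you gave the keystore.
    new_filereg, n1 = point_filereg(FILEREG_SAMPLE, "conf/security/sso-custom.jks")
    new_web, n2 = point_web_xml(WEB_XML_SAMPLE, "sso-custom.jks")
    print(n1, filereg_path(new_filereg))
    print(n2, web_param(new_web))
```

A count of 0 returned by either function means the entry was not found under the expected name and nothing was written, which is the case to investigate before restarting; a count above 1 means duplicate entries that should be reconciled by hand.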

-------------

Restart PassPort.

Note:
See also https://support.axway.com/kb/180293 for generating custom certificates and replacing the default ones within the PassPort jks files.