Generating a Client Certificate and Keystore

Procedure

  1. On the machine on which the client application resides, generate a keystore (for example, auser.jks) containing an RSA key pair:
    • for X.509 authentication, a public/private key pair for the TIBCO ActiveMatrix BPM user to be authenticated. The entry's distinguished name must be that user's X.509 DN, which must match the user's DN in the primary LDAP source of the LDAP container from which the user was derived (otherwise the certificate cannot be mapped to a BPM user).
    • for SAML authentication, any public/private key pair. (In this case the identity of the user to be authenticated is supplied in the SAML assertion, so the DN of the key pair is not used to identify the user.)
  2. Create a certificate signing request for this keystore entry (for example, auser.csr).
  3. Sign the auser.csr certificate request, generating a signed certificate (for example, auser.crt). Use:
    • the CA's private key (bpm-ca.key) to digitally sign the certificate.
    • the CA's public certificate (bpm-ca.crt) to identify the issuer of the signed certificate. (In this case the signer and the issuer are the same entity.)
  4. Import the CA's root certificate (bpm-ca.crt) into the client keystore (auser.jks) as a trusted certificate. When the import tool asks whether to trust the certificate, confirm only after checking its fingerprint against the value obtained from the BPM administrator. (This step is necessary because the TIBCO ActiveMatrix BPM CA is not a publicly known CA: its root is not in the default truststore, so you must mark it as trusted yourself. Doing so establishes a chain of trust for every certificate signed with bpm-ca.key.)
  5. Import the signed certificate (auser.crt) into the keystore under the same alias as the key pair from step 1. This replaces the self-signed certificate that was generated with the key pair; the import succeeds only because the issuer (bpm-ca.crt) was trusted in step 4.
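The five steps above, written out as a POSIX shell script using keytool (from the JDK) and openssl. This is an added example, not a script shipped with TIBCO ActiveMatrix BPM or taken from the original page. It assumes the following, none of which comes from the page: a throwaway self-signed CA is generated as a stand-in for the real bpm-ca.key/bpm-ca.crt so the script runs offline; the alias auser, the DN CN=auser,OU=users,DC=example,DC=com and the passphrase in STOREPASS are placeholders; the client.ext file and its extensions are the author's choice of end-entity extensions; and -J-Duser.language=en is passed to keytool only so that its English output can be grepped by the check function.

```shell
#!/bin/sh
# Added example: steps 1-5 of the procedure with keytool (JDK) and openssl.
# All names, the DN and the passphrase are placeholders (assumptions).
set -e

STOREPASS=${STOREPASS:-changeit}   # assumed passphrase; never hard-code one in production

# Stand-in CA so the example runs offline. NOT the real BPM CA: on a real
# deployment bpm-ca.key/bpm-ca.crt come from the TIBCO ActiveMatrix BPM side.
make_demo_ca() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=bpm-ca" -keyout "$dir/bpm-ca.key" -out "$dir/bpm-ca.crt" 2>/dev/null
}

# Steps 1-5: key pair in a JKS keystore, CSR, CA-signed certificate, trust the
# CA root, then install the signed certificate over the self-signed one.
build_client_keystore() {
  dir=$1; dn=$2
  ks="$dir/auser.jks"
  rm -f "$ks" "$dir/auser.csr" "$dir/auser.crt"

  # Step 1: keytool stores a self-signed certificate with the new key pair;
  # step 5 replaces it. For X.509 auth, $dn must equal the user's LDAP DN.
  keytool -genkeypair -alias auser -keyalg RSA -keysize 2048 -validity 365 \
    -dname "$dn" -keystore "$ks" -storetype JKS \
    -storepass "$STOREPASS" -keypass "$STOREPASS"

  # Step 2: PKCS#10 certificate signing request for that entry.
  keytool -certreq -alias auser -keystore "$ks" -storepass "$STOREPASS" \
    -file "$dir/auser.csr"

  # Step 3: sign with the CA's private key; the CA certificate supplies the
  # issuer name. The extensions (assumed) mark an end-entity client cert.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$dir/client.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/auser.csr" \
    -CA "$dir/bpm-ca.crt" -CAkey "$dir/bpm-ca.key" -CAcreateserial \
    -extfile "$dir/client.ext" -out "$dir/auser.crt"

  # Step 4: trust the CA root. -noprompt suppresses keytool's "Trust this
  # certificate?" question, so compare the fingerprint out of band first.
  echo "bpm-ca.crt fingerprint (compare with the value from the BPM administrator):"
  openssl x509 -in "$dir/bpm-ca.crt" -noout -fingerprint -sha256
  keytool -importcert -alias bpm-ca -file "$dir/bpm-ca.crt" -keystore "$ks" \
    -storepass "$STOREPASS" -noprompt

  # Step 5: import the signed cert under the SAME alias as the key pair.
  # keytool accepts the reply only because its issuer is now a trusted entry;
  # the entry's chain becomes auser.crt -> bpm-ca.crt.
  keytool -importcert -alias auser -file "$dir/auser.crt" -keystore "$ks" \
    -storepass "$STOREPASS"
}

# Check: the key entry carries a two-certificate chain and the leaf verifies
# against the CA root. Returns 0 on success, 1 otherwise.
verify_client_keystore() {
  dir=$1
  ks="$dir/auser.jks"
  keytool -J-Duser.language=en -list -v -alias auser -keystore "$ks" \
    -storepass "$STOREPASS" | grep -q 'Certificate chain length: 2' || return 1
  keytool -exportcert -rfc -alias auser -keystore "$ks" -storepass "$STOREPASS" \
    -file "$dir/auser-exported.pem"
  openssl verify -CAfile "$dir/bpm-ca.crt" "$dir/auser-exported.pem" >/dev/null 2>&1
}

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_demo_ca "$work"
  build_client_keystore "$work" "CN=auser,OU=users,DC=example,DC=com"   # placeholder DN
  if verify_client_keystore "$work"; then
    echo "auser.jks ready in $work"
  else
    echo "chain check failed" >&2; exit 1
  fi
else
  echo "keytool (JDK) and openssl are required; nothing run" >&2
fi
```

Two points worth keeping in mind when adapting this. Step 5 must use the alias of the key pair, not a new one: importing auser.crt under a different alias creates a trusted-certificate entry with no private key, and the client then has nothing to sign with. And the order of steps 4 and 5 matters: keytool refuses (or, without a terminal, silently fails) to install a certificate reply whose issuer it cannot find among its trusted entries.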

Result

The client application can now include the signed certificate (auser.crt) in the SOAP header when it invokes a TIBCO ActiveMatrix BPM service. The certificate alone proves nothing; the client must also sign the request with the matching private key held in auser.jks, and the service accepts the signature because the certificate chains to the trusted bpm-ca.crt.