The following shows two (2) server configurations for Single Sign-On capabilities. There are other servers, such as reporting, self-service and other applications, which would be involved in SSO. These other systems would have the same principles applied to them in order to achieve true SSO. Basically, anything the packets pass through on their way from the user to the end servers needs to be included in the chaining. Let's break it down with the Load Balancer VIP (Virtual IP) included:
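# --- IG server: build the Tomcat PKCS12 keystore ---
# Fixes vs. the original listing: keytool has no "-size" option (it is
# "-keysize"), the CSR command is "-certreq", the CA-trust flag is
# "-trustcacerts", and "-import" is the legacy spelling of "-importcert".
# "changeit" is the well-known JDK default password; replace it, and prefer
# keytool's -storepass:env / -storepass:file forms so the secret does not
# show up in `ps` output or shell history.
ks=tomcat/conf/PKCS12.keystore
storepass=changeit
san=dns:server.example.com,dns:server,ip:10.10.10.10,ip:::1

# Key pair behind keyAlias="ig" in the connector. P-256 key; the page signed
# the self-signed cert with SHA512withECDSA (SHA256withECDSA is the usual
# match for a 256-bit curve, either is accepted).
keytool -genkeypair -keysize 256 -keyalg EC -sigalg SHA512withECDSA -alias ig \
  -keypass "$storepass" -keystore "$ks" -validity 1460 -storepass "$storepass" \
  -storetype pkcs12 -ext "san=$san"

# CSR for the "ig" key pair; the CA's reply (IG.cer) is imported at the end.
keytool -certreq -v -alias ig -sigalg SHA384withECDSA -file tomcat/conf/IG.csr \
  -keystore "$ks" -storepass "$storepass" -storetype pkcs12

# Trust anchors. The original pointed the adroot import at an absolute
# "/tomcat/conf/PKCS12.keystore", which would silently create a second
# keystore; every step below uses the same file.
keytool -importcert -trustcacerts -alias client_root -keystore "$ks" \
  -file tomcat/conf/CLIENT_ROOT.cer -storepass "$storepass" -storetype pkcs12
keytool -importcert -trustcacerts -alias client_inter -keystore "$ks" \
  -file tomcat/conf/CLIENT_INTER.cer -storepass "$storepass" -storetype pkcs12
keytool -importcert -trustcacerts -alias adroot -keystore "$ks" \
  -file tomcat/conf/ADRootCA.cer -storepass "$storepass" -storetype pkcs12

# Peer certificates of the other SSO participants (trusted-cert entries).
keytool -importcert -v -alias ssocertificate -file tomcat/conf/SSO.cer \
  -keystore "$ks" -storepass "$storepass" -storetype pkcs12
keytool -importcert -v -alias reportingcertificate -file tomcat/conf/Reporting.cer \
  -keystore "$ks" -storepass "$storepass" -storetype pkcs12

# CA reply for this server's own key pair. It must be imported under the SAME
# alias as the key pair ("ig"); under a different alias (the original used
# "igcertificate") keytool stores it as an unrelated trusted-cert entry and
# the connector keeps serving the self-signed certificate. keytool builds the
# chain from the CA entries above (or from cacerts via -trustcacerts) and
# fails if the issuer is not known.
keytool -importcert -v -trustcacerts -alias ig -file tomcat/conf/IG.cer \
  -keystore "$ks" -storepass "$storepass" -storetype pkcs12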
*** Do not forget the Load Balancer certificates in front of any of the above servers
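<!-- IG connector (JSSE, NIO2). Fix vs. the original: server="myserver" was
     written as `server myserver`, which is not well-formed XML. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           enableLookups="false" scheme="https" secure="true" server="myserver"
           SSLEnabled="true" SSLProtocol="TLSv1.2" keyAlias="ig"
           keystorePass="changeit" keystoreFile="tomcat/conf/PKCS12.keystore"
           keystoreType="PKCS12">
  <!-- keystorePass is the JDK default; use the real store password and keep
       server.xml readable only by the Tomcat service account. keystoreFile
       is relative and is resolved against $CATALINA_BASE. keyAlias must name
       the key-pair entry ("ig"), the one the CA reply was imported under. -->
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>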
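<!-- APR/OpenSSL connector with PEM key material. Fixes vs. the original:
     the element was opened as <SSLHOSTCONFIG> but closed as </SSLHostConfig>;
     the nested element and attributes spelled "certificateificate..." do not
     exist (the element is <Certificate>); Tomcat attribute names are
     case-sensitive (ciphers, honorCipherOrder, protocols,
     insecureRenegotiation); and OpenSSL cipher-list keywords are
     case-sensitive too (aNULL, eNULL, kRSA — not ANULL, ENULL, KRSA). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           enableLookups="false" scheme="https" secure="true" server="Example"
           SSLEnabled="true">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <!-- The TLS_ECDH_* (static ECDH) suites provide no forward secrecy and
       the HIGH alias admits CBC suites; keep the list under review and pin
       only the suites you intend to offer. -->
  <SSLHostConfig ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"
                 honorCipherOrder="true" protocols="TLSv1.2"
                 insecureRenegotiation="false">
    <!-- Private key, leaf certificate and CA chain in PEM form. The key file
         must be readable only by the Tomcat service account. -->
    <Certificate certificateKeyFile="/etc/pki/tls/private/EXAMPLE_com.key"
                 certificateFile="/etc/pki/tls/certificates/EXAMPLE/EXAMPLE_com.crt"
                 certificateChainFile="/etc/pki/tls/EXAMPLE/EXAMPLE_com_CA.pem" />
  </SSLHostConfig>
</Connector>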
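# --- SSO server: build the Tomcat PKCS12 keystore ---
# Fixes vs. the original listing: keytool has no "-size" option (it is
# "-keysize"), the CSR command is "-certreq", the CA-trust flag is
# "-trustcacerts", and "-import" is the legacy spelling of "-importcert".
# "changeit" is the well-known JDK default password; replace it, and prefer
# keytool's -storepass:env / -storepass:file forms so the secret does not
# show up in `ps` output or shell history.
ks=tomcat/conf/PKCS12.keystore
storepass=changeit
san=dns:server.example.com,dns:server,ip:10.10.10.10,ip:::1

# Key pair behind keyAlias="sso" in the connector. P-256 key; the page signed
# the self-signed cert with SHA512withECDSA (SHA256withECDSA is the usual
# match for a 256-bit curve, either is accepted).
keytool -genkeypair -keysize 256 -keyalg EC -sigalg SHA512withECDSA -alias sso \
  -keypass "$storepass" -keystore "$ks" -validity 1460 -storepass "$storepass" \
  -storetype pkcs12 -ext "san=$san"

# CSR for the "sso" key pair; the CA's reply (SSO.cer) is imported at the end.
keytool -certreq -v -alias sso -sigalg SHA384withECDSA -file tomcat/conf/SSO.csr \
  -keystore "$ks" -storepass "$storepass" -storetype pkcs12

# Trust anchors: client-certificate CA chain and the AD root.
keytool -importcert -trustcacerts -alias client_root -keystore "$ks" \
  -file tomcat/conf/CLIENT_ROOT.cer -storepass "$storepass" -storetype pkcs12
keytool -importcert -trustcacerts -alias client_inter -keystore "$ks" \
  -file tomcat/conf/CLIENT_INTER.cer -storepass "$storepass" -storetype pkcs12
keytool -importcert -trustcacerts -alias adroot -keystore "$ks" \
  -file tomcat/conf/ADRootCA.cer -storepass "$storepass" -storetype pkcs12

# Peer certificates of the other SSO participants (trusted-cert entries).
keytool -importcert -v -alias IGcertificate -file tomcat/conf/IG.cer \
  -keystore "$ks" -storepass "$storepass" -storetype pkcs12
keytool -importcert -v -alias Reportingcertificate -file tomcat/conf/Reporting.cer \
  -keystore "$ks" -storepass "$storepass" -storetype pkcs12

# CA reply for this server's own key pair. It must be imported under the SAME
# alias as the key pair ("sso"); under a different alias (the original used
# "ssocertificate") keytool stores it as an unrelated trusted-cert entry and
# the connector keeps serving the self-signed certificate. keytool builds the
# chain from the CA entries above (or from cacerts via -trustcacerts) and
# fails if the issuer is not known.
keytool -importcert -v -trustcacerts -alias sso -file tomcat/conf/SSO.cer \
  -keystore "$ks" -storepass "$storepass" -storetype pkcs12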
*** Do not forget the Load Balancer certificates in front of any of the above servers
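<!-- SSO connector (JSSE, NIO2). Fix vs. the original: server="myserver" was
     written as `server myserver`, which is not well-formed XML. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           enableLookups="false" scheme="https" secure="true" server="myserver"
           SSLEnabled="true" SSLProtocol="TLSv1.2" keyAlias="sso"
           keystorePass="changeit" keystoreFile="tomcat/conf/PKCS12.keystore"
           keystoreType="PKCS12">
  <!-- keystorePass is the JDK default; use the real store password and keep
       server.xml readable only by the Tomcat service account. keystoreFile
       is relative and is resolved against $CATALINA_BASE. keyAlias must name
       the key-pair entry ("sso"), the one the CA reply was imported under. -->
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>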