The following shows the configurations of two (2) servers for Single Sign-On (SSO). There are other servers, such as reporting, self-service and other applications, which would be involved in SSO. The same principles would be applied to these other systems in order to achieve true SSO. Basically, anything that the packets pass through between the user and the end servers needs to be included in the chaining. Let's break it down with the Load Balancer VIP (Virtual IP) included:
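#!/usr/bin/env bash
# IG server: build the Tomcat PKCS12 keystore — own key pair, CSR, the CA
# roots/intermediates it must trust, and the peer server certificates.
# Requires: KEYSTORE_PASS in the environment. It is used for both the store
# and the key password (a PKCS12 store needs the two to be identical).
set -euo pipefail

: "${KEYSTORE_PASS:?set KEYSTORE_PASS (keystore/key password) in the environment}"
readonly ks=tomcat/conf/PKCS12.keystore
# keytool reads the password from the named variable instead of argv, so it
# does not appear in `ps` output or in the shell history.
readonly ks_opts=(-keystore "$ks" -storepass:env KEYSTORE_PASS -storetype pkcs12)

# Own key pair. The keytool option for the key length is -keysize (there is
# no -size). SANs cover the FQDN, the short host name and both IP literals.
keytool -genkeypair -keysize 4096 -keyalg RSA -sigalg SHA384withRSA -alias ig \
  -keypass:env KEYSTORE_PASS -validity 1460 "${ks_opts[@]}" \
  -ext san=dns:server.example.com,dns:server,ip:10.10.10.10,ip:::1

# CSR for the key pair above; -alias must match the one used by -genkeypair.
keytool -certreq -v -alias ig -sigalg SHA512withRSA -file tomcat/conf/IG.csr "${ks_opts[@]}"

# CA certificates (client root/intermediate, AD root) this server will trust.
keytool -import -trustcacerts -alias client_root  -file tomcat/conf/CLIENT_ROOT.cer  "${ks_opts[@]}"
keytool -import -trustcacerts -alias client_inter -file tomcat/conf/CLIENT_INTER.cer "${ks_opts[@]}"
keytool -import -trustcacerts -alias adroot       -file tomcat/conf/ADRootCA.cer     "${ks_opts[@]}"

# Peer server certificates, imported as trusted-certificate entries.
keytool -import -v -alias ospcert       -file tomcat/conf/OSP.cer       "${ks_opts[@]}"
keytool -import -v -alias reportingcert -file tomcat/conf/Reporting.cer "${ks_opts[@]}"
# NOTE(review): if IG.cer is the CA's reply to IG.csr above, it has to be
# imported under the key alias (-alias ig) to replace the self-signed
# certificate on the key pair; under a separate alias it is only a trusted
# entry and Tomcat keeps serving the self-signed one — confirm which is meant.
keytool -import -v -alias igcert        -file tomcat/conf/IG.cer        "${ks_opts[@]}"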
*** Do not forget the Load Balancer certificates in front of any of the above servers.
<!--
  IG server: NIO2 (JSSE) HTTPS connector on 8443 with HTTP/2 upgrade, keyed from
  the PKCS12 keystore built with keytool above (keyAlias="ig"). clientAuth="false"
  means no client certificate is requested on this connector.
  NOTE(review): keystorePass is the JDK default "changeit" in plaintext. Change it,
  keep server.xml readable only by the Tomcat service account, and consider
  supplying it via ${...} property substitution rather than inline.
  NOTE(review): connector attribute names are case-sensitive. "SSLProtocol" is the
  APR/OpenSSL spelling; on a JSSE connector the protocol restriction is
  sslEnabledProtocols (or protocols on <SSLHostConfig> in 8.5+). As written the
  attribute may be logged as unknown and ignored, leaving the JVM's default TLS
  versions enabled — confirm against the Tomcat version in use.
-->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" secure="true" scheme="https" SSLEnabled="true" clientAuth="false" enableLookups="false" SSLProtocol="TLSv1.2" keyAlias="ig" keystorePass="changeit" keystoreFile="tomcat/conf/PKCS12.keystore" keystoreType="PKCS12" > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector>
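<!--
  APR/OpenSSL HTTPS connector on 8443 with HTTP/2 upgrade, using PEM key,
  certificate and chain files from disk.
  Element and attribute names in server.xml are case-sensitive: unknown names are
  typically logged as a warning and ignored, so the all-caps SSLHOSTCONFIG /
  CIPHERS / HONORCIPHERORDER / PROTOCOLS / INSECURERENEGOTIATION would have fallen
  back to Tomcat defaults, and the <SSLHOSTCONFIG ...> ... </SSLHostConfig> pair is
  not even well-formed XML. OpenSSL cipher-string keywords are case-sensitive too
  (aNULL, eNULL, kRSA), hence the corrected spellings below.
  NOTE(review): the TLS_ECDH_* (static ECDH) suites provide no forward secrecy and
  the HIGH alias also admits CBC suites — confirm the list against policy.
  The key file must be readable only by the Tomcat service account.
-->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" enableLookups="false" scheme="https" secure="true" server="Example" SSLEnabled="true">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA" honorCipherOrder="true" protocols="TLSv1.2" insecureRenegotiation="false">
    <!-- Paths as given in this configuration; confirm them on the host
         (the usual RHEL directory for certificates is /etc/pki/tls/certs). -->
    <Certificate certificateKeyFile="/etc/pki/tls/private/EXAMPLE_com.key" certificateFile="/etc/pki/tls/certificates/EXAMPLE/EXAMPLE_com.crt" certificateChainFile="/etc/pki/tls/EXAMPLE/EXAMPLE_com_CA.pem" />
  </SSLHostConfig>
</Connector>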
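#!/usr/bin/env bash
# SSO server: build the Tomcat PKCS12 keystore — own key pair, CSR, the CA
# roots/intermediates it must trust, and the peer server certificates.
# Requires: KEYSTORE_PASS in the environment. It is used for both the store
# and the key password (a PKCS12 store needs the two to be identical).
set -euo pipefail

: "${KEYSTORE_PASS:?set KEYSTORE_PASS (keystore/key password) in the environment}"
readonly ks=tomcat/conf/PKCS12.keystore
# keytool reads the password from the named variable instead of argv, so it
# does not appear in `ps` output or in the shell history.
readonly ks_opts=(-keystore "$ks" -storepass:env KEYSTORE_PASS -storetype pkcs12)

# Own key pair. The keytool option for the key length is -keysize (there is
# no -size). SANs cover the FQDN, the short host name and both IP literals.
keytool -genkeypair -keysize 4096 -keyalg RSA -sigalg SHA384withRSA -alias sso \
  -keypass:env KEYSTORE_PASS -validity 1460 "${ks_opts[@]}" \
  -ext san=dns:server.example.com,dns:server,ip:10.10.10.10,ip:::1

# CSR for the key pair above; -alias must be the alias that holds the key
# pair ("sso"), otherwise keytool fails because the alias does not exist.
keytool -certreq -v -alias sso -sigalg SHA512withRSA -file tomcat/conf/SSO.csr "${ks_opts[@]}"

# CA certificates (client root/intermediate, AD root) this server will trust.
# The keytool option is -trustcacerts.
keytool -import -trustcacerts -alias client_root  -file tomcat/conf/CLIENT_ROOT.cer  "${ks_opts[@]}"
keytool -import -trustcacerts -alias client_inter -file tomcat/conf/CLIENT_INTER.cer "${ks_opts[@]}"
keytool -import -trustcacerts -alias adroot       -file tomcat/conf/ADRootCA.cer     "${ks_opts[@]}"

# Peer server certificates, imported as trusted-certificate entries.
keytool -import -v -alias IGcertificate        -file tomcat/conf/IG.cer        "${ks_opts[@]}"
keytool -import -v -alias Reportingcertificate -file tomcat/conf/Reporting.cer "${ks_opts[@]}"
# NOTE(review): if SSO.cer is the CA's reply to SSO.csr above, it has to be
# imported under the key alias (-alias sso) to replace the self-signed
# certificate on the key pair; under a separate alias it is only a trusted
# entry and Tomcat keeps serving the self-signed one — confirm which is meant.
keytool -import -v -alias ssocertificate       -file tomcat/conf/SSO.cer       "${ks_opts[@]}"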
*** Do not forget the Load Balancer certificates in front of any of the above servers.
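<!--
  SSO server: NIO2 (JSSE) HTTPS connector on 8443 with HTTP/2 upgrade, keyed from
  the PKCS12 keystore built with keytool above (keyAlias="sso").
  The server attribute was written as `server myserver`, which is not a valid
  attribute (no "=" and no quotes) and makes the element fail to parse; it is
  now server="myserver".
  NOTE(review): keystorePass is the JDK default "changeit" in plaintext. Change it,
  keep server.xml readable only by the Tomcat service account, and consider
  supplying it via ${...} property substitution rather than inline.
  NOTE(review): connector attribute names are case-sensitive. "SSLProtocol" is the
  APR/OpenSSL spelling; on a JSSE connector the protocol restriction is
  sslEnabledProtocols (or protocols on <SSLHostConfig> in 8.5+). As written the
  attribute may be logged as unknown and ignored, leaving the JVM's default TLS
  versions enabled — confirm against the Tomcat version in use.
-->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" enableLookups="false" scheme="https" secure="true" server="myserver" SSLEnabled="true" SSLProtocol="TLSv1.2" keyAlias="sso" keystorePass="changeit" keystoreFile="tomcat/conf/PKCS12.keystore" keystoreType="PKCS12">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>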