Google as Identity Provider
Vrinda edited this page Apr 17, 2023 · 1 revision
- Verify Google's certificate CA in JDK Truststore.
- Create Google as Identity Provider in the dcm4che realm exactly as mentioned. Except for Client ID and Client Secret, which one gets from Google, the remaining field values are unchanged and set to defaults.
- Download the PEM certificate from Google's website via View Page Info -> Security -> View Certificate -> Global Sign.
- From JDK 11 onwards, Google Trust Services GlobalSign is part of the default set of root Certification Authority (CA) certificates. Verify that the CA is available in the JDK truststore.

      keytool -list -v -keystore /usr/lib/jvm/java-13-oracle/lib/security/cacerts

      Alias name: debian:globalsign_ecc_root_ca_-_r4.pem
      Creation date: May 14, 2019
      Entry type: trustedCertEntry

      Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
      Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
      Serial number: 2a38a41c960a04de42b228a50be8349802
      Valid from: Tue Nov 13 01:00:00 CET 2012 until: Tue Jan 19 04:14:07 CET 2038
      Certificate fingerprints:
           SHA1: 69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB
           SHA256: BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C
      Signature algorithm name: SHA256withECDSA
      Subject Public Key Algorithm: 256-bit EC (secp256r1) key
      Version: 3

      Extensions:

      #1: ObjectId: 2.5.29.19 Criticality=true
      BasicConstraints:[
        CA:true
        PathLen:2147483647
      ]

      #2: ObjectId: 2.5.29.15 Criticality=true
      KeyUsage [
        Key_CertSign
        Crl_Sign
      ]

      #3: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 54 B0 7B AD 45 B8 E2 40 7F FB 0A 6E FB BE 33 C9 T...E..@...n..3.
      0010: 3C A3 84 D5 <...
      ]
      ]
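- If this is not available or one has an older JDK version, add Google's CA to the JDK truststore.

      # cacerts is a binary keystore, so the PEM is imported with keytool rather than appended to the file.
      # The alias google-globalsign-ca is an example name; keytool prompts for the truststore password.
      sudo keytool -importcert -trustcacerts -alias google-globalsign-ca -file /Downloads/www-google-com.pem -keystore /usr/lib/jvm/<JDKOlderThan11>/lib/security/cacerts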
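A fingerprint-based version of the truststore check above, as an added example that is not part of the original wiki page: aliases such as `debian:globalsign_ecc_root_ca_-_r4.pem` differ between JDK packages, so the script matches on the SHA256 fingerprint shown in the listing instead. The function names, the first sample entry and the `changeit` store password (the JDK default) are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki): find a trusted root in `keytool -list -v`
# output by SHA-256 fingerprint instead of by distro-specific alias.

# Fingerprint of GlobalSign ECC Root CA - R4, copied from the listing on this page.
GOOGLE_ROOT_SHA256='BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C'

# stdin: `keytool -list -v` output (English locale assumed). $1: fingerprint,
# with or without colons, any case. Prints the alias of the matching
# trustedCertEntry; exit status 1 if no trusted entry carries that fingerprint.
find_alias_by_sha256() {
    want=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        /^Alias name:/ { name = $0; sub(/^Alias name:[ \t]*/, "", name); etype = "" }
        /^Entry type:/ { etype = $3 }
        /^[ \t]*SHA256:/ {
            fp = toupper($0); sub(/^[ \t]*SHA256:/, "", fp); gsub(/[^0-9A-F]/, "", fp)
            if (!found && fp == want && etype == "trustedCertEntry") { print name; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# Hypothetical wrapper for a real truststore; "changeit" is the JDK default password.
check_truststore() {
    keytool -list -v -keystore "$1" -storepass "${2:-changeit}" 2>/dev/null |
        find_alias_by_sha256 "$GOOGLE_ROOT_SHA256"
}

# Constructed sample: the first entry is made up, the second is trimmed from this page.
sample_listing() {
    cat <<'EOF'
Alias name: example-internal-ca
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA256: 00:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F
Alias name: debian:globalsign_ecc_root_ca_-_r4.pem
Creation date: May 14, 2019
Entry type: trustedCertEntry
Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
Certificate fingerprints:
     SHA1: 69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB
     SHA256: BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C
EOF
}

# Demo on the sample listing; prints the alias of the matching entry.
sample_listing | find_alias_by_sha256 "$GOOGLE_ROOT_SHA256"
```

Against a real installation, `check_truststore /usr/lib/jvm/java-13-oracle/lib/security/cacerts` returns a non-zero status when the root is missing.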