Unfortunately, that document does not address my questions. That document details how to change the certificate. Actually, it details how to "delete" and "add a new" certificate to the key store.
Can we use the individual private keys from our RSSO servers? (We have signed certificates for each server, with SAN entries for both nodes and the VIP.)
The name of the key store in the documentation is cot.jks - is this a fixed requirement?
The name of the alias of the self-signed key in the documentation is sp-signing - is this a fixed requirement?
Can the key store use a password other than the default 'changeit'?
Can the key use a password other than the default 'changeit'?
I see numerous references for the cot.jks key store being located in \rsso\WEB-INF\classes - is this a fixed requirement if I fully qualify the path to the key store file in the general RSSO server configuration?
The document also does not address (at least not with any detail) how to work with an HA RSSO implementation.
Just as an FYI to all...
Per Support and Engineering, TSO does NOT work with SAMLv2 authentication via RSSO in any of the current versions of TSO. I don't think that this is supposed to be the case, but we confirmed with Engineering that it is not supported. The documentation does not reflect this incompatibility in both the TSO and RSSO product lines, and this is supposed to be updated to reflect that.
Currently TSO supports only local user and LDAP authentication. SAML support is being developed.
Since it was not documented in any version of TrueSight Orchestration/BMC Atrium Orchestrator or Remedy Single Sign-On, there was no reason to think that it was not supported. The documentation details that authentication is handled through either the embedded or an external implementation of RSSO. There were no indications in the documentation to lead us to believe that any of the forms of authentication available within a Realm would not be compatible with TSO. Ranganath Samudrala, please ensure that the documentation for both TSO and RSSO is updated to include this incompatibility to prevent other customers from stumbling into this. Thanks!