---
title: Enable signing and encryption in a Fedlet
description: Signing and encryption aren't configured by default when you create the Java Fedlet. You can, however, set up AM and the Fedlet to sign and verify XML signatures, and to encrypt and decrypt data such as SAML assertions.
component: pingam
version: 8.1
page_id: pingam:am-saml2:fedlet-sign-encrypt
canonical_url: https://docs.pingidentity.com/pingam/8.1/am-saml2/fedlet-sign-encrypt.html
keywords: ["SAML 2.0", "Single Sign-on (SSO)", "Federation", "Fedlet", "Encryption"]
page_aliases: ["saml2-guide:fedlet-sign-encrypt.adoc"]
section_ids:
  fedlet-conf-signing-encryption: Configure the Fedlet for signing and encryption
---

# Enable signing and encryption in a Fedlet

Signing and encryption aren't configured by default when you create the Java Fedlet. You can, however, set up AM and the Fedlet to sign and verify XML signatures, and to encrypt and decrypt data such as SAML assertions.

Enabling signing and encryption for the Java Fedlet involves the following high-level stages:

* Before you create the Fedlet, configure the IdP to sign and encrypt data. See Realms > *realm name* > Applications > Federation > Entity Providers > *IdP name* > Signing and Encryption in the AM admin UI.

  For evaluation, you can use the `test` certificate delivered with AM.

* Initially deploy and configure the Fedlet, but do not use the Fedlet until you finish.

* On the Fedlet side, set up a JCEKS keystore used for signing and encryption. For evaluation, you can copy the `keystore.jceks` file delivered with AM. You can find the file in the `$HOME/am/security/keystores/` directory for a server instance with the base URI `openam`. The built-in keystore includes the `test` certificate.

  You must also set up the `.storepass` and `.keypass` files using the `fedletEncode.jsp` page, such as `https://am.example.com:8443/fedlet/fedletEncode.jsp`, to encode passwords on the Fedlet side.

  The passwords for the test keystore and private key are recorded in the AM `.storepass` and `.keypass` files. These files are located in the `/path/to/am/security/secrets/defaults/` directory.

* Configure the Fedlet to perform signing and encryption by ensuring the Fedlet has access to the keystore, and by updating the SP metadata for the Fedlet.

* Import the updated SP metadata into the IdP to replace the default Fedlet configuration.

* Restart the Fedlet or container in which the Fedlet runs for the changes you made on the Fedlet side to take effect.

## Configure the Fedlet for signing and encryption

The `FederationConfig.properties` file specifies the paths to the keystore holding the signing or encryption keys for the Fedlet, the keystore password file, and the private key password file.

1. After setting up your keystore and password files as described above, edit the properties file in the configuration directory, such as `$HOME/fedlet/FederationConfig.properties`, to point to the keystore and password files.

2. Export the certificate to use for signing and encryption purposes.

   ```bash
   $ keytool -export -rfc -keystore keystore.jceks -alias test
   Enter keystore password:
   -----BEGIN CERTIFICATE-----
   MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVL
   MRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlG
   b3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAz
   MTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQI
   EwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sx
   DzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcNAQEB
   BQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXC
   AaCKqJFwjwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuV
   YWwPIQ/ts2iTiWOVn7wzlE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyi
   P+6roo/EYgX4AH7OAhfUMncYsopWhkW/ze9z8wTXc8BAEgDmt8zFCez1CtqJB/Ml
   SBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eLFootBIn0FvUZSnwTiSpb
   aHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8wHQYDVR0O
   BBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ2
   9/2idv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkm
   t+FZxpafqUC/mukjIzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjIt
   cGqydGZXR2FH93vXWoAotUwtZ119IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ
   0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlGo99yE5eJwoHXXU7csaZVttmx
   7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV31sBREs8FaaCe
   ksu7Y48BmkUqw6E9
   -----END CERTIFICATE-----
   ```

3. Edit the standard metadata file for the Fedlet, such as `$HOME/fedlet/sp.xml`, to include the certificate in `KeyDescriptor` elements that are children of the `SPSSODescriptor` element.

   ```xml
   <EntityDescriptor
       xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
       entityID="http://www.example.com:8080/fedlet">
    <SPSSODescriptor
        AuthnRequestsSigned="true"
        WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:X509Data>
        <ds:X509Certificate>
         MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVL
         MRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlG
         b3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAz
         MTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQI
         EwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sx
         DzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcNAQEB
         BQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXC
         AaCKqJFwjwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuV
         YWwPIQ/ts2iTiWOVn7wzlE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyi
         P+6roo/EYgX4AH7OAhfUMncYsopWhkW/ze9z8wTXc8BAEgDmt8zFCez1CtqJB/Ml
         SBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eLFootBIn0FvUZSnwTiSpb
         aHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8wHQYDVR0O
         BBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ2
         9/2idv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkm
         t+FZxpafqUC/mukjIzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjIt
         cGqydGZXR2FH93vXWoAotUwtZ119IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ
         0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlGo99yE5eJwoHXXU7csaZVttmx
         7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV31sBREs8FaaCe
         ksu7Y48BmkUqw6E9
        </ds:X509Certificate>
       </ds:X509Data>
      </ds:KeyInfo>
     </KeyDescriptor>
     <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:X509Data>
        <ds:X509Certificate>
         MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVL
         MRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlG
         b3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAz
         MTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQI
         EwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sx
         DzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcNAQEB
         BQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXC
         AaCKqJFwjwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuV
         YWwPIQ/ts2iTiWOVn7wzlE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyi
         P+6roo/EYgX4AH7OAhfUMncYsopWhkW/ze9z8wTXc8BAEgDmt8zFCez1CtqJB/Ml
         SBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eLFootBIn0FvUZSnwTiSpb
         aHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8wHQYDVR0O
         BBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ2
         9/2idv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkm
         t+FZxpafqUC/mukjIzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjIt
         cGqydGZXR2FH93vXWoAotUwtZ119IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ
         0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlGo99yE5eJwoHXXU7csaZVttmx
         7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV31sBREs8FaaCe
         ksu7Y48BmkUqw6E9
        </ds:X509Certificate>
       </ds:X509Data>
      </ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
       <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        128
       </xenc:KeySize>
      </EncryptionMethod>
     </KeyDescriptor>
     <SingleLogoutService
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="http://www.example.com:8080/fedlet/fedletSloRedirect"
         ResponseLocation="http://www.example.com:8080/fedlet/fedletSloRedirect" />
     <SingleLogoutService
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="http://www.example.com:8080/fedlet/fedletSloPOST"
         ResponseLocation="http://www.example.com:8080/fedlet/fedletSloPOST" />
     <SingleLogoutService
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="http://www.example.com:8080/fedlet/fedletSloSoap" />
     <NameIDFormat>
      urn:oasis:names:tc:SAML:2.0:nameid-format:transient
     </NameIDFormat>
     <AssertionConsumerService
         index="0"
         isDefault="true"
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="http://www.example.com:8080/fedlet/fedletapplication" />
     <AssertionConsumerService
         index="1"
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
         Location="http://www.example.com:8080/fedlet/fedletapplication" />
    </SPSSODescriptor>
    <RoleDescriptor
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
        xsi:type="query:AttributeQueryDescriptorType"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    </RoleDescriptor>
    <XACMLAuthzDecisionQueryDescriptor
        WantAssertionsSigned="false"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" />
   </EntityDescriptor>
   ```

4. Edit the extended metadata file for the Fedlet, such as `$HOME/fedlet/sp-extended.xml`.

   Set the certificate alias names to the alias for the Fedlet certificate, and the `want*Signed` and `want*Encrypted` values to `true`.

   If you reformat the file, take care not to add white space around string values in elements.

   ```xml
   <?xml version="1.0"?>
   <EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
    hosted="1"
    entityID="http://www.example.com:8080/fedlet">
     <SPSSOConfig metaAlias="/sp">
       <Attribute name="description">
         <Value/>
       </Attribute>
       <Attribute name="signingCertAlias">
         <Value>test</Value>
       </Attribute>
       <Attribute name="encryptionCertAlias">
         <Value>test</Value>
       </Attribute>
       <Attribute name="basicAuthOn">
         <Value>false</Value>
       </Attribute>
       <Attribute name="basicAuthUser">
         <Value/>
       </Attribute>
       <Attribute name="basicAuthPassword">
         <Value/>
       </Attribute>
       <Attribute name="autofedEnabled">
         <Value>false</Value>
       </Attribute>
       <Attribute name="autofedAttribute">
         <Value/>
       </Attribute>
       <Attribute name="transientUser">
         <Value>anonymous</Value>
       </Attribute>
       <Attribute name="spAdapter">
         <Value/>
       </Attribute>
       <Attribute name="spAdapterEnv">
         <Value/>
       </Attribute>
       <Attribute name="fedletAdapter">
         <Value>com.sun.identity.saml2.plugins.DefaultFedletAdapter</Value>
       </Attribute>
       <Attribute name="fedletAdapterEnv">
         <Value/>
       </Attribute>
       <Attribute name="spAccountMapper">
         <Value>com.sun.identity.saml2.plugins.DefaultLibrarySPAccountMapper</Value>
       </Attribute>
       <Attribute name="useNameIDAsSPUserID">
         <Value>false</Value>
       </Attribute>
       <Attribute name="spAttributeMapper">
         <Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value>
       </Attribute>
       <Attribute name="spAuthncontextMapper">
         <Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>
       </Attribute>
       <Attribute name="spAuthncontextClassrefMapping">
         <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default</Value>
       </Attribute>
       <Attribute name="spAuthncontextComparisonType">
         <Value>exact</Value>
       </Attribute>
       <Attribute name="attributeMap">
         <Value>*=*</Value>
       </Attribute>
       <Attribute name="saml2AuthModuleName">
         <Value/>
       </Attribute>
       <Attribute name="localAuthURL">
         <Value/>
       </Attribute>
       <Attribute name="intermediateUrl">
         <Value/>
       </Attribute>
       <Attribute name="defaultRelayState">
         <Value/>
       </Attribute>
       <Attribute name="appLogoutUrl">
         <Value>http://www.example.com:8080/fedlet/logout</Value>
       </Attribute>
       <Attribute name="assertionTimeSkew">
         <Value>300</Value>
       </Attribute>
       <Attribute name="wantAttributeEncrypted">
         <Value>true</Value>
       </Attribute>
       <Attribute name="wantAssertionEncrypted">
         <Value>true</Value>
       </Attribute>
       <Attribute name="wantNameIDEncrypted">
         <Value>true</Value>
       </Attribute>
       <Attribute name="wantPOSTResponseSigned">
         <Value/>
       </Attribute>
       <Attribute name="wantArtifactResponseSigned">
         <Value/>
       </Attribute>
       <Attribute name="wantLogoutRequestSigned">
         <Value/>
       </Attribute>
       <Attribute name="wantLogoutResponseSigned">
         <Value/>
       </Attribute>
       <Attribute name="wantMNIRequestSigned">
         <Value/>
       </Attribute>
       <Attribute name="wantMNIResponseSigned">
         <Value/>
       </Attribute>
       <Attribute name="responseArtifactMessageEncoding">
         <Value>URI</Value>
       </Attribute>
       <Attribute name="cotlist">
         <Value>fedlet-cot</Value>
       </Attribute>
       <Attribute name="saeAppSecretList">
        </Attribute>
       <Attribute name="saeSPUrl">
         <Value/>
       </Attribute>
       <Attribute name="saeSPLogoutUrl">
        </Attribute>
       <Attribute name="ECPRequestIDPListFinderImpl">
         <Value>com.sun.identity.saml2.plugins.ECPIDPFinder</Value>
       </Attribute>
       <Attribute name="ECPRequestIDPList">
         <Value/>
       </Attribute>
       <Attribute name="ECPRequestIDPListGetComplete">
         <Value/>
       </Attribute>
       <Attribute name="enableIDPProxy">
         <Value>false</Value>
       </Attribute>
       <Attribute name="idpProxyList">
         <Value/>
       </Attribute>
       <Attribute name="idpProxyCount">
         <Value>0</Value>
       </Attribute>
       <Attribute name="useIntroductionForIDPProxy">
         <Value>false</Value>
       </Attribute>
       <Attribute name="spSessionSyncEnabled">
         <Value>false</Value>
       </Attribute>
       <Attribute name="relayStateUrlList">
        </Attribute>
     </SPSSOConfig>
     <AttributeQueryConfig metaAlias="/attrQuery">
       <Attribute name="signingCertAlias">
         <Value>test</Value>
       </Attribute>
       <Attribute name="encryptionCertAlias">
         <Value>test</Value>
       </Attribute>
       <Attribute name="wantNameIDEncrypted">
         <Value>true</Value>
       </Attribute>
       <Attribute name="cotlist">
         <Value>fedlet-cot</Value>
       </Attribute>
     </AttributeQueryConfig>
     <XACMLAuthzDecisionQueryConfig metaAlias="/pep">
       <Attribute name="signingCertAlias">
         <Value>test</Value>
       </Attribute>
       <Attribute name="encryptionCertAlias">
         <Value>test</Value>
       </Attribute>
       <Attribute name="basicAuthOn">
         <Value>false</Value>
       </Attribute>
       <Attribute name="basicAuthUser">
         <Value/>
       </Attribute>
       <Attribute name="basicAuthPassword">
         <Value/>
       </Attribute>
       <Attribute name="wantXACMLAuthzDecisionResponseSigned">
         <Value>false</Value>
       </Attribute>
       <Attribute name="wantAssertionEncrypted">
         <Value>true</Value>
       </Attribute>
       <Attribute name="cotlist">
         <Value>fedlet-cot</Value>
       </Attribute>
     </XACMLAuthzDecisionQueryConfig>
   </EntityConfig>
   ```

5. Make a copy of the `sp-extended.xml` file, called `sp-extended-copy.xml`, and set `hosted="0"` in the root element of the copy.

   Use the copied file, `sp-extended-copy.xml`, when importing the Fedlet configuration into AM. AM must register the Fedlet as a *remote* SP.

6. In the AM admin UI, delete the original SP entity configuration for the Fedlet, and then import the updated metadata for the new configuration into AM on the IdP side.

7. Restart the Fedlet or the container in which it runs in order for the Fedlet to pick up the changes to the configuration properties and the metadata.
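As an added pre-flight check (example code written for this page, not part of the PingAM documentation or the Fedlet itself), the script below parses a constructed `sp-extended.xml`, reports alias and `want*Encrypted` values that are missing or wrong, catches the stray white space around values that step 4 warns about, and produces the `hosted="0"` copy from step 5. The `SAMPLE` metadata is constructed and deliberately contains defects; the attribute names come from the file shown above.

```python
"""Pre-flight check for a Fedlet sp-extended.xml before importing it into AM."""
import re
import xml.etree.ElementTree as ET

NS = {"ec": "urn:sun:fm:SAML:2.0:entityconfig"}

# Constructed sample: a trimmed sp-extended.xml with deliberate defects
# (white space around one alias, one flag false, one flag missing).
SAMPLE = """<?xml version="1.0"?>
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" hosted="1"
 entityID="http://www.example.com:8080/fedlet">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="signingCertAlias"><Value>test</Value></Attribute>
    <Attribute name="encryptionCertAlias"><Value> test </Value></Attribute>
    <Attribute name="wantAssertionEncrypted"><Value>true</Value></Attribute>
    <Attribute name="wantNameIDEncrypted"><Value>false</Value></Attribute>
  </SPSSOConfig>
</EntityConfig>"""

def sp_values(root):
    """Map each SPSSOConfig attribute name to its raw <Value> texts (untrimmed)."""
    cfg = root.find("ec:SPSSOConfig", NS)
    return {a.get("name"): [v.text or "" for v in a.findall("ec:Value", NS)]
            for a in cfg.findall("ec:Attribute", NS)}

def check_sp_extended(xml_text, alias="test"):
    """Return a list of problems; an empty list means the file passes the check."""
    vals = sp_values(ET.fromstring(xml_text))
    problems = []
    for name in ("signingCertAlias", "encryptionCertAlias"):
        raw = vals.get(name, [""])[0]
        if raw != raw.strip():   # the Fedlet reads the white space as part of the alias
            problems.append(f"{name}: white space around value {raw!r}")
        elif raw != alias:
            problems.append(f"{name}: expected alias {alias!r}, got {raw!r}")
    for name in ("wantAssertionEncrypted", "wantNameIDEncrypted", "wantAttributeEncrypted"):
        raw = vals.get(name, [""])[0]
        if raw.strip() != "true":
            problems.append(f"{name}: expected true, got {raw!r}")
    return problems

def remote_copy(xml_text):
    """Return the sp-extended-copy.xml text: the same file with hosted="0" on the root."""
    return re.sub(r'(<EntityConfig\b[^>]*?\bhosted=")1(")', r'\g<1>0\2', xml_text, count=1)

def hosted_flag(xml_text):
    """Read back the hosted attribute of the root element."""
    return ET.fromstring(xml_text).get("hosted")

if __name__ == "__main__":
    for problem in check_sp_extended(SAMPLE):
        print("sp-extended.xml:", problem)
```

Run it against your real file by replacing `SAMPLE` with the file contents; only import the copy produced by `remote_copy` once `check_sp_extended` returns no problems.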
