280 Novell Access Manager 3.1 SP1 Identity Server Guide
novdocx (en) 19 February 2010

2b Click the name of the Embedded Service Provider certificate of the Access Gateway, note the name of the Issuer, then click Close.
2c (Conditional) If you do not know the names of these certificates, see Section 12.2.3, “Certificate Names,” on page 278.
3 To verify the trusted root for the Identity Server, click Trusted Roots > NIDP-truststore.
4 Scan for a certificate subject that matches the issuer of the Embedded Service Provider certificate, then click its name.
   If the Issuer has the same name as the Subject name, then this certificate is the root certificate.
   If the Issuer has a different name than the Subject name, the certificate is an intermediate certificate in the chain. Click Close, and make sure another certificate in the trust store is the root certificate. If it isn’t there, you need to import it and any other intermediate certificates between the one you have and the root certificate.
5 To verify the trusted root for the Embedded Service Provider, click Trusted Roots > ESP Trust Store.
6 Scan for a certificate subject that matches the issuer of the Identity Server certificate, then click its name.
   If the Issuer has the same name as the Subject name, then this certificate is the root certificate.
   If the Issuer has a different name than the Subject name, the certificate is an intermediate certificate in the chain. Click Close, and make sure another certificate in the trust store is the root certificate. If it isn’t there, you need to import it and any other intermediate certificates between the one you have and the root certificate.
7 (Optional) If you have clustered your Identity Servers and Access Gateways and you are concerned that not all members of the cluster are using the correct trusted root certificates, you can re-push the certificates to the cluster members.
7a Click Auditing > Troubleshooting > Certificates.
7b Select the Trust Store of your Identity Servers and Access Gateways, then click Re-push certificates.
7c Update the Identity Servers and Access Gateways.
7d Check the command status of each device to ensure that the certificate was pushed to the device. From the Identity Servers page or the Access Gateways page, click the Commands link.

To view sample log entries that are logged to the catalina.out file when a trusted root certificate is missing, see “Trusted Roots Are Not Imported into the Appropriate Trusted Root Containers” on page 282.

12.2.5 Certificates in the Correct Certificate Store

Make sure that the server certificates are added to the correct certificate store. In other words, the Identity Server certificate must be added to the NIDP-connector store, and the Embedded Service Provider certificate must be added to the Proxy Key Store.

1 In the Administration Console, click Security > Certificates.
2 Click NIDP-connector.
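
The issuer-to-subject walk from the trusted-root verification steps (Steps 3 through 6 of the preceding procedure) can be scripted. The following is an added example, not part of the Novell guide or product: it assumes the trust store contents are available as Owner/Issuer lines in the style of a `keytool -list -v` listing, and all certificate names in the sample are constructed. It matches names only, as the console procedure does, and does not verify signatures.

```python
import re

# Constructed sample in the style of `keytool -list -v` output.
# All certificate names are made up for illustration.
SAMPLE_TRUST_STORE = """\
Alias name: issuing-ca
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Root CA, O=Example
Alias name: other-root
Owner: CN=Unrelated Root, O=Other
Issuer: CN=Unrelated Root, O=Other
"""

def normalize(dn):
    """Case- and whitespace-insensitive form of a distinguished name.
    Naive comma split: does not handle escaped commas inside values."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_store(listing):
    """Map each certificate subject (Owner) to its issuer."""
    owners = re.findall(r"^Owner:\s*(.+)$", listing, re.M)
    issuers = re.findall(r"^Issuer:\s*(.+)$", listing, re.M)
    return {normalize(o): normalize(i) for o, i in zip(owners, issuers)}

def check_chain(leaf_issuer, store):
    """Walk from the server certificate's issuer up to a self-signed root.

    Returns (status, chain). status is "ok" when a root is reached,
    "missing" when the last name in chain has no entry in the store
    (that certificate must be imported), or "loop" on a circular chain.
    """
    chain, current = [], normalize(leaf_issuer)
    while True:
        if current in chain:
            return "loop", chain
        chain.append(current)
        if current not in store:
            return "missing", chain
        if store[current] == current:   # Issuer == Subject: root certificate
            return "ok", chain
        current = store[current]        # intermediate: keep climbing

if __name__ == "__main__":
    store = parse_store(SAMPLE_TRUST_STORE)
    # Issuer name noted from the server certificate (Step 2b), constructed here.
    status, chain = check_chain("CN=Example Issuing CA, O=Example", store)
    print(status, " -> ".join(chain))
```

With the sample data the walk finds the intermediate certificate but stops at the absent root, which is the case where the guide tells you to import the missing certificates.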