To log in to UA with certificate authentication, use http://hostname:port/certAuth/index.jsp. Both the HTTP and the HTTPS port numbers used for certificate authentication are set in the config.txt file located in $UA80/tomcat/webapps/certAuth. Ensure that these port numbers match the Tomcat listener configuration.
In the following example certificate authentication is used against the LDAP server in UA 8.0 to illustrate the configuration options.
You must first import the appropriate certificate into the IE browser. In UA 8.0, Tomcat does not come configured with a client authentication-enabled HTTPS listener. You must configure $UA80/tomcat/conf/server.xml to create this type of listener as shown in the following procedure.
Importing the certificate into IE
In IE, select Tools | Internet Options | Content | Certificates | Import.
If you are using Tomcat, the Java VM that Tomcat runs in must trust the Certificate Authority that issued the certificate.
Go to $UA80/jdk1.5.0_05/jre/lib/security and use the keytool command to import the CA certificate into the cacerts keystore.
Tomcat is not configured with a client authentication-enabled HTTPS listener, so you must configure the server.xml file located in $UA80/tomcat/conf to create the listener as shown in this example:
<!-- Define a SSL HTTP/1.1 Connector on port 4444 -->
<Connector port="4444" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS" keystoreFile=".keystore"/>
Make sure clientAuth is assigned the want value. After creating the listener, update the config.txt file located in $UA80/tomcat/webapps/certAuth accordingly. Then, configure the CSI LDAP provider to support certificate authentication.
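The following check, added here as an example and not part of the UA tooling, parses a server.xml and reports whether the port that certAuth/config.txt points at is an HTTPS connector that asks the browser for a certificate; the sample server.xml is constructed from the connector shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: a plain HTTP listener plus the SSL connector
# from the documentation above (clientAuth="want").
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192" />
    <Connector port="4444" scheme="https" secure="true" clientAuth="want"
               sslProtocol="TLS" keystoreFile=".keystore" />
  </Service>
</Server>"""

def https_connectors(server_xml):
    """Return {port: clientAuth} for every SSL connector in server.xml.
    Tomcat treats a missing clientAuth attribute as false."""
    root = ET.fromstring(server_xml)
    return {int(c.get("port")): c.get("clientAuth", "false")
            for c in root.iter("Connector")
            if c.get("scheme") == "https" and c.get("secure") == "true"}

def check_cert_auth_listener(server_xml, cert_auth_port):
    """Findings for the HTTPS port that certAuth/config.txt is set to use."""
    listeners = https_connectors(server_xml)
    if cert_auth_port not in listeners:
        return ["no HTTPS connector listens on port %d" % cert_auth_port]
    client_auth = listeners[cert_auth_port]
    if client_auth not in ("want", "true"):
        return ["port %d: clientAuth=%s, the browser is never asked for a certificate"
                % (cert_auth_port, client_auth)]
    if client_auth == "want":
        # "want" requests a certificate but completes the TLS handshake without
        # one, so certAuth itself must refuse requests that carry no certificate.
        return ["port %d: clientAuth=want, connections without a certificate are accepted by Tomcat"
                % cert_auth_port]
    return []
```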
There are two ways to map a certificate to a record in the LDAP directory:
Binary Certificate Registration – the user certificate is registered with an LDAP user record using an LDAP administration tool such as the SunONE Server Console. In this case, the CSI LDAP authentication provider is configured to match the certificate binary supplied by the user and locate a record in the LDAP server with the same registered binary certificate in order to authenticate the user.
Certificate Attribute Mapping – use this technique to map certificates that do not, or cannot, hold the actual certificate data into the LDAP directory. Configuring the mappings between the certificate and LDAP attributes is done through modifications to the following two configuration properties:
<config:authenticationProvider name="com.sybase.security.ldap.LDAPLoginModule" controlFlag="requisite">
    <!-- snipped other options for brevity -->
    <config:options name="certificateAttributes" value="" />
    <config:options name="ldapAttributes" value="" />
</config:authenticationProvider>
For example, to define a mapping between the e-mail attributes, you can use a configuration like this:
<config:options name="certificateAttributes" value="EMAIL" />
<config:options name="ldapAttributes" value="mail" />
You can add a secondary search attribute by separating the attribute names with a comma. For example:
<config:options name="certificateAttributes" value="EMAIL,CN" />
<config:options name="ldapAttributes" value="mail,cn" />
Following is an example of a complete CSI configuration for LDAP certificate authentication:
<?xml version="1.0" encoding="UTF-8"?>
<config:configuration xmlns:config="http://www.sybase.com/csi/2.5/config"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <!-- Certificate validation module -->
    <config:authenticationProvider name="com.sybase.security.core.CertificateValidationLoginModule" controlFlag="optional">
    </config:authenticationProvider>
    <!-- LDAP authenticator -->
    <config:authenticationProvider name="com.sybase.security.ldap.LDAPLoginModule" controlFlag="optional">
        <config:options name="ServerType" value="sunone5" />
        <config:options name="ProviderURL" value="ldap://tyuanxp.sybase.com:59889" />
        <config:options name="DefaultSearchBase" value="dc=sybase,dc=com" />
        <config:options name="enableCertificateAuthentication" value="true" />
        <config:options name="CertificateAuthenticationFilter" value="(&({certattr}={0})(objectclass=person))" />
    </config:authenticationProvider>
    <!-- LDAP attributer -->
    <config:provider name="com.sybase.security.ldap.LDAPAttributer" type="attributer" />
    <config:provider name="com.sybase.security.portaldb.PortalDBAuthorizer" type="authorizer">
        <config:options name="AlwaysUsePortalDBRoles" value="false" />
        <config:options name="AlwaysUsePortalDBPermissions" value="false" />
    </config:provider>
</config:configuration>
com.sybase.security.core.CertificateValidationLoginModule is configured before the LDAP authentication provider and is the module that validates the certificate. In the configuration above it has no options, so it checks only that the certificate is within its validity period; the issuing chain is not checked unless validateCertPath is enabled (see the options below).
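Added worked example (not CSI's own code) of how the certificateAttributes/ldapAttributes mapping and the CertificateAuthenticationFilter template above combine into the LDAP lookup for the certificate holder. The subject attributes and directory entries are constructed sample data, and the order in which CSI tries the mapped attributes and how it escapes values are assumptions; the RFC 4515 escaping shown is what prevents a crafted subject field from rewriting the filter.

```python
# Added example, not CSI's own implementation (see the lead-in for assumptions).
FILTER_TEMPLATE = "(&({certattr}={0})(objectclass=person))"  # from the CSI config above
CERT_ATTRS = ["EMAIL", "CN"]   # certificateAttributes="EMAIL,CN"
LDAP_ATTRS = ["mail", "cn"]    # ldapAttributes="mail,cn"

# Constructed stand-in for entries under dc=sybase,dc=com.
DIRECTORY = [
    {"dn": "uid=alice,dc=sybase,dc=com", "objectclass": "person",
     "mail": "alice@sybase.com", "cn": "Alice Liddell"},
    {"dn": "uid=bob,dc=sybase,dc=com", "objectclass": "person", "cn": "Bob Carter"},
]

def escape_filter_value(value):
    """RFC 4515 escaping: '(', ')', '*', backslash and NUL become \\xx, so a
    certificate subject cannot turn the equality match into a wildcard or add a clause."""
    return "".join("\\%02x" % ord(c) if c in "()*\\\0" else c for c in value)

def filters_for(subject):
    """Yield (ldap_attr, value, filter) for each mapped attribute present in the
    certificate subject: the primary attribute first, then the secondary one."""
    for cert_attr, ldap_attr in zip(CERT_ATTRS, LDAP_ATTRS):
        value = subject.get(cert_attr)
        if value is not None:
            flt = FILTER_TEMPLATE.replace("{certattr}", ldap_attr)
            flt = flt.replace("{0}", escape_filter_value(value))
            yield ldap_attr, value, flt

def locate_user(subject, directory=DIRECTORY):
    """Return the DN of the single entry matched by the first mapped attribute
    that yields exactly one hit (toy equality evaluation of the filter), else None."""
    for ldap_attr, value, _ in filters_for(subject):
        hits = [e for e in directory
                if e.get("objectclass") == "person" and e.get(ldap_attr) == value]
        if len(hits) == 1:
            return hits[0]["dn"]
    return None
```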
Table A-2 lists available configuration options for CertificateValidationLoginModule.
Configuration option | Default value | Definition
---|---|---
crl.[index].uri | | Specifies the URI of the CRL. Multiple CRLs can be configured by using different values for the index. If the CRL is to be retrieved from an LDAP directory, the LDAP URL specified must point to the certificationAuthority entry and include the query parameters that retrieve the certificateRevocationList attribute of that entry. For example, if an organizational unit (say ou=certCAou,dc=sybase,dc=com) is designated as a CA by adding the auxiliary object class certificationAuthority to it, the LDAP URL specified should look like this:
validateCertPath | false | Enables or disables certificate path validation.
trustedCertStore | | Specifies the key store containing the trusted CA certificates. Required when validateCertPath is set to true.
trustedCertStorePassword | | Password to access the specified trusted certificate store.
trustedCertStoreType | Obtained at runtime from KeyStore.getDefaultType() | Specifies the type of key store.
trustedCertStoreProvider | | Specifies the provider for the key store.
validatedCertificateIsIdentity | false | Specifies whether the certificate should be set as the ID for the authenticated subject. Set to false if the CertificateValidationLoginModule is used in conjunction with other login modules that establish user identity based on the validated certificate.