The following sections describe how to configure Oracle Communications Converged Application Server to use Client-Cert authentication:
Client-Cert authentication uses a certificate or other custom tokens in order to authenticate a user. The token is “mapped” to a user present in the Oracle Communications Converged Application Server security realm in which the Servlet is deployed. SIP Servlets that want to use Client-Cert authentication must set the auth-method element to CLIENT-CERT in their sip.xml deployment descriptor.
The token used for Client-Cert authentication can be obtained in several different ways:
- The javax.servlet.request.X509Certificate request attribute. This method for performing Client-Cert authentication is the most common and is described in the SIP Servlet specification (JSR-116). Oracle Communications Converged Application Server provides two security providers that can be used to validate the X509 certificate; see Configuring SSL and X509 for Oracle Communications Converged Application Server.
- The WL-Proxy-Client-Cert header in the SIP message. The server hosting the destination SIP Servlet then uses the WL-Proxy-Client-Cert header to obtain the certificate. The certificate is also made available by the container to Servlets via the javax.servlet.request.X509Certificate request attribute.
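The request-attribute method above, as an added illustration (not Oracle's code): a SIP servlet deployed with auth-method CLIENT-CERT reads the chain the container places under javax.servlet.request.X509Certificate, refuses the request when no certificate or no mapped realm user is present, and extracts the CN from the leaf certificate's SubjectDN for logging. The servlet class name and the doInvite handling are assumptions for the example.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.ServletException;
import javax.servlet.sip.SipServlet;
import javax.servlet.sip.SipServletRequest;
import javax.servlet.sip.SipServletResponse;

/** Illustrative servlet (assumed name), not part of Oracle Communications Converged Application Server. */
public class ClientCertInviteServlet extends SipServlet {

    /** Attribute name defined by the Servlet / SIP Servlet (JSR-116) specifications. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doInvite(SipServletRequest req) throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // No client certificate arrived over the SIPS (two-way SSL) transport: reject.
            req.createResponse(SipServletResponse.SC_FORBIDDEN, "Client certificate required").send();
            return;
        }
        // The identity asserter maps the certificate to a realm user before the servlet
        // runs; a missing principal means that mapping failed, so do not serve the request.
        if (req.getUserPrincipal() == null) {
            req.createResponse(SipServletResponse.SC_FORBIDDEN, "Unmapped client certificate").send();
            return;
        }
        String cn = userFromSubjectDn(chain[0]);
        log("INVITE from realm user " + req.getUserPrincipal().getName() + " (certificate CN=" + cn + ")");
        req.createResponse(SipServletResponse.SC_OK).send();
    }

    /** Extracts the CN RDN from the leaf certificate's subject, e.g. "CN=alice,OU=sip,O=example" -> "alice". */
    static String userFromSubjectDn(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // Unparsable subject: fall through and report no CN.
        }
        return null;
    }
}
```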
To use this alternate method of supplying client tokens, you must configure Oracle Communications Converged Application Server to enable use of the WL-Proxy-Client-Cert header; see Configuring Oracle Communications Converged Application Server to Use WL-Proxy-Client-Cert. You must also configure an X509 Identity Asserter provider as described in Configuring SSL and X509 for Oracle Communications Converged Application Server.
SIP Servlets can also use the CLIENT-CERT auth-method to implement perimeter authentication. Perimeter authentication uses custom token names and values, along with a custom security provider, to authenticate clients. See Supporting Perimeter Authentication with a Custom IA Provider for a summary of steps required to implement perimeter authentication.
Oracle Communications Converged Application Server includes two separate Identity Assertion providers that can be used with X509 certificates. The LDAP X509 Identity Asserter provider receives an X509 certificate, looks up the LDAP object for the user associated with that certificate in a separate LDAP store, ensures that the certificate in the LDAP object matches the presented certificate, and then retrieves the name of the user from the LDAP object. The Default Identity Asserter provider maps the user according to its configuration, but does not validate the certificate.
With either provider, Oracle Communications Converged Application Server uses two-way SSL to verify the digital certificate supplied by the client. You must ensure that a SIPS transport (SSL) has been configured in order to use Client-Cert authentication. See Managing Oracle Communications Converged Application Server Network Resources in Configuring Network Resources if you have not yet configured a secure transport.
See Configuring the Default Identity Asserter to configure the Default Identity Asserter provider. In most production installations you will have a separate LDAP store and will need to configure the LDAP X509 Identity Asserter provider to use client-cert authentication; see Configuring the LDAP X509 Identity Asserter.
The Default Identity Asserter can be configured to verify an X509 certificate passed to it by a client over a secure (SSL) connection. The Default Identity Asserter requires a separate user name mapper to map the associated client “certificate” to a user configured in the default security realm. You can use the default user name mapper installed with Oracle Communications Converged Application Server, or you can create a custom user name mapper class as described in Configuring a WebLogic Credential Mapping Provider in the Oracle WebLogic Server 10g Release 3 Documentation.
Follow these instructions to configure the Default Identity Asserter:
To use the default user name mapper:
Follow these steps to create and configure the X509 Authentication Provider.
ldap1.mycompany.com:1050 ldap2.mycompany.com:1050
See Configuring Failover for LDAP Authentication Providers in the Oracle WebLogic Server 10g Release 3 documentation for more information about configuring failover.
If this value is set to a non-zero value, the provider waits the specified number of seconds before spawning a new thread for an additional connection attempt. For example, if the value is set to 2, the provider first tries to connect to the first configured LDAP server in the Host list. After 2 seconds, if the connection has not yet been established, the provider spawns a new thread and tries to connect to the second server configured in the Host list, and so on for each configured LDAP server.
In order for Oracle Communications Converged Application Server to use the WL-Proxy-Client-Cert header, a proxy server or load balancer must first receive the X509 certificate for a client request, encode it using base-64 encoding, and then add the resulting token in the WL-Proxy-Client-Cert header of the SIP message. If your system is configured in this way, you can enable the local Oracle Communications Converged Application Server instance (or individual SIP Servlet instances) to examine the WL-Proxy-Client-Cert header for client tokens.
To configure the server instance to use the WL-Proxy-Client-Cert header:
To enable the WL-Proxy-Client-Cert header for an individual Web Application, set the com.bea.wcp.clientCertProxyEnabled context parameter to true in the application’s sip.xml deployment descriptor.
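The WL-Proxy-Client-Cert exchange above, as an added illustration (not Oracle's code): the proxy side base-64 encodes the DER form of the client's certificate into the header value, and the receiving side rebuilds the certificate from that token. The trusted-proxy source-address check is an assumption added here as a safeguard against a client supplying the header itself; it is not a setting described on this page.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;

/** Illustrative helper (assumed name), not part of Oracle Communications Converged Application Server. */
public final class ProxyClientCertToken {

    /** Header name described on this page. */
    public static final String HEADER = "WL-Proxy-Client-Cert";

    private final Set<String> trustedProxies;

    /** @param trustedProxies source addresses allowed to supply the header (assumed deployment detail). */
    public ProxyClientCertToken(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /** Proxy side: DER-encode the client certificate and base-64 it into a single header value. */
    public static String encode(X509Certificate cert) throws CertificateException {
        return Base64.getEncoder().encodeToString(cert.getEncoded());
    }

    /**
     * Server side: honour the token only when the SIP message came from a trusted proxy,
     * then parse it back into a certificate. Returns null when the header must be ignored
     * (absent, or sent by something other than the proxy); throws when the token is malformed.
     */
    public X509Certificate fromHeader(String token, String remoteAddr) throws CertificateException {
        if (token == null || !trustedProxies.contains(remoteAddr)) {
            return null;
        }
        byte[] der;
        try {
            der = Base64.getDecoder().decode(token.trim());
        } catch (IllegalArgumentException e) {
            throw new CertificateException(HEADER + " is not valid base-64", e);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }
}
```

Inside a servlet the two inputs come from the SIP request's header value for WL-Proxy-Client-Cert and its remote address; the certificate returned is what the X509 Identity Asserter then maps to a realm user.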
With perimeter authentication, a system outside of WebLogic Server establishes trust via tokens. The system is generally comprised of an authentication agent that creates an artifact or token that must be presented to determine information about the authenticated user at a later time. The actual format of the token varies from vendor to vendor (for example, SAML or SPNEGO).
Oracle Communications Converged Application Server supports perimeter authentication through the use of an Identity Assertion provider designed to recognize one or more token formats. When the authentication type of a SIP Servlet is set to CLIENT-CERT, the SIP container in Oracle Communications Converged Application Server performs identity assertion on values from the request headers. If the header name matches the active token type for a configured provider, the value is passed to the provider for identity assertion.
The provider can then use a user name mapper to resolve the certificate to a user available in the security realm. The user corresponding to the Subject's Distinguished Name (SubjectDN) attribute in the client's digital certificate must be defined in the server's security realm; otherwise the client will not be allowed to access a protected WebLogic resource.
If you want to use custom tokens to pass client certificates for perimeter authentication, you must create and configure a custom Identity Assertion provider in place of the LDAP X509 or Default Identity Asserter providers described above. See Identity Assertion Providers in the Oracle WebLogic Server 10g Release 3 Documentation for information about creating providers for handling tokens passed with perimeter authentication.