Sun Java System Access Manager 7.1 Administration Guide

Certificate

Certificate-based Authentication involves using a personal digital certificate (PDC) to identify and authenticate a user. A PDC can be configured to require a match against a PDC stored in Directory Server, and verification against a Certificate Revocation List.

Several prerequisites must be completed before adding the Certificate-based Authentication module to a realm. First, the web container that is installed with Access Manager needs to be secured and configured for Certificate-based Authentication.


Note –

If you are configuring Access Manager Certificate authentication with an SSL-enabled Sun Java System Web Server 6.1 instance, and want the Web Server to accept both certificate-based and non-certificate-based authentication requests, you must set the following value in the Web Server's obj.conf file:

PathCheck fn="get-client-cert" dorequest="1" require="0"

This is due to a limitation in the WebServer console when setting the optional attribute for this behavior.
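The following check confirms that obj.conf carries the setting described in the note above. It is an added example, not code from this guide or from Sun. The function names and the sample obj.conf text are constructed, and reading require="1" as "certificate mandatory" is an assumption.

```python
import re

# Matches name="value" parameter pairs on an obj.conf directive line.
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')

def find_client_cert_directives(obj_conf_text):
    """Return (line_number, params) for each active PathCheck get-client-cert line."""
    found = []
    for number, line in enumerate(obj_conf_text.splitlines(), start=1):
        stripped = line.strip()
        # Skip comments and every directive that is not a PathCheck.
        if stripped.startswith("#") or not stripped.startswith("PathCheck"):
            continue
        params = dict(PARAM_RE.findall(stripped))
        if params.get("fn") == "get-client-cert":
            found.append((number, params))
    return found

def classify(params):
    """Label a get-client-cert directive by how it treats a missing certificate."""
    if params.get("dorequest") == "1" and params.get("require") == "0":
        return "optional"   # the value given in the note: both request kinds accepted
    if params.get("dorequest") == "1" and params.get("require") == "1":
        return "required"   # assumption: requests without a certificate are refused
    return "review"         # parameter missing or unexpected; inspect by hand

def audit(obj_conf_text):
    """Return (line_number, label) for every active get-client-cert directive."""
    return [(n, classify(p)) for n, p in find_client_cert_directives(obj_conf_text)]

# Constructed sample, not taken from a real server.
SAMPLE = "\n".join([
    '<Object name="default">',
    'NameTrans fn="document-root" root="$docroot"',
    '# PathCheck fn="get-client-cert" dorequest="1" require="1"',
    'PathCheck fn="get-client-cert" dorequest="1" require="0"',
    'PathCheck fn="find-index" index-names="index.html,home.html"',
    '</Object>',
])

if __name__ == "__main__":
    results = audit(SAMPLE)
    if not results:
        print("no active get-client-cert directive found")
    for line_number, label in results:
        print(f"line {line_number}: client certificate is {label}")
```

An empty result means no active get-client-cert directive exists in the file, so the setting from the note has not been applied there.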


Before enabling the Certificate-based module, see Chapter 6, “Using Certificates and Keys” in the Sun ONE Web Server 6.1 Administrator’s Guide for these initial Web Server configuration steps. This document can be found at the following location:

http://docs.sun.com/db/prod/s1websrv#hic

Or, see the Sun ONE Application Server Administrator’s Guide to Security at http://docs.sun.com/source/816-7158-10/contents.html.


Note –

Each user that will authenticate using the certificate-based module must request a PDC for the user’s browser. Instructions are different depending upon the browser used. See your browser’s documentation for more information.


To add this module, you must log in to Access Manager as the realm Administrator, and both Access Manager and the web container must be configured for SSL with client authentication enabled. For more information, see Configuring Access Manager in SSL Mode in the Access Manager Post Installation Guide.