The Certificate authentication module requires a personal digital certificate (PDC) to identify and authenticate a user. The module can be configured to require a match between the user's PDC and a PDC stored in the configuration data store, as well as verification against a Certificate Revocation List. It can also require the use of the Online Certificate Status Protocol (OCSP) to determine the state of a certificate. Successful or failed authentication is dependent on whether or not the certificate is valid. The following information should be considered before using the Certificate authentication module.
The web container that is installed with the OpenSSO Enterprise needs to be secured and configured for Certificate-based Authentication.
To add this module, log in to OpenSSO Enterprise as the realm Administrator and have OpenSSO Enterprise and the web container configured for SSL and with client authentication enabled.
To check the certificates presented by a client against those found in a directory server, import the root CA certificate for the client certificate into the trust store of the JVM on the OpenSSO Enterprise host machine (by default JDK_HOME/jre/lib/security/cacerts). You can use the keytool command line interface.
If you are configuring OpenSSO Enterprise Certificate authentication with an SSL-enabled Sun Java System Web Server 6.1 instance, and wish to have the Web Server defined to accept both certificate based and non certificate based authentication requests, you must set the following value in the Web Server's obj.conf file:
PathCheck fn="get-client-cert" dorequest="1" require="0 |
This is due to a limitation in the Web Server console when setting the optional attribute for this behavior. Is this the web container on which OSSO is deployed?
Before enabling the Certificate-based module, see Using Certificates and Keys in the Sun ONE Web Server 6.1 Administration Guide at http://docs.sun.com/db/prod/s1websrv#hic or the Sun ONE Application Server Administrator’s Guide to Security at http://docs.sun.com/db/prod/s1appsrv#hic for initial configuration steps.
Each user that will authenticate using the Certificate authentication module must request a PDC for the browser. Instructions depend upon the browser being used. See the specific documentation for more information.
For information on the Certificate authentication module attributes, see Certificate in Sun OpenSSO Enterprise 8.0 Administration Reference.