test

Sun OpenSSO Enterprise 8.0 Administration Reference

Certificate

This module enables a user to log in through a personal digital certificate (PDC). The module instance can require the use of the Online Certificate Status Protocol (OCSP) to determine the state of a certificate. Use of the OCSP is optional. The user is granted or denied access to a resource based on whether or not the certificate is valid. The Certificate authentication attributes are realm attributes. The attributes are:

Match Certificate in LDAP

Specifies whether to check if the user certificate presented at login is stored in the LDAP Server. If no match is found, the user is denied access. If a match is found and no other validation is required, the user is granted access. The default is that the Certificate Authentication service does not check for the user certificate.

Note –

A certificate stored in the Directory Server is not necessarily valid; it may be on the certificate revocation list. See Match Certificate to CRL. However, the web container may check the validity of the user certificate presented at login.

Subject DN Attribute Used to Search LDAP for Certificates

Specifies the attribute of the certificate's SubjectDN value that will be used to search LDAP for certificates. This attribute must uniquely identify a user entry. The actual value will be used for the search. The default is cn.

Match Certificate to CRL

Specifies whether to compare the user certificate against the Certificate Revocation List (CRL) in the LDAP Server. The CRL is located by one of the attribute names in the issuer's SubjectDN. If the certificate is on the CRL, the user is denied access; if not, the user is allowed to proceed. This attribute is, by default, not enabled.

Certificates should be revoked when the owner of the certificate has changed status and no longer has the right to use the certificate or when the private key of a certificate owner has been compromised.

Issuer DN Attribute Used to Search LDAP for CRLs

Specifies the attribute of the received certificate's issuer subjectDN value that will be used to search LDAP for CRLs. This field is used only when the Match Certificate to CRL attribute is enabled. The actual value will be used for the search. The default is cn.

HTTP Parameters for CRL Update

Specifies the HTTP parameters for obtaining a CRL from a servlet for a CRL update. Contact the administrator of your CA for these parameters.

OCSP Validation

Enables OCSP validation to be performed by contacting the corresponding OCSP responder. The OCSP responder is decided as follows during runtime. The attributes mentioned are located in the console at Configuration > Servers and Sites > Security:

Before enabling OCSP Validation, make sure that the time of the OpenSSO Enterprise machine and the OCSP responder machine are in sync as close as possible. Also, the time on the OpenSSO Enterprise machine must not be behind the time on the OCSP responder. For example:

OCSP responder machine - 12:00:00 pm

OpenSSO Enterprise machine - 12:00:30 pm

LDAP Server Where Certificates are Stored

Specifies the name and port number of the LDAP server where the certificates are stored. The default value is the host name and port specified when OpenSSO Enterprise was installed. The host name and port of any LDAP Server where the certificates are stored can be used. The format is hostname:port.

LDAP Start Search DN

Specifies the DN of the node where the search for the user's certificate should start. There is no default value. The field will recognize any valid DN.

Multiple entries must be prefixed by the local server name. The format is as follows:

servername|search dn

For multiple entries:

servername1|search dn servername2|search dn servername3|search dn...

If multiple entries exist under the root organization with the same user ID, then this parameter should be set so that the only one entry can be searched for or found in order to be authenticated. For example, in the case where the agent ID and user ID is same under root org, this parameter should be ou=Agents for the root organization to authenticate using Agent ID and ou=People, for the root organization to authenticate using User ID.

LDAP Server Principal User

This field accepts the DN of the principal user for the LDAP server where the certificates are stored. There is no default value for this field which will recognize any valid DN. The principal user must be authorized to read, and search certificate information stored in the Directory Server.

LDAP Server Principal Password

This field carries the LDAP password associated with the user specified in the LDAP Server Principal User field. There is no default value for this field which will recognize the valid LDAP password for the specified principal user. This value is stored as readable text in the directory.

LDAP Server Principal Password (confirm)

Confirm the password.

Use SSL for LDAP Access

Specifies whether to use SSL to access the LDAP server. The default is that the Certificate Authentication service does not use SSL for LDAP access.

Certificate Field Used to Access User Profile

Specifies which field in the certificate's Subject DN should be used to search for a matching user profile. For example, if you choose email address, the certificate authentication service will search for the user profile that matches the attribute emailAddr in the user certificate. The user logging in then uses the matched profile. The default field is subject CN. The list contains:

Other Certificate Field Used to Access User Profile

If the value of the Certificate Field Used to Access User Profile attribute is set to other, then this field specifies the attribute that will be selected from the received certificate's subjectDN value. The authentication service will then search the user profile that matches the value of that attribute.

SubjectAltNameExt Value Type to Access User Profile

If any value type other than none is selected, this attribute has precedence over Certificate Field Used to Access User Profile or Other Certificate Field Used to Access User Profileattribute.

Trusted Remote Hosts

Defines a list of trusted hosts that can be trusted to send certificates to OpenSSO Enterprise. OpenSSO Enterprise must verify whether the certificate emanated from one of these hosts. This attribute is used for the Portal Server gateway, for a load balancer with SSL termination and for Distributed Authentication.

none

Disables the attribute. This is set by default.

all

Accepts Portal Server Gateway-style certificate authentication from any client IP address.

IP ADDR

Lists the IP addresses from which to accept Portal Server Gateway-style certificate authentication requests (the IP Address of the Gateway(s)). The attribute is configurable on an realm basis.

SSL Port Number

Specifies the port number for the secure socket layer. Currently, this attribute is only used by the Gateway servlet. Before you add or change an SSL Port Number, see the "Policy-Based Resource Management" section in the OpenSSO Enterprise Administration Guide.

HTTP Header Name for Client Certificate

This attribute is used only when the Trusted Remote Hosts attribute is set to all or has a specific host name defined. The administrator must specify the http header name for the client certificate that is inserted by the load balancer or SRA.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.

Note –

If no authentication level is specified, the SSO token stores the value specified in the Core authentication attribute Default Authentication Level