The certificate realm supports SSL authentication. The certificate realm sets up the user identity in Sun Java System Web Server's security context and populates it with user data from the client certificate. The J2SE containers then handle authorization processing based on each user's DN from his or her certificate. The certificate realm has the following configuration characteristics:
Name: certificate
Classname: com.iplanet.ias.security.auth.realm.certificate.CertificateRealm
You can add the following optional property to tailor the certificate realm behavior:
assign-groups: If this property is set, its value is taken to be a comma-separated list of group names. All clients presenting valid certificates are assigned membership to these groups for the purposes of authorization decisions in the web container.
When you deploy an application, you must specify CLIENT-CERT as the authentication mechanism in the web.xml file as follows:
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
You must obtain a client certificate and install it in your browser to complete the setup for client certificate authentication. For details on how to set up the server and client certificates, see the Sun Java System Web Server 6.1 SP9 Administrator’s Guide.
You can configure the server instance for SSL authentication in these ways:
Configure an SSLPARAMS element in server.xml, then restart the server. For more information about the server.xml file, see the Sun Java System Web Server 6.1 SP9 Administrator’s Configuration File Reference.
Use the Administration interface as described in the Sun Java System Web Server 6.1 SP9 Administrator’s Guide.
In most cases, it is not necessary to configure a certificate realm in server.xml when using CLIENT-CERT authentication in web applications. Since the CLIENT-CERT authentication method inherently implies certificate-based authentication, Sun Java System Web Server will internally use a certificate realm even if one is not configured in server.xml. You can still configure a certificate realm if you want to specify properties for it (for example, assign-groups).
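The following is an added example, not taken from the Sun documentation, showing how an assign-groups value reaches an authorization decision in a web application. The group name cert-users, the role name cert-role and the /secure/* URL pattern are constructed for illustration. The AUTHREALM/PROPERTY layout in server.xml and the sun-web.xml role mapping are assumptions about the 6.1 descriptor formats and should be checked against the Administrator's Configuration File Reference.

```xml
<!-- server.xml: certificate realm, placed beside the existing AUTHREALM entries.
     "cert-users" is a constructed group name. -->
<AUTHREALM name="certificate"
           classname="com.iplanet.ias.security.auth.realm.certificate.CertificateRealm">
  <PROPERTY name="assign-groups" value="cert-users"/>
</AUTHREALM>

<!-- WEB-INF/web.xml: require a client certificate and a role for /secure/*.
     "cert-role" and the URL pattern are constructed. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>secure-area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert-role</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>cert-role</role-name>
</security-role>

<!-- WEB-INF/sun-web.xml: map the application role to the realm-assigned group. -->
<security-role-mapping>
  <role-name>cert-role</role-name>
  <group-name>cert-users</group-name>
</security-role-mapping>
```

Because assign-groups applies to every client presenting a valid certificate, each certificate the server accepts receives cert-role in this setup. Review which CAs the server trusts for client authentication before relying on the group for access control.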