6.3 Create X509 Authentication Module

The X509 Authentication module is similar to the LDAP plug-in, with additional properties that indicate which attribute of the client's X.509 certificate is validated against the user attribute in LDAP. Use the Create X509 Authentication Module page to create a new X509 Authentication module.

The following table describes the elements on the Create X509 Authentication Module page:

Element Description

Name

Type a unique name for this module.

Match LDAP Attribute

Specify the LDAP distinguished name attribute to be searched against, given the X509 Cert Attribute value.

For example: If the certificate subject EMAIL is me@example.com and it must be matched against the "mail" LDAP attribute, an LDAP query must search LDAP against the "mail" attribute with the value "me@example.com (cn)".

X509 Cert Attribute

Specify the certificate attribute to be used to bind the public key.

For example, attributes within the subject or issuer scope that can be extracted from the certificate: subject.DN, issuer.DN, subject.EMAIL.

Cert Validation Enabled

Check to enable X.509 certificate validation. Disabled when not checked.

When enabled, the OAM Server performs the certificate validation (rather than having the WebLogic server intercept and validate the certificate before passing it to the OAM Server). Access Manager performs the entire certificate path validation.

OCSP Enabled

Check to enable the Online Certificate Status Protocol. Disabled when not checked. Values will be either true or false.

For example: OCSP Enabled - true.

Note: OCSP Server Alias, OCSP Responder URL and OCSP Responder Timeout are required only when OCSP Enabled is selected.

OCSP Server Alias

Provide an alias name for the OCSP responder that points to the CA certificates in the oamkeystore file: a mapping between the alias and the actual instance name or IP address of the OCSP responder instance.

OCSP Responder URL

Provide the URL of the Online Certificate Status Protocol responder.

For example:

OpenSSL Responder URL: http://localhost:6060

OCSP Responder Timeout

Specify the grace period for users with expired certificates, to enable them to access OAM Servers for a limited time before renewing the certificate.

Apply

Click Apply to submit this X509 Authentication module.
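The Match LDAP Attribute and X509 Cert Attribute settings above describe a lookup: pull one value out of the client certificate and search an LDAP attribute for it. The following Go program is an added illustration of that lookup, not Oracle Access Manager code: it resolves the page's attribute notation (subject.DN, issuer.DN, subject.EMAIL) against a parsed certificate and builds the corresponding LDAP search filter, escaping the certificate value per RFC 4515 so that a crafted subject cannot reshape the query. The self-signed certificate it generates is a constructed fixture standing in for the client certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var (
	// PKCS#9 emailAddress (1.2.840.113549.1.9.1), the subject attribute behind "subject.EMAIL".
	oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
	// RFC 4515 escaping: a value copied out of a client certificate must not alter the filter's structure.
	filterEscaper = strings.NewReplacer(`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`, "\x00", `\00`)
)

// ldapFilter resolves the X509 Cert Attribute (subject.DN, issuer.DN, subject.EMAIL) and builds the Match LDAP Attribute query, e.g. (mail=me@example.com).
func ldapFilter(cert *x509.Certificate, certAttr, ldapAttr string) (string, error) {
	vals := map[string]string{"subject.DN": cert.Subject.String(), "issuer.DN": cert.Issuer.String()}
	for _, n := range cert.Subject.Names {
		if s, ok := n.Value.(string); ok && n.Type.Equal(oidEmailAddress) {
			vals["subject.EMAIL"] = s
		}
	}
	if v := vals[certAttr]; v != "" {
		return fmt.Sprintf("(%s=%s)", ldapAttr, filterEscaper.Replace(v)), nil
	}
	return "", fmt.Errorf("certificate has no usable %q value", certAttr)
}

// selfSignedCert is a constructed test fixture (not from any real CA) standing in for the client certificate.
func selfSignedCert(email string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{CommonName: "me", ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: email}}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
```

With Cert Validation Enabled, the certificate path and OCSP status are checked before this lookup; the filter only identifies the LDAP user the certificate claims to be.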

Related Topics

Managing Authentication and Shared Policy Components in the Administrator's Guide for Oracle Access Management.