Add and configure provider properties for CertificateValidationLoginModule, or accept the default settings. CertificateValidationLoginModule can be used in conjunction with other login modules that support certificate authentication (for example, LDAPLoginModule) by configuring CertificateValidationLoginModule before the login modules that support certificate authentication.
Property | Description |
---|---|
Implementation class | The fully qualified class that implements the login module. com.sybase.security.core.CertificateValidationLoginModule is the default class. |
crl.[index].uri | Specifies the universal resource identifier
for the certificate revocation list (CRL). Multiple CRLs can be
configured using different values for the index. The CRLs are
processed in index order. For
example:crl.1.uri=http://crl.verisign.com/ThawtePersonalFreemailIssuingCA.crl crl.2.uri=http://crl-server/ |
Provider type | LoginModule is the only supported value. |
Validated certificate is identity | (Optional) Determines if the certificate should be set the authenticated subject as the user ID. If the CertificateValidationLoginModule is used in conjunction with other login modules that establish user identity based on the validated certificate, set this value to false. If you are implementing this provider with a DCN security configuration, and it's also not used with SSO, then set this property to true.False is the default value. |
Enable revocation checking |
(Optional) Enables online certificate status protocol (OCSP)
certificate checking for user authentication. If you enable
this option, you muse enable OCSP in Unwired Server. This
provider uses the values defined as part of the SSL security
profile. Revoked certificates result in authentication
failure when both of these conditions are met:
|
Trusted certificate store |
(Optional)
The file containing the trusted CA certificates (import the
issuer certificate into this certificate store). Use this
property and Store Password property to
keep the module out of the system trust store.
The default Unwired Server system trust
store is <UnwiredPlatform_InstallDir\Servers\UnwiredServer\Repository\Securitytruststore\truststore.jks.
If you do not specify a store location::
Note: This property
is required only if Validate certificate path is set to
true.
|
Trusted certificate store password |
(Optional)
The password required to access the trusted certificate
store. For example, import the issuer of the certificate you
are trying to authenticate into the shared JDK cacerts file
and specify the password using this property.
Note: This property is required only if
Validate certificate path is set to
true.
However, you do not need to configure this value if the
default is
used.
The
default value is the value of the
javax.net.ssl.trustStorePassword
property. |
Trusted certificate store provider |
(Optional) The keystore provider. For
example, "SunJCE."
Note: This property is
required only if Validate certificate path is set to
true.
However, you do not need to configure this value if the
default is
used.
The
default value is the value of the
javax.net.ssl.trustStoreProvider
property. If it is not defined, then the most preferred
provider from the list of registered providers that supports
the specified certificate store type is
used. |
Trusted certificate store type |
(Optional) The type of certificate store.
For example, "JKS."
Note: This property is
required only if Validate certificate path is set to
true.
However, you do not need to configure this value if the
default is
used.
The
default value is the value of the
javax.net.ssl.trustStore property. If
this value is not defined, then default value is the
keystore type as specified in the Java security properties
file, or the string "jks" (Java keystore) if no such
property exists. |
Validate certificate path |
If true (the default), performs certificate chain validation of the certificate being authenticated, starting with the certificate being validated. Verifies that the issuer of that certificate is valid and is issued by a trusted certificate authority (CA), if not, it looks up the issuer of that certificate in turn and verifies it is valid and is issued by a trusted CA. In other words, it builds up the path to a CA that is in the trusted certificate store. If the trusted store does not contain any of the issuers in the certificate chain, then path validation fails. For information about adding a certificate to the truststore, see Using Keytool to Generate Self-Signed Certificates and Keys in Security. |