| Implementation class |
The fully qualified class
that implements the login module. com.sybase.security.core.CertificateAuthenticationLoginModule
is the default class. |
| Provider type |
LoginModule is the only supported
value. |
| Control flag |
Determines how success or
failure of this module affects the overall authentication
decision. optional is the
default value. |
| Clear password |
(Optional) If true, the login
module clears the user name and password from the shared
context. The default is false. |
| Store password |
(Optional) If true, the login
module stores the user name and password in the shared context.
The default is false. |
| Try first password |
(Optional) If true, the login
module attempts to retrieve user name and password information
from the shared context, before using the callback handler. The
default is false. |
| Use first password |
(Optional) If true, the login
module attempts to retrieve the user name and password only from
the shared context. The default is false. |
| Enable revocation checking |
(Optional) Enables online
certificate status protocol (OCSP) certificate checking for
user authentication. If you enable this option, you muse
enable OCSP in SAP Mobile Server. This provider uses the values
defined as part of the SSL security profile. Revoked
certificates result in authentication failure when both of
these conditions are met: - revocation checking is enabled
- OCSP properties are configured
correctly
|
| Regex for username certificate
match |
(Optional) By default, this
value matches that of the certificates common name (CN) property
used to identify the user. If a mobile
application user supplies a user name that does not match
this value, authentication fails.
|
| Trusted certificate store |
(Optional) The file
containing the trusted CA certificates (import the issuer
certificate into this certificate store). Use this property
and Store Password
property to keep the module out of the system trust store.
The default SAP Mobile Server
system trust store is SMP_HOME\Servers\UnwiredServer\Repository\Securitytruststore\truststore.jks.
If you do not specify a store location:: - SAP Mobile Server checks to see if a store
used by the JVM (that is, the one defined by the
javax.net.ssl.trustStoreType system
property.
- If the system property is not
defined, then this value is used: ${java.home}/lib/security/jssecacerts
- If that location also doesn't exist,
then this value is used: ${java.home}/lib/security/cacerts
Note: This property is required only
if Validate certificate path is set to true.
|
| Trusted certificate store
password |
(Optional) The password
required to access the trusted certificate store. For
example, import the issuer of the certificate you are trying
to authenticate into the shared JDK cacerts file and specify
the password using this property. Note: This
property is required only if Validate certificate path
is set to true. However, you do not need to configure
this value if the default is used.
The default
value is the value of the javax.net.ssl.trustStorePassword property. |
| Trusted certificate store
provider |
(Optional) The keystore
provider. For example, "SunJCE." Note: This
property is required only if Validate certificate path
is set to true. However, you do not need to configure
this value if the default is used.
The default
value is the value of the javax.net.ssl.trustStoreProvider property. If
it is not defined, then the most preferred provider from the
list of registered providers that supports the specified
certificate store type is used. |
| Trusted certificate store type |
(Optional) The type of
certificate store. For example, "JKS." Note: This property is required only if Validate certificate
path is set to true. However, you do not need to
configure this value if the default is used.
The
default value is the value of the javax.net.ssl.trustStore property. If this
value is not defined, then default value is the keystore
type as specified in the Java security properties file, or
the string "jks" (Java keystore) if no such property
exists. |
| Validate certificate path |
If true (the default),
performs certificate chain validation of the certificate
being authenticated, starting with the certificate being
validated. Verifies that the issuer of that certificate is
valid and is issued by a trusted certificate authority (CA),
if not, it looks up the issuer of that certificate in turn
and verifies it is valid and is issued by a trusted CA. In
other words, it builds up the path to a CA that is in the
trusted certificate store. If the trusted store does not
contain any of the issuers in the certificate chain, then
path validation fails. For information about adding a
certificate to the truststore, see Using Keytool to Generate Self-Signed Certificates and
Keys in Security.
|
| providerDescription |
(Optional). When enabled, allows the administrator to associate a
description with the provider instance.
Using a provider description makes it easier to
differentiate between multiple instances of the same provider type: for example,
when you have multiple login modules of the same type stacked in a security
configuration, each targeting a different repository.
|