Certificate Validation Properties

Add and configure provider properties for CertificateValidationLoginModule, or accept the default settings. CertificateValidationLoginModule  can be used in conjunction with other login modules that support certificate authentication (for example, LDAPLoginModule) by configuring CertificateValidationLoginModule before the login modules that support certificate authentication.

You can only use this provider to validate client certificates when an HTTPS listeners is configured to use mutual authentication.
CertificateValidationLoginModule properties
Property Description
Implementation class The fully qualified class that implements the login module. com.sybase.security.core.CertificateValidationLoginModule is the default class.
crl.[index].uri Specifies the universal resource identifier for the certificate revocation list (CRL). Multiple CRLs can be configured using different values for the index. The CRLs are processed in index order. For example:
crl.1.uri=http://crl.verisign.com/ThawtePersonalFreemailIssuingCA.crl
crl.2.uri=http://crl-server/
Provider type LoginModule is the only supported value.
Validated certificate is identity (Optional) Determines if the certificate should be set the authenticated subject as the user ID. If the CertificateValidationLoginModule is used in conjunction with other login modules that establish user identity based on the validated certificate, set this value to false. If you are implementing this provider with a DCN security configuration, and it's also not used with SSO, then set this property to true.False is the default value.
Enable revocation checking
(Optional) Enables online certificate status protocol (OCSP) certificate checking for user authentication. If you enable this option, you must enable OCSP in SAP Mobile Server. This provider uses the values that are defined in the SSL security profile. Revoked certificates result in authentication failure when:
  • Revocation checking is enabled, and
  • OCSP properties are configured correctly.
Trusted certificate store
(Optional) The file containing the trusted CA certificates (import the issuer certificate into this certificate store). Use this property and Store Password property to keep the module out of the system trust store. The default SAP Mobile Server system trust store is SMP_HOME\Servers\UnwiredServer\Repository\Security\keystore.jks. If you do not specify a store location:
  • SAP Mobile Server checks to see if a store used by the JVM (that is, the one defined by the javax.net.ssl.trustStoreType system property.
  • If the system property is not defined, then this value is used: ${java.home}/lib/security/jssecacerts
  • If that location also doesn't exist, then this value is used: ${java.home}/lib/security/cacerts
Note: This property is required only if Validate certificate path is set to true.
Trusted certificate store password
(Optional) The password required to access the trusted certificate store. For example, import the issuer of the certificate you are trying to authenticate into the shared JDK cacerts file and specify the password using this property.
Note: This property is required only if Validate certificate path is set to true. However, you do not need to configure this value if the default is used.
The default value is the value of the javax.net.ssl.trustStorePassword property.
Trusted certificate store provider
(Optional) The keystore provider. For example, "SunJCE."
Note: This property is required only if Validate certificate path is set to true. However, you do not need to configure this value if the default is used.
The default value is the value of the javax.net.ssl.trustStoreProvider property. If it is not defined, then the most preferred provider from the list of registered providers that supports the specified certificate store type is used.
Trusted certificate store type
(Optional) The type of certificate store. For example, "JKS."
Note: This property is required only if Validate certificate path is set to true. However, you do not need to configure this value if the default is used.
The default value is the value of the javax.net.ssl.trustStore property. If this value is not defined, then default value is the keystore type as specified in the Java security properties file, or the string "jks" (Java keystore) if no such property exists.
Validate certificate path

If true (the default), performs certificate chain validation of the certificate being authenticated, starting with the certificate being validated. Verifies that the issuer of that certificate is valid and is issued by a trusted certificate authority (CA), if not, it looks up the issuer of that certificate in turn and verifies it is valid and is issued by a trusted CA. In other words, it builds up the path to a CA that is in the trusted certificate store. If the trusted store does not contain any of the issuers in the certificate chain, then path validation fails.

providerDescription

(Optional). When enabled, allows the administrator to associate a description with the provider instance.

Using a provider description makes it easier to differentiate between multiple instances of the same provider type: for example, when you have multiple login modules of the same type stacked in a security configuration, each targeting a different repository.