Versions Compared

Old Version 1

changes.mady.by.user Jonė Š.

Saved on

compared with

New Version 2

changes.mady.by.user Jonė Š.

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

id1317141704

...

id1317141715

...

id1329529972

On this page

...

Table of Contents

...

id1317141705

Basic Configuration

In

...

order for Common Access Card (CAC) authentication to work, SSL must be enabled

...

in Web Application Platform.

Next, you need to enable certificate authentication:

Code Block
authentication.certificate.enabled=true

The next step is to configure which part of the subject DN (distinguished name) will be used as the username (authentication.certificate.username.template), and which part will be displayed in the login screen (authentication.certificate.displayname.template).

Both of these values default to using (CN)

Image Modified

...

Configuring username

Code Block
authentication.certificate.username.template=(CN)

The template can contain ASCII characters as well as placeholders in parenthesis that are replaced with relative distinguished name (RDN)

...

 values from the DN (if the username is constructed from the Subject Distinguished Name) or SAN (if the username is constructed from the Subject Alternative Name) 

For example, when the subject DN or SAN (of type 4) on the certificate is CN=JohnDoe,O=MyCompany,C=GB:

Template: (CN), username: JohnDoe

Template: (O)-(CN), username: MyCompany-JohnDoe

Template: CERT_(CN), username: CERT_JohnDoe

...

Configuring the value displayed in the login button

To configure the value displayed in the login button, we must edit the authentication.certificate.displayname.template

...

 property:

Code Block
authentication.certificate.displayname.template=(CN)

For example, as shown in the picture above, when

...

the subject DN or SAN (of type 4) on the certificate

...

is CN=JohnDoe,O=MyCompany,C=GB, and the display template

...

is (CN) CERTIFICATE, the button will display „JOHNDOE CERTIFICATE“.

For a list of all the advanced properties available for configuration, please refer

...

to Authentication by certificate.  

...

Configuring truststore

CAC integration requires that a truststore containing the Certificate Authority (CA) certificates that issue the user's certificates would exist.

Certificate verification should be enabled in

...

the WebAppPlatform/conf/server.xml

...

 file. See the Tomcat configuration information for it

...

on this page. E.g., if the Tomcat SSL implementation is JSSE-based, you will need to add the following attributes to the SSLHostConfig property under Connector:

  • certificateVerification

...

  •  with the

...

  • value optional

...

  •  or  required  (if ONLY the certificate authentication is allowed).
  • truststoreFile - path to the truststore file containing the CA certificates.
  • truststorePassword - truststore password.
  • truststoreType - e.g. "JKS" or "PKCS12".

Certificate Revocation List

The authentication server supports 2 methods of handling certificate revocation lists - via a URL, or via a local list stored in the file system. To enable this feature, uncomment either authentication.certificate.revocation.list.url

...

 or authentication.certificate.revocation.list.file, and point it to the location of the revocation list.


Code Block
authentication.certificate.revocation.list.url=http://someserver.somedomain.com/revocation.lst
authentication.certificate.revocation.list.file=/opt/local/revovcation.lst

...

id1317141703

Related pages

...