Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Content layer
id1317298791
Content column
id1317298811
Content block
id1329431813

On this page:

Table of Contents

Content block
id1317298801

Basic Configuration

In order for Common Access Card (CAC) authentication to work, SSL must be enabled on the authentication server.:

Code Block
server.ssl.enabled=true

Next, you need to enable certificate authentication.:

Code Block
authentication.certificate.enabled=true

The next step is to configure which part of the subject DN (distinguished name) will be used as the username (authentication.certificate.username.template), and which part will be displayed in the login screen (authentication.certificate.displayname.template).

Both of these values default to using (CN)

Configure username

Code Block
authentication.certificate.username.template=(CN)

The template can contain ASCII characters as well as placeholders in parenthesis that are replaced with relative distinguished name (RDN) values from the DN (if the username is constructed from the Subject Distinguished Name) or SAN (if the username is constructed from the Subject Alternative Name)

For example, when the subject DN or SAN (of type 4) on the certificate is CN=JohnDoe,O=MyCompany,C=GB:

Template: (CN), username: JohnDoe

Template: (O)-(CN), username: MyCompany-JohnDoe

Template: CERT_(CN), username: CERT_JohnDoe

Configure the value displayed in the login button

To configure the value displayed in the login button, we must edit the authenticationthe authentication.certificate.displayname.template property.

Code Block
authentication.certificate.displayname.template=(CN)

For example, as shown in the picture above, when the subject DN or SAN (of type 4) on the certificate is CN=JohnDoe,O=MyCompany,C=GB, and the display template is (CN) CERTIFICATE, the button will display „JOHNDOE CERTIFICATE“.

For a list of all the advanced properties available for configuration, please refer to Authentication by certificate.  

TrustStore Configuration

CAC integration requires that a truststore containing the Certificate Authority (CA) certificates that issue the user's certificates would exist. This truststore by default can be found under AuthServer/config/

The following parameter properties need to be configured:

Code Block
server.ssl.trust-store=config/truststore.jks
server.ssl.trust-store-type=JKS
server.ssl.trust-store-password=secret
server.ssl.client-auth=want

In a directory, named truststore, under AuthServer/config/ place all the CA certificates. Upon startup of the authentication server, if truststore.jks does not exist, it will be created by importing the CA certificates located in Authserver/config/truststore.  If you make changes to the certificates in the truststore directory, delete truststore.jks and restart the authentication service.  This will recreate the truststore with the current set of CA certificates.

For a list of all the advanced properties available for configuration, please refer to General parameters.

Certificate Revocation List

The authentication server supports 2 methods of handling certificate revocation lists - via a URL, or via a local list stored in the file system. To enable this feature, uncomment either authenticationeither authentication.certificate.revocation.list.url or authentication or authentication.certificate.revocation.list.file, and point it to the location of the revocation list.


Code Block
authentication.certificate.revocation.list.url=http://someserver.somedomain.com/revocation.lst
authentication.certificate.revocation.list.file=/opt/local/revovcation.lst
Content block
id1317298789

Related pages