is configured under the CertsMapping entry of the REGISTRY_HOME/conf/jaas.conf file. An example of a CertsMapping entry is shown in Example 5, CertsMapping JAAS configuration. You can configure the following options:

• debug - if set to true, debug actions of the login module are printed to the error stream. False by default.

• issuer - issuer name. If set, the mapped certificate must have been issued by a certification authority with this subject name. Setting it is recommended: without it, any certificate that passes the SSL trust check is mapped on its subject alone, whichever trusted CA issued it.

• pattern - a regular expression as per java.util.regex that is used to extract user names. The first capturing group of the pattern is used as the user name. When the pattern has no capturing group and matches, the whole subject becomes the user name. The regular expressions are applied case-insensitively. Examples are:

  • The default is ?\\,\s?EMAILADDRESS=.+. It matches the name listed in the EMAILADDRESS attribute. The expression is written so that an EMAILADDRESS string that happens to occur inside another part of the subject is not matched.

  • CN=([^,]+) matches the common name.

  • . matches every subject. Since it has no capturing group, the whole subject DN is used as the user name.

You can configure more than one login module to perform certificate mapping. This is useful when you have to accept certificates from different issuers and/or provide a fallback when the mapping of the first configured login module fails. An example of a CertsMapping entry that maps certificates issued by two issuers with different mappings is shown in Example 6, CertsMapping JAAS configuration with 2 possible issuers.

5. The registry is now configured for SSL client authentication. You may also change when SSL client authentication applies by changing the configuration of the SSL security provider. This configuration is in the securityProviderPreferences name="SSL" element of the REGISTRY_HOME/conf/serverconf.xml file. An example is shown in Example 4, A fragment of serverconf.xml with 2-way SSL turned on.
8.3. SSL Client Authentication with Embedded HTTP/HTTPS Server
Example 4. A fragment of serverconf.xml with 2-way SSL turned on

    <?xml version="1.0" encoding="UTF-8"?>
    <config name="main">
      ...
      <securityPreferences name="main">
        <!-- Added acceptingSecurityProvider -->
        <acceptingSecurityProvider>SSL</acceptingSecurityProvider>
        <pstoreInitParams>
          ...
        </pstoreInitParams>
      </securityPreferences>
      ...
      <httpsPreferences name="https">
        ...
        <!-- Client authentication required -->
        <needsClientAuth>true</needsClientAuth>
        ...
      </httpsPreferences>
      ...
      <!-- security provider preferences intended mainly for SSL client authentication -->
      <securityProviderPreferences name="SSL">
        <!-- What to do when SSL is not used to access the resource? Available options:
             redirect - perform HTTP redirect to the associated HTTPS URL (302 Moved Temporarily)
             fail     - return a message that informs the client to use the HTTPS URL (400 Bad Request)
             skip     - do not perform certificate mapping at all
             perform  - try to perform certificate mapping with no client certificates
        -->
        <whenNotSsl>skip</whenNotSsl>
        <!-- Can certificate mapping fail? If set to true and it fails, no received subject will be constructed. -->
        <certMappingMayFail>false</certMappingMayFail>
        <!-- Can a default account be created when no account for a mapped user exists? -->
        <createDefaultAccount>false</createDefaultAccount>
      </securityProviderPreferences>
    </config>
Example 5. CertsMapping JAAS configuration

    CertsMapping {
        com.systinet.uddi.security.jaas.CertMappingLoginModule sufficient
            pattern="?\\,\s?EMAILADDRESS=.+"
            debug="false"
            issuer="CN=Company CA, OU=mycomp";
    };
Example 6. CertsMapping JAAS configuration with 2 possible issuers

    CertsMapping {
        com.systinet.uddi.security.jaas.CertMappingLoginModule sufficient
            pattern="?\\,\s?EMAILADDRESS=.+"
            debug="false"
            issuer="CN=Company CA, OU=mycomp";
        com.systinet.uddi.security.jaas.CertMappingLoginModule sufficient
            pattern="CN=([^,]+)"
            issuer="CN=Company CA2, OU=mycomp"
            debug="false";
    };
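The mapping rules above (first capturing group, whole subject when there is no group, case-insensitive matching, the issuer check, and a chain of sufficient modules as in Example 6) together with the certMappingMayFail and createDefaultAccount switches from Example 4 can be exercised outside the registry. The following Python script is an added example written for this page; it is not the CertMappingLoginModule and not product code. It assumes that the issuer option is compared as an exact DN string, that Python's re module treats these particular patterns the same way java.util.regex does, and it uses its own rendering of the EMAILADDRESS pattern, (?:^|,)\s?EMAILADDRESS=([^,]+), in place of the page's default. All subject and issuer DNs in it are constructed inputs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class MappingModule:
    """One CertsMapping login-module entry: pattern plus optional issuer."""
    pattern: str
    issuer: Optional[str] = None      # None = accept any issuer (not recommended)


def map_subject(subject_dn: str, issuer_dn: str, module: MappingModule) -> Optional[str]:
    """Apply a single module. Returns the user name, or None if the module does not apply.

    Assumption: the issuer is compared as an exact DN string; a real DN comparison
    would normalise attribute order, case and whitespace."""
    if module.issuer is not None and module.issuer != issuer_dn:
        return None
    # The page states that the configured patterns are case-insensitive.
    match = re.search(module.pattern, subject_dn, re.IGNORECASE)
    if match is None:
        return None
    if match.re.groups == 0:
        return subject_dn             # no capturing group: whole subject DN is the name
    return match.group(1)             # otherwise the first capturing group


def map_certificate(subject_dn: str, issuer_dn: str, modules: List[MappingModule],
                    cert_mapping_may_fail: bool = False) -> Optional[str]:
    """Try the modules in order, like a chain of 'sufficient' JAAS modules: the first
    one that yields a name wins. If none does, behave as certMappingMayFail in
    serverconf.xml: true -> no subject (None), false -> the login fails."""
    for module in modules:
        user = map_subject(subject_dn, issuer_dn, module)
        if user is not None:
            return user
    if cert_mapping_may_fail:
        return None
    raise PermissionError("certificate mapping failed for subject %r" % subject_dn)


def resolve_account(user: str, accounts: Set[str], create_default_account: bool = False) -> str:
    """createDefaultAccount semantics: a mapped name with no registry account is
    either auto-created (true) or rejected (false)."""
    if user not in accounts:
        if not create_default_account:
            raise PermissionError("no account for mapped user %r" % user)
        accounts.add(user)
    return user


# Constructed equivalent of Example 6: two issuers, two mappings. The EMAILADDRESS
# pattern is this example's own rendering, not the product default verbatim.
MODULES = [
    MappingModule(pattern=r"(?:^|,)\s?EMAILADDRESS=([^,]+)",
                  issuer="CN=Company CA, OU=mycomp"),
    MappingModule(pattern=r"CN=([^,]+)",
                  issuer="CN=Company CA2, OU=mycomp"),
]


def demo() -> List[Optional[str]]:
    """Run constructed subject/issuer pairs through the chain (certMappingMayFail=true)."""
    cases = [
        ("EMAILADDRESS=alice@example.com, CN=Alice, OU=mycomp", "CN=Company CA, OU=mycomp"),
        # first issuer does not match, so the CN mapping for the second CA is used
        ("CN=Bob, OU=mycomp, EMAILADDRESS=bob@example.com", "CN=Company CA2, OU=mycomp"),
        # lower-case attribute name: still matched, the pattern is case-insensitive
        ("emailaddress=carol@example.com, CN=Carol", "CN=Company CA, OU=mycomp"),
        # 'EMAILADDRESS=' embedded in the CN value is skipped; only the attribute at
        # the start of the DN or after a comma counts
        ("CN=x EMAILADDRESS=fake@evil, EMAILADDRESS=real@example.com", "CN=Company CA, OU=mycomp"),
        # unknown issuer: neither module applies, no subject is constructed
        ("CN=Dave, OU=mycomp", "CN=Unknown CA"),
    ]
    return [map_certificate(s, i, MODULES, cert_mapping_may_fail=True) for s, i in cases]


if __name__ == "__main__":
    for name in demo():
        print(name)
```

The fourth case shows why the issuer option and an anchored pattern matter together: a CA that lets a requester put arbitrary text in the CN could otherwise smuggle an EMAILADDRESS= string into the subject, and only the anchoring (plus trusting a CA that validates e-mail ownership) keeps the mapped name honest.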
8.4. SSL Client Authentication in Oracle WebLogic

This section describes how to enable SSL and SSL client authentication for Oracle Service Registry deployed to Oracle WebLogic Server 10.3. The following steps assume that the Registry is already deployed to WebLogic.

1. Locate WEB-INF/web.xml in the WAR file that is used. You may either edit the WAR file with a file manager that can edit such archives directly and redeploy it later, or locate the file where the WAR file is unpacked.

2. a. Add the following elements inside web-app:

      <context-param>
          <param-name>use.request.user</param-name>
          <param-value>true</param-value>
      </context-param>
      <login-config>
          <auth-method>CLIENT-CERT</auth-method>
      </login-config>
      <security-constraint>
          <display-name>HTTPS required to access registry</display-name>
          <web-resource-collection>
              <web-resource-name>Protected Area</web-resource-name>
              <url-pattern>/*</url-pattern>
              <http-method>DELETE</http-method>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              <http-method>PUT</http-method>
          </web-resource-collection>
          <user-data-constraint>
              <description>Require confidentiality</description>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
      </security-constraint>

      Listing http-method elements limits the constraint to exactly those methods; omit them if every method, including HEAD and OPTIONS, should be covered.

   b. Change the servlet class to look like this:

      <servlet-class>com.systinet.transport.servlet.server.registry.RegistryServlet</servlet-class>

3. Start the Registry in WebLogic. The Registry still works with normal user/password authentication.
4. Select Environment > Servers > <your_server> > Configuration.

   a. Select the Keystores tab. Select Custom Identity and Custom Trust. Provide the values for your identity and trust stores. Click Save.

   b. Select the SSL tab. Click the Advanced option. Fill in Identity Alias and Password. Select Client Certs Requested and Enforced in Two Way Client Cert Behavior. Click Save.
5. Click Security Realms in Domain Structure. Select myrealm.

   a. Click Users and Groups. Create a new user called admin. You can create other users here too. Their names are matched against the name part of the e-mail addresses in the certificates.

   b. Click the Providers tab. Create a new authentication provider: name it mysslauthprovider and select DefaultIdentityAsserter as its type. Click the provider's properties. Add the X.509 type. Click Save. Click the Provider Specific tab. Check Use Default User Name Mapper. Leave the default value for Default User Name Mapper Attribute Delimiter. Click Save.

Note
The last step may not work when another provider of type DefaultIdentityAsserter is already present. Either modify the existing provider or delete it and configure the new mysslauthprovider.
8.5. J2EE Server Authentication

The registry can be configured to let the J2EE application server perform authentication. Unlike Section 8.2, Netegrity SiteMinder and Section 8.1, HTTP Basic, the authentication then takes place for the whole registry application. To allow J2EE server authentication:

1. Locate the EAR or WAR file produced by the installer. It is available in REGISTRY_HOME/conf/porting or in the application server when deployed. Note that in the case of an EAR file the actual WAR file is contained in it. Both files can be opened as ZIP archives.

2. Modify the WEB-INF/web.xml file in the WAR file as follows:

   a. Change the value of the context parameter use.request.user to true.

   b. Add a login-config element with the type of the chosen J2EE authentication. Example 7, A fragment of web.xml shows a login-config that turns on the CLIENT-CERT authentication method, which is used for SSL client authentication. You may also add a security-constraint element to specify the set of resources for which confidentiality and/or integrity is required. Example 7, A fragment of web.xml contains a security-constraint that requires confidential communication between client and server for all registry resources, which typically means allowing only HTTPS for communication with the registry.

   c. Configure the J2EE application server for the authentication method of your choice. For SSL client authentication, this typically means setting up the HTTPS transport to require client certificates and to map client certificates to user names. Consult your J2EE application server documentation for details.

3. Continue deployment of the modified WAR file.
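Both the WebLogic procedure in Section 8.4 (step 2) and the generic procedure above (step 2) hinge on three web.xml settings: use.request.user set to true, a login-config with auth-method CLIENT-CERT, and a security-constraint with transport-guarantee CONFIDENTIAL covering the registry. The following Python script is an added example for this page, not part of the product or its documentation; it parses a web.xml and reports which of the three settings are missing, working with or without the Java EE namespace. The two web.xml fragments inside it are constructed: one in the state an unmodified descriptor is assumed to be in, one edited as the steps describe.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional


def _local(tag: str) -> str:
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem: ET.Element, name: str) -> List[ET.Element]:
    return [e for e in elem.iter() if _local(e.tag) == name]


def _child_text(elem: ET.Element, name: str) -> Optional[str]:
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def check_web_xml(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means all three settings are present."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # (a) context-param use.request.user must be true
    value = None
    for param in _descendants(root, "context-param"):
        if _child_text(param, "param-name") == "use.request.user":
            value = _child_text(param, "param-value")
    if value is None:
        findings.append("context-param use.request.user is missing")
    elif value.lower() != "true":
        findings.append("context-param use.request.user is %r, expected 'true'" % value)

    # (b) a login-config with auth-method CLIENT-CERT
    methods = [_child_text(lc, "auth-method") for lc in _descendants(root, "login-config")]
    if "CLIENT-CERT" not in methods:
        findings.append("no login-config with auth-method CLIENT-CERT")

    # (c) a security-constraint that requires CONFIDENTIAL transport on /*
    covered = False
    for sc in _descendants(root, "security-constraint"):
        guarantees = [_child_text(udc, "transport-guarantee")
                      for udc in _descendants(sc, "user-data-constraint")]
        patterns = [(p.text or "").strip() for p in _descendants(sc, "url-pattern")]
        if "CONFIDENTIAL" in guarantees and "/*" in patterns:
            covered = True
    if not covered:
        findings.append("no security-constraint with transport-guarantee CONFIDENTIAL for /*")
    return findings


# Constructed input: assumed unmodified descriptor, without namespace.
WEB_XML_BEFORE = """<web-app>
  <context-param>
    <param-name>use.request.user</param-name>
    <param-value>false</param-value>
  </context-param>
  <servlet>
    <servlet-name>registry</servlet-name>
    <servlet-class>com.systinet.transport.servlet.server.registry.RegistryServlet</servlet-class>
  </servlet>
</web-app>"""

# Constructed input: edited as the steps describe, with the Java EE namespace.
WEB_XML_AFTER = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>use.request.user</param-name>
    <param-value>true</param-value>
  </context-param>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


if __name__ == "__main__":
    for label, text in (("before", WEB_XML_BEFORE), ("after", WEB_XML_AFTER)):
        print(label, check_web_xml(text) or "OK")
```

Run it against the web.xml extracted from the WAR before redeploying; the check only confirms the descriptor, so the application server side (HTTPS transport requiring client certificates and the certificate-to-user mapping from step 2c) still has to be verified separately.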