Enabling client certificate login support for a file-based repository in federated repositories
You can enable support for client certificate login in a realm configured with a single built-in file-based repository or a multiple repository configuration that includes the file-based repository and other repositories.
Before you begin
About this task
The default configuration of the built-in file-based repository ignores a certificate login request, returns an empty search result, and does not display any error.
If you want to enable client certificate login for the built-in file-based repository, complete the following steps to set custom properties.
Procedure
Adding custom properties using wsadmin commands
Alternatively, you can use wsadmin commands to add the custom properties, as shown in the following steps.
Procedure
Results
The custom properties are added to the file repository definition in the federated repositories configuration file, wimconfig.xml:

```xml
<config:CustomProperties name="certificateMapMode" value="mode"/>
<config:CustomProperties name="certificateFilter" value="filter_expression"/>
```

The value of certificateMapMode is notSupported, exactDNMode, or filterDescriptorMode; certificateFilter is used only with filterDescriptorMode.
If the certificate login request is honored, login is successful. If the certificate login request is rejected, an error is displayed.
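The procedure steps themselves are not reproduced on this page. As an added example, not IBM's code, the following Jython script builds the two custom properties for a chosen mode and, when run inside wsadmin (wsadmin -lang jython -f), applies them and saves the configuration. The command AdminTask.updateIdMgrRepository, its -customProperties parameter, the repository id InternalFileRepository and the ${SubjectCN} placeholder in the filter are assumptions; confirm them with AdminTask.help('updateIdMgrRepository') on your own cell before use. Outside wsadmin the script only prints the parameter string it would pass.

```python
"""Build the custom properties that enable certificate login on the built-in
file repository and, when run inside wsadmin (Jython), apply them.
Added example: AdminTask.updateIdMgrRepository, its -customProperties
parameter, the id InternalFileRepository and the ${SubjectCN} placeholder are
assumptions; check AdminTask.help('updateIdMgrRepository') first."""

MAP_MODES = ("notSupported", "exactDNMode", "filterDescriptorMode")


def certificate_login_properties(map_mode, certificate_filter=None):
    """Custom properties for one mode. A certificateFilter is only meaningful
    in filterDescriptorMode (assumption: the other modes never read it)."""
    if map_mode not in MAP_MODES:
        raise ValueError("unknown certificateMapMode: %s" % map_mode)
    props = {"certificateMapMode": map_mode}
    if map_mode == "filterDescriptorMode":
        if not certificate_filter:
            raise ValueError("filterDescriptorMode requires a certificateFilter")
        props["certificateFilter"] = certificate_filter
    elif certificate_filter:
        raise ValueError("certificateFilter is ignored unless certificateMapMode is filterDescriptorMode")
    return props


def wsadmin_list(props):
    """wsadmin Jython nested-list syntax: [[name value] [name value]].
    Values containing whitespace are quoted; others are left bare."""
    items = []
    for name in sorted(props):
        value = props[name]
        if any(ch.isspace() for ch in value):
            value = '"%s"' % value
        items.append("[%s %s]" % (name, value))
    return "[" + " ".join(items) + "]"


def update_parameters(repo_id, props):
    """Parameter string for AdminTask.updateIdMgrRepository (assumed signature)."""
    return "[-id %s -customProperties %s]" % (repo_id, wsadmin_list(props))


def apply_with_wsadmin(repo_id, props):
    """Apply and save when wsadmin's AdminTask/AdminConfig objects are present
    in the script namespace; return False and do nothing outside wsadmin."""
    admin_task = globals().get("AdminTask")
    admin_config = globals().get("AdminConfig")
    if admin_task is None or admin_config is None:
        return False
    admin_task.updateIdMgrRepository(update_parameters(repo_id, props))
    admin_config.save()
    return True


if __name__ == "__main__":
    # Example: filter mode, mapping the certificate's subject CN to the uid attribute.
    props = certificate_login_properties("filterDescriptorMode", "uid=${SubjectCN}")
    print(update_parameters("InternalFileRepository", props))
    apply_with_wsadmin("InternalFileRepository", props)
```

The validation in certificate_login_properties is the point of the helper: setting certificateFilter without switching certificateMapMode to filterDescriptorMode leaves the repository in the default "ignore the request" behaviour, which fails silently rather than with an error.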
If only the file repository is configured under federated repositories, the results of the certificate login request are as described in the following table.
File repository | Expected results |
---|---|
Default behavior (certificateMapMode custom property is not added) | Certificate login request is ignored, an empty result is returned, and no error is displayed |
Certificate login is not supported (value of certificateMapMode custom property is notSupported) | CertificateMapNotSupportedException occurs |
Certificate login is supported (value of certificateMapMode custom property is exactDNMode or filterDescriptorMode) and the user is not found | EntityNotFoundException occurs |
Certificate login is supported (value of certificateMapMode custom property is exactDNMode) and an entity whose DN matches the PrincipalName in the certificate is found | Certificate login is successful |
Certificate login is supported (value of certificateMapMode custom property is filterDescriptorMode) and a single matching entity is found | Certificate login is successful |
Certificate login is supported (value of certificateMapMode custom property is filterDescriptorMode) and more than one matching entity is found | CertificateMapFailedException occurs and a "Multiple principals found" error message is displayed |
If multiple repositories are configured under federated repositories, the final login result depends on the behavior and results returned from the other repositories. The following tables contain examples of errors that are displayed in various configuration scenarios.
File repository | LDAP repository | Expected results |
---|---|---|
Default behavior | Certificate login is supported and user is found | Certificate login is successful |
Default behavior | Certificate login is supported and user is not found | PasswordCheckFailedException occurs |
Certificate login is not supported | Certificate login is supported and user is found | CertificateMapFailedException occurs |
Certificate login is supported and user is found | Certificate login is supported and user is found | DuplicateLogonIdException occurs |
Certificate login is supported and user is found | Certificate login is supported and user is not found | Certificate login is successful |
Certificate login is supported and user is not found | Certificate login is supported and user is found | Certificate login is successful |
Certificate login is supported and user is not found | Certificate login is supported and user is not found | PasswordCheckFailedException occurs |
File repository | Local operating system repository | Expected results |
---|---|---|
Default behavior | Certificate login is not supported | CertificateMapFailedException occurs |
Certificate login is not supported | Certificate login is not supported | CertificateMapNotSupportedException occurs |
Certificate login is supported and user is found | Certificate login is not supported | CertificateMapFailedException occurs |
Certificate login is supported and user is not found | Certificate login is not supported | CertificateMapFailedException occurs |
Default behavior | Certificate login is supported and user is found | Certificate login is successful |
Default behavior | Certificate login is supported and user is not found | PasswordCheckFailedException occurs |
Certificate login is not supported | Certificate login is supported and user is found | CertificateMapFailedException occurs |
Certificate login is supported and user is found | Certificate login is supported and user is found | DuplicateLogonIdException occurs |
Certificate login is supported and user is found | Certificate login is supported and user is not found | Certificate login is successful |
Certificate login is supported and user is not found | Certificate login is supported and user is found | Certificate login is successful |
Certificate login is supported and user is not found | Certificate login is supported and user is not found | PasswordCheckFailedException occurs |
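The single-repository table and the two multi-repository tables above describe outcomes but not the matching itself. The following Python model, an added example that is not part of this page or of the product, reproduces those outcomes: the file repository is resolved per certificateMapMode against a constructed set of entries, and a federated realm is modelled by combining the per-repository results. Assumptions, labelled in the code: exactDNMode compares the certificate subject DN with the entity's uniqueName (the page only says "PrincipalName"); certificateFilter accepts ${SubjectCN}-style placeholders and either a single attr=value clause or an AND of such clauses; DNs are compared case-insensitively; the combination rule for multiple repositories is inferred from the rows of the tables, not taken from product documentation.

```python
"""Model of certificate login resolution against the built-in file repository
and across federated repositories. Added example, not VMM code.
Assumptions: exactDNMode compares the certificate subject DN with the entity
uniqueName; certificateFilter uses ${SubjectCN}-style placeholders; DNs are
compared case-insensitively; the federation rule is inferred from the tables."""
import re


class CertificateMapNotSupportedException(Exception): pass
class CertificateMapFailedException(Exception): pass
class EntityNotFoundException(Exception): pass
class DuplicateLogonIdException(Exception): pass
class PasswordCheckFailedException(Exception): pass


# Constructed sample entries of the built-in file repository (o=defaultWIMFileBasedRealm).
FILE_REPOSITORY = [
    {"uniqueName": "uid=alice,o=defaultWIMFileBasedRealm", "uid": "alice", "cn": "Alice Example"},
    {"uniqueName": "uid=bob,o=defaultWIMFileBasedRealm", "uid": "bob", "cn": "Bob Example"},
    {"uniqueName": "uid=bob2,o=defaultWIMFileBasedRealm", "uid": "bob2", "cn": "Bob Example"},
]


def normalize_dn(dn):
    """Comparison form: lower-case, whitespace around commas dropped (assumption)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def subject_placeholders(subject_dn):
    """${SubjectDN}, ${SubjectCN}, ${SubjectUID}, ... taken from the subject DN."""
    values = {"SubjectDN": subject_dn}
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        values["Subject" + attr.strip().upper()] = value.strip()
    return values


def expand_filter(certificate_filter, subject_dn):
    """Substitute placeholders; one the certificate cannot supply is a map failure."""
    values = subject_placeholders(subject_dn)
    def lookup(match):
        if match.group(1) not in values:
            raise CertificateMapFailedException("certificate has no " + match.group(1))
        return values[match.group(1)]
    return re.sub(r"\$\{(\w+)\}", lookup, certificate_filter)


def entry_matches(entry, expanded):
    """Accept 'attr=value' or an AND of such clauses, (&(a=b)(c=d))."""
    if expanded.startswith("(&"):
        return all(entry_matches(entry, c) for c in re.findall(r"\(([^()]+)\)", expanded))
    attr, _, value = expanded.strip("()").partition("=")
    return str(entry.get(attr.strip(), "")).lower() == value.strip().lower()


def file_repository_login(subject_dn, map_mode=None, certificate_filter=None):
    """File repository alone: the matched uniqueName, None when the request is
    ignored (no certificateMapMode), or the exception from the first table."""
    if map_mode is None:
        return None
    if map_mode == "notSupported":
        raise CertificateMapNotSupportedException("certificateMapMode=notSupported")
    if map_mode == "exactDNMode":
        found = [e for e in FILE_REPOSITORY if normalize_dn(e["uniqueName"]) == normalize_dn(subject_dn)]
    elif map_mode == "filterDescriptorMode":
        expanded = expand_filter(certificate_filter, subject_dn)
        found = [e for e in FILE_REPOSITORY if entry_matches(e, expanded)]
    else:
        raise ValueError("unknown certificateMapMode " + map_mode)
    if not found:
        raise EntityNotFoundException(subject_dn)
    if len(found) > 1:
        raise CertificateMapFailedException("Multiple principals found")
    return found[0]["uniqueName"]


def file_repository_result(subject_dn, map_mode=None, certificate_filter=None):
    """What the file repository contributes in a multi-repository realm: per the
    tables, 'user not found' is only fatal once every repository has answered."""
    try:
        return file_repository_login(subject_dn, map_mode, certificate_filter)
    except EntityNotFoundException:
        return None
    except CertificateMapNotSupportedException:
        return "notSupported"


def federated_login(results):
    """results: one item per repository, a uniqueName (found), None (ignored or
    not found) or "notSupported". Rule inferred from the multi-repository tables."""
    unsupported = [r for r in results if r == "notSupported"]
    if unsupported and len(unsupported) == len(results):
        raise CertificateMapNotSupportedException("no repository supports certificate login")
    if unsupported:
        raise CertificateMapFailedException("a repository does not support certificate login")
    found = [r for r in results if r is not None]
    if len(found) > 1:
        raise DuplicateLogonIdException(", ".join(found))
    if not found:
        raise PasswordCheckFailedException("no repository mapped the certificate")
    return found[0]


def outcome(fn, *args):
    """Name the result the way the tables do, for checking rows by eye or in a test."""
    try:
        result = fn(*args)
    except Exception as exc:
        return type(exc).__name__
    return "ignored" if result is None else "success:" + result
```

Two points the tables state only implicitly come out of running the model: exactDNMode requires the certificate subject DN to equal the entity DN in the file repository (uid=...,o=defaultWIMFileBasedRealm), which a CA-issued certificate with a CN/O subject will not satisfy, so most deployments need filterDescriptorMode; and a filter on an attribute that is not unique (cn in the sample data) produces the "Multiple principals found" failure for every user who shares that value, so the filtered attribute must be unique across the repository.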