Configure EJBCA with OpenSSO
EJBCA can issue certificates to be used when protecting sites using OpenSSO (Sun's Access Manager). EJBCA will then be configured to publish issued certificates to the AM LDAP server.
After installing EJBCA, follow these configuration steps:
Step 1: Create a Publisher, AMPublisher with the following properties
Publisher Type: LDAP V3 Search Publisher
Base DN: The Base DN in the AM LDAP, for example dc=company,dc=com
Login parameters to the AM LDAP server
Create Nonexisting Users: false
Modify Existing Users: true
Add multiple certificates per user: false
Remove certificates when revoked: true
Remove ldap user when certificate revoked: false
LDAP location fields from cert DN: CN, Common Name (not really used)
Suffix base DN of the LDAP Search: same as Base DN, for example dc=company,dc=com
LDAP filter of the search: uid=$USERNAME
Step 2: Create a Certificate Profile, AMUser
Use ENDUSER as template when creating the profile
Extended Key Usage: Client Authentication
Publishers: AMPublisher
Step 3: Create an End Entity Profile, AMUser
Subject DN Fields: UID, CN, O, C is sufficient
Default Certificate Profile: AMUser
Available Certificate Profiles: AMUser
To add a new user:
Create a new user in AM
Create a new user in EJBCA with the same username and UID as the username in AM
Get the certificate for the user, for example with the user's browser on the public web pages of EJBCA
When the users certificate is created, the certificate is published to the AM LDAP server and certificate authentication can be configured and used in AM.
For more information on integrating EJBCA and OpenSSO, refer to the article Using OpenSSO To Protect Java EE Applications, Part 1: Setting Up X.509 Client Authentication by Bruno Bonfil. Also see the Integration between EJBCA and OpenSSO for information on Integration between EJBCA and OpenSSO.