Logging in with a client certificate

You have two options when configuring the ability to log in with a client certificate.

Logging in when using WebSphere Application Server to host Build Forge

About this task

When using WebSphere Application Server to host Build Forge, you can use the WebSphereSSOInterceptor option with some modifications. This interceptor obtains the authenticated principal after WebSphere Application Server has performed the authentication.

Make the modifications in the following procedure to use this option.

Procedure

  1. Protect the Build Forge WAR file so that the WebSphere Application Server container-managed authentication will authenticate requests to jas. For information about how to set up this protection, see Integrating with WebSphere Application Server security using a custom interceptor.
  2. Configure WebSphere Application Server to support client certificate authentication mapping for the jas web application. Set up this support by configuring the following items:
    • SSL for a client certificate
    • Your jas webapp for a client certificate
    • Your web server for a client certificate
    • The LDAP server mapping for client certificates

    For information about configuring client certificate authentication for WebSphere Portal that can guide you in configuring WebSphere Application Server, see http://publib.boulder.ibm.com/infocenter/wpdoc/v6r0/index.jsp?topic=/com.ibm.wp.ent.doc/wpf/certauth.html. Follow steps 1 through 3. That procedure refers to the web.xml file that you modify in Integrating with WebSphere Application Server security using a custom interceptor. You modify the file located at ${WAS_INSTALL_ROOT}/profiles/${PROFILE_NAME}/installedApps/${CELL_NAME}/jas_war.ear/jas.war/WEB-INF/web.xml.

Logging in based on a custom Build Forge SSO interceptor

About this task

This option requires you to add a custom SSO interceptor, as explained in About the single sign-on framework.

Procedure

  1. Ensure the custom SSO interceptor receives the X509 certificate from the request attribute as follows:
    // The TLS layer of the container attaches the client certificate chain to the
    // request; index 0 of the array is the end-entity (client) certificate.
    X509Certificate[] certs =
        (X509Certificate[]) request.getAttribute("javax.net.ssl.peer_certificates");
  2. Ensure the custom SSO interceptor maps portions of the Subject DN to LDAP attributes. Typically, you map the Common Name (CN) from the certificate to the userid in the LDAP directory. Return the result in the authenticateRequest method of the Build Forge SSO interceptor.
    responseAttributes.setStatus(HttpServletResponse.SC_OK);
    // mapCert is your custom method that maps the certificate chain from step 1
    // to a Build Forge LDAP principal (for example, Subject CN -> LDAP userid).
    principal = mapCert(certs);
    // domain is the name of the LDAP server domain in which the principal exists.
    result = new Result(Result.UseridOnlyOID, domain, principal);
    return result;
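    The following is an added example of the mapCert step from steps 1 and 2 above; it is not Build Forge's own code. It reads the request attribute named in step 1, takes the CN of the leaf certificate's Subject DN, and refuses to return a principal when no certificate is present or the certificate is outside its validity period. The class name CertPrincipalMapper is an assumption; the Result object and responseAttributes stay in the surrounding interceptor.

```java
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;

/* Added example (hypothetical class name); not part of Build Forge. */
public final class CertPrincipalMapper {

    // Request attribute name used by the procedure above.
    private static final String PEER_CERTS_ATTR = "javax.net.ssl.peer_certificates";

    /** Returns the chain the TLS layer attached to the request, or null if absent. */
    public static X509Certificate[] certsFromRequest(HttpServletRequest request) {
        Object attr = request.getAttribute(PEER_CERTS_ATTR);
        return (attr instanceof X509Certificate[]) ? (X509Certificate[]) attr : null;
    }

    /**
     * Maps the client certificate chain to the LDAP userid by taking the CN of the
     * leaf certificate's Subject DN. A missing chain, an expired or not-yet-valid
     * certificate, or a DN without a CN is rejected rather than mapped to a default.
     */
    public static String mapCert(X509Certificate[] certs) throws CertificateException {
        if (certs == null || certs.length == 0) {
            throw new CertificateException("no client certificate presented");
        }
        X509Certificate leaf = certs[0];   // index 0 is the end-entity certificate
        try {
            leaf.checkValidity();          // enforce notBefore/notAfter now
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            throw new CertificateException("client certificate not currently valid", e);
        }
        try {
            LdapName dn = new LdapName(leaf.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {     // RDNs are parsed, not string-split
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    String cn = String.valueOf(rdn.getValue()).trim();
                    if (!cn.isEmpty()) {
                        return cn;             // the LDAP userid for the Result
                    }
                }
            }
        } catch (InvalidNameException e) {
            throw new CertificateException("unparseable subject DN", e);
        }
        throw new CertificateException("subject DN contains no CN");
    }
}
```

    In the interceptor, catch CertificateException from mapCert and return a non-OK status instead of a Result, so a request without a usable certificate is never mapped to a principal.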
