Configuring SSL and X509 for Converged Application Server

Converged Application Server includes two separate Identity Assertion providers that can be used with X509 certificates. The LDAP X509 Identity Asserter provider receives an X509 certificate, looks up the LDAP object for the user associated with that certificate in a separate LDAP store, ensures that the certificate in the LDAP object matches the presented certificate, and then retrieves the name of the user from the LDAP object. The Default Identity Asserter provider maps the user according to its configuration, but does not validate the certificate.

With either provider, Converged Application Server uses two-way SSL to verify the digital certificate supplied by the client. You must ensure that a SIPS transport (SSL) has been configured in order to use Client-Cert authentication. See information on configuring secure transport in the Oracle Communications Converged Application Server Administrator's Guide.

See "Configuring the Default Identity Asserter" to configure the Default Identity Asserter provider. In most production installations you will have a separate LDAP store and will need to configure the LDAP X509 Identity Asserter provider to use client-cert authentication; see "Configuring the LDAP X509 Identity Asserter".

Configuring the Default Identity Asserter

The Default Identity Asserter can be configured to accept an X509 certificate presented by a client over a secure (two-way SSL) connection. The SSL layer validates the certificate chain; the asserter itself only maps the certificate to a user, and for that it requires a separate user name mapper that maps the client certificate to a user configured in the default security realm. You can use the default user name mapper installed with Converged Application Server, or you can create a custom user name mapper class. See the chapters on configuring a WebLogic credential mapping provider in Securing Oracle WebLogic Server, in the Oracle WebLogic Server documentation, for information on creating a custom user name mapper class.

Follow these instructions to configure the Default Identity Asserter:

  1. From the Edit Tree of the Remote Console, click Security, and then Realms, and then your specific realm, and then Authentication Providers.
  2. Select DefaultIdentityAsserter from the Authentication Providers table.
  3. Copy the string X.509 from the Supported Types column and paste it into the Active Types column on a new line.
  4. Click Save to apply the change.
  5. You can use either a custom Java class to map names in the X.509 certificate to user names in the built-in LDAP store, or you can use the default user name mapper. To specify a custom Java class to perform user name mapping:
    1. Select the Default Identity Asserter Parameters subtab.
    2. Enter the name of the custom class in the User Name Mapper Class Name field.
    3. Click Save.

    To use the default user name mapper:

    1. In the Default User Name Mapper Attribute Type list, select either CN (for Common Name) or E (for Email address) depending on the user name attribute you have stored in the security realm.
    2. In the Default User Name Mapper Attribute Delimiter field, accept the default delimiter of "@". This delimiter is used with the E (Email address) attribute type to extract the email portion from the client token. For example, a token of "joe@mycompany.com" would be mapped to a username "joe" configured in the default security realm.
    3. Click Save.
  6. Restart the server.

Configuring the LDAP X509 Identity Asserter

Follow these steps to create and configure the LDAP X509 Identity Asserter provider.

  1. From the Edit Tree of the Remote Console, select Security, and then Realms, and then your specific realm, and then Authentication Providers.
  2. Click New, enter a name, and select LDAPX509 Identity Asserter as the type.
  3. Click Create.
  4. If necessary, select the name of the provider you just created.
  5. In the LDAPX509 Identity Asserter Parameters tab, enter LDAP server information into the fields as follows:
    • Host: Enter the host name of the LDAP server to verify the incoming certificate. If you are using multiple LDAP servers for failover capabilities, enter the host name:port value for each server separated by spaces. For example: ldap1.mycompany.com:1050 ldap2.mycompany.com:1050

      See Securing Oracle WebLogic Server in the Oracle WebLogic Server documentation for more information about configuring failover.

    • Port: Enter the port number of the LDAP server.
    • Principal: Enter the name of a principal that Converged Application Server uses to access the LDAP server.
    • Credential: Enter the credential for the above principal name (generally a password).
    • SSL Enabled: Select this option to connect to the LDAP server over SSL. The credential for the Principal above is sent to the LDAP server as a bind password, so without SSL it crosses the network unencrypted.
    • User Name Attribute: Enter the LDAP attribute that stores the user's name.
    • User Filter Attributes: Enter the attribute used to build the LDAP search filter that locates the user's object. The filter is applied to LDAP objects beneath the base DN constructed from the Certificate Mapping setting described below.
    • Certificate Attribute: Enter the LDAP attribute that stores the certificate for the user name.
    • Certificate Mapping: Specify the query string used to construct the base LDAP DN beneath which the provider searches for the user's LDAP object.
    • Connection Retry Limit: Specifies the number of times the provider tries to reestablish a connection to an LDAP server if the LDAP server throws an exception while creating a connection.
    • Cache Enabled: Specifies whether a cache should be used with the associated LDAP server.
    • Cache Size: Specifies the size of the cache, in Kilobytes, used to store results from the LDAP server. By default the cache size is 32K.
    • Cache TTL: Specifies the time-to-live (TTL) value, in seconds, for the LDAP cache. By default the TTL value is 60 seconds.
    • Identity Domain: Specifies the identity domain.
  6. Click Save, click the shopping cart, and click Commit Changes.
  7. Restart the server.
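The two providers differ in exactly one security-relevant step: the Default Identity Asserter's user name mapper (the CN/E attribute and "@" delimiter settings above) derives a user name from the certificate subject and stops, while the LDAP X509 Identity Asserter also requires the certificate stored in the user's LDAP object to equal the presented certificate. The following Python model is an added example, not Oracle's code and not how the WebLogic providers are implemented internally; the in-memory directory, the opaque certificate byte strings, the fixed base DN standing in for the Certificate Mapping result, and the single-attribute User Filter Attributes handling are all constructed simplifications. It shows why a second certificate carrying the same subject DN maps to "joe" under the default mapper but is refused by the LDAP-backed path.

```python
# Added example (not Oracle's code). Models the two mapping behaviours this
# page describes: the Default Identity Asserter's CN/E user name mapper and
# the LDAP X509 Identity Asserter's lookup-then-compare of the stored
# certificate. Directory contents, certificate bytes and base-DN handling
# are constructed/simplified; the real providers run inside WebLogic.
import re
from dataclasses import dataclass


def parse_dn(dn):
    """Split an RFC 4514 DN string into (TYPE, value) pairs, most-specific
    RDN first. Backslash-escaped commas and plus signs inside values
    (for example 'CN=Smith\\, Joe') are kept, not treated as separators."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        for ava in re.split(r"(?<!\\)\+", rdn):
            typ, _, val = ava.partition("=")
            pairs.append((typ.strip().upper(),
                          val.strip().replace("\\,", ",").replace("\\+", "+")))
    return pairs


def dn_attr(pairs, typ):
    """First value of attribute `typ` in a parsed DN, or None if absent."""
    for t, v in pairs:
        if t == typ:
            return v
    return None


def default_user_name_mapper(subject_dn, attribute_type="CN", delimiter="@"):
    """Default Identity Asserter path: pick CN or E from the certificate
    subject; for E keep only the part before the delimiter, so
    'joe@mycompany.com' becomes 'joe'. Nothing here checks that this
    particular certificate belongs to that user."""
    pairs = parse_dn(subject_dn)
    if attribute_type == "CN":
        return dn_attr(pairs, "CN")
    if attribute_type == "E":
        # DN renderers differ: 'E=' (OpenSSL style) or 'EMAILADDRESS='.
        email = dn_attr(pairs, "E") or dn_attr(pairs, "EMAILADDRESS")
        return None if email is None else email.split(delimiter, 1)[0]
    raise ValueError("attribute_type must be 'CN' or 'E'")


@dataclass
class LdapEntry:
    dn: str
    attrs: dict  # lower-case attribute name -> value


class LdapX509Asserter:
    """LDAP X509 Identity Asserter path, simplified: find the user's entry
    under base_dn with a filter built from one subject attribute, then
    require the stored certificate to equal the presented one byte for
    byte before returning the user name attribute."""

    def __init__(self, directory, base_dn, user_filter_attr,
                 username_attr, cert_attr):
        self.directory = directory               # stands in for the LDAP server
        self.base_dn = base_dn.lower()           # assumed fixed Certificate Mapping result
        self.user_filter_attr = user_filter_attr  # User Filter Attributes (one attribute)
        self.username_attr = username_attr       # User Name Attribute
        self.cert_attr = cert_attr               # Certificate Attribute

    def assert_identity(self, subject_dn, presented_cert_der):
        """Return the mapped user name, or None when no identity is asserted."""
        value = dn_attr(parse_dn(subject_dn), self.user_filter_attr.upper())
        if value is None:
            return None
        matches = [e for e in self.directory
                   if e.dn.lower().endswith(self.base_dn)
                   and e.attrs.get(self.user_filter_attr.lower()) == value]
        if len(matches) != 1:                 # missing or ambiguous entry: refuse
            return None
        if matches[0].attrs.get(self.cert_attr) != presented_cert_der:
            return None                       # the check the Default asserter lacks
        return matches[0].attrs.get(self.username_attr)


# Constructed sample data: opaque stand-ins for DER-encoded certificates.
CERT_JOE = b"DER:cn=joe:serial=1001:issuer=Corp-CA"
CERT_IMPOSTER = b"DER:cn=joe:serial=7:issuer=Other-CA"  # same subject, different cert

DIRECTORY = [
    LdapEntry("cn=joe,ou=people,dc=mycompany,dc=com",
              {"cn": "joe", "uid": "joe", "usercertificate;binary": CERT_JOE}),
    LdapEntry("cn=ann,ou=people,dc=mycompany,dc=com",
              {"cn": "ann", "uid": "ann", "usercertificate;binary": b"DER:cn=ann:serial=1002"}),
]


def build_demo_asserter():
    return LdapX509Asserter(DIRECTORY, "ou=people,dc=mycompany,dc=com",
                            user_filter_attr="cn", username_attr="uid",
                            cert_attr="usercertificate;binary")


if __name__ == "__main__":
    subject = "CN=joe,OU=people,DC=mycompany,DC=com"
    print(default_user_name_mapper(subject))                            # joe
    print(default_user_name_mapper("E=joe@mycompany.com,CN=Joe", "E"))  # joe
    asserter = build_demo_asserter()
    print(asserter.assert_identity(subject, CERT_JOE))       # joe
    print(asserter.assert_identity(subject, CERT_IMPOSTER))  # None
```

The imposter case is the reason the page recommends the LDAP X509 Identity Asserter for production: with the default mapper, any certificate that the SSL trust store accepts and that carries the right CN or email address becomes that user, so the strength of the mapping is only as good as the issuance controls on every trusted CA. The LDAP-backed path pins the user to one specific certificate, so a re-issued or look-alike certificate is refused even when its chain validates; when the certificate is legitimately renewed, the LDAP object must be updated or the user stops authenticating.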