Integrating EJBCA and OpenSSO

EJBCA is an Enterprise PKI Certificate Authority issuing certificates to users, servers and devices. In an organization, certificates can be used for strong authentication. EJBCA is based on standards such as X.509 and OCSP.

OpenSSO provides core identity services to simplify the implementation of transparent single sign-on (SSO). OpenSSO provides authentication and authorization services based on standards such as SAML and XACML.

Contents

Integrating EJBCA and OpenSSO ... 1
Integration goal ... 2
Deployment Architecture ... 2
Installation prerequisites ... 2
Configuring OpenSSO ... 3
  Install OpenSSO ... 3
  Configure the Certificate authentication module ... 3
Configuring EJBCA ... 5
  Install EJBCA ... 5
  Creating the LDAP publisher ... 5
  Create the certificate profile ... 6
  Create the end entity profile ... 7
Creating the user ... 8
  Adding the user in EJBCA ... 8
  Issuing the certificate ... 9
  Using the certificate for authentication in OpenSSO ... 9
Other Deployment Architectures ... 10
More information ... 10

Integration goal

The goal of this integration description is to demonstrate creating users, issuing certificates to those users, and using those certificates to authenticate the users with OpenSSO, all while adding the user only once, in EJBCA, when the certificate is issued:

1. Issue a digital certificate to a user using EJBCA.
2. Immediately use this certificate for single sign-on and authorization with OpenSSO.

Deployment Architecture

In this integration guide the deployment architecture is a simple one where user provisioning is made in EJBCA.

Installation prerequisites

To perform the steps in this simplified guide we have made default installations of EJBCA and OpenSSO in the same JBoss application server.

In order to be able to use OpenSSO for certificate authentication, the CA certificate from EJBCA must be installed in the Java trust store of the system:

1. In the EJBCA administration console go to Basic Functions.
2. For the default CA, AdminCA1, select the link Download binary/to IE and save the certificate in the file system as AdminCA1.cacert.crt.
3. Open a command line window where the certificate was saved and enter the command:

    keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file AdminCA1.cacert.crt

   Example on Ubuntu Linux:

    sudo keytool -import -keystore /usr/lib/jvm/java-6-openjdk/jre/lib/security/cacerts -file AdminCA1.cacert.crt

4. After performing this step, your application server must be restarted.

Configuring OpenSSO

Install OpenSSO

This is not an installation guide for OpenSSO, hence we will only cover the configuration for the actual integration. To make the basic setup of OpenSSO you can follow the installation instructions of the product. Some configuration options you set during installation are important to remember for the integration:

- Hostname and port of the OpenSSO User Data Store LDAP server, usually something like ds.domain.com and 50389.
- Login and password to the OpenSSO User Data Store, could be something like cn=directory Manager and the same password as amadmin.
- The Root Suffix of the LDAP tree in the User Data Store, usually something like dc=opensso,dc=company,dc=com.

Configure the Certificate authentication module

Since we will use certificates for stronger authentication, we need the Certificate authentication module enabled in OpenSSO.

1. Log in to the administration console as amadmin.
2. Go to Access Control, '/ (Top Level Realm)' and finally Authentication.
3. Under Module Instances, click New. Select Certificate as type and enter Certificate as name. Click OK.
4. Click on Certificate under Module Instances to configure the module:

   Match Certificate in LDAP: Enabled
   LDAP Search Start DN: Use the Root Suffix of the LDAP tree, dc=opensso,dc=company,dc=com
   LDAP Server Principal User: Use the login to the User Data Store, cn=directory Manager
   LDAP Server Principal Password: Use the password of the login to the User Data Store
   Certificate Field Used to Access User Profile: Use Subject UID

5. Click Save.

Configuring EJBCA

Install EJBCA

This is not an installation guide for EJBCA, hence we will only cover the configuration for the actual integration. To make the basic setup of EJBCA you can follow the installation instructions of the product.

Creating the LDAP publisher

We will use a regular LDAP publisher to publish user data and issued certificates from EJBCA to OpenSSO when certificates are issued.

1. Log in to the EJBCA administration console and click on Edit Publishers.
2. Add a new publisher called OpenSSOPublisher.
3. Select the publisher and click Edit Publisher:

   Hostname and port: Use the hostname and port of the OpenSSO User Data Store, ds.domain.com and 50389.
   Use SSL: Unchecked.
   Base DN: Use the Root Suffix prepended with ou=people, i.e. ou=people,dc=opensso,dc=company,dc=com. This is the tree where default users are stored in OpenSSO. Adapt this if you have configured something else in your User Data Store.
   Login DN: Use the same as LDAP Server Principal User in the OpenSSO configuration, cn=directory Manager.
   Login Password: Use the password of the login to the User Data Store.
   LDAP location fields from cert DN: Use UID, Unique Identifier.

4. Click Save and Test Connection; it should say Connection Tested Successfully.

Create the certificate profile

We will use a certificate profile to ensure that all certificates issued using this profile are published to OpenSSO.

1. Click on Edit Certificate Profiles.
2. Add a new certificate profile called OpenSSO by typing OpenSSO in the input field, selecting ENDUSER in the list and clicking on Use selected as template (this saves us a few clicks later).
3. Select OpenSSO and click Edit Certificate Profile.
4. Go down almost to the bottom of the page and select OpenSSOPublisher.
5. Click Save.

Create the end entity profile

We will use an end entity profile to control which user attributes are registered when we add the user.

1. Click on Edit End Entity Profiles.
2. Add a new end entity profile called OpenSSO.
3. Select the profile and click Edit End Entity Profile.
4. Select UID in Subject DN Fields and click Add.
5. Select OpenSSO as both Default Certificate Profile and Available Certificate Profiles.
6. Click Save.

Creating the user

When the user is added in EJBCA, a username and password are created. Using this username and password the user can enroll for a certificate using a regular web browser. When the certificate is issued to the user, it is also published to the OpenSSO User Data Store so it can be used by OpenSSO.

Adding the user in EJBCA

This step will add the user in EJBCA's user database. During this step the user is issued a username and password. In different organizations this can be done in thousands of different ways; the step shown here is only one example.

1. In the EJBCA administration console go to Add End Entity.
2. Select OpenSSO as end entity profile in the drop-down:

   Username: certuser
   Password: certuser
   CN: Certificate User
   UID: certuser

3. Click Add End Entity.

Issuing the certificate

Using the username and password registered above we can now enroll for a certificate in our web browser. In this example we will use Firefox, but Internet Explorer works just as well.

1. Go to the EJBCA Public Web; there is a link from the administration console.
2. Click Create Browser Certificate:

   Username: certuser
   Password: certuser

3. On the next page click OK to get the certificate issued and installed in your browser.

Using the certificate for authentication in OpenSSO

The new user has now been created in EJBCA and in the OpenSSO User Data Store. You can view the user in OpenSSO: in the OpenSSO administration console go to Subjects. You should see Certificate User in the user list.

Next we want to test that the user can be authenticated in OpenSSO and that the certificate is located.

1. Close down the browser, in order for the EJBCA administrator to be logged out.
2. Start the browser again and go to the OpenSSO administration console login.
3. Edit the login URL to use SSL with client certificate authentication and the Certificate login module:

    https://localhost:8443/opensso/ui/login?module=certificate
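The two directory operations this guide configures, the EJBCA LDAP publisher storing the issued certificate in the user's entry under ou=people (located by the UID field of the certificate DN) and the OpenSSO Certificate module finding that user by Subject UID with Match Certificate in LDAP enabled, modelled in Python as an added example. This is not EJBCA or OpenSSO code: the directory is an in-memory dictionary standing in for the User Data Store, the certificate bodies are constructed byte strings standing in for DER, and all function names are the example's own. It escapes the UID taken from the certificate before it goes into the LDAP search filter, and it shows what Match Certificate in LDAP buys you: with the setting off, the user is identified by the UID alone and the certificate EJBCA published is never compared against the one presented.

```python
"""Model of the directory flow the guide configures: the EJBCA LDAP publisher
storing an issued certificate in the user's entry, and the OpenSSO Certificate
module finding that user by Subject UID and matching the certificate in LDAP.
Added example, not EJBCA or OpenSSO code; standard library only."""

# Values from the guide: OpenSSO Root Suffix and the default people container.
ROOT_SUFFIX = "dc=opensso,dc=company,dc=com"
PEOPLE_BASE = "ou=people," + ROOT_SUFFIX


def _split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped characters untouched (RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _dn_unescape(value):
    """Decode \\X and \\hh escapes in an RFC 4514 attribute value."""
    raw, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            hexpair = value[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in "0123456789abcdefABCDEF" for c in hexpair):
                raw.append(int(hexpair, 16))
                i += 3
            else:
                raw += value[i + 1].encode("utf-8")
                i += 2
        else:
            raw += value[i].encode("utf-8")
            i += 1
    return raw.decode("utf-8")


def parse_dn(dn):
    """Parse a DN string into a dict of attribute type -> value (types upper-cased)."""
    fields = {}
    for rdn in _split_unescaped(dn, ","):
        attr, _, value = rdn.partition("=")
        fields[attr.strip().upper()] = _dn_unescape(value.strip())
    return fields


def dn_escape(value):
    """Escape a value for use inside an RDN (RFC 4514 special characters)."""
    out = []
    for idx, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (ch == "#" and idx == 0) \
            or (ch == " " and idx in (0, len(value) - 1))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def build_uid_filter(uid):
    """Build the (uid=...) search filter, escaping filter metacharacters (RFC 4515).
    Without this, a UID chosen by the certificate holder could rewrite the filter."""
    table = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\0": "\\00"}
    return "(uid=" + "".join(table.get(ch, ch) for ch in uid) + ")"


def publish_certificate(directory, subject_dn, cert_der, base_dn=PEOPLE_BASE):
    """Publisher step: locate the user entry by the UID field of the certificate DN
    (the 'LDAP location fields from cert DN' setting) under base_dn, creating it if
    needed, and store the certificate in userCertificate;binary."""
    fields = parse_dn(subject_dn)
    uid = fields["UID"]
    dn = "uid=%s,%s" % (dn_escape(uid), base_dn)
    entry = directory.setdefault(dn, {"uid": uid, "cn": fields.get("CN", uid),
                                      "userCertificate;binary": []})
    entry["userCertificate;binary"].append(cert_der)
    return dn


def certificate_login(directory, subject_dn, cert_der, search_base=ROOT_SUFFIX,
                      match_certificate_in_ldap=True):
    """OpenSSO step with 'Certificate Field Used to Access User Profile' = Subject UID.
    Returns the matched user DN, or None when the login must fail."""
    uid = parse_dn(subject_dn).get("UID")
    if not uid:
        return None
    ldap_filter = build_uid_filter(uid)  # what a real directory server would be sent
    # In-memory stand-in for the subtree search: below search_base, uid equality.
    hits = [dn for dn, e in directory.items()
            if dn.endswith("," + search_base) and e["uid"] == uid]
    if len(hits) != 1:
        return None
    if match_certificate_in_ldap:
        if cert_der not in directory[hits[0]]["userCertificate;binary"]:
            return None  # same UID, but not the certificate EJBCA published
    return hits[0]


def demo():
    """Run the flow end to end with constructed data and return the outcomes."""
    directory = {}
    subject = "CN=Certificate User,UID=certuser"   # DN from the guide's end entity
    issued = b"constructed DER stand-in for the EJBCA-issued certificate"
    other = b"constructed DER stand-in for a different certificate, same UID"
    user_dn = publish_certificate(directory, subject, issued)
    return {
        "user_dn": user_dn,
        "issued_cert_logs_in": certificate_login(directory, subject, issued) == user_dn,
        "other_cert_rejected": certificate_login(directory, subject, other) is None,
        "other_cert_accepted_without_match": certificate_login(
            directory, subject, other, match_certificate_in_ldap=False) == user_dn,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The in-memory search only checks uid equality; a real server would evaluate the filter string that build_uid_filter produces, which is why the escaping is done even though the model does not parse it back. The certificate comparison is a byte-for-byte check of the DER, which is what a match against userCertificate;binary amounts to.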

Other Deployment Architectures

In a larger deployment neither EJBCA nor OpenSSO is designed to do user provisioning. In such an installation a separate provisioning product would typically be used, or even several different ones.

More information

For more information and documentation about EJBCA, visit http://www.ejbca.org/.

For information about support and maintenance subscriptions and training for EJBCA, visit http://www.primekey.se/.

For more information and documentation about OpenSSO, visit http://opensso.dev.java.net/