MashZone NextGen Administration : MashZone NextGen Security : Authentication with Digital Certificates/SSL
Authentication with Digital Certificates/SSL
 
Configure the MashZone NextGen REST API to Use Certificate Authentication
Configure Alternate User ID Extraction
Configure Dynamic User Support
Configure Additional Certificate Validation
There are two aspects of authentication for MashZone NextGen that you can configure for digital certificates: 1) whether MashZone NextGen accepts certificates for user authentication and 2) what information MashZone NextGen uses from the certificates to perform authentication.
Certificate authentication in MashZone NextGen uses Personal Digital Certificates (PDC) from a client. The default authentication process when MashZone NextGen receives a certificate looks for a user ID in the CN portion of the certificate's subjectDN. This user ID is authenticated against the User Repository.
If it is a valid user ID, this ends authentication. MashZone NextGen continues with authorization for the request. If the user ID is not valid, the request is rejected.
To enable authentication based on digital certificates
1. Configure the MashZone NextGen Server to use mutual SSL. See Configure MashZone NextGen for SSL and Digital Certificates for instructions.
2. Using any text or XML editor, edit the applicationContext-security.xml file in the web-apps-home/presto/WEB-INF/classes directory and:
a. Remove the comment markers from the <import> statement for the applicationContext-security-authn-x509.xml file.
The configuration would look something like this:
<beans>
<import resource="applicationContext-security-authn-rememberme.xml" />
<import resource="applicationContext-security-scheduler.xml" />
<import resource="applicationContext-security-authn-x509.xml" />
<!--<import resource="applicationContext-security-authn-rsa.xml" /> -->
...
</beans>
b. Save your changes to this file.
3. If needed, change the default certificate authentication behavior with one or more of these options:
*Configure Alternate User ID Extraction to change where MashZone NextGen obtains the user ID.
*Configure Dynamic User Support to enable MashZone NextGen to accept certificates for user IDs not found in the User Repository.
*Configure Additional Certificate Validation beyond simple user IDs.
4. Enable certificate authentication for the MashZone NextGen REST API. See Configure the MashZone NextGen REST API to Use Certificate Authentication for instructions.
5. If needed, enable certificate caching for the MashZone NextGen Server.
By default, the MashZone NextGen Server does not cache user certificates. This ensures that any changes to user identification or authorization are detected as soon as possible but can impact performance. To turn caching on:
a. Using any text or XML editor, edit the applicationContext-security-authn-x509.xml file in the web-apps-home/presto/WEB-INF/classes directory.
b. Find the x509AutheticationProvider bean.
c. Add <property name="certificateCachingEnabled" value="true" /> to the list of properties for this bean.
d. Save your changes to this file.
6. To apply these changes, restart the MashZone NextGen Server.
Copyright © 2013-2016 Software AG, Darmstadt, Germany.

Product LogoContact Support   |   Community   |   Feedback