X509CertificateLoginModule
Use X509CertificateLoginModule to verify one or more X.509 certificates. The login module builds all chains of trust, and at least one chain must end at a Trust Anchor. All certificates in the chain are verified according to the Public Key Infrastructure extensions (PKIX). The module checks the status of the certificates against Certificate Revocation Lists (CRLs). It can import missing certificates from PKCS#7 files. To retrieve the CRL, the validation in the login module also supports CRL distribution points (CRL DP). To enable CRL DP, set the Java system property com.sun.security.enableCRLDP to true. The login module also provides direct trust: it checks whether the end entity certificate is itself part of the truststore. If it is, direct trust is established and further CRL checks are disabled.
The following table outlines the parameters of X509CertificateLoginModule. The parameters let you extend the login module functionality and plug other certificate validation methods into it.
| Parameter | Description |
| --- | --- |
| truststore_url | URL of the keystore that contains the Trust Anchors, that is, the root CA or certificate authority (CA) certificates that are trusted. |
| truststore_password | Password of the trust keystore. |
| truststore_type | Optional. Type of the trust keystore. Valid values are PKCS7, PKCS12, or JKS (default). |
| check_crl_status | Boolean. Valid values are: true, the status of the end entity certificate is checked against a CRL retrieved from a URL (in this case the crl_url parameter must be set); false (default), the login module uses direct trust. |
| crl_url | Required when check_crl_status is set to true. Defines the URLs of the CRLs for the end entity certificate. The URLs are separated by a space. |
| overwrite_username | Optional. Boolean. Valid values are: true (default), the user name is overwritten with the subject distinguished name (DN) of the certificate; false, the module only validates the certificates. |
| additional_certificates_container_url | Optional. URL of the container of additional certificates. |
| additional_certificates_container_type | Optional. Type of the container of additional certificates. Valid values are PKCS7, PKCS12, or JKS (default). |
| additional_certificates_container_password | Required when the additional_certificates_container_type parameter is set to JKS or PKCS12. Password of the certificate container. |
The following sample shows X509CertificateLoginModule and its configuration as included in a login context of a JAAS configuration file. The example also shows how the login context reads crl_url, truststore_url, and truststore_password from Java system properties. Note that every Java system property referenced in the JAAS configuration file must have a value that is neither null nor the empty string; otherwise the system may throw an exception.
/** Login Configuration for the X509CertificateLoginModule **/
X509Login {
    com.softwareag.security.jaas.login.modules.X509CertificateLoginModule required
        check_crl_status=true
        crl_url="${com.softwareag.security.crl.url}"
        truststore_url="${com.softwareag.security.truststore.url}"
        truststore_password="${com.softwareag.security.truststore.password}"
        truststore_type=jks
        overwrite_username=false
        additional_certificates_container_url="${com.softwareag.security.certificate.container.url}"
        additional_certificates_container_type="jks"
        additional_certificates_container_password="${com.softwareag.security.certificate.container.password}";
};
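As an added example that is not part of this documentation or of the Software AG module, the following Java class reproduces the validation steps described at the top of this page with the JDK's own PKIX APIs: direct trust when the end entity certificate is in the truststore, otherwise chain building to a Trust Anchor with CRL status checking and CRL DP enabled. The class and method names are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/** Added example (not Software AG code): PKIX validation as the text describes it. */
public class X509ChainCheck {
    /** Loads the JKS truststore given by truststore_url / truststore_password (truststore_type=jks). */
    public static KeyStore loadTrustStore(String url, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (java.io.InputStream in = new java.net.URL(url).openStream()) { ks.load(in, pw); }
        return ks;
    }

    /** chain[0] is the end entity certificate; crls are the lists retrieved from crl_url. */
    public static boolean validate(X509Certificate[] chain, KeyStore trustStore,
                                   Collection<X509CRL> crls) throws Exception {
        X509Certificate endEntity = chain[0];
        // Direct trust: an end entity certificate that is itself in the
        // truststore is accepted as-is and the CRL checks are skipped.
        if (trustStore.getCertificateAlias(endEntity) != null) {
            return true;
        }
        // Every certificate in the truststore becomes a Trust Anchor.
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
            Certificate c = trustStore.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(endEntity);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        // Intermediates (e.g. imported from a PKCS#7 container) and the CRLs go
        // into a CertStore so the builder can complete chains and check status.
        List<Object> extra = new ArrayList<>(Arrays.asList(chain));
        extra.addAll(crls);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(extra)));
        params.setRevocationEnabled(true);                          // check_crl_status=true
        System.setProperty("com.sun.security.enableCRLDP", "true"); // allow CRL DP fetches
        try {
            // Builds a chain to a Trust Anchor and validates it per PKIX;
            // no valid chain or a revoked certificate throws.
            CertPathBuilder.getInstance("PKIX").build(params);
            return true;
        } catch (CertPathBuilderException ex) {
            return false;
        }
    }
}
```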