OCSPLoginModule

Last modified by RaffaelloPelagalli on 2007/01/23 11:57

Description

This login module lets your web application authenticate users with X509 certificates: it validates their certificate path and checks, via OCSP, whether any certificate in that path has been revoked. This mechanism allows real-time certificate revocation checking.

General parameters

name                   | mandatory | values | description
-----------------------|-----------|--------|------------------------------------------------------------------
ocspServerURL          | yes       |        |
IssuerCACertLocation   | yes       |        |
OcspSignerCertLocation | yes       |        | must be signed by the CA (signing by another authority is not yet supported)

~~ __A bug has been identified in the 1.0.0 release which prevents this LoginModule from being used. A fix is already present in the bug report and will be integrated in the forthcoming 1.0.1 bug fix release.__~~

Example

This is an example jGuardAuthentication.xml using OCSPLoginModule:

...
...
<loginModule>
	<name>net.sf.jguard.ext.authentication.loginmodules.OCSPLoginModule</name>
	<flag>REQUIRED</flag>
	<loginModuleOptions>
		<option>
			<name>debug</name>
			<value>true</value>
		</option>
		<option>
			<name>ocspServerURL</name>
			<value>http://127.0.0.1:8080/ejbca/publicweb/status/ocsp</value>
		</option>
		<option>
			<name>IssuerCACertLocation</name>
			<value>/home/user/certificates/AdminCA1.der</value>
		</option>
		<option>
			<name>OcspSignerCertLocation</name>
			<value>/home/user/certificates/AdminCA1.der</value>
		</option>
	</loginModuleOptions>
</loginModule>
...
...

In this example we configure the URL of a local OCSP server provided by EJBCA, but you can use whatever OCSP server URI your CA permits. Also, at this time only an OCSP signer certificate signed by the CA can be used; to configure it, set OcspSignerCertLocation to the file location of the issuer CA certificate.
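The same check expressed with the JDK's own PKIX API, as an added example that is not jGuard's code: the three options map onto the trust anchor, the OCSP responder URI and the responder certificate. The class name, the command-line arguments and the cert-file paths are assumptions; a reachable OCSP responder is required at run time.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.cert.*;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;

// Added example, not the login module's implementation. Assumed arguments:
// args[0] = ocspServerURL, args[1] = IssuerCACertLocation,
// args[2] = OcspSignerCertLocation, args[3] = DER client certificate to check.
public class OcspCertPathCheck {
    static X509Certificate load(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
    /** Returns the PKIX result, or throws CertPathValidatorException (e.g. reason REVOKED). */
    static PKIXCertPathValidatorResult validate(URI ocspServerUrl, X509Certificate issuerCa,
            X509Certificate ocspSigner, List<X509Certificate> chain) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);            // the certPath being validated
        // IssuerCACertLocation -> the single trust anchor the path must chain to
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(issuerCa, null)));
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOcspResponder(ocspServerUrl);   // ocspServerURL: overrides any AIA URL in the cert
        rc.setOcspResponderCert(ocspSigner);  // OcspSignerCertLocation: who may sign responses
        // OCSP only, no CRL fallback; SOFT_FAIL is not set, so an unreachable responder
        // or an "unknown" status rejects the certificate instead of silently passing it.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(rc);
        params.setRevocationEnabled(true);
        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = Collections.singletonList(load(cf, args[3]));
        try {
            PKIXCertPathValidatorResult r = validate(new URI(args[0]), load(cf, args[1]),
                    load(cf, args[2]), chain);
            System.out.println("valid, anchor: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // e.getReason() is BasicReason.REVOKED when the responder reports revocation
            System.out.println("rejected: " + e.getReason() + " (" + e.getMessage() + ")");
        }
    }
}
```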

Created by diabolo512 on 2006/02/09 14:40

jGuard team copyright 2004-2009