OCSPLoginModule

Description

This LoginModule provides authentication for your web application based on X.509 certificates: it validates their certification path and checks whether any certificate in it has been revoked, using the OCSP mechanism. OCSP permits a real-time certificate revocation check, instead of relying on a periodically downloaded CRL.

General parameters

name                     mandatory   values   description
ocspServerURL            yes
IssuerCACertLocation     yes
OcspSignerCertLocation   yes                  must be signed by the CA (a signer certificate signed by another authority is not yet supported)

~~ __A bug has been identified in the 1.0.0 release which prevents the use of this LoginModule. A fix is already present in the bug report, and will be integrated in the forthcoming 1.0.1 bug fix release.__~~

Example

This is an example jGuardAuthentication.xml using OCSPLoginModule:

...
...
<loginModule>
	<name>net.sf.jguard.ext.authentication.loginmodules.OCSPLoginModule</name>
	<flag>REQUIRED</flag>
	<loginModuleOptions>
		<option>
			<name>debug</name>
			<value>true</value>
		</option>
		<option>
			<name>ocspServerURL</name>
			<value>http://127.0.0.1:8080/ejbca/publicweb/status/ocsp</value>
		</option>
		<option>
			<name>IssuerCACertLocation</name>
			<value>/home/user/certificates/AdminCA1.der</value>
		</option>
		<option>
			<name>OcspSignerCertLocation</name>
			<value>/home/user/certificates/AdminCA1.der</value>
		</option>
	</loginModuleOptions>
</loginModule>
...
...

In this example we configure the URL of a local OCSP responder provided by EJBCA, but you can put whatever OCSP responder URI your CA offers. Also, at this time only an OCSP responder certificate signed by the issuing CA can be used; to configure it, put the file location of the issuer CA certificate in OcspSignerCertLocation, as shown above.
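To show what the module has to do with these three options, here is the same check done directly with the JDK's PKIX API: the issuer CA file becomes the trust anchor, the responder URL goes into the `ocsp.responderURL` security property, and revocation checking is switched on. This is an added example, not jGuard's own code; the client certificate path is an assumption, the CA path and responder URL are the ones from the configuration above, and it assumes Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.*;
import java.util.Collections;

public class OcspCheckExample {

    /** Loads one DER-encoded X.509 certificate from disk. */
    static X509Certificate loadCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Validates the client certificate against the issuer CA (IssuerCACertLocation) and
     * asks the OCSP responder at responderUrl (ocspServerURL) whether it is revoked.
     * Returns normally on success; throws CertPathValidatorException otherwise
     * (reason REVOKED when the responder reports the certificate as revoked).
     */
    static void validateWithOcsp(X509Certificate client, X509Certificate issuerCa,
                                 String responderUrl) throws Exception {
        // The JDK's OCSP checker accepts a responder certificate that is the issuer CA
        // itself or is issued by it, which matches the module's current limitation.
        Security.setProperty("ocsp.enable", "true");
        Security.setProperty("ocsp.responderURL", responderUrl);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(client));
        TrustAnchor anchor = new TrustAnchor(issuerCa, null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
        params.setRevocationEnabled(true);  // without this no OCSP (or CRL) lookup happens

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        validator.validate(path, params);   // throws on bad signature, expiry or revocation
    }

    public static void main(String[] args) throws Exception {
        X509Certificate ca = loadCert("/home/user/certificates/AdminCA1.der");   // from the page
        X509Certificate client = loadCert("/home/user/certificates/client.der"); // assumed path
        try {
            validateWithOcsp(client, ca, "http://127.0.0.1:8080/ejbca/publicweb/status/ocsp");
            System.out.println("certificate path valid and not revoked");
        } catch (CertPathValidatorException e) {
            System.out.println("rejected: " + e.getReason() + " - " + e.getMessage());
        }
    }
}
```

If the responder is unreachable the validation fails as well (a soft-fail is not the default), which is the behaviour you want from a real-time revocation check.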

Version 1.5 last modified by Xavier Francisco on 23/01/2007 at 11:57


Creator: Charles Gay on 2006/02/09 14:40
jGuard team copyright 2004-2007