Configure EJBCA with OpenSSO

EJBCA can issue certificates to be used when protecting sites using OpenSSO (Sun's Access Manager). EJBCA will then be configured to publish issued certificates to the AM LDAP server.

After installing EJBCA, follow these configuration steps:

Step 1: Create a Publisher, AMPublisher with the following properties

    • Publisher Type: LDAP V3 Search Publisher
    • Base DN: The Base DN in the AM LDAP, for example dc=company,dc=com
    • Login parameters to the AM LDAP server
    • Create Nonexisting Users: false
    • Modify Existing Users: true
    • Add multiple certificates per user: false
    • Remove certificates when revoked: true
    • Remove ldap user when certificate revoked: false
    • LDAP location fields from cert DN: CN, Common Name (not really used)
    • Suffix base DN of the LDAP Search: same as Base DN, for example dc=company,dc=com
    • LDAP filter of the search: uid=$USERNAME

Step 2: Create a Certificate Profile, AMUser

    • Use ENDUSER as template when creating the profile
    • Extended Key Usage: Client Authentication
    • Publishers: AMPublisher

Step 3: Create an End Entity Profile, AMUser

    • Subject DN Fields: UID, CN, O, C is sufficient
    • Default Certificate Profile: AMUser
    • Available Certificate Profiles: AMUser

To add a new user:

  • Create a new user in AM
  • Create a new user in EJBCA with the same username and UID as the username in AM
  • Get the certificate for the user, for example with the user's browser on the public web pages of EJBCA

When the users certificate is created, the certificate is published to the AM LDAP server and certificate authentication can be configured and used in AM.

For more information on integrating EJBCA and OpenSSO, refer to the article Using OpenSSO To Protect Java EE Applications, Part 1: Setting Up X.509 Client Authentication by Bruno Bonfil. Also see the Integration between EJBCA and OpenSSO for information on Integration between EJBCA and OpenSSO.