NAM supports X.509 certificate mutual authentication. Mutual authentication is used when a user has been issued an X.509 certificate by a trusted source, and that certificate is then used to identify the user. The issuing Certificate Authority has to be imported into the NAM trust store, and that is where the problem arises in some use cases.
The NAM trust store holds many other trusted certificate authorities. That means that if a user submits a user certificate issued by a different certificate authority that also happens to be in the trust store, authentication succeeds. This is not the behaviour one wants in an enterprise where many smart cards and X.509 authentications from different issuers are in use. The desired behaviour is that the contract succeeds only if the user submits an X.509 user certificate issued by one particular certificate authority. For example, if the trusted authority is GoDaddy, user authentication should succeed only if the X.509 certificate was issued by GoDaddy.
Why is this useful?
This solution limits a mutual authentication contract to the group of people whose user certificates were issued by one trusted authority. Authentication with a user certificate issued by any other certificate authority fails, even though that authority is also in the NAM trust store.
NetIQ Access Manager provides documentation listing the steps to configure X.509 authentication. Please read it; it will help in configuring this solution with NAM. This solution provides a new class that extends the X.509 class, and it has to be configured as a custom class. The basic steps for setting up the NAM custom X.509 authentication class follow.
Copy the jar file to the NAM IDP lib folder: /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib
Copy the custom properties file to the classes folder: /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes
Restart the IDP: /etc/init.d/novell-idp restart
Log in to the Admin Console
Create the custom X.509 authentication class
Navigate to Local --> Classes --> New
Select “Other” from the “Java Class” dropdown list
Type a display name
Enter “com.novell.nidp.authentication.local.X509ExtClasss” as the “Java class path”
Under Properties, add a property named “TRUSTED_CERT_ALIAS” whose value is a comma-separated list of the alias names that were given to the certificate authority chain when it was imported into the NAM trust store (the complete certificate chain: root, intermediate, etc.)
If additional X.509 class configuration such as CRL or OCSP settings is needed, map the X.509 authentication class configuration from the UI to the following properties. These properties are associated with the default X.509 class; any property configured on the default X.509 class must be configured on the custom class as a name=value pair under the Properties section (try to map the values to the default X.509 class properties). Note: if no values are configured, no property configuration is required. One attribute that is mandatory with the default X.509 class can be ignored, since the custom class does not use it.
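The core of the custom class is a narrower chain check than the stock X.509 class performs: instead of accepting any issuer present in the trust store, it accepts only the CAs named by TRUSTED_CERT_ALIAS. The Go program below is an added illustration of that check and is not NAM's class, the page's jar, or code from the NetIQ documentation. It builds a constructed PKI in memory (an example "GoDaddy" root and intermediate plus an unrelated enterprise root, all three imported into the store, as they would be in a shared NAM trust store), reads a TRUSTED_CERT_ALIAS value, and verifies a user certificate only against the CAs those aliases name. The alias names, certificate subjects and the TrustStore map type are assumptions made for this example; the real trust store is a keystore and the real class is the Java class configured in the steps above.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TrustStore stands in for the NAM IDP trust store: alias -> CA certificate (an assumption for the example).
type TrustStore map[string]*x509.Certificate

func must[T any](v T, err error) T { // fixture helper: abort if building the demo PKI fails
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a throwaway certificate for the demo; parent == nil yields a self-signed root.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // positive and unique enough for a demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // user / smart-card certificate
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyAgainstAliases is the added check: the user cert must chain to the CAs named in TRUSTED_CERT_ALIAS.
func VerifyAgainstAliases(store TrustStore, trustedCertAlias string, user *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, alias := range strings.Split(trustedCertAlias, ",") {
		alias = strings.TrimSpace(alias)
		ca, ok := store[alias]
		if !ok { // fail closed: a misspelt alias must not silently widen trust
			return fmt.Errorf("alias %q not found in trust store", alias)
		}
		if bytes.Equal(ca.RawSubject, ca.RawIssuer) {
			roots.AddCert(ca) // self-signed root from the configured chain
		} else {
			inters.AddCert(ca) // intermediate from the configured chain
		}
	}
	_, err := user.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

type DemoResult struct {
	GoDaddyUserOK, OtherUserOK, OtherUserOKUnrestricted bool
	MissingAliasErr                                    error
}

// Demo builds the constructed PKI (both roots in the store, as in a real NAM trust store) and applies the check.
func Demo() DemoResult {
	gdRoot, gdRootKey := issue("Example GoDaddy Root", true, nil, nil)
	gdInt, gdIntKey := issue("Example GoDaddy Intermediate", true, gdRoot, gdRootKey)
	otherRoot, otherRootKey := issue("Other Enterprise Root", true, nil, nil)
	alice, _ := issue("alice", false, gdInt, gdIntKey)     // issued under the wanted chain
	bob, _ := issue("bob", false, otherRoot, otherRootKey) // issued by another CA that is also trusted
	store := TrustStore{"godaddy-root": gdRoot, "godaddy-int": gdInt, "other-root": otherRoot}
	restricted := "godaddy-root, godaddy-int"           // TRUSTED_CERT_ALIAS: the complete chain
	everything := "godaddy-root,godaddy-int,other-root" // what the stock class effectively trusts
	return DemoResult{
		GoDaddyUserOK:           VerifyAgainstAliases(store, restricted, alice) == nil,
		OtherUserOK:             VerifyAgainstAliases(store, restricted, bob) == nil,
		OtherUserOKUnrestricted: VerifyAgainstAliases(store, everything, bob) == nil,
		MissingAliasErr:         VerifyAgainstAliases(store, "godaddy-rooot", alice),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Two details are worth carrying over when you configure the real class. First, list the complete chain (root and intermediate aliases) exactly as the aliases were entered in the trust store, because a chain that cannot be built to a listed root fails even for a user from the wanted CA. Second, check how the class behaves when an alias is misspelt: the example above fails closed on an unknown alias, but the page does not say what the NAM class does in that case, so test it with a deliberately wrong alias before relying on the restriction.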