– Do not store the certificate in the LDAP. The module will check the validity of the certificate and accept whatever valid certificate is presented. This also simplifies the provisioning process as you don’t have to copy the certificates to the Directory and maintain revoked, expired etc certificates.

– Use another identifying attribute, if there is such attribute (an email address ?)

– Sublclass (or modify the source code of the) X509 authentication module to create your own. This would allow you to store a hash key of the serial number in the LDAP and search for the hash instead.

Should anyone have other options, let’s share and discuss this !

Do you have any suggestions on how to do this without storing this number in plain text (apparantly a salted hash is allowed).

Article très intéressent et assez détailé, j’était un des élèves de la java one after glow 😀 .

En passant, un merci pour votre présence.

++

And is there any good document or blog detailing how the Sun Certificate Authentication Module works? Does it interact with a crypto API directly?

In particular, how does the auth module know which certificate is presented by the visitor – does the module itself participate in TLS handshake, does it process certain HTTP headers set by an SSL gateway (or the web container itself), or are there some Java flags and variables set by the web container?

Should your configuration respects the standards, then it will work. Otherwise, writing a custom Authentication module is probably the solution.

Does it use HTTP headers added by an HTTPS-deciphering layer or some local variables and flags in the context of the application server running AMServer/Portal/etc?

We have a project which concerns integration of proprietary cryptography with Sun Portals. There is no stable Java integration yet (the core product is "certified" and unchangeable, and I can only guess it’s written in C). Thus we can’t use the benefits of Java CryptoAPI to directly decipher the HTTPS data in the App Server context.

Instead, we use a separate program which can decipher these algorithms and forward plaintext HTTP to the backend servers (i.e. through a Sun SRA Gateway to the real-backend App Servers) and encodes the responses for the clients. You can consider it an "SSL Accelerator" or "proxy" in some common terms.

This program can also add HTTP headers (i.e. Certificate numbers chain) to the forwarded stream.

Can the Certificate Auth Module be used in this scenario, or are we bound to creation of a new Auth Module as well?