Configuring certificate authentication in Jazz Authorization Server
Jazz Authorization Server serves as an OpenID Connect (OIDC) provider for single sign-on (SSO) for Engineering Lifecycle Management applications. You can configure the Jazz Authorization Server running on IBM® WebSphere® Liberty to log in by using a user certificate (.p12) file or a smart card, both of which are more secure than logging in with a user name and password. Although a certificate file and a smart card are different, both carry a certificate that is used for authentication. Certificate authentication uses HTTP over SSL, and authentication occurs by using a public key certificate that is issued by a trusted organization, known as a certificate authority.
Before you begin
- Configure Jazz Authorization Server to use an LDAP user registry.
- Ensure that a certificate authority and user certificates already exist and that the certificate authority's public certificate is available to the administrator. For information about how to create SSL certificates, see SSL Certificates HOWTO.
- Copy the root certificate authority's public certificate to the computer that hosts Jazz Authorization Server.
- Smart card authentication is available for Windows operating systems only.
There are three components involved in this configuration:
- The WebSphere Liberty server profile that hosts Jazz Authorization Server.
- OpenID Connect provider (OIDC)
- Clients
Configure WebSphere Liberty server to accept certificates
About this task
Procedure
Configure the default KeyStore
About this task
Procedure
Configure the default TrustStore
About this task
Configure the default TrustStore with the certificate authority’s root certificate, so that the server trusts the client certificates.
Procedure
Configure Liberty Profile to map incoming certificates to users in the registry
About this task
- Certificate filter
  Specifies the filter certificate mapping property for the LDAP filter. The filter is used to map attributes in the client certificate to entries in the LDAP registry. If more than one LDAP entry matches the filter specification at run time, authentication fails because the result is an ambiguous match. The syntax for this filter is:
  LDAP attribute=${Client certificate attribute}
  An example of a simple certificate filter is:
  uid=${SubjectCN}
  For more information, see the related Liberty documentation. Here is an example of an LDAP configuration with certificate filter mode enabled:
<ldapRegistry id="LDAP" realm="SampleLdapIDSRealm"
    host="myldap.ibm.com" port="389" ignoreCase="true"
    baseDN="o=ibm,c=us"
    certificateMapMode="CERTIFICATE_FILTER"
    certificateFilter="uid=${SubjectCN}"
    userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
    groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
    userIdMap="*:uid" groupIdMap="*:cn"
    groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember"
    ldapType="IBM Tivoli Directory Server" searchTimeout="8m" />
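The following Python model, added here and not part of the Liberty product or this page's original content, shows what the certificate filter does at run time: a ${...} placeholder in certificateFilter is replaced with the matching attribute of the authenticated client certificate, the resulting LDAP filter is searched, and the login succeeds only when exactly one registry entry matches (zero matches is an unknown user, two or more is the ambiguous match described above). The certificate attributes and the LDAP entries are constructed sample data; only SubjectCN is taken from the page, and the other placeholder names, the escaping step and the helper function names are assumptions of this model, not documented Liberty behaviour.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the attributes a server reads from a validated
# X.509 client certificate. SubjectCN is the placeholder used on the page;
# the other names are assumptions for illustration.
CLIENT_CERT = {
    "SubjectCN": "jsmith",
    "SubjectDN": "CN=jsmith,OU=Engineering,O=Example Corp,C=US",
    "IssuerDN": "CN=Example Root CA,O=Example Corp,C=US",
}

# Constructed in-memory stand-in for entries under baseDN o=ibm,c=us.
# The two "shared" entries exist only to show the ambiguous-match failure.
LDAP_ENTRIES = [
    {"dn": "uid=jsmith,ou=people,o=ibm,c=us", "uid": "jsmith", "objectclass": "ePerson"},
    {"dn": "uid=adoe,ou=people,o=ibm,c=us", "uid": "adoe", "objectclass": "ePerson"},
    {"dn": "uid=shared,ou=people,o=ibm,c=us", "uid": "shared", "objectclass": "ePerson"},
    {"dn": "uid=shared,ou=contractors,o=ibm,c=us", "uid": "shared", "objectclass": "ePerson"},
]

# RFC 4515 escaping for a value substituted into an LDAP filter, so that a
# certificate attribute containing "*", "(" or ")" is matched literally
# instead of changing the shape of the search. (Assumed step of this model.)
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def ldap_unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def render_filter(certificate_filter: str, cert_attrs: Dict[str, str]) -> str:
    """Expand ${...} placeholders with escaped certificate attribute values
    and wrap the result as a parenthesised LDAP filter."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in cert_attrs:
            raise KeyError(f"certificate attribute {name} is not present")
        return ldap_escape(cert_attrs[name])
    return "(" + _PLACEHOLDER.sub(substitute, certificate_filter) + ")"


def search(entries: List[Dict[str, str]], ldap_filter: str) -> List[Dict[str, str]]:
    """Minimal evaluator for one equality filter of the form (attr=value)."""
    match = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if match is None:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, target = match.group(1), ldap_unescape(match.group(2))
    return [entry for entry in entries if entry.get(attr) == target]


class CertificateMappingError(Exception):
    """Raised when the certificate cannot be mapped to exactly one user."""


def map_certificate_to_user(certificate_filter: str, cert_attrs: Dict[str, str],
                            entries: List[Dict[str, str]]) -> str:
    """Return the DN of the single registry entry selected by the filter."""
    ldap_filter = render_filter(certificate_filter, cert_attrs)
    matches = search(entries, ldap_filter)
    if not matches:
        raise CertificateMappingError(f"no registry entry matches {ldap_filter}")
    if len(matches) > 1:
        raise CertificateMappingError(
            f"ambiguous match: {len(matches)} entries match {ldap_filter}")
    return matches[0]["dn"]


def try_map(certificate_filter: str, cert_attrs: Dict[str, str],
            entries: List[Dict[str, str]]) -> Tuple[str, str]:
    """Report ("ok", dn) or ("fail", reason) instead of raising."""
    try:
        return ("ok", map_certificate_to_user(certificate_filter, cert_attrs, entries))
    except (CertificateMappingError, KeyError) as exc:
        return ("fail", str(exc))


if __name__ == "__main__":
    cert_filter = "uid=${SubjectCN}"
    print(try_map(cert_filter, CLIENT_CERT, LDAP_ENTRIES))
    print(try_map(cert_filter, {"SubjectCN": "shared"}, LDAP_ENTRIES))
    print(try_map(cert_filter, {"SubjectCN": "*"}, LDAP_ENTRIES))
```

The second call shows why the page warns about duplicate entries: a subject CN of "shared" matches two DNs, so the login is rejected rather than resolved to either user. The third call shows the effect of escaping: a certificate whose CN is a bare "*" is searched as the literal string and matches nobody.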
Configure the OpenID Connect provider to require certificate-based authentication
About this task
Procedure
Configure web browsers to authenticate applications via user certificates
Procedure
- Import the user certificate into the browser as a personal certificate.
  On Microsoft Windows, double-click the user certificate and follow the steps in the wizard to import the certificate into your web browser. After the import completes, the imported certificates are listed when you access any of the Engineering Lifecycle Management applications.
- Select the appropriate user certificate to log in to Engineering Lifecycle Management.
  Check the user name that is displayed at the top-right corner and confirm that the certificate matches your user ID.
Configure Eclipse and Visual Studio clients to authenticate applications via user certificates
Procedure
- Create a new repository connection and configure it to use certificate authentication.
- Change the authentication type to SSL certificate.
  Browse to the user certificate that you want to use and enter its password.
- Click Finish to log in.
Repotools Utility
Repotools supports certificate authentication through the certificateFile parameter. The adminPassword parameter is the password for the certificate that is provided. The following example uses a user certificate and its password to run a repotools command.
Example
> repotools-ccm.bat -backupJFSIndexes repositoryURL=https://ibmclm.vapp.com:9443/ccm certificateFile="C:\Certs\MyCert.p12" adminPassword="MyPassword" toFile=C:\Test\CCMIndexBackup.zip