When configuring an application to do a JNDI lookup via SSL and using the CN of the certificate as the user name, is it possible to send only the SSL certificate without the user name /password?


Article ID: KB0084639


Products: TIBCO Enterprise Message Service
Versions: Not Applicable

Description

Environment:
==========
All

Resolution:
========

If you are using EMS as the JNDI server, the following is required for the server to use the CN from the client certificate as the user name:

1). Enable "ssl_use_cert_username" in tibemsd.conf.

2). Create a user in the server whose name is the same as the CN in the certificate.

When authorization and "ssl_use_cert_username" are both enabled, an SSL connection undergoes a two-phase authentication process. The first phase is the SSL handshake between the client and the server, using the certificates of the EMS client and the EMS server; the user name is extracted from the client certificate. The second phase checks the credentials of the extracted user name by matching them against the credentials (password) specified for that user in the users.conf file.

In your application you therefore do not need to provide the user name, but you do need to provide the password for that user (if the user has a non-empty password). Otherwise the authentication fails in the second phase.
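As an added illustration (not taken from the TIBCO article or the product documentation), the tibemsd.conf and users.conf fragments that such a setup needs; the certificate paths, the listen port, the CN value `order-service` and the description text are assumed.

```properties
# tibemsd.conf (example fragment; paths and port are assumed)

# Only an SSL listen port, so every connection goes through the certificate handshake
listen = ssl://7243

# Phase 2 (the users.conf credential check) only runs when authorization is enabled
authorization = enabled
users = users.conf

# Server identity presented to clients during the handshake
ssl_server_identity = certs/server.cert.pem
ssl_server_key = certs/server.key.pem
ssl_password = <server-key-password-placeholder>

# CA certificates used to validate the client certificates
ssl_server_trusted = certs/client_ca.cert.pem

# Reject clients that present no certificate at all, then take the user name from the CN
ssl_require_client_cert = enabled
ssl_use_cert_username = enabled

# users.conf: the user name must match the certificate CN exactly.
# Read the CN of a client certificate with:
#   openssl x509 -in client.cert.pem -noout -subject
# The user is normally created with tibemsadmin rather than by editing the file:
#   create user order-service "JNDI lookup client"
#   set password order-service <password>
# The resulting entry looks like this (the server writes the password hash itself);
# because the password is non-empty, the client must still supply it in phase 2.
order-service:<password-hash-written-by-server>:"JNDI lookup client"
```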

If you do not want to provide a password in the application, EMS 5.0 and above support JAAS, which lets you write your own pluggable security layer. In this plug-in you can implement the checks so that a user whose certificate is valid is allowed access.

Refer to the EMS User's Guide for more information regarding JAAS.

Keywords:
========
JNDI ssl_use_cert_username SSL JAAS authorization
