9.6. Registering Custom Authentication Plug-ins


Custom authentication plug-in modules can be registered through the CA Console. Authentication plug-in modules can also be deleted through the CA Console. Before deleting a module, delete instances that are based on that module.

Note

For writing custom plug-ins, refer to the Authentication Plug-in Tutorial.
  1. Create the custom authentication class. For this example, the custom authentication plug-in is called UidPwdDirAuthenticationTestms.java.
  2. Compile the new class.
    javac -d . -classpath $CLASSPATH UidPwdDirAuthenticationTestms.java
  3. Create a directory in the CA's WEB-INF web directory to hold the custom classes, so that the CA can access them for the enrollment forms.
    mkdir /usr/share/pki/ca/webapps/ca/WEB-INF/classes
  4. Copy the new plug-in files into the new classes directory, and set the owner to the Certificate System system user (pkiuser).
    cp -pr com /usr/share/pki/ca/webapps/ca/WEB-INF/classes
    
    chown -R pkiuser:pkiuser /usr/share/pki/ca/webapps/ca/WEB-INF/classes
  5. Log into the console.
    pkiconsole https://server.example.com:8443/ca
  6. Register the plug-in.
    1. In the Configuration tab, click Authentication in the navigation tree.
    2. In the right pane, click the Authentication Plug-in Registration tab.
      The tab lists modules that are already registered.
    3. To register a plug-in, click Register.
      The Register Authentication Plug-in Implementation window appears.
    4. Specify which module to register by filling in the two fields:
      • Plugin name. The name for the module.
      • Class name. The full name of the class for this module. This is the path to the implementing Java™ class. If this class is part of a package, include the package name. For example, to register a class named customAuth in a package named com.customplugins, the class name is com.customplugins.customAuth.
  7. After registering the module, add the module as an active authentication instance.
    1. In the Configuration tab, click Authentication in the navigation tree.
    2. In the right pane, click the Authentication Instance tab.
    3. Click Add.
    4. Select the custom module, UidPwdDirAuthenticationTestms.java, from the list to add the module. Fill in the appropriate configuration for the module.
  8. Create a new end-entity enrollment form to use the new authentication module.
    cd /var/lib/pki/pki-tomcat/ca/profiles/ca
    
    cp -p caDirUserCert.cfg caDirUserCertTestms.cfg
    
    vi caDirUserCertTestms.cfg
    
    desc=Test ms - This certificate profile is for enrolling user certificates with directory-based authentication.
    visible=true
    enable=true
    enableBy=admin
    name=Test ms - Directory-Authenticated User Dual-Use Certificate Enrollment
    auth.instance_id=testms
    ...
  9. Add the new profile to the CA's CS.cfg file.

    Note

    Back up the CS.cfg file before editing it.
    vim /var/lib/pki/instance-name/ca/conf/CS.cfg
    
    profile.list=caUserCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthKRAstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,DomainController,caDirUserCertTestms
    ...
    profile.caDirUserCertTestms.class_id=caEnrollImpl
    profile.caDirUserCertTestms.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caDirUserCertTestms.cfg
  10. Restart the CA.
    systemctl restart pki-tomcatd@instance_name.service
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.