9.6. Registering Custom Authentication Plug-ins
Custom authentication plug-in modules can be registered through the CA Console. Authentication plug-in modules can also be deleted through the CA Console. Before deleting a module, delete instances that are based on that module.
Note
For writing custom plug-ins, refer to the Authentication Plug-in Tutorial.
- Create the custom authentication class. For this example, the custom authentication plug-in is called
UidPwdDirAuthenticationTestms.java. - Compile the new class.
javac -d . -classpath $CLASSPATH UidPwdDirAuthenticationTestms.java
- Create a directory in the CA's
WEB-INFweb directory to hold the custom classes, so that the CA can access them for the enrollment forms.mkdir /usr/share/pki/ca/webapps/ca/WEB-INF/classes
- Copy the new plug-in files into the new
classesdirectory, and set the owner to the Certificate System system user (pkiuser).cp -pr com /usr/share/pki/ca/webapps/ca/WEB-INF/classes chown -R pkiuser:pkiuser /usr/share/pki/ca/webapps/ca/WEB-INF/classes
- Log into the console.
pkiconsole https://server.example.com:8443/ca
- Register the plug-in.
- In the Configuration tab, click Authentication in the navigation tree.
- In the right pane, click the Authentication Plug-in Registration tab.The tab lists modules that are already registered.
- To register a plug-in, click .The Register Authentication Plug-in Implementation window appears.
- Specify which module to register by filling in the two fields:
- Plugin name. The name for the module.
- Class name. The full name of the class for this module. This is the path to the implementing Java™ class. If this class is part of a package, include the package name. For example, to register a class named
customAuthin a package namedcom.customplugins, the class name iscom.customplugins.customAuth.
- After registering the module, add the module as an active authentication instance.
- In the Configuration tab, click Authentication in the navigation tree.
- In the right pane, click the Authentication Instance tab.
- Click .
- Select the custom module,
UidPwdDirAuthenticationTestms.java, from the list to add the module. Fill in the appropriate configuration for the module.
- Create a new end-entity enrollment form to use the new authentication module.
cd /var/lib/pki/pki-tomcat/ca/profiles/ca cp -p caDirUserCert.cfg caDirUserCertTestms.cfg vi caDirUserCertTestms.cfg desc=Test ms - This certificate profile is for enrolling user certificates with directory-based authentication. visible=true enable=true enableBy=admin name=Test ms - Directory-Authenticated User Dual-Use Certificate Enrollment
auth.instance_id=testms... - Add the new profile to the CA's
CS.cfgfile.Note
Back up theCS.cfgfile before editing it.vim /var/lib/pki/instance-name/ca/conf/CS.cfg profile.list=caUserCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthKRAstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,DomainController,
caDirUserCertTestms... profile.caDirUserCertTestms.class_id=caEnrollImpl profile.caDirUserCertTestms.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caDirUserCertTestms.cfg - Restart the CA.
systemctl restart pki-tomcatd@instance_name.service
