CertificateValidationNode
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/product-CertificateValidationNode
Resource version: 1.0
create
Usage
am> create CertificateValidationNode --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "ocspValidationEnabled" : { "title" : "OCSP Validation", "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates.<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check thevalidity of the certificate as part of the authentication process.<br><br>The OpenAM server must have Internet connectivity for OCSP to work.", "propertyOrder" : 900, "type" : "boolean", "exampleValue" : "" }, "updateCRLsFromDistributionPoint" : { "title" : "Update CA CRLs from CRLDistributionPoint", "description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server.<br><br>If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set OpenAM tries to update the CRLs if needed (i.e. CRL is out-of-date).<br>This property controls if the update should be performed.<br>This property is only used if CA CRL checking is enabled.", "propertyOrder" : 800, "type" : "boolean", "exampleValue" : "" }, "crlMatchingCertificateAttribute" : { "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs", "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap search filter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN) e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', search filter used will be <code>(CN=Some CA)</code>.<br><br>If several attribute names are specified, they have to separated by ,. The resulting ldap search filter value will be a comma separated list of name attribute values, the search attribute will be cn e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN, serialNumber', search filter used will be <code>cn=CN=Some CA,serialNumber=123456</code>. The order of the values of the attribute names matteras they must match the value of the cn attribute of a crlDistributionPoint entry in the directory server.", "propertyOrder" : 500, "type" : "string", "exampleValue" : "" }, "ldapCertificateAttribute" : { "title" : "Subject DN Attribute Used to Search LDAP for Certificates", "description" : "This is the attribute used to search the directory for the certificate.<br><br>The Certificate node will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "" }, "checkCertificateExpiry" : { "title" : "Check Certificate Expiration", "description" : "Check to see if the certificate is expired.", "propertyOrder" : 200, "type" : "boolean", "exampleValue" : "" }, "crlHttpParameters" : { "title" : "HTTP Parameters for CRL Update", "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority.<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allow custom HTTP parameters to be included in the CRL request.<br><br>The format of the parameter is as follows:<br><code>param1=value1,param2=value</code>", "propertyOrder" : 600, "type" : "string", "exampleValue" : "" }, "sslEnabled" : { "title" : "Use SSL/TLS for LDAP Access", "description" : "The certificate node will use SSL/TLS to access the LDAP server.", "propertyOrder" : 1400, "type" : "boolean", "exampleValue" : "" }, "matchCertificateInLdap" : { "title" : "Match Certificate in LDAP", "description" : "The client certificate must exist in the directory for the authentication to be successful.", "propertyOrder" : 100, "type" : "boolean", "exampleValue" : "" }, "ldapSearchStartDN" : { "title" : "LDAP Search Start or Base DN", "description" : "The start point in the LDAP server for the certificate and CRL search.<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br><code>local server name | base dn</code><br><br>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 1100, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "certificateLdapServers" : { "title" : "LDAP Server Where Certificates are Stored", "description" : "Use this list to set the LDAP server used to search for certificates.<br><br>The Certificate authentication node will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br><code>ldap_server:port</code><br><br>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br><code>local server name | server:port</code><br><br>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 1000, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "userBindDN" : { "title" : "LDAP Server Authentication User", "description" : "DN of the user used by the node to authenticate to the LDAP server.<br><br>The Certificate node authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.", "propertyOrder" : 1200, "type" : "string", "exampleValue" : "" }, "matchCertificateToCRL" : { "title" : "Match Certificate to CRL", "description" : "The Client Certificate will be checked against the Certificate Revocation list held in thedirectory.<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.", "propertyOrder" : 400, "type" : "boolean", "exampleValue" : "" }, "userBindPassword" : { "title" : "LDAP Server Authentication Password", "description" : "The password for the authentication user.", "propertyOrder" : 1300, "type" : "string", "format" : "password", "exampleValue" : "" }, "cacheCRLsInMemory" : { "title" : "Cache CRLs in Memory", "description" : "The CRLs will be cached in memory.", "propertyOrder" : 700, "type" : "boolean", "exampleValue" : "" } }, "required" : [ "ldapSearchStartDN", "matchCertificateToCRL", "crlMatchingCertificateAttribute", "certificateLdapServers", "matchCertificateInLdap", "ldapCertificateAttribute", "cacheCRLsInMemory", "sslEnabled", "updateCRLsFromDistributionPoint", "checkCertificateExpiry", "ocspValidationEnabled" ] }
delete
Usage
am> delete CertificateValidationNode --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action CertificateValidationNode --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action CertificateValidationNode --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage
am> action CertificateValidationNode --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action CertificateValidationNode --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports _queryFilter=true
filter.
Usage
am> query CertificateValidationNode --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read CertificateValidationNode --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update CertificateValidationNode --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "ocspValidationEnabled" : { "title" : "OCSP Validation", "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates.<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check thevalidity of the certificate as part of the authentication process.<br><br>The OpenAM server must have Internet connectivity for OCSP to work.", "propertyOrder" : 900, "type" : "boolean", "exampleValue" : "" }, "updateCRLsFromDistributionPoint" : { "title" : "Update CA CRLs from CRLDistributionPoint", "description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server.<br><br>If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set OpenAM tries to update the CRLs if needed (i.e. CRL is out-of-date).<br>This property controls if the update should be performed.<br>This property is only used if CA CRL checking is enabled.", "propertyOrder" : 800, "type" : "boolean", "exampleValue" : "" }, "crlMatchingCertificateAttribute" : { "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs", "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap search filter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN) e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', search filter used will be <code>(CN=Some CA)</code>.<br><br>If several attribute names are specified, they have to separated by ,. The resulting ldap search filter value will be a comma separated list of name attribute values, the search attribute will be cn e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN, serialNumber', search filter used will be <code>cn=CN=Some CA,serialNumber=123456</code>. The order of the values of the attribute names matteras they must match the value of the cn attribute of a crlDistributionPoint entry in the directory server.", "propertyOrder" : 500, "type" : "string", "exampleValue" : "" }, "ldapCertificateAttribute" : { "title" : "Subject DN Attribute Used to Search LDAP for Certificates", "description" : "This is the attribute used to search the directory for the certificate.<br><br>The Certificate node will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.", "propertyOrder" : 300, "type" : "string", "exampleValue" : "" }, "checkCertificateExpiry" : { "title" : "Check Certificate Expiration", "description" : "Check to see if the certificate is expired.", "propertyOrder" : 200, "type" : "boolean", "exampleValue" : "" }, "crlHttpParameters" : { "title" : "HTTP Parameters for CRL Update", "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority.<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allow custom HTTP parameters to be included in the CRL request.<br><br>The format of the parameter is as follows:<br><code>param1=value1,param2=value</code>", "propertyOrder" : 600, "type" : "string", "exampleValue" : "" }, "sslEnabled" : { "title" : "Use SSL/TLS for LDAP Access", "description" : "The certificate node will use SSL/TLS to access the LDAP server.", "propertyOrder" : 1400, "type" : "boolean", "exampleValue" : "" }, "matchCertificateInLdap" : { "title" : "Match Certificate in LDAP", "description" : "The client certificate must exist in the directory for the authentication to be successful.", "propertyOrder" : 100, "type" : "boolean", "exampleValue" : "" }, "ldapSearchStartDN" : { "title" : "LDAP Search Start or Base DN", "description" : "The start point in the LDAP server for the certificate and CRL search.<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br><code>local server name | base dn</code><br><br>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 1100, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "certificateLdapServers" : { "title" : "LDAP Server Where Certificates are Stored", "description" : "Use this list to set the LDAP server used to search for certificates.<br><br>The Certificate authentication node will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br><code>ldap_server:port</code><br><br>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br><code>local server name | server:port</code><br><br>The local server name is the full name of the server from the list of servers and sites.", "propertyOrder" : 1000, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "userBindDN" : { "title" : "LDAP Server Authentication User", "description" : "DN of the user used by the node to authenticate to the LDAP server.<br><br>The Certificate node authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.", "propertyOrder" : 1200, "type" : "string", "exampleValue" : "" }, "matchCertificateToCRL" : { "title" : "Match Certificate to CRL", "description" : "The Client Certificate will be checked against the Certificate Revocation list held in thedirectory.<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.", "propertyOrder" : 400, "type" : "boolean", "exampleValue" : "" }, "userBindPassword" : { "title" : "LDAP Server Authentication Password", "description" : "The password for the authentication user.", "propertyOrder" : 1300, "type" : "string", "format" : "password", "exampleValue" : "" }, "cacheCRLsInMemory" : { "title" : "Cache CRLs in Memory", "description" : "The CRLs will be cached in memory.", "propertyOrder" : 700, "type" : "boolean", "exampleValue" : "" } }, "required" : [ "ldapSearchStartDN", "matchCertificateToCRL", "crlMatchingCertificateAttribute", "certificateLdapServers", "matchCertificateInLdap", "ldapCertificateAttribute", "cacheCRLsInMemory", "sslEnabled", "updateCRLsFromDistributionPoint", "checkCertificateExpiry", "ocspValidationEnabled" ] }