Amster

CertificateValidationNode

Realm Operations

Resource path:

/realm-config/authentication/authenticationtrees/nodes/product-CertificateValidationNode

Resource version: 1.0

create

Usage

am> create CertificateValidationNode --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sslEnabled" : {
      "title" : "Use SSL/TLS for LDAP Access",
      "description" : "The certificate node will use SSL/TLS to access the LDAP server.",
      "propertyOrder" : 1400,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "matchCertificateInLdap" : {
      "title" : "Match Certificate in LDAP",
      "description" : "The client certificate must exist in the directory for the authentication to be successful.",
      "propertyOrder" : 100,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "LDAP Server Authentication User",
      "description" : "DN of the user used by the node to authenticate to the LDAP server.<br><br>The Certificate node authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
      "propertyOrder" : 1200,
      "type" : "string",
      "exampleValue" : ""
    },
    "userBindPassword" : {
      "title" : "LDAP Server Authentication Password",
      "description" : "The password for the authentication user.",
      "propertyOrder" : 1300,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "matchCertificateToCRL" : {
      "title" : "Match Certificate to CRL",
      "description" : "The Client Certificate will be checked against the Certificate Revocation list held in thedirectory.<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
      "propertyOrder" : 400,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ocspValidationEnabled" : {
      "title" : "OCSP Validation",
      "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates.<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check thevalidity of the certificate as part of the authentication process.<br><br>The OpenAM server must have Internet connectivity for OCSP to work.",
      "propertyOrder" : 900,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "certificateLdapServers" : {
      "title" : "LDAP Server Where Certificates are Stored",
      "description" : "Use this list to set the LDAP server used to search for certificates.<br><br>The Certificate authentication node will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br><code>ldap_server:port</code><br><br>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br><code>local server name | server:port</code><br><br>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1000,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "checkCertificateExpiry" : {
      "title" : "Check Certificate Expiration",
      "description" : "Check to see if the certificate is expired.",
      "propertyOrder" : 200,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "updateCRLsFromDistributionPoint" : {
      "title" : "Update CA CRLs from CRLDistributionPoint",
      "description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server.<br><br>If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set OpenAM tries to update the CRLs if needed (i.e. CRL is out-of-date).<br>This property controls if the update should be performed.<br>This property is only used if CA CRL checking is enabled.",
      "propertyOrder" : 800,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "crlMatchingCertificateAttribute" : {
      "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
      "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap search filter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN) e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', search filter used will be <code>(CN=Some CA)</code>.<br><br>If several attribute names are specified, they have to separated by ,. The resulting ldap search filter value will be a comma separated list of name attribute values, the search attribute will be cn e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN, serialNumber', search filter used will be <code>cn=CN=Some CA,serialNumber=123456</code>. The order of the values of the attribute names matteras they must match the value of the cn attribute of a crlDistributionPoint entry in the directory server.",
      "propertyOrder" : 500,
      "type" : "string",
      "exampleValue" : ""
    },
    "ldapCertificateAttribute" : {
      "title" : "Subject DN Attribute Used to Search LDAP for Certificates",
      "description" : "This is the attribute used to search the directory for the certificate.<br><br>The Certificate node will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
      "propertyOrder" : 300,
      "type" : "string",
      "exampleValue" : ""
    },
    "ldapSearchStartDN" : {
      "title" : "LDAP Search Start or Base DN",
      "description" : "The start point in the LDAP server for the certificate and CRL search.<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br><code>local server name | base dn</code><br><br>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1100,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "crlHttpParameters" : {
      "title" : "HTTP Parameters for CRL Update",
      "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority.<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allow custom HTTP parameters to be included in the CRL request.<br><br>The format of the parameter is as follows:<br><code>param1=value1,param2=value</code>",
      "propertyOrder" : 600,
      "type" : "string",
      "exampleValue" : ""
    },
    "cacheCRLsInMemory" : {
      "title" : "Cache CRLs in Memory",
      "description" : "The CRLs will be cached in memory.",
      "propertyOrder" : 700,
      "type" : "boolean",
      "exampleValue" : ""
    }
  },
  "required" : [ "sslEnabled", "matchCertificateInLdap", "matchCertificateToCRL", "ocspValidationEnabled", "certificateLdapServers", "checkCertificateExpiry", "updateCRLsFromDistributionPoint", "crlMatchingCertificateAttribute", "ldapCertificateAttribute", "ldapSearchStartDN", "cacheCRLsInMemory" ]
}

delete

Usage

am> delete CertificateValidationNode --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action CertificateValidationNode --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action CertificateValidationNode --realm Realm --actionName getCreatableTypes

listOutcomes

List the available outcomes for the node type.

Usage

am> action CertificateValidationNode --realm Realm --body body --actionName listOutcomes

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action CertificateValidationNode --realm Realm --actionName nextdescendents

query

Get the full list of instances of this collection. This query only supports _queryFilter=true filter.

Usage

am> query CertificateValidationNode --realm Realm --filter filter

Parameters

--filter

A CREST formatted query filter, where "true" will query all.

read

Usage

am> read CertificateValidationNode --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

update

Usage

am> update CertificateValidationNode --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sslEnabled" : {
      "title" : "Use SSL/TLS for LDAP Access",
      "description" : "The certificate node will use SSL/TLS to access the LDAP server.",
      "propertyOrder" : 1400,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "matchCertificateInLdap" : {
      "title" : "Match Certificate in LDAP",
      "description" : "The client certificate must exist in the directory for the authentication to be successful.",
      "propertyOrder" : 100,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "LDAP Server Authentication User",
      "description" : "DN of the user used by the node to authenticate to the LDAP server.<br><br>The Certificate node authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
      "propertyOrder" : 1200,
      "type" : "string",
      "exampleValue" : ""
    },
    "userBindPassword" : {
      "title" : "LDAP Server Authentication Password",
      "description" : "The password for the authentication user.",
      "propertyOrder" : 1300,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "matchCertificateToCRL" : {
      "title" : "Match Certificate to CRL",
      "description" : "The Client Certificate will be checked against the Certificate Revocation list held in thedirectory.<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
      "propertyOrder" : 400,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ocspValidationEnabled" : {
      "title" : "OCSP Validation",
      "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates.<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check thevalidity of the certificate as part of the authentication process.<br><br>The OpenAM server must have Internet connectivity for OCSP to work.",
      "propertyOrder" : 900,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "certificateLdapServers" : {
      "title" : "LDAP Server Where Certificates are Stored",
      "description" : "Use this list to set the LDAP server used to search for certificates.<br><br>The Certificate authentication node will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br><code>ldap_server:port</code><br><br>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br><code>local server name | server:port</code><br><br>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1000,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "checkCertificateExpiry" : {
      "title" : "Check Certificate Expiration",
      "description" : "Check to see if the certificate is expired.",
      "propertyOrder" : 200,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "updateCRLsFromDistributionPoint" : {
      "title" : "Update CA CRLs from CRLDistributionPoint",
      "description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server.<br><br>If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set OpenAM tries to update the CRLs if needed (i.e. CRL is out-of-date).<br>This property controls if the update should be performed.<br>This property is only used if CA CRL checking is enabled.",
      "propertyOrder" : 800,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "crlMatchingCertificateAttribute" : {
      "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
      "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap search filter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN) e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', search filter used will be <code>(CN=Some CA)</code>.<br><br>If several attribute names are specified, they have to separated by ,. The resulting ldap search filter value will be a comma separated list of name attribute values, the search attribute will be cn e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN, serialNumber', search filter used will be <code>cn=CN=Some CA,serialNumber=123456</code>. The order of the values of the attribute names matteras they must match the value of the cn attribute of a crlDistributionPoint entry in the directory server.",
      "propertyOrder" : 500,
      "type" : "string",
      "exampleValue" : ""
    },
    "ldapCertificateAttribute" : {
      "title" : "Subject DN Attribute Used to Search LDAP for Certificates",
      "description" : "This is the attribute used to search the directory for the certificate.<br><br>The Certificate node will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
      "propertyOrder" : 300,
      "type" : "string",
      "exampleValue" : ""
    },
    "ldapSearchStartDN" : {
      "title" : "LDAP Search Start or Base DN",
      "description" : "The start point in the LDAP server for the certificate and CRL search.<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br><code>local server name | base dn</code><br><br>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1100,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "crlHttpParameters" : {
      "title" : "HTTP Parameters for CRL Update",
      "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority.<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allow custom HTTP parameters to be included in the CRL request.<br><br>The format of the parameter is as follows:<br><code>param1=value1,param2=value</code>",
      "propertyOrder" : 600,
      "type" : "string",
      "exampleValue" : ""
    },
    "cacheCRLsInMemory" : {
      "title" : "Cache CRLs in Memory",
      "description" : "The CRLs will be cached in memory.",
      "propertyOrder" : 700,
      "type" : "boolean",
      "exampleValue" : ""
    }
  },
  "required" : [ "sslEnabled", "matchCertificateInLdap", "matchCertificateToCRL", "ocspValidationEnabled", "certificateLdapServers", "checkCertificateExpiry", "updateCRLsFromDistributionPoint", "crlMatchingCertificateAttribute", "ldapCertificateAttribute", "ldapSearchStartDN", "cacheCRLsInMemory" ]
}