Amster

CertificateValidationNode

Realm Operations

Resource path:

/realm-config/authentication/authenticationtrees/nodes/product-CertificateValidationNode

Resource version: 2.0

create

Usage

am> create CertificateValidationNode --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "mtlsSecretLabel" : {
      "title" : "mTLS Secret Label Identifier",
      "description" : "Label identifier used to create a secret label for mapping to the mTLS certificate in the secret store. <br> AM uses this identifier to create a specific secret label for this node. The secret label takes the form <code>am.authentication.nodes.certificate.validation.mtls.{{identifier}}.cert</code> where {{identifier}} is the value of mTLS Secret Label Identifier. The label identifier can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}.",
      "propertyOrder" : 1350,
      "type" : "string",
      "exampleValue" : ""
    },
    "certificateLdapServers" : {
      "title" : "LDAP Server Where Certificates are Stored",
      "description" : "Use this list to set the LDAP server used to search for certificates.<br><br>The Certificate authentication node will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br><code>ldap_server:port</code><br><br>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br><code>local server name | server:port</code><br><br>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1000,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "checkCertificateExpiry" : {
      "title" : "Check Certificate Expiration",
      "description" : "Check to see if the certificate is expired.",
      "propertyOrder" : 200,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "cacheCRLsInMemory" : {
      "title" : "Cache CRLs in Memory",
      "description" : "The CRLs will be cached in memory.",
      "propertyOrder" : 700,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "LDAP Server Authentication User",
      "description" : "DN of the user used by the node to authenticate to the LDAP server.<br><br>The Certificate node authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server. If mTLS is enabled, this attribute is ignored.",
      "propertyOrder" : 1200,
      "type" : "string",
      "exampleValue" : ""
    },
    "ldapCertificateAttribute" : {
      "title" : "Subject DN Attribute Used to Search LDAP for Certificates",
      "description" : "This is the attribute used to search the directory for the certificate.<br><br>The Certificate node will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
      "propertyOrder" : 300,
      "type" : "string",
      "exampleValue" : ""
    },
    "sslEnabled" : {
      "title" : "Use SSL/TLS for LDAP Access",
      "description" : "The certificate node will use SSL/TLS to access the LDAP server.",
      "propertyOrder" : 1400,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "crlHttpParameters" : {
      "title" : "HTTP Parameters for CRL Update",
      "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority.<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allows custom HTTP parameters to be included in the CRL request.<br><br>The format of the parameter is as follows:<br><code>param1=value1,param2=value2</code>",
      "propertyOrder" : 600,
      "type" : "string",
      "exampleValue" : ""
    },
    "updateCRLsFromDistributionPoint" : {
      "title" : "Update CA CRLs from CRLDistributionPoint",
      "description" : "Fetch new CA CRLs from CRLDistributionPoint and update them in the Directory Server.<br><br>If the CA certificate includes an IssuingDistributionPoint or has a CRLDistributionPoint extension set, OpenAM tries to update the CRLs if needed (i.e. the CRL is out-of-date).<br>This property controls whether the update should be performed.<br>This property is only used if CA CRL checking is enabled.",
      "propertyOrder" : 800,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "matchCertificateToCRL" : {
      "title" : "Match Certificate to CRL",
      "description" : "The Client Certificate will be checked against the Certificate Revocation List held in the directory.<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
      "propertyOrder" : 400,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ldapSearchStartDN" : {
      "title" : "LDAP Search Start or Base DN",
      "description" : "The start point in the LDAP server for the certificate and CRL search.<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br><code>local server name | base dn</code><br><br>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1100,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "userBindPassword" : {
      "title" : "LDAP Server Authentication Password",
      "description" : "The password for the authentication user. If mTLS is enabled, this attribute is ignored.",
      "propertyOrder" : 1300,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "crlMatchingCertificateAttribute" : {
      "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
      "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap search filter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN) e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute name specified is 'CN', search filter used will be <code>(CN=Some CA)</code>.<br><br>If several attribute names are specified, they have to be separated by ','. The resulting ldap search filter value will be a comma-separated list of the named attribute values, and the search attribute will be cn e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute names specified are 'CN, serialNumber', search filter used will be <code>cn=CN=Some CA,serialNumber=123456</code>. The order of the values of the attribute names matters, as they must match the value of the cn attribute of a crlDistributionPoint entry in the directory server.",
      "propertyOrder" : 500,
      "type" : "string",
      "exampleValue" : ""
    },
    "mtlsEnabled" : {
      "title" : "mTLS Enabled",
      "description" : "Enables mTLS (mutual TLS) between AM and this store. When mTLS is enabled:<ul><li>Set SSL enabled to <code>true</code>.</li><li>The values for <code>LDAP Server Authentication User</code> and <code>LDAP Server Authentication Password</code> are ignored.</li><li>You must provide an <code>mTLS Secret Label Identifier</code>.</li></ul>Instructions for setting up certificates and keystore mappings are in the product documentation.",
      "propertyOrder" : 1325,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ocspValidationEnabled" : {
      "title" : "OCSP Validation",
      "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates.<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br><br>The OpenAM server must have Internet connectivity for OCSP to work.",
      "propertyOrder" : 900,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "matchCertificateInLdap" : {
      "title" : "Match Certificate in LDAP",
      "description" : "The client certificate must exist in the directory for the authentication to be successful.",
      "propertyOrder" : 100,
      "type" : "boolean",
      "exampleValue" : ""
    }
  },
  "required" : [ "certificateLdapServers", "checkCertificateExpiry", "cacheCRLsInMemory", "ldapCertificateAttribute", "sslEnabled", "updateCRLsFromDistributionPoint", "matchCertificateToCRL", "ldapSearchStartDN", "crlMatchingCertificateAttribute", "mtlsEnabled", "ocspValidationEnabled", "matchCertificateInLdap" ]
}

delete

Usage

am> delete CertificateValidationNode --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action CertificateValidationNode --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action CertificateValidationNode --realm Realm --actionName getCreatableTypes

listOutcomes

List the available outcomes for the node type.

Usage

am> action CertificateValidationNode --realm Realm --body body --actionName listOutcomes

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action CertificateValidationNode --realm Realm --actionName nextdescendents

query

Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.

Usage

am> query CertificateValidationNode --realm Realm --filter filter

Parameters

--filter

A CREST formatted query filter, where "true" will query all.

read

Usage

am> read CertificateValidationNode --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

update

Usage

am> update CertificateValidationNode --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "mtlsSecretLabel" : {
      "title" : "mTLS Secret Label Identifier",
      "description" : "Label identifier used to create a secret label for mapping to the mTLS certificate in the secret store. <br> AM uses this identifier to create a specific secret label for this node. The secret label takes the form <code>am.authentication.nodes.certificate.validation.mtls.{{identifier}}.cert</code> where {{identifier}} is the value of mTLS Secret Label Identifier. The label identifier can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}.",
      "propertyOrder" : 1350,
      "type" : "string",
      "exampleValue" : ""
    },
    "certificateLdapServers" : {
      "title" : "LDAP Server Where Certificates are Stored",
      "description" : "Use this list to set the LDAP server used to search for certificates.<br><br>The Certificate authentication node will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br><code>ldap_server:port</code><br><br>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br><code>local server name | server:port</code><br><br>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1000,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "checkCertificateExpiry" : {
      "title" : "Check Certificate Expiration",
      "description" : "Check to see if the certificate is expired.",
      "propertyOrder" : 200,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "cacheCRLsInMemory" : {
      "title" : "Cache CRLs in Memory",
      "description" : "The CRLs will be cached in memory.",
      "propertyOrder" : 700,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "LDAP Server Authentication User",
      "description" : "DN of the user used by the node to authenticate to the LDAP server.<br><br>The Certificate node authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server. If mTLS is enabled, this attribute is ignored.",
      "propertyOrder" : 1200,
      "type" : "string",
      "exampleValue" : ""
    },
    "ldapCertificateAttribute" : {
      "title" : "Subject DN Attribute Used to Search LDAP for Certificates",
      "description" : "This is the attribute used to search the directory for the certificate.<br><br>The Certificate node will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
      "propertyOrder" : 300,
      "type" : "string",
      "exampleValue" : ""
    },
    "sslEnabled" : {
      "title" : "Use SSL/TLS for LDAP Access",
      "description" : "The certificate node will use SSL/TLS to access the LDAP server.",
      "propertyOrder" : 1400,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "crlHttpParameters" : {
      "title" : "HTTP Parameters for CRL Update",
      "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority.<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allows custom HTTP parameters to be included in the CRL request.<br><br>The format of the parameter is as follows:<br><code>param1=value1,param2=value2</code>",
      "propertyOrder" : 600,
      "type" : "string",
      "exampleValue" : ""
    },
    "updateCRLsFromDistributionPoint" : {
      "title" : "Update CA CRLs from CRLDistributionPoint",
      "description" : "Fetch new CA CRLs from CRLDistributionPoint and update them in the Directory Server.<br><br>If the CA certificate includes an IssuingDistributionPoint or has a CRLDistributionPoint extension set, OpenAM tries to update the CRLs if needed (i.e. the CRL is out-of-date).<br>This property controls whether the update should be performed.<br>This property is only used if CA CRL checking is enabled.",
      "propertyOrder" : 800,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "matchCertificateToCRL" : {
      "title" : "Match Certificate to CRL",
      "description" : "The Client Certificate will be checked against the Certificate Revocation List held in the directory.<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
      "propertyOrder" : 400,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ldapSearchStartDN" : {
      "title" : "LDAP Search Start or Base DN",
      "description" : "The start point in the LDAP server for the certificate and CRL search.<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br><code>local server name | base dn</code><br><br>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1100,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "userBindPassword" : {
      "title" : "LDAP Server Authentication Password",
      "description" : "The password for the authentication user. If mTLS is enabled, this attribute is ignored.",
      "propertyOrder" : 1300,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "crlMatchingCertificateAttribute" : {
      "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
      "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap search filter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN) e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute name specified is 'CN', search filter used will be <code>(CN=Some CA)</code>.<br><br>If several attribute names are specified, they have to be separated by ','. The resulting ldap search filter value will be a comma-separated list of the named attribute values, and the search attribute will be cn e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456', attribute names specified are 'CN, serialNumber', search filter used will be <code>cn=CN=Some CA,serialNumber=123456</code>. The order of the values of the attribute names matters, as they must match the value of the cn attribute of a crlDistributionPoint entry in the directory server.",
      "propertyOrder" : 500,
      "type" : "string",
      "exampleValue" : ""
    },
    "mtlsEnabled" : {
      "title" : "mTLS Enabled",
      "description" : "Enables mTLS (mutual TLS) between AM and this store. When mTLS is enabled:<ul><li>Set SSL enabled to <code>true</code>.</li><li>The values for <code>LDAP Server Authentication User</code> and <code>LDAP Server Authentication Password</code> are ignored.</li><li>You must provide an <code>mTLS Secret Label Identifier</code>.</li></ul>Instructions for setting up certificates and keystore mappings are in the product documentation.",
      "propertyOrder" : 1325,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ocspValidationEnabled" : {
      "title" : "OCSP Validation",
      "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates.<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br><br>The OpenAM server must have Internet connectivity for OCSP to work.",
      "propertyOrder" : 900,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "matchCertificateInLdap" : {
      "title" : "Match Certificate in LDAP",
      "description" : "The client certificate must exist in the directory for the authentication to be successful.",
      "propertyOrder" : 100,
      "type" : "boolean",
      "exampleValue" : ""
    }
  },
  "required" : [ "certificateLdapServers", "checkCertificateExpiry", "cacheCRLsInMemory", "ldapCertificateAttribute", "sslEnabled", "updateCRLsFromDistributionPoint", "matchCertificateToCRL", "ldapSearchStartDN", "crlMatchingCertificateAttribute", "mtlsEnabled", "ocspValidationEnabled", "matchCertificateInLdap" ]
}