Configure EJBCA with OpenSSO

EJBCA can issue certificates for users authenticating with OpenSSO (formerly Sun Access Manager). In this setup, EJBCA publishes issued certificates to the OpenSSO LDAP directory, allowing OpenSSO to use X.509 client certificate authentication.

Prerequisites

Before you begin, ensure the following:

  • EJBCA is installed and operational.

  • OpenSSO is installed and configured.

  • You have network connectivity and LDAP credentials for the OpenSSO LDAP server.

  • Users already exist in the OpenSSO user directory.

Step 1 - Create an LDAP Publisher in EJBCA

Create a publisher named AMPublisher with the following settings:

  • Publisher Type: LDAP V3 Search Publisher

  • Base DN: The Base DN in the AM LDAP, for example dc=company,dc=com

  • Login parameters to the AM LDAP server

  • Create Nonexisting Users: false

  • Modify Existing Users: true

  • Add multiple certificates per user: false

  • Remove certificates when revoked: true

  • Remove ldap user when certificate revoked: false

  • LDAP location fields from cert DN: CN, Common Name (not really used)

  • Suffix base DN of the LDAP Search: same as Base DN, for example dc=company,dc=com

  • LDAP filter of the search: uid=$USERNAME

Step 2 - Create a Certificate Profile

Create a certificate profile named AMUser with the following settings:

  • Subject DN Fields: UID, CN, O, C is sufficient

  • Default Certificate Profile: AMUser

  • Available Certificate Profiles: AMUser

Step 3 - Create an End Entity Profile

Create an end entity profile named AMUser with the following settings:

  • Subject DN Fields: UID, CN, O, C is sufficient

  • Default Certificate Profile: AMUser

  • Available Certificate Profiles: AMUser

Step 4: Enroll a User Certificate

To issue and publish a certificate for an OpenSSO user:

  1. Create the user in OpenSSO.

  2. Create a corresponding end entity in EJBCA.

    • The EJBCA username and the UID in the certificate subject should match the OpenSSO username.

  3. Enroll the certificate using the EJBCA RA Web or another supported enrollment method.

  4. After issuance, EJBCA publishes the certificate to the OpenSSO LDAP directory.

Once published, OpenSSO can use the certificate for client certificate authentication.

For more information on integrating EJBCA and OpenSSO, refer to Oracle documentation Using OpenSSO To Protect Java EE Applications, Part 1: Setting Up X.509 Client Authentication.