Configuring Authentication Managers - dogtagpki/pki GitHub Wiki

Default Authentication Managers

The following authentication managers are defined in CA’s CS.cfg by default:

auths.instance.TokenAuth.pluginName=TokenAuth
auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
auths.instance.AgentCertAuth.pluginName=AgentCertAuth
auths.instance.CMCAuth.pluginName=CMCAuth
auths.instance.CMCUserSignedAuth.pluginName=CMCUserSignedAuth
auths.instance.raCertAuth.agentGroup=Registration Manager Agents
auths.instance.raCertAuth.pluginName=AgentCertAuth
auths.instance.flatFileAuth.pluginName=FlatFileAuth
auths.instance.flatFileAuth.fileName=[pki_instance_path]/conf/ca/flatfile.txt
auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
auths.instance.SessionAuthentication.pluginName=SessionAuthentication

The following authentication managers are defined in KRA’s CS.cfg by default:

auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
auths.instance.AgentCertAuth.pluginName=AgentCertAuth
auths.instance.TokenAuth.pluginName=TokenAuth

The following authentication managers are defined in OCSP’s CS.cfg by default:

auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
auths.instance.AgentCertAuth.pluginName=AgentCertAuth
auths.instance.TokenAuth.pluginName=TokenAuth

The following authentication managers are defined in TKS’s CS.cfg by default:

auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
auths.instance.AgentCertAuth.pluginName=AgentCertAuth
auths.instance.TokenAuth.pluginName=TokenAuth

The following authentication managers are defined in TPS’s CS.cfg by default:

auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
auths.instance.AgentCertAuth.pluginName=AgentCertAuth
auths.instance.TokenAuth.pluginName=TokenAuth
auths.instance.ldap1.authCredName=uid
auths.instance.ldap1.ui.retries=3
auths.instance.ldap1.ui.title.en=LDAP Authentication
auths.instance.ldap1.ui.description.en=This authenticates user against the LDAP directory.
auths.instance.ldap1.ui.id.UID.description.en=LDAP User ID
auths.instance.ldap1.ui.id.UID.name.en=LDAP User ID
auths.instance.ldap1.ui.id.UID.credMap.authCred=uid
auths.instance.ldap1.ui.id.UID.credMap.msgCred.extlogin=UID
auths.instance.ldap1.ui.id.UID.credMap.msgCred.login=screen_name
auths.instance.ldap1.ui.id.PASSWORD.description.en=LDAP Password
auths.instance.ldap1.ui.id.PASSWORD.name.en=LDAP Password
auths.instance.ldap1.ui.id.PASSWORD.credMap.authCred=pwd
auths.instance.ldap1.ui.id.PASSWORD.credMap.msgCred.extlogin=PASSWORD
auths.instance.ldap1.ui.id.PASSWORD.credMap.msgCred.login=password
auths.instance.ldap1.dnpattern=
auths.instance.ldap1.ldapByteAttributes=
auths.instance.ldap1.ldapStringAttributes._000=#################################
auths.instance.ldap1.ldapStringAttributes._001=# For isExternalReg
auths.instance.ldap1.ldapStringAttributes._002=#   attributes will be available as
auths.instance.ldap1.ldapStringAttributes._003=#       $<attribute>$
auths.instance.ldap1.ldapStringAttributes._004=#   attributes example:
auths.instance.ldap1.ldapStringAttributes._005=#mail,cn,uid,enrollmenttype,certsToAdd,tokenCUID,registrationtype,tokenType,firstname,lastname,exec-edipi,exec-mail
auths.instance.ldap1.ldapStringAttributes._006=#################################
auths.instance.ldap1.ldapStringAttributes=mail,cn,uid,enrollmenttype,certsToAdd,tokenCUID,registrationtype,tokenType,firstname,lastname,exec-edipi,exec-mail
auths.instance.ldap1.ldap.basedn=[LDAP_ROOT]
auths.instance.ldap1.externalReg.attributes=certsToAdd,tokenCUID,enrollmenttype,registrationtype,tokenType
auths.instance.ldap1.externalReg.certs.recoverAttributeName=certsToAdd
auths.instance.ldap1.externalReg.cuidAttributeName=tokenCUID
auths.instance.ldap1.externalReg.registrationTypeAttributeName=registrationtype
auths.instance.ldap1.externalReg.tokenTypeAttributeName=tokenType
auths.instance.ldap1.ldap.maxConns=15
auths.instance.ldap1.ldap.minConns=3
auths.instance.ldap1.ldap.ldapauth.authtype=BasicAuth
auths.instance.ldap1.ldap.ldapauth.bindDN=
auths.instance.ldap1.ldap.ldapauth.bindPWPrompt=ldap1
auths.instance.ldap1.ldap.ldapauth.clientCertNickname=subsystemCert cert-[pki_instance_name]
auths.instance.ldap1.ldap.ldapconn.host=localhost
auths.instance.ldap1.ldap.ldapconn.port=389
auths.instance.ldap1.ldap.ldapconn.secureConn=false
auths.instance.ldap1.ldap.ldapconn.version=3
auths.instance.ldap1.pluginName=UidPwdDirAuth
auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth

Agent Certificate Authentication

auths.instance.<instance name>.pluginName=AgentCertAuth
auths.instance.<instance name>.agentGroup=Certificate Manager Agents

CertUserDBAuthentication

See also CertUserDBAuthentication.java.

ChallengePhraseAuthentication

CMCAuth

CMCUserSignedAuth

CMC Shared Token Authentication

auths.instance.<instance name>.pluginName=SharedToken
auths.instance.<instance name>.ldap.basedn=ou=people,dc=example,dc=com
auths.instance.<instance name>.ldap.ldapauth.authtype=BasicAuth
auths.instance.<instance name>.ldap.ldapauth.bindDN="cn=Directory Manager"
auths.instance.<instance name>.ldap.ldapauth.bindPWPrompt="Rule SharedToken"
auths.instance.<instance name>.ldap.ldapconn.host=ds.example.com
auths.instance.<instance name>.ldap.ldapconn.port=3389
auths.instance.<instance name>.ldap.ldapconn.secureConn=false
auths.instance.<instance name>.shrTokAttr=shrTok

See also Configuring CMC Shared Token Authentication.

Directory-based Authentication

auths.instance.<instance name>.pluginName=UidPwdDirAuth
auths.instance.<instance name>.ldap.basedn=dc=example,dc=com
auths.instance.<instance name>.ldap.ldapauth.authtype=BasicAuth
auths.instance.<instance name>.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.<instance name>.ldap.ldapauth.bindPWPrompt=internaldb
auths.instance.<instance name>.ldap.ldapconn.host=pki.example.com
auths.instance.<instance name>.ldap.ldapconn.port=389
auths.instance.<instance name>.ldap.ldapconn.secureConn=false
auths.instance.<instance name>.pluginName=UidPwdDirAuth
auths.instance.<instance name>.ldap.maxConns=15
auths.instance.<instance name>.ldap.minConns=3
auths.instance.<instance name>.ldap.ldapauth.authtype=BasicAuth
auths.instance.<instance name>.ldap.ldapauth.bindDN=
auths.instance.<instance name>.ldap.ldapauth.bindPWPrompt=ldap1
auths.instance.<instance name>.ldap.ldapauth.clientCertNickname=subsystemCert cert-[pki_instance_name]
auths.instance.<instance name>.ldap.ldapconn.host=localhost
auths.instance.<instance name>.ldap.ldapconn.port=389
auths.instance.<instance name>.ldap.ldapconn.secureConn=false
auths.instance.<instance name>.ldap.ldapconn.version=3
auths.instance.<instance name>.authCredName=uid
auths.instance.<instance name>.ui.retries=3
auths.instance.<instance name>.ui.title.en=LDAP Authentication
auths.instance.<instance name>.ui.description.en=This authenticates user against the LDAP directory.
auths.instance.<instance name>.ui.id.UID.description.en=LDAP User ID
auths.instance.<instance name>.ui.id.UID.name.en=LDAP User ID
auths.instance.<instance name>.ui.id.UID.credMap.authCred=uid
auths.instance.<instance name>.ui.id.UID.credMap.msgCred.extlogin=UID
auths.instance.<instance name>.ui.id.UID.credMap.msgCred.login=screen_name
auths.instance.<instance name>.ui.id.PASSWORD.description.en=LDAP Password
auths.instance.<instance name>.ui.id.PASSWORD.name.en=LDAP Password
auths.instance.<instance name>.ui.id.PASSWORD.credMap.authCred=pwd
auths.instance.<instance name>.ui.id.PASSWORD.credMap.msgCred.extlogin=PASSWORD
auths.instance.<instance name>.ui.id.PASSWORD.credMap.msgCred.login=password
auths.instance.<instance name>.dnpattern=
auths.instance.<instance name>.ldapByteAttributes=
auths.instance.<instance name>.ldapStringAttributes._000=#################################
auths.instance.<instance name>.ldapStringAttributes._001=# For isExternalReg
auths.instance.<instance name>.ldapStringAttributes._002=#   attributes will be available as
auths.instance.<instance name>.ldapStringAttributes._003=#       $<attribute>$
auths.instance.<instance name>.ldapStringAttributes._004=#   attributes example:
auths.instance.<instance name>.ldapStringAttributes._005=#mail,cn,uid,enrollmenttype,certsToAdd,tokenCUID,registrationtype,tokenType,firstname,lastname,exec-edipi,exec-mail
auths.instance.<instance name>.ldapStringAttributes._006=#################################
auths.instance.<instance name>.ldapStringAttributes=mail,cn,uid,enrollmenttype,certsToAdd,tokenCUID,registrationtype,tokenType,firstname,lastname,exec-edipi,exec-mail
auths.instance.<instance name>.ldap.basedn=[LDAP_ROOT]
auths.instance.<instance name>.externalReg.attributes=certsToAdd,tokenCUID,enrollmenttype,registrationtype,tokenType
auths.instance.<instance name>.externalReg.certs.recoverAttributeName=certsToAdd
auths.instance.<instance name>.externalReg.cuidAttributeName=tokenCUID
auths.instance.<instance name>.externalReg.registrationTypeAttributeName=registrationtype
auths.instance.<instance name>.externalReg.tokenTypeAttributeName=tokenType

See also Configuring Directory-Authenticated Certificate Profiles.

HashAuthentication

NullAuthentication

PasswdUserDBAuthentication

SSLclientCertAuthentication

SSLClientCertAuthentication

Token Authentication

auths.instance.<instance name>.pluginName=TokenAuth

ProfileAuthenticator

FlatFileAuth

auths.instance.<instance name>.pluginName=FlatFileAuth
auths.instance.<instance name>.authAttributes=PWD
auths.instance.<instance name>.deferOnFailure=true
auths.instance.<instance name>.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
auths.instance.<instance name>.keyAttributes=UID

See Also

⚠️ **GitHub.com Fallback** ⚠️