Certificate Identity Store

Since Payara Server 5.194

The Payara API provides the @CertificateIdentityStoreDefinition and @CertificateAuthenticationMechanismDefinition annotations that create an identity store and authentication mechanism to authenticate users using the certificate realm.


The Certificate realm authentication mechanism and identity store are defined through the @CertificateAuthenticationMechanismDefinition and @CertificateIdentityStoreDefinition annotations. Specifying this in a valid place as defined by the Jakarta EE Security API will create the mechanism. Often this may mean that any class is a valid position. If a Certificate realm is not found with the defined name then a new Certificate realm is registered on the server using the create-auth-realm asadmin command, otherwise the existing Certificate realm instance is used to authenticate the users.


The following code sample illustrates how to configure Certificate realm identity store:

@DeclareRoles({ "a", "b" })
public class MyRestApp extends Application {


The Certificate realm identity store can be configured with both @CertificateIdentityStoreDefinition annotation attributes and�MicroProfile Config properties. The annotation and MicroProfile properties have several configuration options.

They are detailed as shown below.

Option MP Config property Description Default Required


The name of the certificate realm.




The users are assigned membership to these groups for the purposes of authorization decisions.

Note : If both an annotation attribute and a MicroProfile Config property are defined for the same option then the MicroProfile Config property value always takes precedence over the @CertificateIdentityStoreDefinition annotation value.