Configure the Principal Name on Certificate Realms
Since Payara Server 5.192
Payara Server Enterprise includes a feature that supports using exclusively the use of the Common-Name (CN
) from a client
certificate for authentication on a secure web application as the subject of any authenticated request.
A new property named common-name-as-principal-name
can be used with any security realm of type com.sun.enterprise.security.auth.realm.certificate.CertificateRealm
in order to control this feature.
The common-name-as-principal-name property is set to false by default if no configuration is provided.
|
Enabling Common Name As Principal Name
You can set this property by using either the Web administration console or the command line.
Using the Web Admin Console
This feature can be configured on the default certificate realm as follows on the Web administration console:
-
Navigate to the applicable configuration page for your use (e.g.
server-config
) under theConfigurations
option in the side menu -
Head to
Security
→Realms
and select thecertificate
realm -
Click the
Add Property
button -
Set the property Name to be
common-name-as-principal-name
and set the Value totrue
Using an asadmin
command
You can also use the following asadmin command to set the value of the property through:
asadmin> set configs.config.${YOUR_INSTANCE_CONFIG}.security-service.auth-realm.certificate.property.common-name-as-principal-name=true
After setting the value of the property, make sure that you restart the server instance for the changes to take effect. |
Using CN
as Subject in Applications
With the feature enabled, users can be correctly authenticated when a valid certificate uses the common name instead of the full domain name. It is also possible to map users to roles in this manner.
For example, if user authorization roles were mapped like this in the payara-web.xml
deployment descriptor:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE payara-web-app PUBLIC "-//Payara.fish//DTD Payara Server 4 Servlet 3.0//EN" "https://raw.githubusercontent.com/payara/Payara-Community-Documentation/master/docs/modules/ROOT/pages/schemas/payara-web-app_4.dtd">
<payara-web-app error-url="">
<context-root>/health-services</context-root>
<security-role-mapping>
<role-name>gl</role-name>
<principal-name>C=UK, S=lak, L=zak, O=kaz, CN=foo</principal-name>
</security-role-mapping>
</payara-web-app>
Then the principal-name
can be simplified by using only the CN part instead:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE payara-web-app PUBLIC "-//Payara.fish//DTD Payara Server 4 Servlet 3.0//EN" "https://raw.githubusercontent.com/payara/Payara-Community-Documentation/master/docs/modules/ROOT/pages/schemas/payara-web-app_4.dtd">
<payara-web-app error-url="">
<context-root>/health-services</context-root>
<security-role-mapping>
<role-name>gl</role-name>
<principal-name>foo</principal-name>
</security-role-mapping>
</payara-web-app>