Authentication for REST Services

Authentication Methods

Overview

PKI server supports the following authentication methods:

  • user certificate

  • user password

User certificate authentication can be done with the pki CLI as follows, where the nickname identifies the client certificate in the NSS database and the password unlocks that database:

$ pki -n <nickname> -c <password>

User password authentication can be done with the pki CLI as follows:

$ pki -u <username> -w <password>

See PKI CLI Authentication.

Default Configuration

By default, each REST service is configured to accept only certain authentication methods. For example, the REST services in the CA are configured as follows:

# Account Services
account = certUserDBAuthMgr,passwdUserDBAuthMgr

# CA Audit Services
audit = certUserDBAuthMgr

# Lightweight SubCA Services
authorities = certUserDBAuthMgr

# CA Certificate Services
certs = certUserDBAuthMgr

# CA Certificate Request Services
certrequests = certUserDBAuthMgr

# CA Group Services
groups = certUserDBAuthMgr

# CA-KRA Connector Services
kraconnectors = certUserDBAuthMgr

# CA Certificate Profile Services
profiles = certUserDBAuthMgr

# Security Domain Install Token Services
securityDomain.installToken = passwdUserDBAuthMgr

# CA SelfTest Services
selftests = certUserDBAuthMgr

# CA User Services
users = certUserDBAuthMgr

# Other Services
default = *

certUserDBAuthMgr indicates that the service accepts client certificate authentication. passwdUserDBAuthMgr indicates that the service accepts password authentication. A service listed with more than one manager (such as account above) accepts any of them. The * indicates that all types of authentication are accepted, including no authentication at all; however, some services require certain roles, and a role can only be established through proper authentication, so an unauthenticated request to such a service will still be rejected.

The default configuration files are located in the following locations:

Customization

To customize the authentication methods, copy the default configuration file into the subsystem configuration folder, for example:

$ cp /usr/share/pki/ca/conf/auth-method.properties /var/lib/pki/pki-tomcat/conf/ca/

Edit it as needed, then restart the server.
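As an added example (not code from the PKI project), the following script reads the service-to-auth-manager mapping described above and reports which REST services accept password authentication or any method at all, and what a customized copy changed relative to the defaults; the sample properties text is constructed from the CA defaults listed above, and the customized variant (password authentication added to certs) is hypothetical.

```python
# Added example, not code from the PKI project: parse the
# "service = authManager[,authManager]" lines of auth-method.properties
# and report which REST services accept weaker-than-certificate auth.
import sys

PASSWD_AUTH = "passwdUserDBAuthMgr"

# Constructed samples: a subset of the CA defaults, plus a hypothetical
# customized copy that additionally enables password auth on certs.
DEFAULT_PROPERTIES = """\
# Account Services
account = certUserDBAuthMgr,passwdUserDBAuthMgr
# CA Certificate Services
certs = certUserDBAuthMgr
# Security Domain Install Token Services
securityDomain.installToken = passwdUserDBAuthMgr
# Other Services
default = *
"""
CUSTOM_PROPERTIES = DEFAULT_PROPERTIES.replace(
    "certs = certUserDBAuthMgr", "certs = certUserDBAuthMgr,passwdUserDBAuthMgr")

def parse_auth_methods(text):
    """Map each service name to its list of auth managers ('*' stays '*')."""
    methods = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            methods[key.strip()] = [m.strip() for m in value.split(",") if m.strip()]
    return methods

def weak_services(methods):
    """Services accepting password auth or '*' (any method, including none)."""
    findings = {}
    for service, managers in methods.items():
        if "*" in managers:
            findings[service] = "any method, including unauthenticated"
        elif PASSWD_AUTH in managers:
            findings[service] = "password accepted"
    return findings

def changed_services(default, custom):
    """Services whose manager list differs between two parsed files."""
    names = set(default) | set(custom)
    return {n: (default.get(n), custom.get(n)) for n in sorted(names)
            if default.get(n) != custom.get(n)}

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CUSTOM_PROPERTIES
    for service, why in sorted(weak_services(parse_auth_methods(text)).items()):
        print(f"{service}: {why}")
```

Run it with the path to a deployed copy (for example /var/lib/pki/pki-tomcat/conf/ca/auth-method.properties) to review the live configuration after a customization.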

See also Enabling Password Authentication.

Authentication for Legacy Servlets

T.B.A.

See Also