8.5. Registering Custom Authentication Plug-ins

Custom authentication plug-in modules can be registered through the CA Console. Authentication plug-in modules can also be deleted through the CA Console. Before deleting a module, delete instances that are based on that module.

Note

For writing custom plug-ins, refer to the Authentication Plug-in Tutorial.
  1. Create the custom authentication class. For this example, the custom authentication plug-in is called UidPwdDirAuthenticationTestms.java.
  2. Compile the new class. 
    javac -d . -classpath $CLASSPATH UidPwdDirAuthenticationTestms.java
  3. Create a directory in the CA's WEB-INF web directory to hold the custom classes, so that the CA can access them for the enrollment forms. 
    mkdir /usr/share/pki/ca/webapps/ca/WEB-INF/classes
  4. Copy the new plug-in files into the new classes directory, and set the owner to the Certificate System system user (pkiuser). 
    cp -pr com /usr/share/pki/ca/webapps/ca/WEB-INF/classes

chown -R pkiuser:pkiuser /usr/share/pki/ca/webapps/ca/WEB-INF/classes
  5. Log into the console. 
    pkiconsole https://server.example.com:8443/ca
  6. Register the plug-in.
    1. In the Configuration tab, click Authentication in the navigation tree.
    2. In the right pane, click the Authentication Plug-in Registration tab.
      The tab lists modules that are already registered.
    3. To register a plug-in, click Register.
      The Register Authentication Plug-in Implementation window appears.
    4. Specify which module to register by filling in the two fields:
      • Plugin name. The name for the module.
      • Class name. The full name of the class for this module. This is the path to the implementing Java™ class. If this class is part of a package, include the package name. For example, to register a class named customAuth in a package named com.customplugins, the class name is com.customplugins.customAuth.
  7. After registering the module, add the module as an active authentication instance.
    1. In the Configuration tab, click Authentication in the navigation tree.
    2. In the right pane, click the Authentication Instance tab.
    3. Click Add.
    4. Select the custom module, UidPwdDirAuthenticationTestms.java, from the list to add the module. Fill in the appropriate configuration for the module.
  8. Create a new end-entity enrollment form to use the new authentication module. 
    cd /var/lib/pki/pki-ca/profiles/ca

cp -p caDirUserCert.cfg caDirUserCertTestms.cfg

vi caDirUserCertTestms.cfg

desc=Test ms - This certificate profile is for enrolling user certificates with directory-based authentication.
visible=true
enable=true
enableBy=admin
name=Test ms - Directory-Authenticated User Dual-Use Certificate Enrollment
auth.instance_id=testms
...
  9. Add the new profile to the CA's CS.cfg file.

    Note

    Back up the CS.cfg file before editing it. 
    vim /var/lib/pki/instance-name/ca/conf/CS.cfg

profile.list=caUserCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthKRAstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,DomainController,caDirUserCertTestms
...
profile.caDirUserCertTestms.class_id=caEnrollImpl
profile.caDirUserCertTestms.config=/var/lib/pki/pki-ca/profiles/ca/caDirUserCertTestms.cfg
  10. Restart the CA. 
    systemctl restart pki-tomcatd@instance_name.service