#13 Provide design for Tomcat Realm based authentication/authorization
Closed: Fixed. Opened 12 years ago by jmagne.

Based on results of requirements gathering, come up with a design on how to actually accomplish the required functionality.


Experimented with a sample JNDI realm hooked up with the "CLIENT-CERTS" authentication method. This was done using tomcatjss at the connector level. Going to the page asks for the cert. Research indicates that there is a way to create a custom JNDI tomcat Realm that overrides the getPrincipal(X509Cert certs) method. We could add code to both make use of the JNDI realm and actually compare the incoming cert to the cert in the LDAP database already encoded.

Progress:

Was able to put together a rough custom JNDI realm hooked up to our tomcatjss SSL Connector port. The realm does nothing but override "getPrincipal(X509Cert usercert)" and extract the uid of the incoming user from the cert's subject name. That uid is sent into getPrincipal(String username). The JNDI part of the realm is configured simply to search for the user from a base dn using a simple search pattern.

The next step is to put in some code to do the certificate comparison that we do in our system already.

The solid concept is here. There will be a bit more investigation to finish this off.
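The realm sketched in the two comments above, as an added example that is not part of this ticket or of the Dogtag code base: a JNDIRealm subclass that overrides getPrincipal(X509Certificate) to pull the uid out of the subject DN, looks the user up through the realm's configured userBase/userSearch, refuses the login unless the presented certificate byte-for-byte matches one stored on that entry, and only then delegates to JNDIRealm's own getPrincipal(String) so roles are populated as usual. It is written against the Tomcat 7.0 RealmBase/JNDIRealm API (open(), close(), getUser(), the User class and containerLog); later Tomcat releases changed those signatures. The class name, package, and the userCertificate;binary attribute name are assumptions.

```java
package org.example.realm;

import java.security.Principal;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.catalina.realm.JNDIRealm;

/**
 * Added example (not Dogtag's code), written for the Tomcat 7.0 JNDIRealm API.
 * Maps a TLS client certificate to an LDAP user by the UID in its subject DN,
 * then rejects the login unless the presented certificate equals one of the
 * certificates enrolled on that user's entry.
 */
public class CertMatchingJndiRealm extends JNDIRealm {

    // OID of the uid attribute (RFC 4519); Java may print it instead of "UID".
    private static final String UID_OID = "0.9.2342.19200300.100.1.1";

    // Assumed attribute holding the enrolled DER certificate(s); settable from
    // server.xml as certAttribute="...".
    private String certAttribute = "userCertificate;binary";

    public void setCertAttribute(String certAttribute) { this.certAttribute = certAttribute; }
    public String getCertAttribute() { return certAttribute; }

    /**
     * Called by RealmBase.authenticate(X509Certificate[]) after the connector
     * (tomcatjss here) has verified the chain, so the subject is CA-attested but
     * still not proof that this exact certificate belongs to the LDAP user.
     */
    @Override
    protected synchronized Principal getPrincipal(X509Certificate usercert) {
        String uid = uidFromSubject(usercert);
        if (uid == null) {
            containerLog.warn("Client certificate subject has no UID: "
                    + usercert.getSubjectX500Principal());
            return null;
        }
        DirContext context = null;
        try {
            context = open();                       // realm's cached LDAP connection
            User user = getUser(context, uid);      // honours userBase/userSearch
            if (user == null || !certificateMatchesEntry(context, user.getDN(), usercert)) {
                containerLog.warn("Presented certificate does not match LDAP entry for uid " + uid);
                return null;
            }
        } catch (NamingException e) {
            containerLog.error("LDAP lookup failed for uid " + uid, e);
            close(context);                         // drop the connection, as JNDIRealm does
            return null;
        }
        // The cert is bound to the entry; let JNDIRealm build the Principal with roles.
        return super.getPrincipal(uid);
    }

    /** Returns the value of the first UID RDN in the subject DN, or null if absent. */
    static String uidFromSubject(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                String type = rdn.getType();
                if ("UID".equalsIgnoreCase(type) || UID_OID.equals(type)) {
                    return rdn.getValue().toString();
                }
            }
        } catch (NamingException e) {
            // An unparsable DN is treated the same as a DN without a UID.
        }
        return null;
    }

    /** True if any DER value of certAttribute on the entry equals the presented cert. */
    private boolean certificateMatchesEntry(DirContext context, String dn,
                                            X509Certificate presented) throws NamingException {
        byte[] presentedDer;
        try {
            presentedDer = presented.getEncoded();
        } catch (CertificateEncodingException e) {
            return false;
        }
        Attributes attrs = context.getAttributes(dn, new String[] { certAttribute });
        Attribute attr = attrs.get(certAttribute);
        if (attr == null) {
            return false;                           // no enrolled certificate: deny
        }
        NamingEnumeration<?> values = attr.getAll();
        try {
            while (values.hasMore()) {
                Object value = values.next();
                if (value instanceof byte[] && Arrays.equals((byte[]) value, presentedDer)) {
                    return true;
                }
            }
        } finally {
            values.close();
        }
        return false;
    }
}
```

In server.xml this would sit under the tomcatjss connector's engine or context as a Realm element with className="org.example.realm.CertMatchingJndiRealm", the usual connectionURL, userBase and userSearch="(uid={0})" settings, and optionally certAttribute if the directory stores certificates under a different attribute. The byte comparison is the check that matters: the chain validation done by the connector says the CA vouched for the subject, and the DER match says the directory entry for that uid was enrolled with this very certificate, so a different certificate issued to the same uid (or a re-issued one not yet stored in LDAP) is refused rather than silently accepted.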

Metadata Update from @jmagne:
- Issue assigned to jmagne
- Issue set to the milestone: Dogtag 10.0.0.a1

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/585

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
