org.keycloak.authentication.authenticators.x509.X509ClientCertificateAuthenticator の継承関係図

org.keycloak.authentication.authenticators.x509.X509ClientCertificateAuthenticator 連携図

公開メンバ関数
void	close ()

void	authenticate (AuthenticationFlowContext context)

void	action (AuthenticationFlowContext context)

CertificateValidator.CertificateValidatorBuilder	certificateValidationParameters (X509AuthenticatorConfigModel config) throws Exception

UserIdentityExtractor	getUserIdentityExtractor (X509AuthenticatorConfigModel config)

UserIdentityToModelMapper	getUserIdentityToModelMapper (X509AuthenticatorConfigModel config)

boolean	requiresUser ()

boolean	configuredFor (KeycloakSession session, RealmModel realm, UserModel user)

void	setRequiredActions (KeycloakSession session, RealmModel realm, UserModel user)

静的公開変数類
static final String	DEFAULT_ATTRIBUTE_NAME = "usercertificate"

static final String	REGULAR_EXPRESSION = "x509-cert-auth.regular-expression"

static final String	ENABLE_CRL = "x509-cert-auth.crl-checking-enabled"

static final String	ENABLE_OCSP = "x509-cert-auth.ocsp-checking-enabled"

static final String	ENABLE_CRLDP = "x509-cert-auth.crldp-checking-enabled"

static final String	CRL_RELATIVE_PATH = "x509-cert-auth.crl-relative-path"

static final String	OCSPRESPONDER_URI = "x509-cert-auth.ocsp-responder-uri"

static final String	MAPPING_SOURCE_SELECTION = "x509-cert-auth.mapping-source-selection"

static final String	MAPPING_SOURCE_CERT_SUBJECTDN = "Match SubjectDN using regular expression"

static final String	MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL = "Subject's e-mail"

static final String	MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL = "Subject's Alternative Name E-mail"

static final String	MAPPING_SOURCE_CERT_SUBJECTDN_CN = "Subject's Common Name"

static final String	MAPPING_SOURCE_CERT_ISSUERDN = "Match IssuerDN using regular expression"

static final String	MAPPING_SOURCE_CERT_ISSUERDN_EMAIL = "Issuer's e-mail"

static final String	MAPPING_SOURCE_CERT_ISSUERDN_CN = "Issuer's Common Name"

static final String	MAPPING_SOURCE_CERT_SERIALNUMBER = "Certificate Serial Number"

static final String	USER_MAPPER_SELECTION = "x509-cert-auth.mapper-selection"

static final String	USER_ATTRIBUTE_MAPPER = "Custom Attribute Mapper"

static final String	USERNAME_EMAIL_MAPPER = "Username or Email"

static final String	CUSTOM_ATTRIBUTE_NAME = "x509-cert-auth.mapper-selection.user-attribute-name"

static final String	CERTIFICATE_KEY_USAGE = "x509-cert-auth.keyusage"

static final String	CERTIFICATE_EXTENDED_KEY_USAGE = "x509-cert-auth.extendedkeyusage"

static final String	CONFIRMATION_PAGE_DISALLOWED = "x509-cert-auth.confirmation-page-disallowed"

限定公開メンバ関数
Response	createInfoResponse (AuthenticationFlowContext context, String infoMessage, Object ... parameters)

X509Certificate []	getCertificateChain (AuthenticationFlowContext context)

静的限定公開変数類
static ServicesLogger	logger = ServicesLogger.LOGGER

静的変数
static final String	DEFAULT_MATCH_ALL_EXPRESSION = "(.*?)(?:$)"

非公開メンバ関数
Response	createErrorResponse (AuthenticationFlowContext context, String subjectDN, String errorMessage, String ... errorParameters)

Response	createSuccessResponse (AuthenticationFlowContext context, String subjectDN)

Response	createResponse (AuthenticationFlowContext context, String subjectDN, boolean isUserEnabled, String errorMessage, Object[] errorParameters)

void	dumpContainerAttributes (AuthenticationFlowContext context)

boolean	userEnabled (AuthenticationFlowContext context, UserModel user)

boolean	invalidUser (AuthenticationFlowContext context, UserModel user)

詳解

著者: Peter Nalyvayko

バージョン

Revision: 1

関数詳解

◆ action()

void org.keycloak.authentication.authenticators.x509.X509ClientCertificateAuthenticator.action ( AuthenticationFlowContext context )

inline

org.keycloak.authentication.Authenticatorを実装しています。

                                                           {
         MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
         if (formData.containsKey("cancel")) {
             context.clearUser();
             context.attempted();
             return;
         }
         if (context.getUser() != null) {
             context.success();
             return;
         }
         context.attempted();
     }

◆ authenticate()

void org.keycloak.authentication.authenticators.x509.X509ClientCertificateAuthenticator.authenticate ( AuthenticationFlowContext context )

inline

org.keycloak.authentication.Authenticatorを実装しています。

                                                                 {
 
         try {
 
             dumpContainerAttributes(context);
 
             X509Certificate[] certs = getCertificateChain(context);
             if (certs == null || certs.length == 0) {
                 // No x509 client cert, fall through and
                 // continue processing the rest of the authentication flow
                 logger.debug("[X509ClientCertificateAuthenticator:authenticate] x509 client certificate is not available for mutual SSL.");
                 context.attempted();
                 return;
             }
 
             X509AuthenticatorConfigModel config = null;
             if (context.getAuthenticatorConfig() != null && context.getAuthenticatorConfig().getConfig() != null) {
                 config = new X509AuthenticatorConfigModel(context.getAuthenticatorConfig());
             }
             if (config == null) {
                 logger.warn("[X509ClientCertificateAuthenticator:authenticate] x509 Client Certificate Authentication configuration is not available.");
                 context.challenge(createInfoResponse(context, "X509 client authentication has not been configured yet"));
                 context.attempted();
                 return;
             }
 
             // Validate X509 client certificate
             try {
                 CertificateValidator.CertificateValidatorBuilder builder = certificateValidationParameters(config);
                 CertificateValidator validator = builder.build(certs);
                 validator.checkRevocationStatus()
                          .validateKeyUsage()
                          .validateExtendedKeyUsage();
             } catch(Exception e) {
                 logger.error(e.getMessage(), e);
                 // TODO use specific locale to load error messages
                 String errorMessage = "Certificate validation's failed.";
                 // TODO is calling form().setErrors enough to show errors on login screen?
                 context.challenge(createErrorResponse(context, certs[0].getSubjectDN().getName(),
                         errorMessage, e.getMessage()));
                 context.attempted();
                 return;
             }
 
             Object userIdentity = getUserIdentityExtractor(config).extractUserIdentity(certs);
             if (userIdentity == null) {
                 context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
                 logger.warnf("[X509ClientCertificateAuthenticator:authenticate] Unable to extract user identity from certificate.");
                 // TODO use specific locale to load error messages
                 String errorMessage = "Unable to extract user identity from specified certificate";
                 // TODO is calling form().setErrors enough to show errors on login screen?
                 context.challenge(createErrorResponse(context, certs[0].getSubjectDN().getName(), errorMessage));
                 context.attempted();
                 return;
             }
 
             UserModel user;
             try {
                 context.getEvent().detail(Details.USERNAME, userIdentity.toString());
                 context.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, userIdentity.toString());
                 user = getUserIdentityToModelMapper(config).find(context, userIdentity);
             }
             catch(ModelDuplicateException e) {
                 logger.modelDuplicateException(e);
                 String errorMessage = "X509 certificate authentication's failed.";
                 // TODO is calling form().setErrors enough to show errors on login screen?
                 context.challenge(createErrorResponse(context, certs[0].getSubjectDN().getName(),
                         errorMessage, e.getMessage()));
                 context.attempted();
                 return;
             }
 
             if (invalidUser(context, user)) {
                 // TODO use specific locale to load error messages
                 String errorMessage = "X509 certificate authentication's failed.";
                 // TODO is calling form().setErrors enough to show errors on login screen?
                 context.challenge(createErrorResponse(context, certs[0].getSubjectDN().getName(),
                         errorMessage, "Invalid user"));
                 context.attempted();
                 return;
             }
 
             if (!userEnabled(context, user)) {
                 // TODO use specific locale to load error messages
                 String errorMessage = "X509 certificate authentication's failed.";
                 // TODO is calling form().setErrors enough to show errors on login screen?
                 context.challenge(createErrorResponse(context, certs[0].getSubjectDN().getName(),
                         errorMessage, "User is disabled"));
                 context.attempted();
                 return;
             }
             if (context.getRealm().isBruteForceProtected()) {
                 if (context.getProtector().isTemporarilyDisabled(context.getSession(), context.getRealm(), user)) {
                     context.getEvent().user(user);
                     context.getEvent().error(Errors.USER_TEMPORARILY_DISABLED);
                     // TODO use specific locale to load error messages
                     String errorMessage = "X509 certificate authentication's failed.";
                     // TODO is calling form().setErrors enough to show errors on login screen?
                     context.challenge(createErrorResponse(context, certs[0].getSubjectDN().getName(),
                             errorMessage, "User is temporarily disabled. Contact administrator."));
                     context.attempted();
                     return;
                 }
             }
             context.setUser(user);
 
             // Check whether to display the identity confirmation
             if (!config.getConfirmationPageDisallowed()) {
                 // FIXME calling forceChallenge was the only way to display
                 // a form to let users either choose the user identity from certificate
                 // or to ignore it and proceed to a normal login screen. Attempting
                 // to call the method "challenge" results in a wrong/unexpected behavior.
                 // The question is whether calling "forceChallenge" here is ok from
                 // the design viewpoint?
                 context.forceChallenge(createSuccessResponse(context, certs[0].getSubjectDN().getName()));
                 // Do not set the flow status yet, we want to display a form to let users
                 // choose whether to accept the identity from certificate or to specify username/password explicitly
             }
             else {
                 // Bypass the confirmation page and log the user in
                 context.success();
             }
         }
         catch(Exception e) {
             logger.errorf("[X509ClientCertificateAuthenticator:authenticate] Exception: %s", e.getMessage());
             context.attempted();
         }
     }

◆ certificateValidationParameters()

CertificateValidator.CertificateValidatorBuilder org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.certificateValidationParameters ( X509AuthenticatorConfigModel config ) throws Exception

inlineinherited

                                                                                                                                                   {
         return CertificateValidatorConfigBuilder.fromConfig(config);
     }

◆ close()

void org.keycloak.authentication.authenticators.x509.X509ClientCertificateAuthenticator.close ( )

inline

org.keycloak.provider.Providerを実装しています。

                         {
 
     }

◆ configuredFor()

boolean org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.configuredFor	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user
	)

inlineinherited

org.keycloak.authentication.Authenticatorを実装しています。

                                                                                             {
         return true;
     }

◆ createErrorResponse()

Response org.keycloak.authentication.authenticators.x509.X509ClientCertificateAuthenticator.createErrorResponse	(	AuthenticationFlowContext	context,
		String	subjectDN,
		String	errorMessage,
		String ...	errorParameters
	)

inlineprivate

                                                                      {
 
         return createResponse(context, subjectDN, false, errorMessage, errorParameters);
     }

◆ createInfoResponse()

Response org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.createInfoResponse	(	AuthenticationFlowContext	context,
		String	infoMessage,
		Object ...	parameters
	)

inlineprotectedinherited

                                                                                                                         {
         LoginFormsProvider form = context.form();
         return form.setInfo(infoMessage, parameters).createInfoPage();
     }

◆ createResponse()

Response org.keycloak.authentication.authenticators.x509.X509ClientCertificateAuthenticator.createResponse	(	AuthenticationFlowContext	context,
		String	subjectDN,
		boolean	isUserEnabled,
		String	errorMessage,
		Object []	errorParameters
	)

inlineprivate

                                                                    {
 
         LoginFormsProvider form = context.form();
         if (errorMessage != null && errorMessage.trim().length() > 0) {
             List<FormMessage> errors = new LinkedList<>();
 
             errors.add(new FormMessage(errorMessage));
             if (errorParameters != null) {
 
                 for (Object errorParameter : errorParameters) {
                     if (errorParameter == null) continue;
                     for (String part : errorParameter.toString().split("\n")) {
                         errors.add(new FormMessage(part));
                     }
                 }
             }
             form.setErrors(errors);
         }
 
         MultivaluedMap<String,String> formData = new MultivaluedHashMap<>();
         formData.add("username", context.getUser() != null ? context.getUser().getUsername() : "unknown user");
         formData.add("subjectDN", subjectDN);
         formData.add("isUserEnabled", String.valueOf(isUserEnabled));
 
         form.setFormData(formData);
 
         return form.createX509ConfirmPage();
     }

◆ createSuccessResponse()

Response org.keycloak.authentication.authenticators.x509.X509ClientCertificateAuthenticator.createSuccessResponse	(	AuthenticationFlowContext	context,
		String	subjectDN
	)

inlineprivate

                                                              {
         return createResponse(context, subjectDN, true, null, null);
     }

◆ dumpContainerAttributes()

void org.keycloak.authentication.authenticators.x509.X509ClientCertificateAuthenticator.dumpContainerAttributes ( AuthenticationFlowContext context )

inlineprivate

                                                                             {
 
         Enumeration<String> attributeNames = context.getHttpRequest().getAttributeNames();
         while(attributeNames.hasMoreElements()) {
             String a = attributeNames.nextElement();
             logger.tracef("[X509ClientCertificateAuthenticator:dumpContainerAttributes] \"%s\"", a);
         }
     }

◆ getCertificateChain()

X509Certificate [] org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.getCertificateChain ( AuthenticationFlowContext context )

inlineprotectedinherited

                                                                                        {
         try {
             // Get a x509 client certificate
             X509ClientCertificateLookup provider = context.getSession().getProvider(X509ClientCertificateLookup.class);
             if (provider == null) {
                 logger.errorv("\"{0}\" Spi is not available, did you forget to update the configuration?",
                         X509ClientCertificateLookup.class);
                 return null;
             }
 
             X509Certificate[] certs = provider.getCertificateChain(context.getHttpRequest());
 
             if (certs != null) {
                 for (X509Certificate cert : certs) {
                     logger.tracev("\"{0}\"", cert.getSubjectDN().getName());
                 }
             }
 
             return certs;
         }
         catch (GeneralSecurityException e) {
             logger.error(e.getMessage(), e);
         }
         return null;
     }

◆ getUserIdentityExtractor()

UserIdentityExtractor org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.getUserIdentityExtractor ( X509AuthenticatorConfigModel config )

inlineinherited

                                                                                                {
         return UserIdentityExtractorBuilder.fromConfig(config);
     }

◆ getUserIdentityToModelMapper()

UserIdentityToModelMapper org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.getUserIdentityToModelMapper ( X509AuthenticatorConfigModel config )

inlineinherited

                                                                                                        {
         return UserIdentityToModelMapperBuilder.fromConfig(config);
     }

◆ invalidUser()

boolean org.keycloak.authentication.authenticators.x509.X509ClientCertificateAuthenticator.invalidUser	(	AuthenticationFlowContext	context,
		UserModel	user
	)

inlineprivate

                                                                                    {
         if (user == null) {
             context.getEvent().error(Errors.USER_NOT_FOUND);
             return true;
         }
         return false;
     }

◆ requiresUser()

boolean org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.requiresUser ( )

inlineinherited

org.keycloak.authentication.Authenticatorを実装しています。

                                   {
         return false;
     }

◆ setRequiredActions()

void org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.setRequiredActions	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user
	)

inlineinherited

org.keycloak.authentication.Authenticatorを実装しています。

240 {

241 }

◆ userEnabled()

boolean org.keycloak.authentication.authenticators.x509.X509ClientCertificateAuthenticator.userEnabled	(	AuthenticationFlowContext	context,
		UserModel	user
	)

inlineprivate

                                                                                    {
         if (!user.isEnabled()) {
             context.getEvent().user(user);
             context.getEvent().error(Errors.USER_DISABLED);
             return false;
         }
         return true;
     }

メンバ詳解

◆ CERTIFICATE_EXTENDED_KEY_USAGE

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.CERTIFICATE_EXTENDED_KEY_USAGE = "x509-cert-auth.extendedkeyusage"

staticinherited

◆ CERTIFICATE_KEY_USAGE

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.CERTIFICATE_KEY_USAGE = "x509-cert-auth.keyusage"

staticinherited

◆ CONFIRMATION_PAGE_DISALLOWED

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.CONFIRMATION_PAGE_DISALLOWED = "x509-cert-auth.confirmation-page-disallowed"

staticinherited

◆ CRL_RELATIVE_PATH

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.CRL_RELATIVE_PATH = "x509-cert-auth.crl-relative-path"

staticinherited

◆ CUSTOM_ATTRIBUTE_NAME

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.CUSTOM_ATTRIBUTE_NAME = "x509-cert-auth.mapper-selection.user-attribute-name"

staticinherited

◆ DEFAULT_ATTRIBUTE_NAME

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.DEFAULT_ATTRIBUTE_NAME = "usercertificate"

staticinherited

◆ DEFAULT_MATCH_ALL_EXPRESSION

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.DEFAULT_MATCH_ALL_EXPRESSION = "(.*?)(?:$)"

staticpackageinherited

◆ ENABLE_CRL

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.ENABLE_CRL = "x509-cert-auth.crl-checking-enabled"

staticinherited

◆ ENABLE_CRLDP

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.ENABLE_CRLDP = "x509-cert-auth.crldp-checking-enabled"

staticinherited

◆ ENABLE_OCSP

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.ENABLE_OCSP = "x509-cert-auth.ocsp-checking-enabled"

staticinherited

◆ logger

ServicesLogger org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.logger = ServicesLogger.LOGGER

staticprotectedinherited

◆ MAPPING_SOURCE_CERT_ISSUERDN

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_ISSUERDN = "Match IssuerDN using regular expression"

staticinherited

◆ MAPPING_SOURCE_CERT_ISSUERDN_CN

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_ISSUERDN_CN = "Issuer's Common Name"

staticinherited

◆ MAPPING_SOURCE_CERT_ISSUERDN_EMAIL

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_ISSUERDN_EMAIL = "Issuer's e-mail"

staticinherited

◆ MAPPING_SOURCE_CERT_SERIALNUMBER

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SERIALNUMBER = "Certificate Serial Number"

staticinherited

◆ MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL = "Subject's Alternative Name E-mail"

staticinherited

◆ MAPPING_SOURCE_CERT_SUBJECTDN

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN = "Match SubjectDN using regular expression"

staticinherited

◆ MAPPING_SOURCE_CERT_SUBJECTDN_CN

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN_CN = "Subject's Common Name"

staticinherited

◆ MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL = "Subject's e-mail"

staticinherited

◆ MAPPING_SOURCE_SELECTION

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_SELECTION = "x509-cert-auth.mapping-source-selection"

staticinherited

◆ OCSPRESPONDER_URI

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.OCSPRESPONDER_URI = "x509-cert-auth.ocsp-responder-uri"

staticinherited

◆ REGULAR_EXPRESSION

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.REGULAR_EXPRESSION = "x509-cert-auth.regular-expression"

staticinherited

◆ USER_ATTRIBUTE_MAPPER

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.USER_ATTRIBUTE_MAPPER = "Custom Attribute Mapper"

staticinherited

◆ USER_MAPPER_SELECTION

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.USER_MAPPER_SELECTION = "x509-cert-auth.mapper-selection"

staticinherited

◆ USERNAME_EMAIL_MAPPER

final String org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.USERNAME_EMAIL_MAPPER = "Username or Email"

staticinherited

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/oidc-service/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java

公開メンバ関数

静的公開変数類

限定公開メンバ関数

静的限定公開変数類

静的変数

非公開メンバ関数

詳解

関数詳解

◆ action()

◆ authenticate()

◆ certificateValidationParameters()

◆ close()

◆ configuredFor()

◆ createErrorResponse()

◆ createInfoResponse()

◆ createResponse()

◆ createSuccessResponse()

◆ dumpContainerAttributes()

◆ getCertificateChain()

◆ getUserIdentityExtractor()

◆ getUserIdentityToModelMapper()

◆ invalidUser()

◆ requiresUser()

◆ setRequiredActions()

◆ userEnabled()

メンバ詳解

◆ CERTIFICATE_EXTENDED_KEY_USAGE

◆ CERTIFICATE_KEY_USAGE

◆ CONFIRMATION_PAGE_DISALLOWED

◆ CRL_RELATIVE_PATH

◆ CUSTOM_ATTRIBUTE_NAME

◆ DEFAULT_ATTRIBUTE_NAME

◆ DEFAULT_MATCH_ALL_EXPRESSION

◆ ENABLE_CRL

◆ ENABLE_CRLDP

◆ ENABLE_OCSP

◆ logger

◆ MAPPING_SOURCE_CERT_ISSUERDN

◆ MAPPING_SOURCE_CERT_ISSUERDN_CN

◆ MAPPING_SOURCE_CERT_ISSUERDN_EMAIL

◆ MAPPING_SOURCE_CERT_SERIALNUMBER

◆ MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL

◆ MAPPING_SOURCE_CERT_SUBJECTDN

◆ MAPPING_SOURCE_CERT_SUBJECTDN_CN

◆ MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL

◆ MAPPING_SOURCE_SELECTION

◆ OCSPRESPONDER_URI

◆ REGULAR_EXPRESSION

◆ USER_ATTRIBUTE_MAPPER

◆ USER_MAPPER_SELECTION

◆ USERNAME_EMAIL_MAPPER