Reading certificates in Active Directory

The procedure for logging in a user whose X.509 certificates are held in Active Directory is similar to that used for any LDAP Directory.

Obtaining the user password

Prompt the user for the password.

SecureStringBuffer password = new SecureStringBuffer(...);

A user's password must contain the following.

  • at least 8 characters

  • at least one uppercase character

  • at least one lowercase character

  • at least one numeric character

A user's password may contain the following.

  • non-alpha-numeric characters

  • uppercase and lowercase characters

  • spaces

  • repeated characters

By default, a user's password has no expiry date, but if a user changes a password, it cannot be the same as one of the previous eight passwords chosen by that user.

Creating a user

Create a user object.

com.entrust.toolkit.User user = new User();

Setting the credential reader

Instantiate a credential reader for the Entrust profile at the <profile_path> file path.

FilenameProfileReader credReader = new FilenameProfileReader(<profile_path>);

Setting the credential writer

Set a credential writer object, in this case, the FilenameProfileWriter.

FilenameProfileWriter profileWriter = new FilenameProfileWriter(<profile_path>);
user.setCredentialWriter(profileWriter);

Setting the communications

Create an object to control data transmission with the Active Directory through a proxy server.

String directoryServerURL = "http://" + <AD_proxy_IP> + ":" + <AD_proxy_port>;
LdapDirectory dir = new HttpsDirectoryClient(directoryServerURL, 0);

Create an object to control communication with the Registration Authority of the CA.

int authorityPortNumber = 829;
ManagerTransport emt = new ManagerTransport(managerIPAddress, authorityPortNumber);

The key management server port number for PKIX-CMP communications is 829.

Set the connections prepared in the previous two steps.

user.setConnections(dir, emt);

Logging into Active Directory

Complete the user's authentication.

int status = user.login(credReader, password);

Check the password status after logging in.

if ((status & User.WARNING_PW_EXPIRED) != 0)
{
    System.out.println("WARNING_PW_EXPIRED");
    System.out.println("Password lifetime was " + user.getClientSettings().getPasswordRuleTester().getExpirationTimeInWeeks() + " weeks");
}
if ((status & User.WARNING_PW_NOT_VALID) != 0)
{
    System.out.println("WARNING_PW_NOT_VALID");
}

Reading certificates in Active Directory

Read the certificates in the Active Directory.

String caName = user.getCaCertificate().getSubjectDN().toString();
System.out.println("CA distinguished name: " + "\"" + caName + "\"");
byte[][] attr = user.getDirectory().getAttr(caName, "caCertificate");
if (attr.length > 0)
{
    FileOutputStream ostream = new FileOutputStream("caCertificate.cer");
    ostream.write(attr[0]);
    ostream.close();
}
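The steps above assembled into one class, as an added example that is not Entrust's own code. It assumes the constructor and method signatures exactly as they appear in the snippets above, assumes the toolkit classes other than User are imported from their packages (which this page does not name), and goes slightly beyond the page by pre-checking the password rules locally and by exporting every value of the multi-valued caCertificate attribute rather than only the first.

```java
import java.io.FileOutputStream;
import com.entrust.toolkit.User;
// Assumption: FilenameProfileReader, FilenameProfileWriter, HttpsDirectoryClient,
// LdapDirectory, ManagerTransport and SecureStringBuffer are imported from their
// Entrust toolkit packages, which this page does not name.

public class AdCertificateLogin {

    // Local pre-check of the password rules listed above (8+ characters, one
    // uppercase, one lowercase, one digit). The toolkit's PasswordRuleTester
    // stays authoritative; this only rejects obviously bad input before login.
    static boolean meetsPasswordRules(char[] pw) {
        boolean upper = false, lower = false, digit = false;
        for (char c : pw) {
            upper |= Character.isUpperCase(c);
            lower |= Character.isLowerCase(c);
            digit |= Character.isDigit(c);
        }
        return pw.length >= 8 && upper && lower && digit;
    }

    // Logs the user in through the AD proxy and the CA's Registration Authority
    // (PKIX-CMP on port 829, as stated above) and returns the login status bits.
    static int login(User user, String profilePath, String adProxyIp, int adProxyPort,
                     String managerIp, SecureStringBuffer password) throws Exception {
        FilenameProfileReader credReader = new FilenameProfileReader(profilePath);
        user.setCredentialWriter(new FilenameProfileWriter(profilePath));
        LdapDirectory dir = new HttpsDirectoryClient("http://" + adProxyIp + ":" + adProxyPort, 0);
        ManagerTransport emt = new ManagerTransport(managerIp, 829);
        user.setConnections(dir, emt);
        int status = user.login(credReader, password);
        if ((status & User.WARNING_PW_EXPIRED) != 0) {
            System.err.println("password expired; lifetime was "
                + user.getClientSettings().getPasswordRuleTester().getExpirationTimeInWeeks() + " weeks");
        }
        if ((status & User.WARNING_PW_NOT_VALID) != 0) {
            System.err.println("password no longer satisfies the password rules");
        }
        return status;
    }

    // caCertificate is a multi-valued LDAP attribute, so write every value to its
    // own file (caCertificate-<n>.cer) and return how many were exported.
    static int exportCaCertificates(User user) throws Exception {
        String caDn = user.getCaCertificate().getSubjectDN().toString();
        byte[][] values = user.getDirectory().getAttr(caDn, "caCertificate");
        int n = (values == null) ? 0 : values.length;
        for (int i = 0; i < n; i++) {
            try (FileOutputStream out = new FileOutputStream("caCertificate-" + i + ".cer")) {
                out.write(values[i]); // DER-encoded certificate as stored in AD
            }
        }
        return n;
    }
}
```

Call meetsPasswordRules before login, then login followed by exportCaCertificates; a zero return from exportCaCertificates means the CA entry carried no caCertificate value and is worth flagging rather than silently accepting.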