[OTDev] A&A: precautions against pre-registering resources

Luchesar V. ILIEV luchesar.iliev at gmail.com
Tue Jun 29 16:25:24 CEST 2010


Thanks Andreas,

And it's really the policy service that matters. OpenSSO need not (as
far as I can ascertain at the moment) require client certificates for
its connections.

So, if you can get access to the client certificate from within the
policy service, that would be great. I'm afraid I don't have much
experience with programming webservices, but I'll try to educate
myself more on the matter as well.

Cheers,
Luchesar


On Tue, Jun 29, 2010 at 16:35, Andreas Maunz <andreas at maunz.de> wrote:
> Luchesar V. ILIEV wrote on 06/29/2010 02:21 PM:
>>
>> So, to summarize, the question is: how easy for the policy service
>> would it be to check the SAN entries in the client certificate used in
>> the SSL/TLS connection against the URL for which a policy is submitted
>> through that secure channel?
>
> I agree SSL is most probably the more sane way. But it is also more
> difficult to set up.
> Currently, the A&A server runs as a virtual machine and SSL connections
> (which are as you know already possible) are currently handled by the host
> machine.
> I would have to forward SSL to the guest machine, where OpenSSO cannot be
> switched into "SSL mode" so easily.
>
> Currently I have:
> Tomcat web server running as web application (WAR):
> 1) OpenSSO
> 2) Policy service
>
> Let me check out how this would be possible - the policy service should not
> be the problem.
>
> Best regards
> Andreas
>
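The check proposed in the thread, host of the submitted policy URL against the SAN entries of the client certificate on the TLS connection, as an added illustration that is not code from the A&A server or the policy service. It is written in Go against the standard library only; the self-signed certificate is constructed test data, and the function names and the rule "policy URL host must match a DNS or IP SAN" are assumptions for the example:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// policyURLAllowed reports whether the host in policyURL is covered by a
// Subject Alternative Name of the client certificate presented on the TLS
// connection. Only SANs count: VerifyHostname ignores the legacy CN field.
func policyURLAllowed(cert *x509.Certificate, policyURL string) (bool, error) {
	u, err := url.Parse(policyURL)
	if err != nil {
		return false, err
	}
	host := u.Hostname()
	if host == "" {
		return false, fmt.Errorf("policy URL %q has no host component", policyURL)
	}
	// Matches DNS and IP SANs, including leftmost-label wildcards.
	return cert.VerifyHostname(host) == nil, nil
}

// selfSignedClientCert builds a throwaway self-signed client certificate
// carrying the given DNS SANs (constructed test data standing in for the
// certificate a service would present when submitting a policy).
func selfSignedClientCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A policy service would obtain the certificate from the TLS layer (in Go, the first element of the connection's PeerCertificates) and reject the submission when policyURLAllowed returns false.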