#
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
#
# Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
#
# The contents of this file are subject to the terms
# of the Common Development and Distribution License
# (the License). You may not use this file except in
# compliance with the License.
#
# You can obtain a copy of the License at
# See the License for the specific language governing
# permission and limitations under the License.
#
# When distributing Covered Code, include this CDDL
# Header Notice in each file and include the License file
# If applicable, add the following below the CDDL Header,
# with the fields enclosed by brackets [] replaced by
# your own identifying information:
# "Portions Copyrighted [year] [name of copyright owner]"
#
# $Id: amAuthCert.properties,v 1.4 2009/12/11 01:43:23 goodearth Exp $
#
#
# Portions Copyrighted 2011-2016 ForgeRock AS
authentication=Authentication Modules
CERTex=Unknown Certificate Authority.
CertNoContext=Unable to set up LDAP context.
CertExpired=Certificate Has Expired.
CertVerifyFailed=Could not verify certificate.
CertNoReg=Error locating registered certificate.
CertRevoked=Certificate has been revoked.
iCertNotValidYet=Certificate is not yet valid.
CertIsNotValid=Certificate is not valid.
iplanet-am-auth-cert-service-description=Certificate
a101=Match Certificate in LDAP
a101.help=The client certificate must exist in the directory for the authentication to be successful.
a1011=Subject DN Attribute Used to Search LDAP for Certificates
a1011.help=This is the attribute used to search the directory for the certificate
a1011.help.txt=The Certificate module will search the directory for the certificate using the search filter based on this attribute \
and the value of the Subject DN taken from the certificate.
a102=Match Certificate to CRL
a102.help=The Client Certificate will be checked against the Certificate Revocation list held in the directory
a102.help.txt=A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client \
certificates to be checked against this list.
a102.help.uri=#tbd
a1023=Match CA Certificate to CRL
a1023.help=The CA certificate that issued the client certificate will also be checked against the CRL.
a1024=Cache CRLs in memory
a1024.help=The CRLs will be cached in memory
a1025=Update CA CRLs from CRLDistributionPoint
a1025.help=Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server
a1025.help.txt=If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set \
OpenAM tries to update the CRLs if neeed (i.e. CRL is out-of-date). <br/>This property controls if the update should be performed.<br/>\
This property is only used if CA CRL checking is enabled.
a1021=Issuer DN Attribute(s) Used to Search LDAP for CRLs
a1021.help=This is the name of the attribute taken from the CA certificate that will be used to search the CRL.
a1021.help.txt=If only one attribute name is specified, the ldap searchfilter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>\
e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', searchfilter used will be <code>(CN=Some CA)</code><br/><br/>\
If serveral attribute names are specified, they have to separated by <code>,</code>. The resulting ldap searchfilter value will \
be a comma separated list of name attribute values, the search attribute will be <code>cn</code><br/>\
e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN,serialNumber', searchfilter used will be \
<code>cn=CN=Some CA,serialNumber=123456</code><br/>\
The order of the values of the attribute names matter as they must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.
a1022=HTTP Parameters for CRL Update
a1022.help=These parameters will be included in any HTTP CRL call to the Certificate Authority
a1022.help.txt=If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information \
to retrieve the CRL from the distribution point. This property allow custom HTTP parameters to be included in the CRL request.<br/><br/>\
The format of the parameter is as follows:<br/><br/>\
<code>param1=value1,param2=value</code>
a103=OCSP Validation
a103.help=Enable Online Certificate Status Protocol validation for OCSP aware certificates
a103.help.txt=If the certificate contains OCSP validation information then OpenAM will use this information to check the validity \
of the certificate as part of the authentication process.<br/><br/>\
<i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work
a104=LDAP Server Where Certificates are Stored
a104.help=Use this list to set the LDAP server used to search for certificates.
a104.help.txt=The Certificate authentication module will use this list for the LDAP server used to search for certificates. A single entry \
must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a \
LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>\
The local server name is the full name of the server from the list of servers and sites.
a105=LDAP Search Start or Base DN
a105.help=The start point in the LDAP server for the certificate search
a105.help.txt=When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different \
search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>\
The local server name is the full name of the server from the list of servers and sites.
# unused
a106=LDAP Access Authentication Type
a107=LDAP Server Authentication User
a107.help=DN of the user used by the module to authenticate to the LDAP server
a107.help.txt=The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here \
represents the account used for said authentication and must have read/search access to the LDAP server.
a108=LDAP Server Authentication Password
a108.help=The password for the authentication user
# unused
a109=LDAP Attribute for Profile ID
# unused
a109.help=Enter any valid attribute in a user entry (CN, SN) that can be used as the user ID.
a110=Use SSL/TLS for LDAP Access
a111=Certificate Field Used to Access User Profile
a111.help=The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a \
matching certificate.
a1111=Other Certificate Field Used to Access User Profile
a1111.help=This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This \
field allows a custom certificate field to be used as the basis of the user search.
a1112=SubjectAltNameExt Value Type to Access User Profile
a1112.help=Use the Subject Alternative Name Field in preference to one of the standard certificate fields.
a1112.help.txt=Selecting RFC822Name or UPN will cause this field to have have precedence over the <i>Certificate Field Used to Access \
User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/>\
<i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.
a500=Authentication Level
a500.help=The authentication level associated with this module.
a500.help.txt=Each authentication module has an authentication level that can be used to indicate the level of security \
associated with the module; 0 is the lowest (and the default).
a113=Trusted Remote Hosts
a113.help=A list of IP addresses trusted to supply client certificates.
a113.help.txt=If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used \
to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate \
module,<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>\
The default value of <i>none</i> disables this functionality
a115=HTTP Header Name for Client Certificate
a115.help=The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.
a1151=Use only Certificate from HTTP request header
a1151.help=Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute
amAuthCert-eeh-debug-desc=Turn on debugging.
amAuthCert-ff-aliases-desc=Certificate User Aliases
amAuthCert-debug.log=Log Messages
emailAddr=emailAddr
emailAddrTag=email address
noCert=User certificate not found
jssSockFactoryFail=Failed to create LDAP connection with JSS
NoCallbackHandler=No callback handler available
certificate=Certificate
wrongLDAPServer=LDAP server and port number are misconfigured.
wrongStartDN=LDAP Start Search DN misconfigured.
noLDAPAttr=No value provided for attribute name to search LDAP.
noCRLAttr=No value provided for attribute name to search CRL.
noOtherAttr=No value provided for other field to access user profile.
noURLCertAuth=URL certificate authentication not enabled.
choiceNone=none
choiceSimple=simple
choiceCRAM-MD5=CRAM-MD5
choiceIssuerDN=issuer DN
choiceIssuerCN=issuer CN
choiceIssuer0=issuer O
choiceSerialNumber=serial number
choiceSubjectDN=subject DN
choiceSubjectCN=subject CN
choiceSubjectUID=subject UID
choiceSubject0=subject O
choiceEmail=email address
choiceOther=other
choiceRFC822Name=RFC822Name
choiceUPN=UPN