When a request is made for secured data, an Attribute Certificate is submitted on behalf of the user. This contains a list of the roles or attributes to which the user is entitled. It is digitally signed by the Attribute Authority service that issued it.

The `acIssuer` and `acCACertFilePathList` fields enable the Gatekeeper to verify that your organisation's Attribute Authority signed the Attribute Certificate submitted to it.

Set the `acIssuer` field to the Distinguished Name of the Attribute Authority's X.509 certificate. The Attribute Authority holds an X.509 certificate on its host machine, normally in `/etc/ndg/security/conf/certs`. To check the Distinguished Name:

{{{
openssl x509 -in aa.pem -noout -subject
}}}

`acCACertFilePathList` should be set to the CA certificate that issued the Attribute Authority's X.509 certificate. This is expected to be the one previously obtained in `/etc/ndg/ows_server/conf/cacert.crt`.

{{{
# Gatekeeper Attribute Certificate check
# Issuer - must match the issuer element of the user's Attribute
# Certificate submitted in order to gain access
acIssuer: /CN=AttributeAuthority/O=NDG/OU=YourOrganisationName

# verification of the Attribute Authority's X.509 cert back to the CA
acCACertFilePathList: /etc/ndg/ows_server/conf/cacert.crt
}}}
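As an added example (not part of this page or the NDG code), a small Python check that the `acIssuer` value in the Gatekeeper config names the same Distinguished Name as the subject the `openssl x509 -subject` command prints. It accepts both the legacy `/CN=.../O=...` form used in the config and the `CN = ..., O = ...` form that OpenSSL 1.1 and later print by default, since a naive string comparison between the two fails even when the DNs are identical. The config text is the fragment above, embedded as a constructed sample.

```python
"""Check that a Gatekeeper config's acIssuer matches the Attribute Authority
certificate subject reported by ``openssl x509 -in aa.pem -noout -subject``."""
import re

# Constructed sample: the Gatekeeper config fragment shown on this page.
GATEKEEPER_CONF = """
# Gatekeeper Attribute Certificate check
acIssuer: /CN=AttributeAuthority/O=NDG/OU=YourOrganisationName
acCACertFilePathList: /etc/ndg/ows_server/conf/cacert.crt
"""


def parse_conf(text):
    """Parse 'key: value' lines, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def parse_dn(dn):
    """Normalise a DN into an ordered list of (TYPE, value) pairs.

    Handles the legacy OpenSSL form '/CN=a/O=b' (as used in acIssuer) and the
    OpenSSL 1.1+ default output 'subject=CN = a, O = b'. Escaped separators
    ('\\/' or '\\,') are left inside the value rather than split on.
    """
    dn = re.sub(r"^subject\s*=\s*", "", dn.strip())
    if dn.startswith("/"):
        parts = re.split(r"(?<!\\)/", dn)[1:]   # split on unescaped '/'
    else:
        parts = re.split(r"(?<!\\),", dn)       # split on unescaped ','
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def issuer_matches(conf_text, openssl_subject):
    """True if the configured acIssuer is the same DN as the AA cert subject."""
    conf = parse_conf(conf_text)
    return parse_dn(conf["acIssuer"]) == parse_dn(openssl_subject)
```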