User Manager Classes

This section lists and briefly describes the classes in User Manager. For more details, refer to the Javadoc.

The UserManagerFactory constructs the desired UserManager. The factory configuration parameters are:

Either:

  • CONFIG_URL—URL of the CredentialManager service in ActivID CMS.

Or both of the following:

  • CONFIG_HOST_NAME—Hostname of the CredentialManager service in ActivID CMS.

  • CONFIG_HOST_PORT—Port number of the CredentialManager service in ActivID CMS.

And:

  • CONNECT_TIMEOUT—Represents the client timeout used when connecting to the ActivID CMS HTTP server hosting the corresponding ActivID CMS service. A value of zero (0) means that there is no client timeout; the client timeout is determined by the server settings. The timeout value is for each connection attempt; the default value is zero (0).

  • CONNECT_RETRY—Represents the number of retry attempts permitted for connecting to the ActivID CMS service host. The default value is 1.

For Java implementations:

  • CONFIG_TRUSTSTORE (optional)—Truststore containing the root or intermediate certificate that issued the server certificate. If not present, the default Java truststore is used.

  • CONFIG_TRUSTSTORE_PWD (optional)—Password to the truststore.

  • CONFIG_KEYSTORE (mandatory)—Keystore which contains client certificate.

  • CONFIG_KEYSTORE_PWD (mandatory)—Password to the keystore.

  • CONFIG_ TRUSTMANAGERS (optional)—TrustManagers containing the root certificate.

  • CONFIG_ KEYMANAGERS (optional)—KeyManagers containing client certificate.SSL

A User object in CCM represents the holder of a SecurityModule such as a card. The createUser method takes a User object as its only parameter. This object contains a UserId attribute and an array of EnrollmentData Identifiers.

When creating a user, the CCM application should populate the EnrollmentData array with the minimum items required to create the user based on the information about the user in the underlying IDMS An Identity Management System (IDMS) is a system that manages and protects the identity information of PIV card applicants. The IDMS generally falls within the IDPRS domain. or user data repository.

When a User object is retrieved for an existing user, its EnrollmentData array is populated by ActivID CMS with using data retrieved from the underlying IDMS or user data repository.

The EnrollmentData and EnrollmentDataValue classes are used for conveying all enrollment data (user attributes) to ActivID CMS. The type attribute of the EnrollmentData class can accept the following value:

  • EnrollmentData.ENROLLMENT_DATA_TYPE_STRING

  • EnrollmentData.ENROLLMENT_DATA_ENCODING_NONE

  • EnrollmentData.ENROLLMENT_DATA_ENCODING_BASE64

The identifiers of EnrollmentData are user attribute identifiers. The names of these attributes may be prefixed to indicate whether they are associated with a particular enrollment plug-in An enrollment plug-in is involved every time a user attribute is set or retrieved by ActivID CMS. This makes it possible to map user attributes to repositories other than ActivID CMS’ standard LDAP (for example, such as IDMS, databases, or XML files). or with the ActivID CMS LDAP repository. Therefore:

  • When getEnrollmentData is performed on a prefixed identifier, this invokes the getAttribute method of the relevant server generic (enrollment) plug-in.

  • When addEnrollmentData is performed on a prefixed identifier, this invokes the setAttribute method of the relevant server generic (enrollment) plug-in.

  • Deleting enrollment data where a prefixed attribute is provided triggers setting the data to empty using the setAttributes method of the relevant server generic (enrollment) plug-in.

For more information, read about enrollment plug-ins in Defining a Generic Plug-In.

Behavior with Multi-Valued Attributes

The CCM API supports the LDAP concept of multi-valued attributes. To add initial or additional values to a multi-valued attribute, something similar to the following code example needs to be used:

Copy 
EnrollmentDataValue[] addData = {
new EnrollmentDataValue("favFruit","orange"), new EnrollmentDataValue("favFruit","apple") };
userMgr.addEnrollmentData(userId, addData);

For this example, there are two enrollment attributes that have the same ID, favFruit. In retrieving favFruit using the getEnrollmentData method, there are two entries with the same ID. However, they have different values that would be returned (as shown in this code example).

To delete an individual value from the list of values for favFruit:

Copy 
String delData[] = { "favFruit~apple" };
userMgr.deleteEnrollmentData(userId, delData);

The tilde (~) denotes the value of an EnrollmentDataValue. The left side of the ~ shows the enrollment data ID. The right side of the ~ identifies the value to be removed. The tilde notation can also be used with the addEnrollmentData method, as shown in the following example:

Copy 
EnrollmentDataValue[] addData3 = {
new EnrollmentDataValue("favFruit~lemon","apple") };
userMgr.addEnrollmentData(userId, addData3);

In this example, the ~ is interpreted as a replace. To delete all values from an attribute, treat the multi-valued attribute enrollment data the same as any other normal enrollment data item. An attribute's schema must have been declared as multi-valued before you can use these features. Otherwise, CCM treats it like a normal single-valued attribute.