
Configure a Certificate Mapping

Configure a certificate mapping that lets SOA Security Manager determine how to compare user certificate information with the information stored in the user directory.

To configure a certificate mapping

  1. Click Infrastructure, Directory.
  2. Click Certificate Mapping, Create Certificate Mapping.

    The Create Certificate Mapping pane opens.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  3. Type the certificate issuer DN in the Issuer DN field. Enter the Issuer DN exactly as it appears in the certificate. Do not add any additional spaces or characters.

    When entering the DN, escape reserved special characters with a backslash (\). Special characters include:

    RFC 2253 defines the reserved special characters for DNs: http://www.faqs.org/rfcs/rfc2253.html.

    Note: Issuer DNs cannot exceed 255 characters if a relational database is used as a policy store and cannot exceed 1000 characters if an LDAP directory is used as a policy store.

  4. Select the directory type against which the certificate is mapped.

    For LDAP directories only, you can configure the Policy Server to verify that the certificate the user presents matches the certificate stored in the user record in the user directory. The Certificate Required in Directory check box lets you require this verification.

    Note: The certificate in the LDAP directory must be base64-encoded without embedded newlines. Binary certificates, PEM certificates, and multiline base64-encoded certificates are not supported.

  5. Specify how to map X.509 user certificate information to a user entry in the user directory in the Mapping group box. The Policy Server can apply a mapping using a single attribute, a custom mapping expression, or the entire Subject Name from the user certificate to locate the correct user entry.
  6. (Optional) Select Perform CRL Checks in the Certificate Revocation List (CRL) Checking group box, and specify the CRL settings in the group box.

    If you do not enable CRL checking, you can use OCSP instead.

  7. Click Submit.

    The Create Certificate Mapping task is submitted for processing.
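The following script is an added example, not part of this documentation or the product, that covers the two inputs steps 3 and 4 depend on: it escapes RDN values per RFC 2253 and enforces the 255/1000-character Issuer DN limit, and it converts a certificate to the single-line base64 DER form the LDAP user record must hold (rejecting PEM, binary and multiline values). The sample certificate bytes are constructed DER-shaped filler, not a real certificate, and the `policy_store` labels are assumptions.

```python
import base64
import binascii
import re

# RFC 2253 section 2.4: characters that must be escaped inside an attribute value.
RFC2253_SPECIALS = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    """Escape one RDN attribute value so it matches the DN exactly as the certificate presents it."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in RFC2253_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # a leading '#' would be read as a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):    # leading/trailing spaces are only kept when escaped
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_issuer_dn(rdns, policy_store: str) -> str:
    """Join (type, value) pairs into a DN string and enforce the documented length limit.
    policy_store is 'rdb' (255-char limit) or 'ldap' (1000-char limit); labels assumed here."""
    dn = ",".join(f"{t}={escape_rdn_value(v)}" for t, v in rdns)
    limit = {"rdb": 255, "ldap": 1000}[policy_store]
    if len(dn) > limit:
        raise ValueError(f"issuer DN is {len(dn)} chars; limit for {policy_store} policy store is {limit}")
    return dn


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_directory_cert(cert) -> str:
    """Return single-line base64 DER, the only form the LDAP record may hold. Accepts PEM text or DER bytes."""
    if isinstance(cert, bytes):
        der = cert
    else:
        m = PEM_RE.search(cert)
        if not m:
            raise ValueError("expected PEM text or DER bytes")
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return base64.b64encode(der).decode("ascii")


def is_directory_cert_format(value: str) -> bool:
    """True only for one line of valid base64 with no PEM armor, i.e. what the Policy Server can compare."""
    if not value or "\n" in value or "\r" in value or "-----" in value:
        return False
    try:
        base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    return True


# Constructed sample: DER-shaped filler bytes, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x07])
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n"
```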