Programming Guides › Programming Guide for Perl › CLI Policy Management Methods › CLI Certificate Mapping Methods

CLI Certificate Mapping Methods

AttrMap Method—Sets or Retrieves the Attribute Map for Certificate Mapping

The AttrMap method sets or retrieves the attribute map for Certificate mapping.

Syntax

The AttrMap method has the following format:

Netegrity::PolicyMgtCertMap‑>AttrMap ([attribute_map])

Parameters

The AttrMap method accepts the following parameter:

attribute_map (string)

(Optional) Specifies the attribute map to be set.

Return Value

The AttrMap method returns one of the following values:

• A new or existing attribute of the Certificate map
• An empty string if the call was unsuccessful

CacheCRL Method—Determines whether To Cache Certificate Revocation List (CRL) entries

The CacheCRL method sets or retrieves the flag that determines whether to cache Certificate Revocation List (CRL) entries. Setting this flag causes SiteMinder to use cached CRL information until the date specified in the NextUpdate field in the CRL.

Syntax

The CacheCRL method has the following format:

Netegrity::PolicyMgtCertMap‑>CacheCRL([cacheFlag])

Parameters

The CacheCRL method accepts the following parameter:

cacheFlag (int)

(Optional) Specifies whether to cache CRL entries:

• 1 specifies that cache entries are used
• 0 specifies that cache entries are not used

Return Value

The CacheCRL method returns one of the following values:

• The new or existing cache flag setting
• -1 if the call was unsuccessful

CertRequired Method—Determines whether Certificate Validation is Required

The CertRequired method sets or retrieves the flag that requires SiteMinder to verify that the certificate presented by the user matches the certificate stored in the user's entry in the user directory. The user directory must be an LDAP user directory.

Syntax

The CertRequired method has the following format:

Netegrity::PolicyMgtCertMap‑>CertRequired([certFlag])

Parameters

The CertRequired method accepts the following parameter:

certFlag (int)

(Optional) Specifies whether certificate verification is required:

• 1 certificate verification is required
• 0 certificate verification is not required

Return Value

The CertRequired method returns one of the following values:

• The new or existing flag setting
• -1 if the call was unsuccessful

CRLUserDirectory Method—Sets or Retrieves the LDAP Directory where the Certificate Revocation List (CRL) Is Located

The CRLUserDirectory method specifies or retrieves the LDAP user directory where the Certificate Revocation List (CRL) is located.

Syntax

The CRLUserDirectory method has the following format:

Netegrity::PolicyMgtCertMap‑>CRLUserDirectory([crlDir])

Parameters

The CRLUserDirectory method accepts the following parameter:

crlDir (PolicyMgtUserDir)

(Optional) Specifies the user directory where the CRL is located.

Return Value

The CRLUserDirectory method returns one of the following values:

• A PolicyMgtUserDir object
• undef if the call was unsuccessful

Description Method—Sets or Retrieves the Description of the Certificate Map

The Description method sets or retrieves the description of the certificate map.

Syntax

The Description method has the following format:

Netegrity::PolicyMgtCertMap‑>Description([certMapDesc])

Parameters

The Description method accepts the following parameter:

certMapDesc (string)

(Optional) Specifies the description to set.

Return Value

The Description method returns one of the following values:

• A new or existing certificate map description
• An empty string if the call was unsuccessful

DirectoryType Method—Sets or Retrieves the Type of User Directory

The DirectoryType method sets or retrieves the type of user directory involved in the user authentication.

Syntax

The DirectoryType method has the following format:

Netegrity::PolicyMgtCertMap‑>DirectoryType([dirType])

Parameters

The DirectoryType method accepts the following parameter:

dirType (int)

(Optional) Specifies one of the following types of user directory:

• Sm_PolicyApi_DirType_LDAP
• Sm_PolicyApi_DirType_WinNT
• Sm_PolicyApi_DirType_ODBC

Return Value

The DirectoryType method returns one of the following values:

• The new or existing directory type
• undef if the call was unsuccessful

EnableCRL Method—Determines whether To Check the Certificate Revocation List (CRL) for Revoked Certificates

The EnableCRL method sets or retrieves the flag that determines whether to check the Certificate Revocation List (CRL) for revoked certificates.

Syntax

The EnableCRL method has the following format:

Netegrity::PolicyMgtCertMap‑>EnableCRL([ckCRLFlag])

Parameters

The EnableCRL method accepts the following parameter:

ckCRLFlag (int)

(Optional) Specifies whether to check certificates against the CRL:

• 1 specifies that certificates should be checked
• 0 specifies that certificates should not be checked

Return Value

The EnableCRL method returns one of the following values:

• The new or existing flag setting
• -1 if the call was unsuccessful

Remarks

A CRL is a list of revoked X.509 client certificates published by the Certificate Authority. Comparing a certificate against a CRL is one way to ensure that certificates are valid. When a user with such a certificate tries to access a protected resource, SiteMinder finds the user's certificate in the CRL and rejects the authentication.

Before you enable CRL checking, call the method PolicyMgtCertMap‑>CRLUserDirectory to specify the user directory where the CRL is located.

IssuerDN Method—Sets or Retrieves the DN of the Certificate Issuer

The IssuerDN method sets or retrieves the DN of the certificate issuer.

Syntax

The IssuerDN method has the following format:

Netegrity::PolicyMgtCertMap‑>IssuerDN([issuerDN])

Parameters

The IssuerDN method accepts the following parameter:

issuerDN (string)

(Optional) Specifies the issuer DN to set.

Return Value

The IssuerDN method returns one of the following values:

• The new or existing issuer DN
• An empty string if the call is unsuccessful

UseDistributionPoints Method—Determines whether Certificate Revocation List (CRL) Searches Use a Distribution Point

The UseDistributionPoints method sets or retrieves the flag indicating whether Certificate Revocation List (CRL) searches should use a distribution point as a starting point for a search.

Syntax

The UseDistributionPoints method has the following format:

Netegrity::PolicyMgtCertMap‑>UseDistributionPoints([distPointsFlag])

Parameters

The UseDistributionPoints method accepts the following parameters:

distPointsFlag (int)

(Optional) Specifies whether to use distribution points for CRL searches:

• 1 specifies that distribution points should be used
• 0 specifies that the whole CRL should be searched

Return Value

The UseDistributionPoints method returns one of the following values:

• The new or existing flag setting
• -1 if the call was unsuccessful

Remarks

Large CRLs may contain multiple distribution points that can be used to locate a revoked user. Distribution points indicate a starting point in the CRL LDAP directory. By providing a starting point for a CRL check, distribution points save the processing time that it would take to search the entire CRL.

VerifySignature Method—Determines whether SiteMinder Verifies the Certificate Authority's Signature

The VerifySignature method sets or retrieves the flag indicating whether SiteMinder should verify the Certificate Authority's signature in the Certificate Revocation List (CRL).

Syntax

The VerifySignature method has the following format:

Netegrity::PolicyMgtCertMap‑>VerifySignature([verifyFlag])

Parameters

The VerifySignature method accepts the following parameter:

verifyFlag (int)

(Optional) Specifies whether to verify the CA's signature in the CRL:

• 1 specifies that the signature should be verified
• 0 specifies that the signature should not be verified

Return Value

The VerifySignature method returns one of the following values:

• The new or existing flag setting
• -1 if the call was unsuccessful