The CA SiteMinder® Test Tool simulates user authentication and authorization. Certificate-based authentication schemes require additional configuration.
Different certificate-generation tools sometimes affect the format of the Issuer DN and other attributes of a certificate.
For example, the Issuer DN for a certificate generated with certutil.exe on an IIS web server could use ST= to represent the state. However, the Issuer DN for a certificate generated with OpenSSL tools on an Oracle iPlanet web server could possibly use S= to represent the state.
Note: For more information about the actual values used by a specific certificate-generation tool, see the documentation provided by the vendor of your certificate-generation tool.
To test certificate-based authentication schemes, configure certificate mappings in the Policy Server to accommodate certificates created with different certificate-generation tools.
Some common certificate attributes differ slightly according to the third-party tool (such as certutil.exe or OpenSSL) used to generate the certificate. Differences between the following attributes could possibly cause errors in the CA SiteMinder® Test Tool:
Represented by E or Email depending on the vendor of the certificate-generation tool.
Represented by S or ST depending on the vendor of the certificate-generation tool.
Represented by UID or UserID depending on the vendor of the certificate-generation tool.
Note: For more information about the actual values used by a specific certificate-generation tool, see the documentation provided by the vendor of your certificate-generation tool.
Using the CA SiteMinder® Test Tool for a certificate authentication scheme sometimes fails, even if it works typically (through a browser and the web server). The authentication log shows that the Test Tool expects a different format of the Issuer DN than the Issuer DN format used in the certificate.
This situation occurs when the Issuer DN and other attributes differ according to the type of certificate-generation tool used. For example, the certutil.exe program on an IIS web server could possibly use ST= to abbreviate the name of the state in the Issuer DN. The OpenSSL tools on an Oracle iPlanet web server, however, could possibly use S= to abbreviate the name of the state.
Note: For more information about the actual values used by a specific certificate-generation tool, see the documentation provided by the vendor of your certificate-generation tool.
The situation is similar for the other attributes listed in Certificate Attributes that Require Custom Mappings.
To resolve this problem, have an administrator create mappings for each Issuer DN format in the Policy Server. Then, the Policy Sever can accept the Issuer DN formats created by different certificate-generation tools.
Different certificate-generation tools (such as certutil.exe and OpenSSL) create the Issuer DN in slightly different ways. For example, one tool could possibly create an Issuer DN like the following:
CN=Personal Freemail RSA 2000.8.30, OU=Certificate Services, O=Thawte, L=Cape Town, S=Western Cape, C=ZA
Another tool could possibly create an Issuer DN like the following:
CN=Personal Freemail RSA 2000.8.30, OU=Certificate Services, O=Thawte, L=Cape Town, ST=Western Cape, C=ZA
To support multiple possibilities, have your administrator create mappings in the Policy Server for all Issuer DN formats in your environment.
Note: For more information about the actual values used by a specific certificate-generation tool, see the documentation provided by the vendor of your certificate-generation tool.
You can use the certificate-mapping feature of the CA SiteMinder® Policy Server to provide custom mappings for certificates.
Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
To create and use a custom attribute in a certificate mapping
The Create Certificate Mapping pane opens.
Certificate mapping settings open.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
The Mapping Expressions field opens.
This notation is used to specify two different attributes that are acceptable for a certificate mapping.
%{E/Email}
%{S/ST}
%{UID/UserID}
Note: More information about custom mapping expressions exists in Certificate Attributes that Require Custom Mappings.
The custom mapping is saved. The Policy Server now handles requests from different types of certificate-generation tools (such as certutil.exe and OpenSSL) and the CA SiteMinder® Test tool where the Email attribute is represented differently in the issuer DN. You can use this process for any of the other attributes mentioned in Certificate Attributes that Require Custom Mappings.
Copyright © 2015 CA Technologies.
All rights reserved.
|
|