For the Policy Server to use a certificate to identify a user, it compares the certificate information to a user record in the user directory. A certificate mapping defines how the Policy Server uses the Subject Name from the user certificate to locate a CA SiteMinder® user in a user directory and then authenticate that user.
You can configure certificate mapping for users whose authentication information is stored in a Microsoft SQL Server, Oracle, or LDAP user directory.
To determine how to compare user certificate information with the information stored in the user directory, configure a certificate mapping.
Follow these steps:
When entering the DN, escape reserved special characters with a backslash (\). Special characters include:
More information about reserved special characters for DNs exists at http://www.faqs.org/rfcs/rfc2253.html.
Note: If you use a relational database as a policy store, Issuer DNs cannot exceed 255 characters. If you use an LDAP directory as a policy store, verify the character limit for your specific directory.
For LDAP directories only, you can configure the Policy Server to verify that the certificate the user presents matches the certificate that is stored in the user record in the user directory. The Certificate Required in Directory option lets you require this verification.
Note: The attribute in the user record where the certificate is stored is named usercertificate.
If you do not select CRLs, you can use OCSP.
The certificate is mapped with the selected user directory.
Testing a certificate mapping displays the search string the Policy Server is to use to map client certificates to user directory attributes.
Follow these steps:
The Certificate Map Test pane opens.
Note: The Directory list includes all of the existing directory connections of the type you selected when creating the certificate mapping.
The contents of the Directory Information group box change depending on the type of user directory connection. For WinNT, ODBC and OCI user directory connections, the group box displays the Directory Type you are testing. For LDAP directory connections, the group box displays the Directory Type and the Lookup Start and Lookup End values used to locate a user DN within the LDAP directory.
The Policy Server tests the certificate mapping and the Certificate Map Test group box provides the results.
The Certificate Map Test group box closes.
You can use custom mapping expressions for complex multiple attribute mapping. Custom mapping expressions allow you to specify multiple user attributes to extract from a user DN to establish a certificate mapping.
Note: Custom mapping expressions are also useful when simulating certificate-based authentications through the Test Tool.
The syntax for a custom mapping expression is a parsing specification that is designed to enable full mapping flexibility. The syntax indicates which information to take from the certificate and where to apply it in the user directory. The basic syntax is as follows:
UserAttribute=%{CertificateAttribute},
UserAttribute2=%{CertificateAttribute}
When you create a custom certificate mapping for an LDAP user directory, the resulting search query string incorrectly includes the LDAP User DN Lookup Start and End strings. (Only the mapping expression that you specify on the Create Certificate Mapping pane is required.) The resulting query is invalid, as seen in the following example:
(samAccountName=
)
(mail=%{E})
(samAccountName=(mail=%{E}))
To omit the User DN Lookup Start and End strings from the search query, navigate to \Netegrity\SiteMinder\CurrentVersion\PolicyServer\ and set the EnableCustomExprOnly registry key to 1. The resulting search query string is valid, as seen in this example:
mail=%{E}
mail=%{E}
Note: If the EnableCustomExprOnly registry key is 0 (the default) or the key does not exist, the User DN Lookup Start and End strings are included in the resulting search query.
To use LDAP syntax to create search filters that contain logic operators, enable the LegacyCertMapping registry key. Enabling the registry key allows legacy behavior in certificate mapping, which ensures that users are authenticated using the specified LDAP search criteria.
KeyType: DWORD
Values: 0 (disabled) and 1 (enabled)
Default: 0
To enable the registry key on Windows
Note: If a value other than 0x1 is set, or the registry value does not exist, the registry key is disabled.
LegacyCertMapping is enabled, and LDAP search filter syntax can be used with custom mapping.
To enable the registry key on UNIX
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\ PolicyServer=XXXXX LegacyCertMapping=0X1 REG_DWORD
LegacyCertMapping is enabled, and LDAP search filter syntax can be used with custom mapping.
If a user certificate contains:
SubjectDN: CN=John Smith, UID=JSMITH, OU=development, O=CompanyA
You can specify the following custom mapping:
CN=%{UID}, OU=%{OU}, O=%{O}
The resulting UserDN is:
CN=JSMITH, OU=development, O=CompanyA
The custom mapping syntax also handles more complex mappings, as illustrated in the example:
If the user certificate contains:
Subject DN: CN=John Smith + UID=jsmith +EMAIL=jsmith@companyA.com, ou=development, o=companyA
You can specify the following custom mapping:
CN=%{CN.CN}+UID=%{CN.UID}, OU=%{O}
The resulting UserDN is:
CN=John Smith+UID=JSMITH, OU=companyA
In the previous example, the CN contained multiple attributes. The syntax indicated which components of the CN to take and apply to the CN of the UserDN by specifying “CN.CN or CN.UID.” This syntax indicates that the custom expression uses both the CN and UID parts of the CN.
Note: You cannot use the “+” operator to disambiguate multiple attributes in a user directory. The “+” operator is used like any other character in the user DN for a user that is present in the user directory.
Static text can be represented in a custom expression by leaving it outside of the bracket notation.
The user certificate contains:
Subject DN: CN=John Smith, UID=JSMITH, OU-development
You can specify the following mapping:
CN=%{UID}, OU=%{OU}, O=companyA
The resulting UserDN is:
CN=JSMITH, OU=development, O=CompanyA
The template string is composed of text and hash-bracketed expressions %{…}. All text outside the brackets is returned unchanged. The hash-bracketed expressions are evaluated based on the following rules:
Certificate Mapping supports mapping of the CertSerialNumber and IssuerDN attributes, which are not part of the subjectDN. These attributes in the subjectDN of user certificates can be mapped to default or custom user-attributes, such as UID or CN in the user directory.
To map these attributes, add the following notation in the Mapping Expressions field in the Certificate Mapping pane:
Some certificates can have multiple attributes of the same type in their Subject DN. CA SiteMinder® supports a simple method for using a custom certificate mapping to see attributes other than the first attribute of a particular type. The syntax is as follows:
%{attribute_name} for the first occurrence of attribute_name
%{attribute_nameN} for the Nth occurrence of attribute_name
For example, If the Subject DN of the certificate contains the following attributes, you can set up a custom certificate mapping to any of the sn attributes:
CN=user,ou=dev,sn=1234,sn=2345,sn=3456,o=company,c=us
So, to map to the first sn, enter %{sn} as the custom mapping. To map to the second sn, you could enter %{sn2} as the custom mapping.
Sometimes, certificates for individuals can be slightly different. For example, some users can have two account numbers, while others have a single number. In these cases, you can map to the second of the numbers when a second attribute exists. You can do so using the following notation:
%{attribute_name2/attribute_name}
In the previous example, you could enter %{SN2/SN} as a custom mapping to indicate that the second number in the Subject DN should be used if it exists; otherwise, the first occurrence of the account number attribute should be used.
This notation can also be used to specify two different attributes that are acceptable for a certificate mapping. For example, to indicate that the SN should be used, but a CN can be used if the SN does not exist, you can enter %{SN/CN}.
|
Copyright © 2015 CA Technologies.
All rights reserved.
|
|