Policy Server Guides › Policy Server Configuration Guide › SiteMinder Test Tool › Certificate-based Authentication Tests

Certificate-based Authentication Tests

The CA SiteMinder® Test Tool simulates user authentication and authorization. Certificate-based authentication schemes require additional configuration.

Different certificate-generation tools sometimes affect the format of the Issuer DN and other attributes of a certificate.

For example, the Issuer DN for a certificate generated with certutil.exe on an IIS web server could use ST= to represent the state. However, the Issuer DN for a certificate generated with OpenSSL tools on an Oracle iPlanet web server could possibly use S= to represent the state.

Note: For more information about the actual values used by a specific certificate-generation tool, see the documentation provided by the vendor of your certificate-generation tool.

To test certificate-based authentication schemes, configure certificate mappings in the Policy Server to accommodate certificates created with different certificate-generation tools.

Certificate Attributes that Require Custom Mappings

Some common certificate attributes differ slightly according to the third-party tool (such as certutil.exe or OpenSSL) used to generate the certificate. Differences between the following attributes could possibly cause errors in the CA SiteMinder® Test Tool:

Email Address

Represented by E or Email depending on the vendor of the certificate-generation tool.

US State

Represented by S or ST depending on the vendor of the certificate-generation tool.

User ID Number

Represented by UID or UserID depending on the vendor of the certificate-generation tool.

Note: For more information about the actual values used by a specific certificate-generation tool, see the documentation provided by the vendor of your certificate-generation tool.

Custom Attribute Mappings for Testing

Using the CA SiteMinder® Test Tool for a certificate authentication scheme sometimes fails, even if it works typically (through a browser and the web server). The authentication log shows that the Test Tool expects a different format of the Issuer DN than the Issuer DN format used in the certificate.

This situation occurs when the Issuer DN and other attributes differ according to the type of certificate-generation tool used. For example, the certutil.exe program on an IIS web server could possibly use ST= to abbreviate the name of the state in the Issuer DN. The OpenSSL tools on an Oracle iPlanet web server, however, could possibly use S= to abbreviate the name of the state.

Note: For more information about the actual values used by a specific certificate-generation tool, see the documentation provided by the vendor of your certificate-generation tool.

The situation is similar for the other attributes listed in Certificate Attributes that Require Custom Mappings.

To resolve this problem, have an administrator create mappings for each Issuer DN format in the Policy Server. Then, the Policy Sever can accept the Issuer DN formats created by different certificate-generation tools.

Issuer DN Mapping

Different certificate-generation tools (such as certutil.exe and OpenSSL) create the Issuer DN in slightly different ways. For example, one tool could possibly create an Issuer DN like the following:

CN=Personal Freemail RSA 2000.8.30, OU=Certificate Services, O=Thawte, L=Cape Town, S=Western Cape, C=ZA

Another tool could possibly create an Issuer DN like the following:

CN=Personal Freemail RSA 2000.8.30, OU=Certificate Services, O=Thawte, L=Cape Town, ST=Western Cape, C=ZA

To support multiple possibilities, have your administrator create mappings in the Policy Server for all Issuer DN formats in your environment.

Note: For more information about the actual values used by a specific certificate-generation tool, see the documentation provided by the vendor of your certificate-generation tool.

Create Custom Certificate Mappings

You can use the certificate-mapping feature of the CA SiteMinder® Policy Server to provide custom mappings for certificates.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To create and use a custom attribute in a certificate mapping

1. Click Infrastructure, Directory.
2. Click Certification Mapping, Create Certificate Mapping.

   The Create Certificate Mapping pane opens.

3. Verify that Create a new object is selected, and click OK.

   Certificate mapping settings open.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

4. Enter the full issuer DN in the Issuer DN field.
5. Select the Custom radio button in the Mapping group box.

   The Mapping Expressions field opens.

6. Enter a custom mapping expression.

   This notation is used to specify two different attributes that are acceptable for a certificate mapping.

   • For Email:

     %{E/Email}

   • For ST:

     %{S/ST}

   • For User Id:

     %{UID/UserID}

   Note: More information about custom mapping expressions exists in Certificate Attributes that Require Custom Mappings.

7. Click Submit.

   The custom mapping is saved. The Policy Server now handles requests from different types of certificate-generation tools (such as certutil.exe and OpenSSL) and the CA SiteMinder® Test tool where the Email attribute is represented differently in the issuer DN. You can use this process for any of the other attributes mentioned in Certificate Attributes that Require Custom Mappings.

More Information:

Certificate Mapping for X.509 Client Authentication Schemes