If SiteMinder is configured to perform CRL checking and a user presents a client certificate that has been revoked, SiteMinder finds the certificate in the CRL and rejects the authentication.
Note: The Policy Server cannot verify the status of a certificate using a Certificate Revocation List (CRL) larger than 64 KB. The limit comes from the third-party libraries that are used to parse CRLs, so check the size of the DER-encoded CRL each CA publishes before relying on CRL checking for that CA.
SiteMinder compares certificates against CRLs stored in an LDAP directory and verifies the signature of each CRL with the Certificate Authority (CA) public certificate, which it also retrieves from the LDAP directory. SiteMinder supports the following RSA algorithms for signature verification:
CA administrators must keep CRLs up to date. If SiteMinder retrieves an expired CRL (one whose NextUpdate time has passed), all certificates issued by that CA are denied access, not only the revoked ones. If multiple CRLs exist, SiteMinder searches for and uses the most recent one. If a CA's public certificate is not available, or your CRL is signed with an unsupported algorithm, you can turn off signature checking during the CRL verification process.
Note: If signature checking is turned off, the Policy Server accepts whatever CRL it reads from the directory. Anyone who can modify the CRL entry can then suppress a revocation (by substituting a stale or edited CRL) or lock out every user of that CA, so restrict write access to the CRL and CA entries and protect the LDAP directory and the connection to it accordingly.
Note: When you create or modify a Policy Server object in the Policy Server User Interface, use ASCII characters. Object creation or modification with non-ASCII characters is not supported.
To configure CRL checking
CRL checking is an additional level of security: the Policy Server retrieves a CRL from an LDAP directory, verifies the CRL, and then confirms that the user's certificate has not been revoked. The Policy Server performs CRL checking only when the Perform CRL Checks check box is marked.
The LDAP user directory connection must be defined using the SiteMinder User Directory dialog. If the user directory connection has not been defined, click Create to open the SiteMinder User Directory dialog and add the new directory connection.
By default SiteMinder locates the CA in the CRL LDAP directory using the Issuer DN from the client certificate. It is possible for the CA's DN in the LDAP directory to differ from the Issuer DN in the client certificate; in that case, you must specify the DN of the CA as it appears in the LDAP CRL directory in this field.
When you enable signature verification, the Policy Server checks the CA’s public certificate against a signature stored in the policy database.
Large CRLs may contain multiple distribution points that can be used to locate a revoked user. A distribution point indicates a starting point in the CRL LDAP directory for the check, so SiteMinder does not have to search the entire CRL for a particular user, which saves processing time.
When this check box is marked, SiteMinder looks at a user’s certificate, and retrieves the distribution point from the certificate, then uses it to find the appropriate LDAP directory entry point for the CRL.
When you mark this check box, SiteMinder checks the NextUpdate field in the CRL for the date when the cached CRL information should be deleted and replaced with updated CRL information. SiteMinder uses the cached CRL information until the date specified in the NextUpdate field of the CRL.
The NextUpdate field in the CRL is optional. If the CRL has no NextUpdate value, SiteMinder does not cache the CRL information, so each check reads the CRL from the directory.
The new mapping appears in the Current Mappings list of the Directory Mappings dialog.
Copyright © 2011 CA. All rights reserved.