Map certificates to users
Overview
Client-side certificates support access to secured resources from Web or Java clients. A client presents an X.509-compliant digital certificate to perform mutual authentication with a single sockets layer-enabled server. The product security run time attempts to map the certificate to a known user in the associated Lightweight Directory Access Protocol (LDAP) directory or the custom registry. If the certificate successfully maps to a user, then the holder of the certificate is regarded as the user in the registry and is authorized as this user. In the case of LocalOS registry, the DN is parsed and the name between the first equals (=) and comma (,) is used as the mapped name. If the DN does not contain the "=", the complete name is used. If there is no "," in the DN, everything after the "=" is used as the name.
After the single sockets layer-enabled server gets the client certificate, the server needs to map the certificate to a user. WAS supports two techniques for mapping certificates to entries in LDAP registries:
- By exact distinguished name
- By matching attributes in the certificate to attributes of LDAP entries
Procedure
- Map by exact distinguished name (DN).
This approach attempts to map the distinguished name (DN) associated with the Subject field in the certificate to an entry in the LDAP directory. If the mapping is successful, the user is authenticated and is authorized according to the privileges granted to the identity in the LDAP directory.
The mapping is case insensitive. For example, the following two DNs match on a case-insensitive comparison:
"cn=Smith, ou=NewUnit, o=NewCompany, c=us" "cn=smith, ou=newunit, o=NewCompany, c=US"If a match is found, authentication succeeds; if no match is found, authentication fails.
- Map by filtering certificate attributes.
This approach maps certificate attributes to attributes of entries in an LDAP directory. For example, one can specify that the common name (CN) attribute of the Subject field in the certificate must match the uid attribute of your LDAP entry. If the mapping is successful, the user is authenticated and is authorized according to the privileges granted to the identity in the LDAP directory.
If you are matching the Subject CN field in the certificate to the uid attribute of the LDAP entry, a certificate with the Subject DN "cn=Smith, ou=NewUnit, o=NewCompany, c=us" matches an LDAP user entry with uid=Smith.
To use this mapping technique, request certificate mapping and set up the certificate filter in the administrative console.
What to do next
This specification extracts the CN field from the Subject attribute in the certificate (Smith) and creates a filter (user ID = Smith) from it. The LDAP directory is searched for a user entry that matches the filter. If an entry matches the filter, authentication succeeds.Note: The search and match of the LDAP directory are based in part on how your LDAP directory is configured.