Map certificates to users
Client-side certificates support access to secured resources from Web or Java clients. A client presents an X.509-compliant digital certificate to perform mutual authentication with a Secure Sockets Layer (SSL)-enabled server. The product security runtime attempts to map the certificate to a known user in the associated Lightweight Directory Access Protocol (LDAP) directory. If the certificate successfully maps to a user, the holder of the certificate is regarded as that user in the registry and is authorized as that user.
After the SSL-enabled server receives the client certificate, the server needs to map the certificate to a user. WebSphere Application Server supports two techniques for mapping certificates to entries in LDAP registries:
By exact distinguished name (DN)
This approach attempts to map the distinguished name (DN) associated with the Subject field in the certificate to an entry in the LDAP directory. If the mapping is successful, the user is authenticated and is authorized according to the privileges granted to the identity in the LDAP directory. The mapping is case insensitive. For example, the following two DNs match on a case-insensitive comparison:
"cn=Smith, ou=NewUnit, o=NewCompany, c=us"
"cn=smith, ou=newunit, o=NewCompany, c=US"
If a match is found, authentication succeeds; if no match is found, authentication fails.
By filtering certificate attributes
This approach maps certificate attributes to attributes of entries in an LDAP directory. For example, you can specify that the common name (CN) attribute of the Subject field in the certificate must match the uid attribute of your LDAP entry. If the mapping is successful, the user is authenticated and is authorized according to the privileges granted to the identity in the LDAP directory. If you are matching the Subject CN field in the certificate to the uid attribute of the LDAP entry, a certificate with the Subject DN "cn=Smith, ou=NewUnit, o=NewCompany, c=us" matches an LDAP user entry with uid=Smith.
To use this mapping technique, request certificate mapping and set up the certificate filter in the administrative console. For more information, see Configure LDAP search filters.
This filter specification (Subject CN matched against the LDAP uid attribute) extracts the CN value from the Subject field of the certificate (Smith) and creates a filter (user ID = Smith) from it. The LDAP directory is searched for a user entry that matches the filter. If an entry matches the filter, authentication succeeds.
Note: The search and match of the LDAP directory are based in part on how your LDAP directory is configured.
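The two mapping techniques described above, as an added illustration in Python that is not part of the product or this documentation. It assumes a simplified DN parser (comma-separated RDNs, no escaped commas) and constructed sample entries; the directory search is simulated in memory, and whether the uid comparison is case-sensitive depends on the attribute's matching rule in your LDAP schema, as the note above says.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data: a client certificate Subject DN and two LDAP entries
# (not taken from any real directory).
CERT_SUBJECT_DN = "cn=Smith, ou=NewUnit, o=NewCompany, c=us"
LDAP_ENTRIES = [
    {"dn": "cn=smith, ou=newunit, o=NewCompany, c=US", "uid": "Smith"},
    {"dn": "cn=jones, ou=newunit, o=NewCompany, c=US", "uid": "Jones"},
]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs. Simplified: comma-separated RDNs only."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def normalize_dn(dn: str) -> str:
    """Canonical form for the case-insensitive comparison: lower-case types and
    values, no whitespace around separators."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))


def map_by_exact_dn(cert_dn: str, entries: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Technique 1: the Subject DN must equal an entry DN (case-insensitively)."""
    target = normalize_dn(cert_dn)
    return next((e for e in entries if normalize_dn(e["dn"]) == target), None)


def subject_attribute(cert_dn: str, cert_attr: str) -> str:
    """Return one Subject attribute value (e.g. the CN) from the certificate DN."""
    for attr, value in parse_dn(cert_dn):
        if attr == cert_attr.lower():
            return value
    raise ValueError(f"certificate Subject has no {cert_attr} attribute")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: certificate contents are untrusted input to the
    directory, so they must not be able to change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def build_attribute_filter(cert_dn: str, cert_attr: str = "cn", ldap_attr: str = "uid") -> str:
    """Technique 2: build the search filter, e.g. "(uid=Smith)" from Subject CN."""
    return f"({ldap_attr}={escape_filter_value(subject_attribute(cert_dn, cert_attr))})"


def map_by_attribute_filter(cert_dn: str, entries: List[Dict[str, str]],
                            cert_attr: str = "cn", ldap_attr: str = "uid") -> Optional[Dict[str, str]]:
    """Simulated directory search; assumes caseIgnoreMatch for ldap_attr."""
    wanted = subject_attribute(cert_dn, cert_attr).lower()
    return next((e for e in entries if e.get(ldap_attr, "").lower() == wanted), None)
```

Both techniques return None when no entry matches, which is the authentication-failure case the text describes; the escaping in build_attribute_filter is the check a practitioner should confirm their own filter construction performs.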