Validating a successful module mapping

To confirm a successful module mapping for users, ensure that a Security Verify Access policy is set on a protected resource so that it refuses unauthenticated users and allows authenticated ones.

Before you begin

Before accessing this resource in a browser, ensure the client certificate is imported into the browser. See your browser help for instructions on how to import a certificate.
  1. When attempting to access a protected resource, the browser prompts you to select a client certificate. Select the client certificate which you just imported into the browser. The WebSEAL log contains trace messages pertinent to the mapping module, indicating success or failure, assuming the debugging level was set appropriately in the WebSEAL configuration file as described in Configure WebSEAL to use the certificate mapping module.
  2. The result of the XSLT transformation dictates whether the mapping module must perform a user registry search or not. The mapping module conducts a user registry search if the result is in the following form:

      !userreg base='baseDN' attr='attrName' ! ldapSearchFilter!

    Otherwise, the mapping module does not conduct a user registry search. The result of the search is a Security Verify Access user ID or a DN of a user.

    The WebSEAL log is typically at /var/pdweb/log/msg_webseal-instance.log on UNIX machines. It is at C:\Program Files\Tivoli\PDWeb\log\msg_webseal-instance.log on Windows machines. If the mapping is successful and a search was performed in the user registry, the following message is displayed in the WebSEAL log:

    2012-06-07-16:37:11.113+10:00I----- thread(2) trace.pd.cas.certmap:5 /sandbox/amwebrte611/src/pdwebrte/authn/modules/certmapauthn/AMWCertLDAPUserRegistry.cpp:146: ISAM user identity: testuser

    If no search was performed in the registry, only a message similar to the following is displayed:

    2012-06-07-18:34:29.200+10:00I----- thread(2) trace.pd.cas.certmap:3 /sandbox/amwebrte611/src/pdwebrte/authn/modules/certmapauthn/AMWCertRulesEngine.cpp:219: result: CN=testuser,O=IBM,C=AU
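
The check described in step 2 can be scripted against the WebSEAL log. The following is an added example, not IBM code: it parses trace.pd.cas.certmap lines in the layout shown above and reports whether the mapping completed with or without a user registry search. The status names, the sample base DN and filter, and the assumption that a `!userreg` result is itself traced as a `result:` line are illustrative and do not come from the product.

```python
import re

# Layout taken from the two trace lines shown above:
# timestamp, severity flag, thread, component:level, source:line, message.
TRACE = re.compile(
    r"^(?P<ts>\S+?)[A-Z]-+\s+thread\(\d+\)\s+trace\.pd\.cas\.certmap:(?P<level>\d+)"
    r"\s+\S+:\d+:\s+(?P<msg>.*)$"
)
# XSLT result form that makes the mapping module search the user registry.
# The filter group is greedy because LDAP filters may contain '!' (NOT).
USERREG = re.compile(
    r"^!userreg\s+base='(?P<base>[^']*)'\s+attr='(?P<attr>[^']*)'\s*!\s*(?P<filter>.*)!$"
)

def parse_userreg(result):
    """Return base/attr/filter if the result requests a registry search, else None."""
    m = USERREG.match(result.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Classify one authentication attempt from its certmap trace lines."""
    identity = result = None
    for raw in lines:
        m = TRACE.match(raw.strip())
        if not m:
            continue  # not a certmap trace line
        key, _, value = m["msg"].partition(": ")
        if key == "ISAM user identity":
            identity = value
        elif key == "result":
            result = value
    if identity is not None:
        return {"status": "mapped-after-search", "identity": identity}
    if result is None:
        return {"status": "no-certmap-trace", "identity": None}
    if parse_userreg(result):
        # Assumption: a search was requested but no identity line followed.
        return {"status": "search-unconfirmed", "identity": None}
    return {"status": "mapped-without-search", "identity": result}

# Sample input: the first SEARCHED line is constructed, the others are from this page.
PRE, SRC = "thread(2) trace.pd.cas.certmap", "/sandbox/amwebrte611/src/pdwebrte/authn/modules/certmapauthn"
NO_SEARCH = [f"2012-06-07-18:34:29.200+10:00I----- {PRE}:3 {SRC}/AMWCertRulesEngine.cpp:219: result: CN=testuser,O=IBM,C=AU"]
SEARCHED = [
    f"2012-06-07-16:37:11.100+10:00I----- {PRE}:3 {SRC}/AMWCertRulesEngine.cpp:219: result: !userreg base='o=ibm,c=au' attr='cn' ! (cn=testuser)!",
    f"2012-06-07-16:37:11.113+10:00I----- {PRE}:5 {SRC}/AMWCertLDAPUserRegistry.cpp:146: ISAM user identity: testuser",
]
if __name__ == "__main__":
    print(summarize(SEARCHED), summarize(NO_SEARCH))
```

A `no-certmap-trace` result usually means the debugging level for the mapping module is not set in the WebSEAL configuration file, so check that before concluding that the mapping failed.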
