Specifying the certificate user key and subject key attributes to search
When you configure an authentication profile to manage certificate-based authentication for SafeLinx Clients, you can require the SafeLinx Server to verify that attributes in the certificate are valid. Validation can occur through comparison with user information in either the SafeLinx Server user account database or in an enterprise LDAP directory. If validation is managed through the SafeLinx Server user account database, you can use rules to specify the attributes to compare.
Before you begin
- Verify certificate subject attributes
- Verify user account attributes
About this task
To configure attribute matching, you specify attributes twice: first, the certificate attribute to extract (Certificate subject key match string), and again the user record attribute (Certificate user key match string) to use for comparison. The attribute values that you specify in each field must correspond to each other. That is, for each certificate attribute that you want to search, specify the equivalent attribute from the account database.
After you enable attribute validation, the SafeLinx Server extracts the specified subject attribute from the subject key of a certificate that a client presents for authentication. The Connection Manager then searches its user account database for a record that contains a matching value for the corresponding attribute. The default attribute search value is dn, but you can specify a different value. The attribute that you specify can be a single, simple attribute, such as cn. Or you can construct an attribute rule, in which you name a second attribute to extract from a base attribute. For example, to match on a CN attribute that is extracted from a base DN attribute, you would use the rule dn:cn. To try to match one of multiple attributes that you extract from a base attribute, provide a list of rules in which a comma separates each rule; for example, dn:o, dn:c. The SafeLinx Server first looks for a match for the organization (O) that it extracts from the DN. Then, if no match is found, it proceeds to look for a matching country (C) attribute.
You can also list multiple rules that do not relate to a common base attribute. Insert a semicolon (;) between rules. If you list multiple attribute rules, the SafeLinx Server searches for the attribute that is specified by the first rule in the list. Then, if no match is found, it proceeds to the next rule. For example, if you want the SafeLinx Server to try the DN first, but then try other values if there is no DN match, you can list other values after dn.
Procedure
1. From the SafeLinx Administrator, open the properties for a certificate-based authentication profile and then click the Certificate-based Authentication tab.
2. In the Certificate user key match string field, type the attribute or attribute rules that you want the SafeLinx Server to search for in the user account record.
3. In the Certificate subject key match string field, type the attribute or attribute rules that you want the SafeLinx Server to extract from the client certificate.
The values that you specify in Step 3 must name attributes that are equivalent to the attributes that you specify in Step 2.
Example
- To instruct the SafeLinx Server to search for the complete DN only, specify dn in both the Certificate user key match string and Certificate subject key match string fields.
- If you want the SafeLinx Server to try the DN first, but then try other values if there is no DN match, list the other values after dn. For example, to try the full DN, then the common name (CN), and then the organization (O) and country (C) values of the DN, type the following rules:
  - In the Certificate user key match string field, type dn; cn; dn:o, dn:c
  - In the Certificate subject key match string field, type dn; dn:cn; dn:o, dn:c
  The SafeLinx Server looks for a match between the full user DN in the account database and the full DN that it extracts from the certificate subject key. If there is no match, the SafeLinx Server next compares the CN attribute in the user record with the CN value that it extracts from the DN in the certificate. If there is still no match, it extracts the O and the C attributes from the DNs in both the user record and the certificate subject key. If these values match, authentication is granted.
- If you want the SafeLinx Server to search for attributes that match users' email addresses only, complete each field as described in the following list:
  - In the Certificate user key match string field, type mail
  - In the Certificate subject key match string field, type dn:email
  The SafeLinx Server looks for a match between the email address that is listed in the user account database and the email address portion of the DN in the certificate.
- If you want the SafeLinx Server to search for attributes that match the organization (O) and the country (C), complete each field as described in the following list:
  - In the Certificate user key match string field, type dn:dc, dn:dc
  - In the Certificate subject key match string field, type dn:o, dn:c
  In the preceding example, the user record in the SafeLinx Server account database includes a domain component (DC) attribute. The SafeLinx Server first looks for a match between the O value in the certificate's subject DN and any domain component value. If there is a match, it then extracts the C value from the certificate subject DN and looks for a matching DC value in the DN of the user account record. If the O and the C values match, authentication is granted.
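The match-string syntax described under About this task and used in the examples, modelled as an added illustrative Python example (not SafeLinx code): semicolons separate rules tried in order, commas separate alternatives under one base attribute, and base:attr extracts one RDN value from a DN. It assumes user records are dicts with a dn key plus flat attributes, and compares DN values as plain strings, which is a simplification of real DN matching.

```python
# Illustrative model of the SafeLinx match-string syntax (added example, not SafeLinx code).
# Assumptions: a user record is a dict with a 'dn' key plus flat attributes such as 'cn' and
# 'mail'; DN values are simple comma-separated RDNs and are compared as exact strings.
from typing import Optional

def parse_dn(dn: str) -> dict:
    """Split 'cn=alice,o=Example,c=US' into {'cn': 'alice', 'o': 'Example', 'c': 'US'}."""
    parts = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts

def parse_rules(match_string: str) -> list:
    """Semicolons separate rules tried in order; commas separate alternatives under one base.
    'dn; dn:cn; dn:o, dn:c' -> [['dn'], ['dn:cn'], ['dn:o', 'dn:c']]"""
    return [[r.strip() for r in group.split(",") if r.strip()]
            for group in match_string.split(";") if group.strip()]

def extract(record: dict, rule: str) -> Optional[str]:
    """Apply 'attr' (use the attribute as-is) or 'base:attr' (pull attr out of the base DN)."""
    base, _, sub = rule.partition(":")
    value = record.get(base)
    if value is None:
        return None
    return value if not sub else parse_dn(value).get(sub)

def find_match(subject_rules: str, user_rules: str, cert_subject_dn: str, users: list) -> Optional[dict]:
    """Walk the paired rule lists in order and return the first user record that matches."""
    cert = {"dn": cert_subject_dn}
    for subj_group, user_group in zip(parse_rules(subject_rules), parse_rules(user_rules)):
        for subj_rule, user_rule in zip(subj_group, user_group):  # alternatives: first hit wins
            wanted = extract(cert, subj_rule)
            if wanted is None:
                continue
            for user in users:
                if extract(user, user_rule) == wanted:
                    return user
    return None

# Constructed sample user account records (not real data).
USERS = [
    {"dn": "cn=alice,o=Example,c=US", "cn": "alice", "mail": "alice@example.test"},
    {"dn": "cn=bob,o=Example,c=US", "cn": "bob", "mail": "bob@example.test"},
]
USER_RULES = "dn; cn; dn:o, dn:c"        # Certificate user key match string from the example
SUBJECT_RULES = "dn; dn:cn; dn:o, dn:c"  # Certificate subject key match string from the example
```

Running find_match with a certificate such as cn=carol,o=Example,c=FR returns alice through the dn:o fallback even though neither the DN nor the CN matches any record, which shows why trailing broad rules should be reviewed before they are enabled.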