Specifying the certificate user key and subject key attributes to search

When you configure an authentication profile to manage certificate-based authentication for SafeLinx Clients, you can require the SafeLinx Server to verify that attributes in the certificate are valid. Validation can occur through comparison with user information in either the SafeLinx Server user account database or in an enterprise LDAP directory. If validation is managed through the SafeLinx Server user account database, you can use rules to specify the attributes to compare.

Before you begin

This task applies to certificate-based authentication profiles for which you enable both of the following options:
  • Verify certificate subject attributes
  • Verify user account attributes

About this task

To verify subject attributes in X.509 certificates that are presented by SafeLinx Clients, you can compare the attributes to information in the SafeLinx Server user account database. If matching values are found, authentication is granted.

To configure attribute matching, you specify attributes twice: first, the certificate attribute to extract (Certificate subject key match string), and again the user record attribute (Certificate user key match string) to use for comparison. The attribute values that you specify in each field must correspond to each other. That is, for each certificate attribute you want to search, specify the equivalent attribute from the account database.

After you enable attribute validation, the SafeLinx Server extracts the specified subject attribute from the subject key of a certificate that a client presents for authentication. The Connection Manager then searches its user account database for a record that contains a matching value for the corresponding attribute.

The default attribute search value is dn, but you can specify a different value. The attribute that you specify can be a single, simple attribute, such as cn. Or you can construct an attribute rule, in which you name a second attribute to extract from a base attribute. For example, to match on a CN attribute that is extracted from a base DN attribute, you would use the rule dn:cn. To try to match one of multiple attributes that you extract from a base attribute, provide a list of rules in which a comma separates each rule; for example, dn:o, dn:c. The SafeLinx Server first looks for a match for the organization (O) that it extracts from the DN. Then, if no match is found, it proceeds to look for a matching country (C) attribute.

You can also list multiple rules that do not relate to a common base attribute. Insert a semi-colon (;) between rules. If you list multiple attribute rules, the SafeLinx Server searches for the attribute that is specified by the first rule in the list. Then, if no match is found, it proceeds to the next rule. For example, if you want the SafeLinx Server to try the DN first, but then try other values if there is no DN match, you can list other values after dn.

Procedure

  1. From the SafeLinx Administrator, open the properties for a certificate-based authentication profile and then click the Certificate-based Authentication tab.
  2. In the Certificate user key match string field, type the attribute or attribute rules that you want the SafeLinx Server to search for in the user account record.
  3. In the Certificate subject key match string field, type the attribute or attribute rules that you want the SafeLinx Server to extract from the client certificate.

    The values that you specify in Step 3 must name attributes that are equivalent to the attributes you specify in Step 2.

Example

The following list provides examples of several possible attribute rules:
  • To instruct the SafeLinx Server to search for the complete DN only, you would specify dn in both the Certificate user key match string and Certificate subject key match string fields.
  • If you want the SafeLinx Server to try the DN first, but then try other values if there is no DN match, you would list the other values after dn. For example, to try the common name (CN) next, and then the organization (O) and country (C) values of the DN, type the following rules:
    • In the Certificate user key match string field, type dn; cn; dn:o, dn:c
    • In the Certificate subject key match string, type dn; dn:cn; dn:o, dn:c

    The SafeLinx Server looks for a match between the full user DN in the account database and the full DN that it extracts from the certificate subject key. If there is no match, the SafeLinx Server next compares the CN attribute in the user record with the CN value that it extracts from the DN in the certificate. If there is still no match, it extracts the O and the C attributes from the DNs in both the user record and the certificate subject key. If these values match, authentication is granted.

  • If you want the SafeLinx Server to search for attributes that match users' email addresses only, complete each field as described in the following list:
    • In the Certificate user key match string field, type mail
    • In the Certificate subject key match string, type dn:email

    The SafeLinx Server looks for a match between the email address that is listed in the user account database and the email address portion of the DN in the certificate.

  • If you want the SafeLinx Server to search for attributes that match the organization (o) and the country (c), complete each field as described in the following list:
    • In the Certificate user key match string field, type dn:dc, dn:dc
    • In the Certificate subject key match string, type dn:o, dn:c

    In the preceding example, the user record in the SafeLinx Server account database includes a domain component (DC) attribute.

    The SafeLinx Server first looks for a match between the o value in the certificate's subject DN, and any domain component value.

    If there is a match, the SafeLinx Server then extracts the c value from the certificate subject DN and looks for a matching DC value in the DN of the user account record. If the O and the C values match, authentication is granted.
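The following Python script is an added illustration of the rule syntax described in "About this task" and exercised in the examples above; it is not SafeLinx code, and the constructed certificate subject, user record, and the positional pairing of rules between the two match strings are assumptions made for the illustration.

```python
"""Illustrative evaluator for SafeLinx-style certificate attribute match rules."""
from typing import Dict, List, Optional

# Constructed sample data for the illustration; not taken from any real deployment.
CERT_SUBJECT = {"dn": "cn=Jane Doe,o=Example Corp,c=US,email=jane@example.com"}
USER_RECORD = {
    "dn": "cn=Jane Doe,ou=Sales,o=Example Corp,c=US",
    "cn": "Jane Doe",
    "mail": "jane@example.com",
}


def parse_rules(match_string: str) -> List[List[str]]:
    """';' separates independent rules; ',' separates alternatives that share a base
    attribute. 'dn; dn:cn; dn:o, dn:c' -> [['dn'], ['dn:cn'], ['dn:o', 'dn:c']]."""
    return [[alt.strip().lower() for alt in group.split(",") if alt.strip()]
            for group in match_string.split(";") if group.strip()]


def parse_dn(dn: str) -> Dict[str, str]:
    """Simplified RDN parsing (assumes no escaped commas or multi-valued RDNs)."""
    pairs = (part.split("=", 1) for part in dn.split(",") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}


def extract(record: Dict[str, str], rule: str) -> Optional[str]:
    """'attr' reads the attribute directly; 'base:sub' reads sub out of the DN in base."""
    base, _, sub = rule.partition(":")
    value = record.get(base)
    if value is None or not sub:
        return value
    return parse_dn(value).get(sub)


def match_user(user_rules: str, subject_rules: str,
               user: Dict[str, str], cert: Dict[str, str]) -> Optional[str]:
    """Return the first rule pair whose values agree, or None if nothing matches.
    Assumption: rule groups and alternatives are paired by position across the
    two match strings and tried in order; comparison is a case-insensitive
    string match (a full-DN compare here ignores attribute ordering issues)."""
    for ugroup, sgroup in zip(parse_rules(user_rules), parse_rules(subject_rules)):
        for urule, srule in zip(ugroup, sgroup):
            uval, sval = extract(user, urule), extract(cert, srule)
            if uval and sval and uval.casefold() == sval.casefold():
                return f"{urule} == {srule}"
    return None


if __name__ == "__main__":
    print(match_user("dn; cn; dn:o, dn:c", "dn; dn:cn; dn:o, dn:c", USER_RECORD, CERT_SUBJECT))
```

With the constructed data, the full-DN rule fails because the user record DN carries an extra ou component, so the second rule (cn against dn:cn) is the one that grants the match.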