5.5.5: Mapping certificates to users for client authentication and authorization

Client-side certificates allow access to secured resources from Web clients. A client presents an X.509-compliant digital certificate to perform mutual authentication with a Web server. The WebSphere security run time then attempts to map the certificate to a known user in the associated LDAP directory. If the certificate is successfully mapped to a user, the holder of the certificate is taken to be that user in the registry and is authorized as that user. After the Web server receives the client's certificate, there must be a way to map the certificate to a user. WebSphere Application Server supports two techniques for mapping certificates to entries in LDAP registries:
Mapping by exact distinguished name

This approach attempts to map the distinguished name (DN) of the Subject in the certificate to an entry in the LDAP directory. If the mapping is successful, the user is authenticated and is authorized according to the privileges granted to that identity in the LDAP directory. The mapping is case insensitive. For example, the following two DNs match on a case-insensitive comparison:

"cn=Smith, ou=NewUnit, o=NewCompany, c=us"
"cn=smith, ou=newunit, o=NewCompany, c=US"

If a match is found, authentication succeeds; if no match is found, authentication fails.

Mapping by filtering certificate attributes

This approach maps certificate attributes to attributes of entries in an LDAP directory. For example, you can specify that the common name (CN) attribute of the Subject field in the certificate is to be matched against the uid attribute of your LDAP entry. If the mapping is successful, the user is authenticated and is authorized according to the privileges granted to that identity in the LDAP directory.
If you are matching the Subject CN field in the certificate to the uid attribute of the LDAP entry, a certificate with the Subject DN
To use this mapping technique, you must request Certificate Mapping and set up the certificate filter in the administrative console.
This specification extracts the CN field from the Subject attribute in the certificate ("Smith") and creates a filter ("uid=Smith") from it. The LDAP directory is searched for a user entry that matches the filter. If an entry matches the filter, authentication succeeds. Note that whether the search finds a match depends in part on how your LDAP directory is configured.
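As an added illustration (not WebSphere code and not part of the original page), the following Python models both mapping techniques against a constructed in-memory stand-in for the directory: the case-insensitive DN comparison, and extraction of the Subject CN into a uid filter with RFC 4515 escaping so that characters such as "*" or ")" in a certificate attribute cannot change the structure of the filter sent to the directory. The stand-in assumes the standard uid schema, whose equality rule ignores case; an actual directory may be configured differently.

```python
import re

# Constructed entries standing in for LDAP user records (not a real directory).
DIRECTORY = [
    {"dn": "cn=Smith, ou=NewUnit, o=NewCompany, c=us", "uid": "Smith"},
    {"dn": "cn=Jones, ou=NewUnit, o=NewCompany, c=us", "uid": "jones"},
]

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs: attribute names lower-cased,
    whitespace trimmed. Assumes RDN values contain no escaped commas."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def normalize_dn(dn):
    """Canonical form for the case-insensitive comparison described above."""
    return tuple((attr, value.lower()) for attr, value in parse_dn(dn))

def map_by_exact_dn(subject_dn):
    """Technique 1: case-insensitive exact DN match. Returns the entry or None."""
    wanted = normalize_dn(subject_dn)
    return next((e for e in DIRECTORY if normalize_dn(e["dn"]) == wanted), None)

def extract_cert_value(subject_dn, cert_attr="cn"):
    """Pull one attribute value from the Subject DN; None if absent or repeated."""
    values = [v for a, v in parse_dn(subject_dn) if a == cert_attr]
    return values[0] if len(values) == 1 else None

def escape_filter_value(value):
    """RFC 4515 escaping, so a value taken from the certificate cannot change
    the structure of the search filter sent to the directory."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def build_filter(subject_dn, cert_attr="cn", ldap_attr="uid"):
    """Technique 2: the filter string ("uid=Smith") derived from the certificate."""
    value = extract_cert_value(subject_dn, cert_attr)
    return None if value is None else "%s=%s" % (ldap_attr, escape_filter_value(value))

def map_by_filter(subject_dn, cert_attr="cn", ldap_attr="uid"):
    """Evaluate the filter against the stand-in directory. The uid comparison
    is case-insensitive, following the caseIgnore equality rule of the standard
    uid attribute (an assumption; other attributes or schemas may differ)."""
    value = extract_cert_value(subject_dn, cert_attr)
    if value is None:
        return None
    hits = [e for e in DIRECTORY if e.get(ldap_attr, "").lower() == value.lower()]
    return hits[0] if len(hits) == 1 else None  # require exactly one match
```

A Subject with a missing or repeated CN, or a filter that matches more than one entry, is refused rather than mapped to an arbitrary user.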