Problem
This technote describes the logical-expression option added to the
SSLCertificate directive of Caching Proxy.
Using the SSLCertificate directive, Caching Proxy can distinguish between
a certificate issued by a certification authority (CA) and a self-signed
certificate. However, the ClientAuthRequired option accepts any certificate
issued by a trusted CA, so on its own it can allow users who are not
authorized to gain access to the proxy server.
When you use the ClientAuthRequired option on the SSLCertificate directive,
you can add a logical expression to determine which of those authenticated
users may use the SSL channel.
The minimum release levels that support this option are 5.0.2.37,
5.1.1.13 and 6.0.2.4.

Solution
When a logical expression is appended to the SSLCertificate directive,
Caching Proxy extracts the attribute values from the client certificate
and evaluates the expression against them. If the expression is satisfied
by the values in the client certificate, Caching Proxy allows the client to
use the SSL connection; otherwise, the connection is shut down and closed.
The logical-expression option is valid only together with the
ClientAuthRequired option on the SSLCertificate directive.
Syntax:
    SSLCertificate [ip-address | dns-hostname] certificate-label ClientAuthRequired logic-expression
Example:
    SSLCertificate 9.37.240.50 myproxycert ClientAuthRequired
        CN="valid.user.common.name.pattern" && (L="accepted.location.pattern" || C!="not.valid.country.pattern")
Where:
The attribute name in the expression can be one of IST, ICN, IOU, IC, IL,
IO, IE, ST, CN, OU, C, L, O, E. Each attribute name maps to the following
field of the client certificate:
    IST  IssuerStateOrProvince
    ICN  IssuerCommonName
    IOU  IssuerOrgUnit
    IC   IssuerCountry
    IL   IssuerLocality
    IO   IssuerOrg
    IE   IssuerEmail
    ST   StateOrProvince
    CN   CommonName
    OU   OrgUnit
    C    Country
    L    Locality
    O    Org
    E    Email
Note: The value must be delimited with quotation marks and is compared with
= or != as in the example above. The valid logic operators are && (AND),
|| (OR) and ! (NOT). Because ClientAuthRequired already accepts every
certificate that chains to a trusted CA, the expression only narrows that
set; when more than one CA is trusted, test the issuer attributes (for
example ICN or IO) as well as the subject attributes, so that a certificate
with a matching subject issued by a different CA is not accepted.
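The following is an added illustration of how such an expression is evaluated; it is not Caching Proxy code and the technote does not specify the implementation. It tokenizes and parses an expression in the syntax shown above (attribute names, quoted values, =, !=, &&, ||, ! and parentheses) and evaluates it against the subject and issuer distinguished names of a client certificate. Everything the technote leaves undefined is an assumption here: values are compared as exact, case-sensitive strings; && binds tighter than ||; a missing attribute fails = and passes !=; and the sample DNs, the rule and the "Example Corp CA" issuer are constructed for the demonstration.

```python
"""Model of the ClientAuthRequired logic-expression check. Added illustration,
not Caching Proxy's own code: it parses an expression in the technote's syntax
and evaluates it against a client certificate's subject and issuer DNs. Assumed,
because the technote does not define them: exact, case-sensitive comparison; &&
binds tighter than ||; a missing attribute fails "=" and passes "!="; DN strings
use the "CN=x,O=y" form with "E" as the e-mail RDN.
"""
import re

# Technote attribute names: a plain name tests the subject DN, I-prefixed the issuer DN.
RDN_TYPES = ("ST", "CN", "OU", "C", "L", "O", "E")
ATTRIBUTES = {r: ("subject", r) for r in RDN_TYPES}
ATTRIBUTES.update({"I" + r: ("issuer", r) for r in RDN_TYPES})

# One token per match: an operator, an attribute name, or a quoted value.
TOKEN_RE = re.compile(r'\s*(?:(&&|\|\||!=|[=!()])|([A-Z]+)|"([^"]*)")')

def tokenize(expr):
    """Split into (kind, text) tokens; anything else is a syntax error."""
    tokens, pos = [], 0
    while expr[pos:].strip():
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("bad token near %r" % expr[pos:pos + 12])
        op, name, value = m.groups()
        if name is not None and name not in ATTRIBUTES:
            raise ValueError("unknown attribute %s" % name)
        tokens.append(("op", op) if op is not None else
                      ("attr", name) if name is not None else ("str", value))
        pos = m.end()
    return tokens

def parse(tokens):
    """Recursive descent: or > and > (! unary | ( or ) | ATTR (=|!=) "value")."""
    tokens, pos = tokens + [(None, None)], [0]  # sentinel marks the end
    def take(kind, text=None):
        tok = tokens[pos[0]]
        if tok[0] != kind or text not in (None, tok[1]):
            raise ValueError("expected %s %s, got %r" % (kind, text or "", tok))
        pos[0] += 1
        return tok[1]
    def p_or():
        node = p_and()
        while tokens[pos[0]] == ("op", "||"):
            pos[0] += 1
            node = ("or", node, p_and())
        return node
    def p_and():
        node = p_not()
        while tokens[pos[0]] == ("op", "&&"):
            pos[0] += 1
            node = ("and", node, p_not())
        return node
    def p_not():
        if tokens[pos[0]] == ("op", "!"):
            pos[0] += 1
            return ("not", p_not())
        if tokens[pos[0]] == ("op", "("):
            pos[0] += 1
            node = p_or()
            take("op", ")")
            return node
        attr, op = take("attr"), take("op")
        if op not in ("=", "!="):
            raise ValueError("expected = or != after %s, got %s" % (attr, op))
        return ("cmp", attr, op, take("str"))
    node = p_or()
    if tokens[pos[0]] != (None, None):
        raise ValueError("unexpected %r" % (tokens[pos[0]],))
    return node

def evaluate(node, subject, issuer):
    """Evaluate a parsed tree against subject and issuer DN dicts."""
    kind, args = node[0], node[1:]
    if kind in ("or", "and", "not"):
        vals = [evaluate(n, subject, issuer) for n in args]
        return any(vals) if kind == "or" else all(vals) if kind == "and" else not vals[0]
    attr, op, wanted = args
    which, rdn = ATTRIBUTES[attr]
    actual = (subject if which == "subject" else issuer).get(rdn)
    return actual == wanted if op == "=" else actual != wanted

def parse_dn(text):
    """Parse 'CN=alice,O=Example,C=US' into a dict (no escaped commas assumed)."""
    return dict((k.strip(), v.strip()) for k, _, v in
                (part.partition("=") for part in text.split(",")))

def client_allowed(expression, subject_dn, issuer_dn):
    """True if the expression accepts a certificate with these DNs."""
    return evaluate(parse(tokenize(expression)), parse_dn(subject_dn), parse_dn(issuer_dn))

# Constructed rule modelled on the technote's example, with an issuer pin added.
RULE = 'CN="Build Agent" && (L="Austin" || C!="XX") && ICN="Example Corp CA"'
CA = "CN=Example Corp CA,O=Example Corp,C=US"  # constructed issuer DN

if __name__ == "__main__":  # quick demo on constructed certificates
    for subj in ("CN=Build Agent,L=Austin,O=Example Corp,C=US",
                 "CN=Contractor,L=Austin,O=Example Corp,C=US"):
        print("allow" if client_allowed(RULE, subj, CA) else "reject", subj)
```

The issuer pin in RULE is the point of the caveat above: a certificate with the matching subject but issued by another trusted CA is rejected because ICN does not match. Any malformed expression (unknown attribute, unquoted value, unbalanced parenthesis, dangling operator) raises ValueError rather than silently evaluating to true, which is the failure mode a practitioner should insist on for an access-control rule.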

Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK