Caching Proxy support of the logical expression option on the SSLCertificate directive
 Technote (FAQ)
 
Problem
This technote provides information on the logical expression option added to the SSLCertificate directive for Caching Proxy.

Using the SSLCertificate directive, Caching Proxy can distinguish between a certificate issued by a certification authority (CA) and a self-signed certificate. However, the ClientAuthRequired option on its own accepts any CA-issued certificate, so this directive can allow users who are not valid to gain access to the proxy server.

When using the ClientAuthRequired option on the SSLCertificate directive, you can use the logical expression option to determine which valid users can access the SSL channel.

The minimum release levels that support the logical expression option are: 5.0.2.37, 5.1.1.13, 6.0.2.4.
 
Solution
When an additional logical expression is added to the SSLCertificate directive, Caching Proxy extracts the attribute values from the client certificate and evaluates the expression against them. If the expression is satisfied by the values in the client certificate, Caching Proxy grants the client use of the SSL connection; otherwise, the connection is shut down and closed.

The logical expression option is valid only when used with the ClientAuthRequired option on the SSLCertificate directive.

Syntax:
SSLCertificate [ip-address | dns-hostname ]   certificate-label   ClientAuthRequired  logic-expression

Example:
SSLCertificate 9.37.240.50   myproxycert ClientAuthRequired CN="valid.user.common.name.pattern" && (L="accepted.location.pattern" || C!="not.valid.country.pattern")

Where:
The attribute name in the expression can be: IST, ICN, IOU, IC, IL, IO, IE, ST, CN, OU, C, L, O, E. The attribute name is mapped to the following fields in the client certificate:

IssuerStateOrProvince (IST)
IssuerCommonName (ICN)
IssuerOrgUnit (IOU)
IssuerCountry (IC)
IssuerLocality (IL)
IssuerOrg (IO)
IssuerEmail (IE)
StateOrProvince (ST)
CommonName (CN)
OrgUnit (OU)
Country (C)
Locality (L)
Org (O)
Email (E)

Note: Each attribute value must be enclosed in quotation marks. The valid logic operators are && (AND), || (OR), ! (NOT); as the example shows, an attribute is compared to a value with = or !=.
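As an added illustration (not Caching Proxy's own code), the following Python evaluator parses an expression in this syntax and checks it against a client certificate's fields, supplied as a dictionary keyed by the attribute names above with constructed values. It assumes values are compared as exact strings, since the technote calls them patterns without defining a wildcard syntax, and it treats a field absent from the certificate as not equal to any value.

```python
import re

# Attribute names from the technote, ordered so a longer name is tried before its prefix (CN before C).
ATTRS = ["IST", "ICN", "IOU", "IC", "IL", "IO", "IE", "ST", "CN", "OU", "C", "L", "O", "E"]
KINDS = ("cmp", "op", "attr", "val")
TOKEN = re.compile(r'\s*(?:(!=|=)|(&&|\|\||!|\(|\))|(%s)|"([^"]*)")' % "|".join(ATTRS))

def tokenize(expr):                      # -> [(kind, text), ..., ("end", None)]
    pos, out, expr = 0, [], expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {expr[pos:]!r}")
        out.append(next((k, g) for k, g in zip(KINDS, m.groups()) if g is not None))
        pos = m.end()
    return out + [("end", None)]

def evaluate(expression, cert):          # True when the certificate fields satisfy the expression
    toks, pos = tokenize(expression), [0]
    def take(kind=None, text=None):      # consume the next token, checking kind and/or text
        tok = toks[pos[0]]
        if (kind and tok[0] != kind) or (text and tok[1] != text):
            raise ValueError(f"expected {text or kind}, got {tok}")
        pos[0] += 1
        return tok
    def unary():                         # '!' unary | '(' or_expr ')' | ATTR (= | !=) "value"
        if toks[pos[0]] == ("op", "!"):
            take(); return not unary()
        if toks[pos[0]] == ("op", "("):
            take(); v = or_expr(); take(text=")"); return v
        attr, op, val = take("attr")[1], take("cmp")[1], take("val")[1]
        match = cert.get(attr) == val    # exact string comparison (assumption, see lead-in)
        return match if op == "=" else not match
    def and_expr():                      # unary ('&&' unary)*; && binds tighter than ||
        v = unary()
        while toks[pos[0]] == ("op", "&&"):
            take(); v = unary() and v
        return v
    def or_expr():                       # and_expr ('||' and_expr)*
        v = and_expr()
        while toks[pos[0]] == ("op", "||"):
            take(); v = and_expr() or v
        return v
    result = or_expr()
    take("end")                          # anything left over is a syntax error
    return result

# Constructed client-certificate fields, keyed by the technote's attribute names.
EXPRESSION = 'CN="valid.user" && (L="Raleigh" || C!="XX")'
VALID_USER = {"CN": "valid.user", "L": "Austin", "C": "US", "ICN": "Example CA"}
```

Because a missing field compares as not equal, a != test alone passes for certificates that lack that field; an expression meant to restrict access should therefore pin the identifying field with = as well.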

Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK

Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Edge Component
Operating system(s): Windows
Software version: 6.0.2
Software edition:
Reference #: 1217779
IBM Group: Software Group
Modified date: Sep 8, 2005