Symantec Access Management

  • 1.  Has anyone used the config\SMX509CertAuthSettings.cfg file for Client Cert Auth?

    Posted Jan 29, 2016 03:10 PM

    We have a need to be able to create multiple mapping expressions for the same certificate IssuerDN.  In the WAMUI, the certificate mappings area does not allow you to create multiple certificate mappings with the same IssuerDN.


    We stumbled upon the config\SMX509CertAuthSettings.cfg file, which contains verbiage that makes it seem like this might be possible.  However, when trying to implement this cfg file, it seems we only get about halfway through the necessary steps.


    The problem I'm seeing, via the tracelog, is that the "CertMap" value I entered does not seem to work when trying to match IssuerDN.   It appears that the policy server only looks at cert mappings from the policy store, and not from the contents of the SmX509CertAuthSettings.cfg file.  However, it is definitely processing from that file because it is successfully pulling the necessary attribute from the "mappingexpression" portion of "CertMap" and successfully disambiguating my user against our user store. 


    After disambiguating my user, it should then search the CertMap for the issuerDN that's on the certificate.  However, I receive:

    [13:06:33][Unable to find issuer DN in certificate mapping rules]


    The funny thing is that earlier in the logs, when it's loading data from the SMX509CertAuthSettings.cfg file, it logs this line:

    [13:06:30][SmX509CertAuth: Mapping Expression from Configuration File: C=US,O=Entrust,OU=Certification Authorities,OU=Entrust Managed Services SSP CA^IDAttribute=%{REMOVED}]


    Questions:

    1. Has anyone ever successfully used this file for configuring certificate authentication?

    2. Is this the correct syntax for certificate mapping?
    CertMap=C=US,O=Entrust,OU=Certification Authorities,OU=Entrust Managed Services SSP CA^IDAttribute=%{REMOVED}


    Am I missing something?  Or do you HAVE to have a certificate mapping AS WELL in the PolicyStore?


    Thanks,

    Dave



  • 2.  Re: Has anyone used the config\SMX509CertAuthSettings.cfg file for Client Cert Auth?
    Best Answer

    Posted Jan 29, 2016 05:08 PM

    Figured out the issue.  Turns out this file works in CONJUNCTION with the IssuerDN mappings in the policy store.  You can create the multiple mapping expressions in the .cfg file, but you also have to have a blank IssuerDN (without mapping expression) in the certificate mappings area of the policy store/wamui.


    Correct Syntax for multiple mappings is:

    CertMap=C=US,O=Entrust,OU=Certification Authorities,OU=Entrust Managed Services SSP CA^IDAttribute=%{REMOVED}^

    & CertMap=C=US,O=Entrust,OU=Certification Authorities,OU=Entrust Managed Services SSP CA^AnotherIDAttribute=%{AnotherREMOVEDExpression}
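    The following is example code added to this thread, not code from the original posts or from the product: a small Python parser for the CertMap entry syntax the accepted answer shows, grouping several mapping expressions under one IssuerDN and reproducing the answer's check that every IssuerDN used in the .cfg file also has an entry in the policy store. The grammar (entries joined by "&", and "^" separating the IssuerDN from the Attribute=Expression mapping) is inferred from the two lines above and is an assumption; the DN normalisation used for comparison is also the example's own, since the thread does not say how the policy server compares issuer DNs. The sample .cfg text below is constructed from the answer's lines.

```python
"""Parser and lookup for the CertMap entry syntax shown in the accepted answer.

Grammar inferred from the thread (an assumption, not product documentation):

    CertMap=<IssuerDN>^<UserAttribute>=<mapping expression>^
    & CertMap=<IssuerDN>^<UserAttribute>=<mapping expression>

'&' separates entries; within an entry '^' separates the issuer DN from the
attribute=expression mapping. Several entries may share one IssuerDN, which is
exactly what the WAMUI did not allow the original poster to create.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CertMapping:
    issuer_dn: str      # normalised issuer DN (see normalize_dn)
    id_attribute: str   # user-store attribute the cert value is matched against
    expression: str     # mapping expression, e.g. %{REMOVED}


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN string for comparison (example's own rule, an assumption):
    split on unescaped commas, trim whitespace around each RDN, lowercase the
    attribute type. RDN order is preserved."""
    rdns = re.split(r'(?<!\\),', dn)
    parts = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition('=')
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(parts)


def parse_certmap(text: str) -> list[CertMapping]:
    """Parse one or more '&'-joined CertMap entries into CertMapping records."""
    mappings: list[CertMapping] = []
    for raw in text.split('&'):
        entry = raw.strip()
        if not entry:
            continue
        if not entry.startswith('CertMap='):
            raise ValueError(f"unexpected entry: {entry!r}")
        body = entry[len('CertMap='):]
        # A trailing '^' (as on the first line of the answer) yields an empty field.
        fields = [f for f in body.split('^') if f]
        if len(fields) != 2:
            raise ValueError(f"expected IssuerDN^Attribute=Expression, got {body!r}")
        issuer_dn, mapping = fields
        attr, sep, expr = mapping.partition('=')
        if not sep:
            raise ValueError(f"mapping lacks '=': {mapping!r}")
        mappings.append(CertMapping(normalize_dn(issuer_dn), attr.strip(), expr.strip()))
    return mappings


def mappings_for_issuer(mappings: list[CertMapping], cert_issuer_dn: str) -> list[CertMapping]:
    """All mapping expressions configured for the issuer DN found on a certificate."""
    wanted = normalize_dn(cert_issuer_dn)
    return [m for m in mappings if m.issuer_dn == wanted]


def missing_policy_store_entries(mappings: list[CertMapping],
                                 policy_store_issuer_dns: list[str]) -> list[str]:
    """Issuer DNs used in the .cfg file that have no policy-store mapping entry.

    The accepted answer states the .cfg file only works in conjunction with an
    IssuerDN entry (without a mapping expression) in the policy store; an issuer
    listed here is the case the poster hit ("Unable to find issuer DN in
    certificate mapping rules")."""
    in_store = {normalize_dn(dn) for dn in policy_store_issuer_dns}
    return sorted({m.issuer_dn for m in mappings} - in_store)


# Constructed sample built from the two lines in the accepted answer.
SAMPLE_CFG = (
    "CertMap=C=US,O=Entrust,OU=Certification Authorities,"
    "OU=Entrust Managed Services SSP CA^IDAttribute=%{REMOVED}^\n"
    "& CertMap=C=US,O=Entrust,OU=Certification Authorities,"
    "OU=Entrust Managed Services SSP CA^AnotherIDAttribute=%{AnotherREMOVEDExpression}"
)

if __name__ == "__main__":
    parsed = parse_certmap(SAMPLE_CFG)
    for m in parsed:
        print(m)
    cert_issuer = "c=US, o=Entrust, ou=Certification Authorities, ou=Entrust Managed Services SSP CA"
    print("mappings for issuer:", [m.id_attribute for m in mappings_for_issuer(parsed, cert_issuer)])
    print("missing in policy store:", missing_policy_store_entries(parsed, []))
```

    Running the block parses both entries under the same issuer DN, finds both IDAttribute and AnotherIDAttribute for a certificate whose issuer DN differs only in case and spacing, and reports that issuer as missing from an empty policy store, which mirrors the failure described in the question.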



  • 3.  Re: Has anyone used the config\SMX509CertAuthSettings.cfg file for Client Cert Auth?

    Posted Feb 03, 2016 04:04 AM

    Thank you so much for taking time and posting back the solution. I am sure this is going to be useful.