We have a need to be able to create multiple mapping expressions for the same certificate IssuerDN. In the WAMUI, the certificate mappings area does not allow you to create multiple certificate mappings with the same IssuerDN.
We stumbled upon the config\SMX509CertAuthSettings.cfg file, which contains verbiage that makes it seem like this might be possible. However, when trying to implement this cfg file, it seems we only get about halfway through the necessary steps.
The problem I'm seeing, via the tracelog, is that the "CertMap" value I entered does not seem to work when trying to match IssuerDN. It appears that the policy server only looks at cert mappings from the policy store, and not from the contents of the SmX509CertAuthSettings.cfg file. However, it is definitely processing from that file because it is successfully pulling the necessary attribute from the "mappingexpression" portion of "CertMap" and successfully disambiguating my user against our user store.
After disambiguating my user, it should then search the CertMap for the IssuerDN that's on the certificate. However, I receive:
[13:06:33][Unable to find issuer DN in certificate mapping rules]
The funny thing is that earlier in the logs, when it's loading data from the SMX509CertAuthSettings.cfg file, it logs this line:
[13:06:30][SmX509CertAuth: Mapping Expression from Configuration File: C=US,O=Entrust,OU=Certification Authorities,OU=Entrust Managed Services SSP CA^IDAttribute=%{REMOVED}]
Questions:
1. Has anyone ever successfully used this file for configuring certificate authentication?
2. Is this the correct syntax for certificate mapping?
CertMap=C=US,O=Entrust,OU=Certification Authorities,OU=Entrust Managed Services SSP CA^IDAttribute=%{REMOVED}
Am I missing something? Or do you HAVE to have a certificate mapping AS WELL in the PolicyStore?
Thanks,
Dave
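The following is an added example, not part of Dave's post and not SiteMinder's own code: a small checker for CertMap lines in the SMX509CertAuthSettings.cfg format quoted above. It parses the IssuerDN part of each CertMap entry and compares it with the issuer DN taken from a certificate, so that whitespace, case and RDN-ordering differences between the two strings (the usual reason a DN string "looks" right but does not match) can be ruled out before looking elsewhere. The sample config text and the issuer DN strings are constructed, the attribute name `uid` stands in for the value the poster redacted, and the comparison rules (case-insensitive values, order-sensitive match) are assumptions; how the policy server itself compares DNs is not known here.

```python
"""Added example: checker for CertMap=<IssuerDN>^<mapping expression> lines.

Not part of the original post or of the SiteMinder product; the DN
comparison rules below are assumptions, not documented product behaviour.
"""

import re

# Constructed sample config text in the format quoted in the post.
# The attribute name "uid" is a placeholder, not the value the poster redacted.
SAMPLE_CFG = """\
# SMX509CertAuthSettings.cfg (constructed sample)
CertMap=C=US,O=Entrust,OU=Certification Authorities,OU=Entrust Managed Services SSP CA^IDAttribute=%{uid}
"""

# Constructed issuer DNs as different tools print the same issuer:
# LDAP-style (most specific RDN first) and the order used in the config line.
ISSUER_LDAP_ORDER = "OU=Entrust Managed Services SSP CA, OU=Certification Authorities, O=Entrust, C=US"
ISSUER_CFG_ORDER = "C=US,O=Entrust,OU=Certification Authorities,OU=Entrust Managed Services SSP CA"

_RDN_SPLIT = re.compile(r"(?<!\\),")  # split on commas that are not escaped


def parse_dn(dn):
    """Return a list of (TYPE, value) pairs for a DN string.

    Attribute types are upper-cased; values are whitespace-trimmed, unescaped
    and lower-cased.  Case-insensitive value matching is an assumption made
    here, not a documented SiteMinder behaviour.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = rdn.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",").lower()))
    return rdns


def parse_certmap(line):
    """Split a CertMap=<IssuerDN>^<mapping expression> line into its two parts."""
    key, _, rest = line.partition("=")
    if key.strip() != "CertMap":
        raise ValueError(f"not a CertMap line: {line!r}")
    if "^" not in rest:
        raise ValueError("CertMap value has no '^' between IssuerDN and mapping expression")
    issuer, _, mapping = rest.partition("^")
    return issuer.strip(), mapping.strip()


def load_certmaps(cfg_text):
    """Return [(issuer_dn, mapping_expr)] for every CertMap line, skipping comments."""
    result = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("CertMap"):
            result.append(parse_certmap(line))
    return result


def compare_issuer(cert_issuer, certmap_issuer):
    """Classify how the certificate's issuer DN relates to a CertMap IssuerDN.

    Returns one of:
      'exact'    - same RDNs in the same order (after normalisation)
      'reversed' - same RDNs in opposite order (typical OpenSSL vs LDAP printing)
      'same_set' - same RDNs in some other order
      'mismatch' - at least one RDN differs
    """
    a, b = parse_dn(cert_issuer), parse_dn(certmap_issuer)
    if a == b:
        return "exact"
    if a == list(reversed(b)):
        return "reversed"
    if sorted(a) == sorted(b):
        return "same_set"
    return "mismatch"


def diagnose(cert_issuer, cfg_text):
    """Return {certmap_issuer: classification} for every CertMap in the config."""
    return {issuer: compare_issuer(cert_issuer, issuer)
            for issuer, _mapping in load_certmaps(cfg_text)}


if __name__ == "__main__":
    # Usage: feed the issuer DN exactly as your tooling (or the trace log) prints it.
    for issuer in (ISSUER_CFG_ORDER, ISSUER_LDAP_ORDER):
        print(issuer)
        for certmap_issuer, verdict in diagnose(issuer, SAMPLE_CFG).items():
            print("   ", verdict, "<-", certmap_issuer)
```

Anything other than `exact` is worth fixing in the config line before assuming the file is not consulted at all: a `reversed` result means the two strings describe the same issuer but in opposite RDN order, which an exact string comparison would reject.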