Symantec Access Management

Expand all | Collapse all

Mark attribute as "sensitive" or "secret" or ...

  • 1.  Mark attribute as "sensitive" or "secret" or ...

    Posted 07-12-2016 12:19 PM

    I'm pretty sure I know the answer to this, but does anyone have an idea of how I can make a field require some sort of hashing much like the userPassword (password-storage) setting?  I need to mark several attributes this way in hopes of appeasing the all loving auditors.



  • 2.  Re: Mark attribute as "sensitive" or "secret" or ...

    Broadcom Employee
    Posted 07-12-2016 02:17 PM

    Hi Steve,


    Which part of configuration are you referring to?

    Is this related to Siteminder or something else, e.g. attribute inside directory itself?

    If this feature is not documented, then it probably does not exist, then maybe opening a CA Community idea.




  • 3.  Re: Mark attribute as "sensitive" or "secret" or ...

    Posted 07-12-2016 02:44 PM

    Hi Hongxu -


    Nothing to do with any other CA product.  Only to do with is it possible to to provide an attribute in CA Directory, much like the setting (default in later versions) for userPassword (password-storage), whereby the attribute can be hashed.  An encryption method would also be acceptable, although don't need to be that intensive as I believe this would require keys and exchanges, etc, that we really don't want/need to do at this time.


    Basically all I really need to do is provide a means whereby the Directory server will see that the attribute is set to be hashed, so that an application can send an attribute to the Directory server and the server can hash the attribute and compare to the stored value.


    Hope this helps clarify.  BTW, it is also my belief that CA Directory does not have this capability.




  • 4.  Re: Mark attribute as "sensitive" or "secret" or ...

    Posted 07-19-2016 10:44 AM

    HI Steve,


    You are correct in your assumption that CA Directory does not have the capability to hash an attribute value; outside of userpassword. Typically, the application(s) do the hashing and store that value in the directory and then do what needs to be done on retrieval (i.e. compare/present clear text).

    Another way for 'secrecy' is to put an ACI on the attribute so that the attribute is only accessible for authorized end user(s).

    Of course, both can be applied.





  • 5.  Re: Mark attribute as "sensitive" or "secret" or ...

    Posted 07-19-2016 05:35 PM

    Actually, If you define this attribute as an OctetSting in the schema, it will be automatically hashed in the directory. It will pretty much act like a password.




  • 6.  Re: Mark attribute as "sensitive" or "secret" or ...

    Posted 07-19-2016 07:24 PM

    Sorry, no. It is not hashed. Just converted to Binary. My apologies.