5.5.5: Mapping certificates to users for client authentication and authorization

Client-side certificates allow access to secured resources from Web clients. A client presents an X.509-compliant digital certificate to perform mutual authentication with a Web server. The WebSphere security runtime then attempts to map the certificate to a known user in the associated LDAP directory. If the certificate is successfully mapped to a user, the holder of the certificate is taken to be that user in the registry and is authorized as that user.

After the Web server gets the client's certificate, there must be a way to map the certificate to a user. WebSphere Application Server supports two techniques for mapping certificates to entries in LDAP registries:

  • By exact distinguished name
  • By matching attributes in the certificate to attributes of LDAP entries

Mapping by exact distinguished name

This approach attempts to map the distinguished name (DN) associated with the Subject in the certificate to an entry in the LDAP directory. If the mapping is successful, the user is authenticated and is authorized according to the privileges granted to the identity in the LDAP directory.

The mapping is case insensitive. For example, the following two DNs match on a case-insensitive comparison:

"cn=Smith, ou=NewUnit, o=NewCompany, c=us"
"cn=smith, ou=newunit, o=NewCompany, c=US"

If a match is found, authentication succeeds; if no match is found, authentication fails.

Mapping by filtering certificate attributes

This approach maps certificate attributes to attributes of entries in an LDAP directory. For example, you can specify that the common name (CN) attribute of the Subject field in the certificate is to be matched against the uid attribute of your LDAP entry. If the mapping is successful, the user is authenticated and is authorized according to the privileges granted to the identity in the LDAP directory.

If you are matching the Subject CN field in the certificate to the uid attribute of the LDAP entry, a certificate with the Subject DN "cn=Smith, ou=NewUnit, o=NewCompany, c=us" matches an LDAP user entry with uid=Smith.

To use this mapping technique, you must request Certificate Mapping and set up the certificate filter in the administrative console.

  1. Click Task --> Configure Application Security
  2. Set the Challenge Type to "Certificate"
  3. Click Task --> Global Security Settings --> User Registry
  4. Click the Advanced button
  5. Set the Certificate Mapping choice to "Certificate Filter"
  6. Enter the certificate filter you want to implement. For example, to match the CN attribute of the Subject in the certificate to the uid attribute in the LDAP entry, enter (uid=${SubjectCN})

This specification extracts the CN field from the Subject attribute in the certificate ("Smith") and creates a filter ("uid=Smith") from it. The LDAP directory is searched for a user entry that matches the filter. If an entry matches the filter, authentication succeeds. Note that how the directory is searched, and what counts as a match, depend in part on how your LDAP directory is configured.
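The two mapping techniques above, modelled as an added example against a small constructed in-memory directory (this is illustration code, not WebSphere's implementation): exact-DN mapping with the case-insensitive comparison, and filter mapping that expands (uid=${SubjectCN}) from the certificate Subject. The RFC 4515 escaping of the substituted value and the case-insensitive uid comparison are assumptions of this example, not behaviour the page describes.

```python
import re

# Constructed directory entries standing in for the LDAP registry.
CONSTRUCTED_DIRECTORY = [
    {"dn": "cn=Smith, ou=NewUnit, o=NewCompany, c=us", "uid": "Smith"},
    {"dn": "cn=Jones, ou=NewUnit, o=NewCompany, c=us", "uid": "Jones"},
]

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped, trimming whitespace."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]

def normalize_dn(dn):
    """Canonical form for the case-insensitive comparison used by exact-DN mapping."""
    return ",".join(rdn.lower() for rdn in split_rdns(dn))

def map_by_exact_dn(subject_dn, directory=CONSTRUCTED_DIRECTORY):
    """Return the entry whose DN equals the Subject DN, or None (authentication fails)."""
    wanted = normalize_dn(subject_dn)
    return next((e for e in directory if normalize_dn(e["dn"]) == wanted), None)

def subject_attributes(subject_dn):
    """Parse 'cn=Smith, ou=NewUnit, ...' into {'CN': 'Smith', 'OU': 'NewUnit', ...}."""
    attrs = {}
    for rdn in split_rdns(subject_dn):
        name, _, value = rdn.partition("=")
        attrs[name.strip().upper()] = value.strip()
    return attrs

def escape_filter_value(value):
    """RFC 4515 escaping (assumed here) so Subject text cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_certificate_filter(template, subject_dn):
    """Expand ${SubjectXX} placeholders, e.g. (uid=${SubjectCN}) -> (uid=Smith)."""
    attrs = subject_attributes(subject_dn)
    def expand(match):
        attr = match.group(1).upper()
        if attr not in attrs:
            raise KeyError("certificate Subject has no %s attribute" % attr)
        return escape_filter_value(attrs[attr])
    return re.sub(r"\$\{Subject(\w+)\}", expand, template)

def map_by_filter(template, subject_dn, directory=CONSTRUCTED_DIRECTORY):
    """Evaluate the expanded equality filter against the directory (uid compared case-insensitively)."""
    ldap_filter = build_certificate_filter(template, subject_dn)
    attr, _, value = ldap_filter.strip("()").partition("=")
    value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    hits = [e for e in directory if e.get(attr, "").lower() == value.lower()]
    return hits[0] if len(hits) == 1 else None  # no match, or ambiguous: fail
```

A real directory performs the search itself; the mock search here only exists so the filter expansion can be exercised end to end.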
