This topic describes how you can specify an attribute in a certificate to uniquely identify the user for Public Key Infrastructure (PKI) authentication.
You must specify an attribute with user name or user id, in a certificate, to uniquely identify the user. A certificate may contain user name or user id in Subject DN or Subject Alternative Name field and Security Analytics server must be configured to read the value of this attribute. The Security Analytics server uses the extracted value of this attribute for authorization and retrieves the user groups from an Active Directory (AD) server. By default, Security Analytics server extracts the entire value of the selected attribute, without filtering any characters. You can use regular expression (REGEX) to refine the value extracted.
To configure user principal settings:
- In the Security Analytics menu, select Administration > Security.
The Security view is displayed with the Users tab open.
- Click the Settings tab.
- In the User Principal settings, click Configure.
The User Principal Settings dialog is displayed.
- In the Certificate field, paste the BASE64 encoded user certificate.
- Click Next.
The Subject and Subject Alternative name fields are displayed.
- Select a unique field that reflects the user name or user id.
- Click Test.
The user name or user principal name is extracted and displayed within square brackets.
- If the extracted user principal name does not match the AD username, you can modify the Regex to extract the exact user name and click Test.
- If the extracted value is not the same as the AD user name, you must do one of the following tasks:
- Select a different value.
- If the value is not unique, select a different attribute with a unique value.
- Obtain a new certificate that contains an attribute with a unique value that identifies a user.
For example, if CN attribute has two values (Users and pkitest3), and pkitest3 matches the AD username. Even if you select pkitest3 and click Test, the extracted value is Users.In this case, do one of the following:
- Click Save to update the Security Analytics server.
Note: If the User Principal Setting is incorrect, Security Analytics server will not allow you to access Security Analytics UI. In this case, to access the Security Analytics UI you must revert or disable PKI from the backend. For more information to disable PKI, see Disable PKI.