000021739 - Certificate authentication not working in RSA ClearTrust Agent 4.6 for Apache - user's certificate identity is not mapped to user in entitlements repository

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.

Article Content

Article Number: 000021739
Applies To: RSA ClearTrust Agent 4.6 for Apache
Issue: Certificate authentication not working in RSA ClearTrust Agent 4.6 for Apache - user's certificate identity is not mapped to user in entitlements repository
Cause: When a user authenticates to a web server by certificate challenge, the user's authenticated identity is added to the request headers as the certificate's DN. That DN is then used by the ClearTrust agent to map the authenticated user to a user in the entitlements repository for the purpose of authorization. The match between the certificate DN and the user's DN in the entitlements repository is a straightforward string match between the contents of the header and the DN constructed or retrieved from the repository. The DN from the repository is the certDN field, which defaults to the DN of the user object but may be overridden by mapping certDN to a different field in the agent's configuration file, or by explicitly adding the DN to match to the certDN field (e.g. using the Entitlements Manager).

Depending on the web server being used, the certificate DN may be added to the headers in a form that fails the string match against certDN even though the two logically denote the same entry. Two discrepancies are prominent:

1) The DN is added in reverse order (e.g. dc=com,dc=rsasecurity,cn=users,cn=jsmith instead of cn=jsmith,cn=users,dc=rsasecurity,dc=com)

2) Slashes ('/') are used instead of commas (e.g. cn=jsmith/cn=users/dc=rsasecurity/dc=com instead of cn=jsmith,cn=users,dc=rsasecurity,dc=com)

NOTE: It is also possible that both of the above discrepancies are present.

Resolution: Two parameters in the agent configuration file webagent.conf govern these options, allowing the user to configure the RSA ClearTrust Agent to match the certificate's DN to the certDN field:

1. cleartrust.agent.convert_certificate_dn_delimiter will, when set to true, swap slashes for commas in the DN before passing the request to the auth server.

2. cleartrust.agent.reverse_certificate_dn will, when set to true, reverse the order of the key=value pairs that make up the DN.
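As an added illustration (not RSA's code), the script below models the two normalisations the options above apply to the header DN and then performs the same plain string comparison the agent does, so an administrator can work out from a captured header value and the repository certDN which of the two settings (if any) will make them match. It assumes slash conversion happens before reversal and that a leading slash simply produces an empty component that is dropped; the sample DNs are the article's own plus constructed variants.

```python
from itertools import product

# certDN as stored in the entitlements repository (value taken from the article)
CERT_DN = "cn=jsmith,cn=users,dc=rsasecurity,dc=com"


def convert_delimiter(dn: str) -> str:
    # cleartrust.agent.convert_certificate_dn_delimiter=true: '/' becomes ','.
    # Assumption: an empty component (e.g. from a leading '/') is discarded.
    return ",".join(part for part in dn.split("/") if part)


def reverse_dn(dn: str) -> str:
    # cleartrust.agent.reverse_certificate_dn=true: reverse the key=value pairs.
    return ",".join(reversed(dn.split(",")))


def normalize_header_dn(header_dn: str, convert: bool = False, reverse: bool = False) -> str:
    # Assumption: delimiter conversion is applied before reversal, so the
    # reversal always splits on commas.
    dn = header_dn.strip()
    if convert:
        dn = convert_delimiter(dn)
    if reverse:
        dn = reverse_dn(dn)
    return dn


def matches(header_dn: str, cert_dn: str, convert: bool = False, reverse: bool = False) -> bool:
    # The agent does a straightforward string match: attribute case or spacing
    # differences are deliberately NOT reconciled here either.
    return normalize_header_dn(header_dn, convert, reverse) == cert_dn


def required_settings(header_dn: str, cert_dn: str):
    """Try all four option combinations; return the first that matches, else None."""
    for convert, reverse in product((False, True), repeat=2):
        if matches(header_dn, cert_dn, convert, reverse):
            return {"cleartrust.agent.convert_certificate_dn_delimiter": convert,
                    "cleartrust.agent.reverse_certificate_dn": reverse}
    return None


if __name__ == "__main__":
    # Constructed sample header values a web server might present.
    samples = [
        "cn=jsmith,cn=users,dc=rsasecurity,dc=com",   # already matches
        "dc=com,dc=rsasecurity,cn=users,cn=jsmith",   # reversed
        "cn=jsmith/cn=users/dc=rsasecurity/dc=com",   # slash-delimited
        "/dc=com/dc=rsasecurity/cn=users/cn=jsmith",  # both, with leading slash
        "CN=jsmith,CN=users,DC=rsasecurity,DC=com",   # case differs: no setting helps
    ]
    for sample in samples:
        print(f"{sample!r:46} -> {required_settings(sample, CERT_DN)}")
```

A result of None means neither option will rescue the match, so the fix lies in the certDN mapping (or an explicit certDN value) rather than in webagent.conf.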
Legacy Article ID: a24799
