000018630 - Certificate DN passed to Auth Server by the IIS Agent is inconsistent with Apache Agent

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000018630
Applies To: RSA ClearTrust Agent 4.5 for Microsoft IIS
Microsoft Windows 2000 SP4
Issue: Certificate DN passed to ClearTrust Authorization Server by RSA ClearTrust Agent for IIS is inconsistent with that passed by RSA ClearTrust Agent 3.x for Apache
Cause: During certificate authentication ClearTrust gets the certificate user's name from the Web server in string form. In some cases, Web servers don't conform to the applicable standard for DN string attribute names, and in others, the standard is not precise on all attribute types that may be encountered (e.g. 'E', 'email', and 'MAIL' have all been used for RFC822 email addresses). For certificate authentication to work properly, the attribute names must match the certificate DN attribute names used in the RSA ClearTrust data store. If various Web servers provide certificate DNs in different formats, ClearTrust is unable to authenticate through all those Web Agents.
Resolution: This issue has been resolved in hot fix 4.5.0.10 for RSA ClearTrust Agent 4.5 for IIS 5.0 and IIS 6.0. Contact RSA Security Customer Support to obtain hot fix 4.5.0.10 for ClearTrust Agent 4.5 for IIS, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels).

This fix defines a new Web agent configuration entry:

    cleartrust.agent.certdn_attr_name_map=

This entry specifies any necessary mapping (translation) of certificate DN string attribute names using a comma-separated list of 'from:to' mapping pairs.

NOTE: Each 'from' name must be unique, but multiple 'from' names can be mapped to a single 'to' name (a many-to-one relationship). The entry values are case-insensitive. For example, the ClearTrust data store uses 'E' for email address and 'S' for state or province name. However, the Web server produces DN strings that use 'email' or 'MAIL' for email address and 'ST' for state or province name. The following webagent.conf entry will correctly map the attribute names in the server's DN strings to the ones used in the data store:

    cleartrust.agent.certdn_attr_name_map=email:E,MAIL:E,ST:S

The mapping can also be applied when the server produces an OID string rather than a name string:

    cleartrust.agent.certdn_attr_name_map=1.2.840.113549.1.9.1:email,ST:S
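To make the mapping rules concrete, the following Python is an added illustration written for this article, not RSA ClearTrust agent code. It parses a certdn_attr_name_map value under the rules stated above (comma-separated 'from:to' pairs, case-insensitive names, unique 'from' names, many-to-one allowed) and applies it to a constructed Web-server DN string. The RFC 2253-style splitting on unescaped commas and the pass-through of unmapped attribute names are assumptions about reasonable behaviour, not documented agent semantics.

```python
from typing import Dict, List


def parse_attr_name_map(value: str) -> Dict[str, str]:
    """Parse a 'from:to,from:to' list into a lookup keyed by lower-cased 'from'.

    Names are compared case-insensitively, each 'from' must be unique, and
    several 'from' names may share one 'to' name (many-to-one), as the
    article states for cleartrust.agent.certdn_attr_name_map.
    """
    mapping: Dict[str, str] = {}
    for pair in value.split(","):
        pair = pair.strip()
        if not pair:
            continue  # tolerate a trailing comma or an empty entry
        src, sep, dst = pair.partition(":")
        src, dst = src.strip(), dst.strip()
        if not sep or not src or not dst:
            raise ValueError(f"malformed mapping pair: {pair!r}")
        key = src.lower()
        if key in mapping:
            raise ValueError(f"duplicate 'from' name: {src!r}")
        mapping[key] = dst
    return mapping


def is_valid_attr_name_map(value: str) -> bool:
    """Configuration pre-check: True if the entry parses under the rules above."""
    try:
        parse_attr_name_map(value)
    except ValueError:
        return False
    return True


def split_rdns(dn: str) -> List[str]:
    """Split a DN string on commas that are neither backslash-escaped nor
    inside double quotes (RFC 2253 string form), so 'CN=Doe\\, Jane' stays whole.
    This splitting rule is an assumption of the example, not agent behaviour."""
    parts: List[str] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep escape and escaped char together
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def translate_dn(dn: str, mapping: Dict[str, str]) -> str:
    """Rewrite each RDN's attribute name through the mapping.

    Unmapped names pass through unchanged (an assumption); values are never
    touched, so the result differs from the input only in the attribute
    names the map covers.
    """
    out: List[str] = []
    for rdn in split_rdns(dn):
        name, sep, value = rdn.partition("=")
        if not sep:
            out.append(rdn)  # not 'name=value'; leave as-is
            continue
        name = name.strip()
        out.append(f"{mapping.get(name.lower(), name)}={value}")
    return ",".join(out)


if __name__ == "__main__":
    # Constructed sample: the article's mapping applied to a Web-server DN string.
    name_map = parse_attr_name_map("email:E,MAIL:E,ST:S")
    server_dn = "CN=Jane Doe,OU=Sales,ST=MA,email=jane@example.com"
    print(translate_dn(server_dn, name_map))
    # CN=Jane Doe,OU=Sales,S=MA,E=jane@example.com
```

Before editing webagent.conf, a candidate value can be run through is_valid_attr_name_map to catch a duplicated 'from' name or a pair missing its ':', and translate_dn output can be compared against the attribute names actually used in the ClearTrust data store to confirm the mapping produces the expected DN.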

Legacy Article ID: a21330
