000022677 - Does RSA ClearTrust support X.509 certificates for authentication using the Runtime API?

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.

Article Number: 000022677

Applies To: RSA ClearTrust 5.5 Runtime API; Sun Solaris 2.8

Issue: Does RSA ClearTrust support X.509 certificates for authentication using the Runtime API?

Resolution: From the RSA ClearTrust 5.5.3 Developer's Documentation, the Runtime API supports various authentication types, including assert certificate. The Administrative API provides a mechanism to extend the Authorization Servers to include additional custom forms of user authentication.

The Runtime API cannot perform certificate authentication. Instead, the API offers the SC_ASSERT_CERT_DN authentication type for Runtime API clients that implement their own, internal certificate authentication routines.

The SC_ASSERT_CERT_DN authentication code may be passed as the desired authentication type in calls to ct_authenticate() and ct_authorize(). Choose this authentication code if you wish to declare the user as authenticated without invoking an RSA ClearTrust authentication routine. This method accepts the user on the basis of only the user's submitted DN. The Authorization Server will verify only that the submitted DN matches a DN in your user store, and, if it matches one, RSA ClearTrust will declare the user authenticated.

The SC_ASSERT_CERT_DN authentication type assumes that the Runtime API client has done the actual verification of the user's identity. For this reason, this authentication type may only be used by Runtime API clients that have satisfied the connection security threshold set in the cleartrust.runtime_api.security parameter in the Authorization Server's configuration file (aserver.conf). This allows you to configure your RSA ClearTrust installation so that only an authenticated Runtime API client can verify a user's identity.

Upon success, the SC_CERT result key is set to true, indicating that certificate authentication has succeeded. Note that SC_ASSERT_CERT_DN is provided as an alternative to the SC_CERT (certificate) authentication type, which the API does not support. For this reason the SC_CERT return code continues to be used.

This authentication code should only be used when the calling application has independently authenticated the user's identity by checking that the user has the valid certificate containing the submitted DN. The Runtime API does not support Certificate Authentication.

The SC_AUTH_TYPE_CERT constant denotes the Certificate authentication mode. For this type of authentication, the other needed properties are (from ct_user_constants.h): CT_RUNAPI_USER_CERT_KEY

For this type of authentication, the possible values for the key CT_AUTH_AUTHENTICATION_RESULT_STR in maps returned from ct_authenticate(), ct_authenticate_pool(), ct_authorize(), or ct_authorize_pool() are (from ct_result_constants.h):
Authentication, done by the RuntimeAPI.authenticate() method, confirms the identity of a user based on a set of credentials supplied by that user. The credentials required for a user authentication operation depend on the type of authentication being performed.

To authenticate a user with SC_ASSERT_CERT_DN authentication, pass the user's DN as the UserConstants.SC_USER_DN parameter in the user Map. The possible values for the key ResultConstants.AUTHENTICATION_RESULT in Maps returned from authenticate() or authorize() are:

- ResultConstants.VALID_USER (in which case ResultConstants.SC_CERT will be set to true). If the token option is enabled, the returned token will have the SC_CERT key set to true.
- ResultConstants.UNKNOWN_USER
- ResultConstants.INACTIVE_ACCOUNT
- ResultConstants.EXPIRED_ACCOUNT
- ResultConstants.ADMIN_LOCKOUT
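The decision flow the article describes, as an added Python model written for this page rather than RSA ClearTrust code: the Authorization Server side checks only that the calling Runtime API client met the connection security threshold and that the asserted DN names a known user, while the client side asserts a DN only after its own certificate verification has succeeded. The constant names follow the article; the user-store entries, the integer security levels, the SC_CERT value on non-VALID_USER outcomes, the DN whitespace normalisation and the order of the account-state checks are assumptions made for illustration.

```python
# Constructed model of the SC_ASSERT_CERT_DN decision flow described in the
# article. This is NOT RSA ClearTrust code: the constants mirror the names the
# article gives, while the user store, the numeric security levels and the order
# in which account-state checks are applied are assumptions made for illustration.
from dataclasses import dataclass

# Result-map keys and values named in the article (ResultConstants.*)
AUTHENTICATION_RESULT = "AUTHENTICATION_RESULT"
SC_CERT = "SC_CERT"
VALID_USER = "VALID_USER"
UNKNOWN_USER = "UNKNOWN_USER"
INACTIVE_ACCOUNT = "INACTIVE_ACCOUNT"
EXPIRED_ACCOUNT = "EXPIRED_ACCOUNT"
ADMIN_LOCKOUT = "ADMIN_LOCKOUT"

# Authentication type and user-map key named in the article
SC_ASSERT_CERT_DN = "SC_ASSERT_CERT_DN"
SC_USER_DN = "SC_USER_DN"

# Assumption: connection security is modelled as an integer level, and the
# Authorization Server's cleartrust.runtime_api.security threshold as 2.
SECURITY_THRESHOLD = 2


@dataclass
class UserRecord:
    """Constructed user-store entry; only the account states the article lists are modelled."""
    dn: str
    active: bool = True
    expired: bool = False
    admin_locked: bool = False


# Constructed user store keyed by distinguished name
USER_STORE = {
    "CN=alice,OU=Engineering,O=Example": UserRecord("CN=alice,OU=Engineering,O=Example"),
    "CN=bob,OU=Engineering,O=Example": UserRecord("CN=bob,OU=Engineering,O=Example", admin_locked=True),
    "CN=carol,OU=Finance,O=Example": UserRecord("CN=carol,OU=Finance,O=Example", expired=True),
    "CN=dave,OU=Finance,O=Example": UserRecord("CN=dave,OU=Finance,O=Example", active=False),
}


class AssertionNotPermitted(Exception):
    """Raised when a DN assertion is refused before any user lookup takes place."""


def normalize_dn(dn: str) -> str:
    """Canonicalise RDN separators so 'CN=alice, OU=Engineering' and
    'CN=alice,OU=Engineering' compare equal (assumption; attribute values are
    otherwise compared exactly, so a DN that differs in case is a different user)."""
    return ",".join(part.strip() for part in dn.split(","))


def authenticate(auth_type: str, user_map: dict, client_security_level: int) -> dict:
    """Model of the Authorization Server's handling of an SC_ASSERT_CERT_DN request.

    The server does no certificate processing at all: it checks that the client is
    allowed to assert identities and that the asserted DN names a known user.
    """
    if auth_type != SC_ASSERT_CERT_DN:
        raise ValueError("this model handles SC_ASSERT_CERT_DN only")
    # Only a client that satisfied the connection security threshold may assert a DN
    if client_security_level < SECURITY_THRESHOLD:
        raise AssertionNotPermitted("client below cleartrust.runtime_api.security threshold")

    dn = normalize_dn(user_map[SC_USER_DN])
    record = USER_STORE.get(dn)
    # SC_CERT is documented as true on VALID_USER; false on other outcomes is an assumption
    if record is None:
        return {AUTHENTICATION_RESULT: UNKNOWN_USER, SC_CERT: False}
    # Order of the account-state checks is an assumption; the article only lists the outcomes
    if record.admin_locked:
        return {AUTHENTICATION_RESULT: ADMIN_LOCKOUT, SC_CERT: False}
    if record.expired:
        return {AUTHENTICATION_RESULT: EXPIRED_ACCOUNT, SC_CERT: False}
    if not record.active:
        return {AUTHENTICATION_RESULT: INACTIVE_ACCOUNT, SC_CERT: False}
    return {AUTHENTICATION_RESULT: VALID_USER, SC_CERT: True}


def client_assert_dn(certificate_verified: bool, subject_dn: str, client_security_level: int) -> dict:
    """Client-side wrapper showing the precondition the article imposes: the DN is
    asserted only after the client's own certificate verification has succeeded.
    `certificate_verified` stands in for the outcome of that (out-of-scope) check."""
    if not certificate_verified:
        raise AssertionNotPermitted("refusing to assert a DN taken from an unverified certificate")
    return authenticate(SC_ASSERT_CERT_DN, {SC_USER_DN: subject_dn}, client_security_level)


if __name__ == "__main__":
    print(client_assert_dn(True, "CN=alice, OU=Engineering, O=Example", 2))
    print(client_assert_dn(True, "CN=mallory,OU=Engineering,O=Example", 2))
```

The two refusal paths are deliberately exceptions rather than result values: neither a client below the configured security threshold nor a DN lifted from an unverified certificate should ever reach the user-store lookup, which is the only check the Authorization Server performs for this authentication type.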
Legacy Article ID: a29796