000020704 - RSA ClearTrust Agent 3.0.1 for Microsoft Internet Information Services (IIS) 5.0 and BEA WebLogic return different certificate subject DN

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000020704
Applies To:
RSA ClearTrust Agent 3.0.1 for BEA WebLogic 6.1
RSA ClearTrust Agent 3.0.1 for Microsoft IIS 5.0
RSA ClearTrust 5.0.1 Authorization Server (AServer)
Issue: RSA ClearTrust Agent 3.0.1 for Microsoft Internet Information Services (IIS) 5.0 and BEA WebLogic return different certificate subject DN
A ClearTrust environment was configured to use certificate-based authentication. The environment included ClearTrust Agent 3.0.1 for IIS 5.0, ClearTrust Agent 3.0.1 for WebLogic 6.1, and ClearTrust 5.0.1 Servers using Active Directory as the datastore. A user who can authenticate through the IIS Agent cannot authenticate through the WebLogic Agent, or vice versa. For example:

When a user authenticates to the IIS server, the following DN is shown in the aserver.log:
        <date/time>,User =CN=user,OU=it,O=dep,C=us,E=user@some.com,WebServer....

When the same user authenticates to the WebLogic server, the following DN is shown in the aserver.log:
        <date/time>,User = CN=user, OU=it, O=dep, C=us, EmailAddress=user@some.com....
Cause: The ClearTrust Agent for WebLogic sends the certificate subject DN to the Auth Server in a different format than the ClearTrust Agent for IIS. There are two differences:

1. The spaces between the DN components (the WebLogic Agent inserts a space after each comma, the IIS Agent does not).

2. The email address tag in the DN ('EmailAddress' from the WebLogic Agent versus 'E' from the IIS Agent).

Because the subject DN is compared as a string against the mapped directory attribute, a user whose DN was stored in one format is not matched when the other Agent presents it in the other format.

If an attribute of type DN were used (as with the default attribute mapping to 'dn'), the problem described above would not occur, since the directory would normalize the value. However, using an attribute of type DN (instead of DirectoryString) may not be feasible, because Active Directory enforces referential integrity: any value entered for such an attribute must be an existing DN, and it may be impractical to maintain a separate tree in Active Directory just for this purpose.
Resolution: This issue has been fixed in hot fix 3.0.2.12 for ClearTrust Agent for WebLogic 6.1. After applying the hot fix, the ClearTrust Agent for WebLogic sends a DN in the same format as the IIS Agent, i.e., with extra spaces removed and the email address tag as 'E' instead of 'EmailAddress'.

Contact RSA Security Customer Support to request RSA ClearTrust Agent hot fix 3.0.2.12 for WebLogic 6.1, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels).
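The following is an added example, not code from RSA or the ClearTrust product, that shows the normalization the Cause and Resolution sections describe: it splits a subject DN on unescaped commas, trims the whitespace the WebLogic Agent inserts, and maps the 'EmailAddress' tag to 'E' so that both Agents' DNs compare equal. The two input DNs are taken from the aserver.log lines quoted above; the alias table and the choice to compare attribute values verbatim (only types are case-folded) are assumptions of this example, not ClearTrust behaviour.

```python
# Canonicalize certificate subject DNs that differ only in RDN spacing and
# in the spelling of the e-mail attribute type. Added example; the alias
# table below is an assumption covering the two forms seen in the article.
TYPE_ALIASES = {
    "EMAILADDRESS": "E",   # WebLogic Agent form  -> IIS Agent form
    "E": "E",
}

def split_rdns(dn):
    """Split a DN string on commas that are not backslash-escaped (RFC 4514 style)."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # keep the escape pair intact so an escaped comma stays inside the value
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts

def normalize_dn(dn):
    """Return the DN with no whitespace around RDNs and canonical attribute types."""
    out = []
    for rdn in split_rdns(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr_type, _, value = rdn.partition("=")
        attr_type = attr_type.strip().upper()
        attr_type = TYPE_ALIASES.get(attr_type, attr_type)
        out.append(f"{attr_type}={value.strip()}")
    return ",".join(out)

def same_subject(dn_a, dn_b):
    """True when two subject DNs denote the same certificate subject after normalization."""
    return normalize_dn(dn_a) == normalize_dn(dn_b)

# DNs copied from the two aserver.log lines in the article (constructed sample values).
IIS_DN = "CN=user,OU=it,O=dep,C=us,E=user@some.com"
WEBLOGIC_DN = "CN=user, OU=it, O=dep, C=us, EmailAddress=user@some.com"

if __name__ == "__main__":
    print(normalize_dn(IIS_DN))
    print(normalize_dn(WEBLOGIC_DN))
    print("match:", same_subject(IIS_DN, WEBLOGIC_DN))
```

Run stand-alone, the script prints the same canonical DN for both inputs and reports a match; the escape handling in split_rdns matters because a CN containing an escaped comma (for example "Doe\, John") must not be split into two RDNs during comparison.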
Workaround: The certificate subject DNs were different from the user objects' DNs in Active Directory, so ldap.conf was updated. The parameter "cleartrust.data.ldap.user.attributemap.certdn" was set to use the attribute 'physicalDeliveryOfficeName' (of type DirectoryString) to hold the certificate subject DN. By default, this parameter is mapped to 'dn'.
Legacy Article ID: a18384
