|Applies To||RSA ClearTrust Agent 3.0.1 for BEA WebLogic 6.1|
RSA ClearTrust Agent 3.0.1 for Microsoft IIS 5.0
RSA ClearTrust 5.0.1 Authorization Server (AServer)
|Issue||RSA ClearTrust Agent 3.0.1 for Microsoft Internet Information Services (IIS) 5.0 and RSA ClearTrust Agent 3.0.1 for BEA WebLogic 6.1 send the certificate subject DN in different formats|
A ClearTrust environment was configured to use certificate-based authentication. The environment included ClearTrust Agent 3.0.1 for IIS 5.0, ClearTrust Agent 3.0.1 for WebLogic 6.1, and ClearTrust 5.0.1 Servers using Active Directory as the datastore. A user who can authenticate through the IIS Agent cannot authenticate through the WebLogic Agent, and vice versa. For example:
When a user authenticates to the IIS server, the following DN is shown in the aserver.log (no spaces after the separating commas, e-mail attribute tagged 'E'):
<date/time>,User = CN=user,OU=it,O=dep,C=us,E=firstname.lastname@example.org....
When the same user authenticates to the WebLogic server, the following DN is shown in the aserver.log (a space after each comma, e-mail attribute tagged 'EmailAddress'):
<date/time>,User = CN=user, OU=it, O=dep, C=us, EmailAddress=firstname.lastname@example.org....
|Cause||The ClearTrust Agent for WebLogic sends the certificate subject DN to the Authorization Server in a different format than the ClearTrust Agent for IIS. There are two differences:|
1. The whitespace between the DN components (the WebLogic Agent inserts a space after each separating comma; the IIS Agent does not)
2. The attribute type used for the e-mail address component ('EmailAddress' from the WebLogic Agent, 'E' from the IIS Agent)
Both strings denote the same subject, but the certdn lookup in this environment is performed against an attribute of type DirectoryString, which is compared as a literal string, so the two formats match different (or no) values. If an attribute of type DN were used instead (as with the default mapping to 'dn'), the directory would compare the values with DN matching rules rather than byte for byte, and the problem described above would not occur. However, using an attribute of type DN (instead of DirectoryString) may not be feasible, since Active Directory enforces referential integrity on DN-syntax attributes: any value entered for such an attribute must be the DN of an existing object, and it may be impractical to maintain a separate tree in Active Directory just for this purpose.
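The following is an added illustration, not RSA ClearTrust code: it takes the two DN strings shown above (constructed sample data, with the e-mail address as given in the log excerpt) and shows that a literal string comparison, which is what a lookup on a DirectoryString attribute amounts to, fails, while a comparison after normalising separator whitespace and the 'EmailAddress'/'E' attribute type succeeds. The normaliser splits the DN on unescaped commas so that a comma escaped with a backslash inside a value (RFC 2253 escaping) is not treated as a separator; that escape handling, and the `ATTR_ALIASES` table, are assumptions of this example and are not a description of the hot fix's own normalisation rules.

```python
"""Added example: literal versus normalised comparison of certificate
subject DNs in the two formats sent by the IIS and WebLogic agents."""

# Constructed sample input, taken from the two aserver.log excerpts above.
IIS_DN = "CN=user,OU=it,O=dep,C=us,E=firstname.lastname@example.org"
WEBLOGIC_DN = "CN=user, OU=it, O=dep, C=us, EmailAddress=firstname.lastname@example.org"

# Attribute-type aliases folded to one canonical spelling (assumed table;
# only the alias relevant to this article is listed). Types are compared
# case-insensitively, as LDAP attribute types are.
ATTR_ALIASES = {
    "EMAILADDRESS": "E",
    "E": "E",
}


def split_rdns(dn: str) -> list:
    """Split a string DN on commas that are not escaped with a backslash.

    A naive dn.split(",") or dn.replace(" ", "") would corrupt values such
    as 'O=dep\\, inc', which contain an escaped separator and a real space.
    """
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return rdns


def normalize_dn(dn: str) -> str:
    """Return the DN with separator whitespace removed and canonical
    attribute types, i.e. the format the IIS Agent sends."""
    out = []
    for rdn in split_rdns(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr = attr.strip().upper()
        attr = ATTR_ALIASES.get(attr, attr)
        # Only whitespace around the separator is stripped; whitespace
        # inside the value is significant and is kept.
        out.append(f"{attr}={value.strip()}")
    return ",".join(out)


def literal_match(a: str, b: str) -> bool:
    """What an exact-match lookup on a DirectoryString attribute does."""
    return a == b


def normalized_match(a: str, b: str) -> bool:
    """DN-aware comparison: both agents' formats compare equal."""
    return normalize_dn(a) == normalize_dn(b)


if __name__ == "__main__":
    print("literal   :", literal_match(IIS_DN, WEBLOGIC_DN))
    print("normalised:", normalized_match(IIS_DN, WEBLOGIC_DN))
    print("canonical :", normalize_dn(WEBLOGIC_DN))
```

The normaliser deliberately does not strip whitespace inside attribute values: a canonical form that is too loose would let two distinct certificate subjects collapse into the same stored string, which is the opposite failure mode from the one in this article. Whichever canonical form is chosen, the value stored in the DirectoryString attribute and the string every agent sends must be produced by the same rules.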
|Resolution||This issue has been fixed in hot fix 184.108.40.206 for ClearTrust Agent for WebLogic 6.1. After applying the hot fix, the ClearTrust Agent for WebLogic sends a DN in the same format as the IIS Agent, i.e., with extra spaces removed and the email address tag as 'E' instead of 'EmailAddress'.|
Contact RSA Security Customer Support to request RSA ClearTrust Agent hot fix 220.127.116.11 for WebLogic 6.1, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels).
|Workaround||In this environment the certificate subject DNs did not correspond to the DNs of the user objects in Active Directory, so the default mapping could not be used and ldap.conf was updated: the parameter "cleartrust.data.ldap.user.attributemap.certdn", which is mapped to 'dn' by default, was set to the attribute 'physicalDeliveryOfficeName' (of type DirectoryString), and the certificate subject DN is looked up in that attribute. Because a DirectoryString attribute is compared as a literal string, the stored value must match the DN exactly as the agent sends it; until the hot fix is applied, a stored value can therefore match the format of only one of the two agents.|
|Legacy Article ID||a18384|