You can use the ClientCertLoginModule configuration options to determine the user ID from rules for the certificate V3 extension SubjectAlternativeName. You can configure the AS Java to authenticate users based on either the extension's rfc822Name attribute fields or its OtherName attribute fields.
For more information about X.509 certificate extensions and the structure of X.509 certificates, see Internet standard RFC 3280.
The ClientCertLoginModule uses the value of the Rule<n>.OID option to find the extension that contains the AttributeName identifying the user ID. You provide this value as the Abstract Syntax Notation Object Identifier (ASN.1 OID) of the extension. Entering the ASN.1 OID 2.5.29.17 enables you to retrieve the user ID from an attribute field in the certificate V3 extension SubjectAlternativeName.
When Rule<n>.AttributeName is rfc822Name, the ClientCertLoginModule uses as the user ID the first attribute field of type rfc822Name within the certificate V3 extension SubjectAlternativeName.
When Rule<n>.AttributeName is an ASN.1 OID, the ClientCertLoginModule searches the OtherName attribute fields in the certificate V3 extension SubjectAlternativeName for an attribute with that ASN.1 OID. If an OtherName attribute whose OID matches the one you entered is found, the ClientCertLoginModule uses its value as the user ID.
This is a mandatory configuration step. If you do not provide a value for the rule option Rule<n>.AttributeName, the certificates used for authentication are rejected.
For example, you can choose values for the configuration options of ClientCertLoginModule as shown in the table below:
Name | Value |
---|---|
Rule1.getUserFrom | expertMode |
Rule1.OID | 2.5.29.17 |
Rule1.AttributeName | OID=1.3.6.1.4.1.311.20.2.3 |
For this configuration, the ClientCertLoginModule determines the user ID from an OtherName attribute in the certificate V3 extension SubjectAlternativeName. The OID of this attribute is 1.3.6.1.4.1.311.20.2.3.
Users who authenticate to the AS Java with client certificates can log on with user IDs that correspond to the rule for the certificate V3 extension that you configured.
Assumptions
The examples below assume that a user provides an X.509 certificate with the following fields:
- CN=myuser, OU=people, OU=CA, O=mycompany, C=DE
- CN=DE User CA 1, OU=DE 010, OU=CA, O=mycompany, C=DE
Determine user ID from the first attribute field of type rfc822Name within the certificate V3 extension SubjectAlternativeName
Option | Value |
---|---|
Rule1.getUserFrom | expertMode |
Rule1.OID | 2.5.29.17 |
Rule1.AttributeName | rfc822Name |
Result: the authenticated user ID is myuser@mycompany.com.
Determine user ID from a field of type OtherName with ASN.1 OID=1.3.6.1.4.1.311.20.2.3 in the certificate V3 extension SubjectAlternativeName
Option | Value |
---|---|
Rule1.getUserFrom | expertMode |
Rule1.OID | 2.5.29.17 |
Rule1.AttributeName | oid=1.3.6.1.4.1.311.20.2.3 |
Result: the authenticated user ID is t006472@mycompany.com.
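To make the two rules concrete, here is an added example (not SAP code and not the ClientCertLoginModule's own implementation) that walks the DER-encoded GeneralNames value of a SubjectAlternativeName extension (OID 2.5.29.17) in pure Python and applies a Rule<n>.AttributeName of either rfc822Name or OID=<ASN.1 OID>, covering both the rfc822Name and the OtherName scenarios above. The sample SAN is constructed inline and carries exactly the two values the examples expect; 1.3.6.1.4.1.311.20.2.3 is the Microsoft User Principal Name OtherName OID. The case-insensitive treatment of the OID= prefix (the page shows both OID= and oid=) and the None return for a rejected certificate are assumptions of this example.

```python
"""Minimal DER walker for SubjectAlternativeName (OID 2.5.29.17) GeneralNames.

Added example only: it models how a rule such as Rule1.AttributeName=rfc822Name
or Rule1.AttributeName=OID=1.3.6.1.4.1.311.20.2.3 selects a user ID from the
SubjectAlternativeName extension. It is not the ClientCertLoginModule's code.
"""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft User Principal Name OtherName


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as DER OBJECT IDENTIFIER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def _decode_oid(content: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag-length-value triple (definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_general_names(der: bytes):
    """Return [(kind, value)] for GeneralNames ::= SEQUENCE OF GeneralName."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag == 0x81:  # [1] rfc822Name, IA5String
            names.append(("rfc822Name", content.decode("ascii")))
        elif tag == 0x82:  # [2] dNSName, IA5String
            names.append(("dNSName", content.decode("ascii")))
        elif tag == 0xA0:  # [0] otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            _, oid_bytes, p = _read_tlv(content, 0)
            _, wrapper, _ = _read_tlv(content, p)  # the [0] EXPLICIT wrapper
            inner_tag, inner, _ = _read_tlv(wrapper, 0)
            # UTF8String / IA5String / PrintableString become text; anything else stays raw
            value = inner.decode("utf-8") if inner_tag in (0x0C, 0x16, 0x13) else inner
            names.append(("otherName", (_decode_oid(oid_bytes), value)))
        else:  # other GeneralName choices are not relevant to these rules
            names.append(("other", content))
    return names


def user_id_from_san(san_der: bytes, attribute_name):
    """Apply a Rule<n>.AttributeName value to the SAN; None means the certificate is rejected."""
    if not attribute_name:  # missing AttributeName: authentication is rejected
        return None
    names = parse_general_names(san_der)
    if attribute_name.lower() == "rfc822name":  # first rfc822Name field wins
        return next((v for k, v in names if k == "rfc822Name"), None)
    if attribute_name.lower().startswith("oid="):  # OtherName whose type-id matches
        wanted = attribute_name[4:].strip()
        return next((v[1] for k, v in names if k == "otherName" and v[0] == wanted), None)
    raise ValueError("unsupported AttributeName: %r" % attribute_name)


# Constructed sample SAN: rfc822Name=myuser@mycompany.com plus a UPN OtherName
SAMPLE_SAN = _tlv(0x30,
    _tlv(0x81, b"myuser@mycompany.com")
    + _tlv(0xA0, _tlv(0x06, _encode_oid(UPN_OID))
                 + _tlv(0xA0, _tlv(0x0C, b"t006472@mycompany.com"))))

if __name__ == "__main__":
    print(user_id_from_san(SAMPLE_SAN, "rfc822Name"))
    print(user_id_from_san(SAMPLE_SAN, "OID=" + UPN_OID))
```

Running the block prints the user IDs from the two result lines above (myuser@mycompany.com, then t006472@mycompany.com). A rule whose OID matches no OtherName, or a rule with no AttributeName at all, yields None, which is where a login module would reject the certificate rather than fall back to another field.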