Questions about Certificate Authentication Scheme in Policy Server

Article ID: 212826

Products

SITEMINDER

Issue/Introduction

When running a Policy Server with a Certificate Authentication Scheme enabled, one might like to know:

  • Why can't the Policy Server authenticate with a certificate whose Subject carries an Email address alongside the CN value?
  • Which parameters of the certificate are checked?
  • Are there any limitations on the key and signature algorithms it supports, or any other limitations?

Resolution

Here are the answers:

  • The Policy Server should be able to authenticate with a certificate whose Subject contains an Email address along with the CN value. If it does not, the full logs, traces, and configuration from the environment will be needed to understand why authentication failed.
  • Mainly the Subject of the certificate is used: the Issuer DN selects the certificate mapping, and the Subject Name is then matched against the user directory (1).
  • The key and signature algorithms the certificates may use are limited (2).

Additional Information

(1)

    How SiteMinder Uses Certificate Data to Identify Users

       The Policy Server then performs certificate mapping. The goal of
       certificate mapping is to locate a user by the Subject Name in the
       user certificate.

       First, the Policy Server looks up the appropriate certificate
       mapping in the policy store. The Policy Server uses the
       certificate Issuer DN to locate the mapping. The Issuer DN is part
       of the certificate mapping configuration. After the Policy Server
       finds the mapping, it takes the Subject Name from the certificate
       and applies the mapping to find the user entry in the user
       directory.
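    The two steps described above (locate the mapping by Issuer DN, then apply it to the Subject Name to find the user entry) as an added example. This is not SiteMinder code: the mapping-table layout, the attribute names, the base DNs, and the sample Issuer/Subject DNs are all constructed for illustration. It also covers the first question above, a Subject that carries an emailAddress alongside the CN: in this model the mapping names one Subject attribute, so any other Subject attributes are left alone unless a mapping asks for them. Subject values end up inside an LDAP search filter, so they are escaped per RFC 4515 before use.

```python
"""Certificate mapping, step by step (constructed example, not SiteMinder code):
1. normalise the certificate Issuer DN and look up the mapping keyed by it;
2. take the configured attribute out of the certificate Subject DN;
3. build an escaped LDAP filter against the user directory."""

# Alternate spellings of the PKCS#9 emailAddress attribute type seen in Subject DNs.
ATTR_ALIASES = {"e": "emailaddress", "email": "emailaddress"}


def parse_dn(dn):
    """Parse an RFC 4514 string DN into (type, value) pairs, first RDN first.
    Handles backslash-escaped characters; multi-valued RDNs ('+') are not split."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # "\," or "\=" inside a value
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        t, v = rdn.split("=", 1)
        t = t.strip().lower()
        pairs.append((ATTR_ALIASES.get(t, t), v.strip()))
    return pairs


def normalize_dn(dn):
    """Lower-case attribute types and case-fold values so Issuer DNs from
    different encoders compare equal (a simplification of X.500 matching)."""
    return ",".join("%s=%s" % (t, " ".join(v.split()).casefold()) for t, v in parse_dn(dn))


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 127:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


# Hypothetical certificate-mapping store, keyed by normalised Issuer DN.
# Each entry names the Subject attribute that identifies the user and the
# directory attribute (and search base) it is matched against.
CERT_MAPPINGS = {
    normalize_dn("CN=Example Corp Issuing CA,O=Example Corp,C=US"): {
        "subject_attr": "cn", "directory_attr": "uid",
        "base_dn": "ou=People,dc=example,dc=com"},
    normalize_dn("CN=Partner CA,O=Partner Ltd,C=GB"): {
        "subject_attr": "emailaddress", "directory_attr": "mail",
        "base_dn": "ou=Partners,dc=example,dc=com"},
}


def map_certificate(issuer_dn, subject_dn, mappings=CERT_MAPPINGS):
    """Return (base_dn, ldap_filter) for the user lookup, or raise LookupError
    when no mapping exists for the issuer or the Subject lacks a single usable value."""
    mapping = mappings.get(normalize_dn(issuer_dn))
    if mapping is None:
        raise LookupError("no certificate mapping for issuer %r" % issuer_dn)
    values = [v for t, v in parse_dn(subject_dn) if t == mapping["subject_attr"]]
    if len(values) != 1:
        raise LookupError("expected exactly one %s in Subject, found %d"
                          % (mapping["subject_attr"], len(values)))
    ldap_filter = "(%s=%s)" % (mapping["directory_attr"], ldap_filter_escape(values[0]))
    return mapping["base_dn"], ldap_filter


# Constructed sample certificates (Issuer/Subject only; no real certificates involved).
SAMPLE_CERTS = [
    # Subject with an emailAddress next to the CN: the CN->uid mapping ignores the email.
    {"issuer": "CN=Example Corp Issuing CA,O=Example Corp,C=US",
     "subject": "emailAddress=jdoe@example.com,CN=jdoe,OU=Staff,O=Example Corp,C=US"},
    # Same attribute written as "E=": the alias table maps it to emailaddress.
    {"issuer": "CN=Partner CA,O=Partner Ltd,C=GB",
     "subject": "E=alice@partner.example,CN=Alice (Contractor),O=Partner Ltd,C=GB"},
]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        base_dn, ldap_filter = map_certificate(cert["issuer"], cert["subject"])
        print("search base %s with filter %s" % (base_dn, ldap_filter))
```

    Two caveats that matter when debugging a failing mapping: the Issuer DN lookup is only as good as its normalisation, so a mapping created from one rendering of the DN (for example with different spacing or case) can silently fail to match the issuer in the presented certificate, and a Subject with zero or several occurrences of the mapped attribute gives no single user to search for, which the example treats as an error rather than guessing.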

    

(2)

    Digital Signing and Private Key Algorithms

      SiteMinder uses the following algorithms for Private Key
      generation (Certificate/Keys):

      Key Algorithm:    RSA
      Sign Algorithms:  MD5withRSA, SHA1withRSA, SHA256withRSA, SHA512withRSA
                        (from Release 12.8.05 also RSASSA-PSS)