How to configure X509 certificate mapping for an ODBC user store (e.g. MSSQL, Oracle Database, etc.)?
Policy Server: ANY
User Store: ODBC - ANY
Instructions:
Step 1. Note the Issuer DN from the user certificate.
Step 2. Create certificate mapping.
Specify the exact Issuer DN from the user certificate.
Specify Directory Type as ODBC.
Select Single Attribute mapping and choose the Attribute Name that needs to be mapped from the certificate.
For example, choose CN (Common Name) for the mapping from the certificate.
Step 3. Adjust the SQL Schema for the ODBC directory as required. The default SQL schema uses the "Name" parameter for user Init, as highlighted in the query below.
For example, the default InitUser query is: SELECT NAME FROM <DataSource> Where Name = '%s%'
Here, the placeholder %s% is replaced by the mapped attribute extracted from the Subject DN of the user's certificate.
For example, for the user certificate below, because the "CN" attribute is mapped in the "Cert Mapping", the CN value "Guest" is extracted and substituted for the %s% placeholder in the InitUser SQL query, as below:
SELECT NAME FROM <DataSource> Where Name = 'Guest'
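An added example (not part of the original article and not the product's own code) that previews Step 3 for a given certificate: it checks the Issuer DN against the mapping, extracts the mapped attribute from the Subject DN and fills the %s% placeholder. The function names, the strict string comparison of the Issuer DN and the refusal of values containing a quote are assumptions of this example; the DNs are constructed from the sample log with the e-mail component omitted.

```python
import re

PLACEHOLDER = "%s%"  # placeholder used in the InitUser query on this page

def parse_dn(dn):
    """Split 'C=AU,O=CA,CN=Guest' into (TYPE, value) pairs; a backslash escapes a comma."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed DN component: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs

def preview_init_user(issuer_dn, subject_dn, mapped_issuer_dn, attr, query):
    """Return the InitUser SQL that results from a single-attribute mapping."""
    # Step 2 asks for the exact Issuer DN, so compare strictly (assumption:
    # any difference in case, spacing or order is reported as a mismatch).
    if issuer_dn != mapped_issuer_dn:
        raise ValueError("Issuer DN does not match the mapping exactly")
    values = [v for t, v in parse_dn(subject_dn) if t == attr.upper()]
    if len(values) != 1:
        raise ValueError(f"expected one {attr} in Subject DN, found {len(values)}")
    value = values[0]
    # A quote would end the SQL string literal early; refuse instead of guessing.
    if not value or "'" in value:
        raise ValueError(f"{attr} value {value!r} is not safe to preview")
    if query.count(PLACEHOLDER) != 1:
        raise ValueError("query must contain exactly one %s% placeholder")
    return query.replace(PLACEHOLDER, value)

# Constructed inputs, modelled on the sample log (e-mail component omitted).
ISSUER = "C=AU,ST=NSW,L=Sydney,O=CA,OU=Support,CN=RootCA"
SUBJECT = "C=AU,ST=NSW,L=Melbourne,O=CA,OU=Dev,CN=Guest"
QUERY = "SELECT Name FROM SmUser WHERE Name = '%s%'"

if __name__ == "__main__":
    print(preview_init_user(ISSUER, SUBJECT, ISSUER, "CN", QUERY))
```

Comparing the returned statement with the SQL line in the Policy Server trace shows whether the mapping and the InitUser query agree on the lookup column.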
Sample Log
===========
[Certificate's Issuer DN found in mapping rules][][][][][][][][][][][C=AU,ST=NSW,L=Sydney,O=CA,OU=Support,CN=RootCA,[email protected]]
..
[map subjectDN (C=AU,ST=NSW,L=Melbourne,O=CA,OU=Dev,CN=Guest,[email protected]) using string: '(%{CN})']
..
..
[Name is (CN.CN) Value is (Guest)]
..
[SmAuthenticate][][][][Guest][][][][][][][][][Sm_AuthApi_Success][][][][][][][][Will be authenticating user.]
..
[CDb.cpp:204][CSmRecordset::DoSelect][][][][][][][][][][][][][][][][][][][][][Start processing SQL statement.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][SELECT Name FROM SmUser WHERE Name = 'Guest'][][][][][][][][]