How to log Client Certificate Common Name

Article ID: 5272

Products

CA API Gateway

Issue/Introduction

Since CA API Gateway 9.0, the logging output of the "Require SSL or TLS Transport with Client Certificate Authentication" assertion has changed: the client certificate Common Name (CN) is no longer logged.

In version 8.4 and earlier, the <certificate CN> placeholder in the log message was the actual CN of the client certificate. Since version 9.0, the logged CN is that of the client certificate's issuer CA.

Environment

Release:
Component: APIGTW

Resolution

Please use an "Add Audit Details" assertion with the value "Found client certificate for user ${request.ssl.clientCertificate.subject.cn}". This logs the actual CN of the client certificate rather than the issuer's.

In version 10.x, the Extract Attributes from Certificate assertion can be used to obtain certificate attributes.

If the Source variable is not specified in the assertion, the Extract Attributes from Certificate assertion must be preceded in the policy by both of the following:

At least one credential source assertion:
    Require SSL or TLS Transport with Client Authentication
    Require WS-Secure Conversation
    Require WS-Security Signature Credentials
    Require SAML Token Profile (Subject Confirmation: Holder of Key, Require Message Signature)

An identity assertion (for example, Authenticate User or Group)

${<prefix>.subject.dn} Contains the subject DN in a format that is easier to read.
${<prefix>.subject.dn.canonical} Contains the subject DN in a format suitable for comparisons (limited subset of entity ID names; strict sorting, whitespace, and case rules).
${<prefix>.subject.dn.rfc2253} Contains the subject DN in a format that is technically precise, yet maintains readability. This only includes RFC 2253 entity ID names.
${<prefix>.subject.cn} Contains the "cn" value of the subject (e.g., jsmith).

Some additional certificate attributes are also available through the assertion.
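The difference between the readable, canonical and RFC 2253 forms above, and why the resolution logs the subject cn rather than the issuer's, is easiest to see on a concrete DN. The following Python is an added example, not code from this article or from the Gateway: it extracts the subject cn from an RFC 2253 DN string and builds an approximation of the canonical comparison form; the sample DNs are constructed and the canonicalisation is not the Gateway's exact algorithm.

```python
def split_dn(dn):
    """Split a DN string into RDNs, each a list of (type, value) pairs.
    A backslash-escaped ',' or '+' (e.g. 'O=Example\\, Inc.') stays literal."""
    rdns, rdn, buf, key = [], [], [], None
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped char: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and key is None:        # end of the attribute type
            key, buf = "".join(buf), []
        elif c in ",+":                     # end of the attribute value
            rdn.append((key, "".join(buf)))
            buf, key = [], None
            if c == ",":                    # ',' ends the RDN, '+' continues it
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(c)
        i += 1
    rdn.append((key, "".join(buf)))
    rdns.append(rdn)
    return rdns

def subject_cn(dn):
    """First 'cn' value, as ${<prefix>.subject.cn} exposes it; None if absent."""
    for rdn in split_dn(dn):
        for k, v in rdn:
            if (k or "").strip().lower() == "cn":
                return v.strip()
    return None

def canonical(dn):
    """Comparison form approximating ${<prefix>.subject.dn.canonical}: lower-case
    types and values, collapsed whitespace, sorted multi-valued RDNs, re-escaped."""
    out = []
    for rdn in split_dn(dn):
        attrs = []
        for k, v in rdn:
            val = " ".join(v.split()).lower()
            val = val.replace("\\", "\\\\").replace(",", "\\,").replace("+", "\\+")
            attrs.append(f"{(k or '').strip().lower()}={val}")
        out.append("+".join(sorted(attrs)))
    return ",".join(out)

# Constructed sample DNs (not taken from a real certificate).
SUBJECT_RFC2253 = "CN=jsmith,OU=API Clients,O=Example\\, Inc.,C=US"
SUBJECT_READABLE = "cn = JSmith, ou = API   Clients, o = Example\\, Inc., c = us"
ISSUER_RFC2253 = "CN=Example Issuing CA,O=Example\\, Inc.,C=US"
```

Comparing the two subject strings directly fails even though they name the same subject, while their canonical forms match; the issuer DN yields a different cn, which is what a 9.0+ log line shows without the Add Audit Details workaround.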