How to log Client Certificate Common Name
Article ID: 5272
Updated On:
Products
CA API Gateway
Issue/Introduction
Since CA API Gateway 9.0, the logging output of the "Require SSL or TLS Transport with Client Certificate Authentication" assertion has been changed. The Client Certificate Common Name (CN) is not logged anymore.
Previous Version 8.4 <certificate CN> was the actual CN of the Client Certificate. Since Version 9.0 the logged CN is from the client certificates issuer CA.
Environment
Release:
Component: APIGTW
Resolution
Please use an "Add Audit Details" assertion that has the value "Found client certificate for user ${request.ssl.clientCertificate.subject.cn}" which will log the actual CN of the Client Certificate.
In version 10.x,
Extract Attributes From Certificate Assertion can be used for certificate attributes.
In a policy, the Extract Attributes from Certificate assertion must be preceded by the following criteria in case the Source variable is not specified in the assertion:
At least one credential source assertion:
Require SSL or TLS Transport with Client Authentication
Require WS-Secure Conversation
Require WS-Security Signature Credentials
Require SAML Token Profile
(Subject Confirmation: Holder of Key, Require Message Signature)
An identity assertion (for example, Authenticate User or Group)
${ <prefix> .subject.dn} Contains the subject DN in a format that is easier to read.
${ <prefix> .subject.dn.canonical} Contains the subject DN in a format suitable for comparisons (limited subset of entity ID names; strict sorting, whitespace, and case rules).
${ <prefix> .subject.dn.rfc2253} Contains the subject DN in a format that is technically precise, yet maintains readability. This only includes RFC 2253 entity ID names.
${ <prefix> .subject.cn} Contains the "cn" value of the subject (e.g., jsmith)
${ <prefix> .subject.dn.canonical} Contains the subject DN in a format suitable for comparisons (limited subset of entity ID names; strict sorting, whitespace, and case rules).
${ <prefix> .subject.dn.rfc2253} Contains the subject DN in a format that is technically precise, yet maintains readability. This only includes RFC 2253 entity ID names.
${ <prefix> .subject.cn} Contains the "cn" value of the subject (e.g., jsmith)
Some additional certificate attributes are also available through the assertion.
Feedback
Yes
No
Powered by
