Describes certificate mapping in DCAS and explains how to enable this feature for DCAS.
Note: This is a technology preview feature only. It is being made available to allow you to test and provide feedback on this new capability; however, this feature is not intended for production use and it is not supported as such.
Certificate mapping is the mechanism that enables DCAS to convert the information provided by a user certificate into a user ID that can be used by Enterprise Server for .NET security. A mapping is an association defined between a certificate and a user ID.
Certificate mapping types
In Enterprise Server for .NET, you can enable either or both of these two types of certificate mapping:
- LDAP certificate mapping: To use LDAP certificate mapping, define an object of the LdapEsm module's configured user class with a userCertificate attribute set to a value in binary DER encoding that matches the certificate.
- Default certificate mapper: To enable the default certificate mapper, add the following text to the custom configuration information for the region's security configuration:
  [Map]
  certificate cn=yes
  Note: Be sure to set this in the security configuration, not the security manager configuration.
Certificate mapping process
When DCAS receives a certificate mapping request, it:
- Invokes the Enterprise Server External Security Facility (ESF).
- ESF invokes each configured Security Manager to determine whether or not it uses the LdapEsm module.
- If ESF finds a Security Manager that uses the LdapEsm module, LdapEsm searches its LDAP repository for an object of its configured user class with a userCertificate attribute set to a value in binary DER encoding that matches the certificate. If the LDAP server returns a match, that user's name is returned as the user ID. Processing is complete at that point.
  Notes:
  - Active Directory normally stores a user certificate in binary DER encoding when the certificate is associated with a Windows user.
  - Currently, only the LdapEsm ESM module supplied with Enterprise Server for .NET supports certificate mapping, so other Security Managers ignore mapping requests.
- If ESF does not find a Security Manager to map the certificate, and the ESF default certificate mapper is enabled, the default mapper is invoked. The default mapper extracts the Subject Distinguished Name from the certificate and finds its first (most specific) CN element, if any. The value of that CN is used as the user ID. This is a simple way to map certificates to user IDs when using user certificates that are issued with appropriate Subject CNs. Processing is then complete at that point.
- If ESF does not find a Security Manager to map the certificate, and the ESF default certificate mapper is not enabled, the certificate mapping process fails.
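The mapping order described above, as an added Python example that is not part of Enterprise Server for .NET or DCAS: an LdapEsm-style binary DER match on userCertificate is tried first, then the default mapper's first-CN rule if it is enabled, otherwise the request fails. It assumes the Subject DN is supplied alongside the certificate in RFC 4514 string form (the product extracts it from the certificate itself), and the certificate bytes and directory entries are constructed sample data.

```python
import base64
import re

def pem_to_der(pem):
    """Strip PEM armour; the result is the binary DER that an LDAP userCertificate attribute stores."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def split_unescaped(s, sep):
    """Split s on sep, skipping separators escaped with a backslash; escapes are kept for later unescaping."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts

def first_cn(subject_dn):
    """Default-mapper rule: the value of the first (most specific) CN in an RFC 4514 Subject DN, else None."""
    for rdn in split_unescaped(subject_dn, ","):       # RDNs, most specific first in string form
        for ava in split_unescaped(rdn, "+"):           # '+' joins the values of a multi-valued RDN
            attr, _, value = ava.partition("=")
            if attr.strip().upper() == "CN":
                return re.sub(r"\\(.)", r"\1", value.strip())
    return None

def map_certificate(cert_pem, subject_dn, ldap_users, default_mapper_enabled):
    """Mapping order from the text: LdapEsm DER match first, then the default CN mapper if enabled, else fail (None)."""
    der = pem_to_der(cert_pem)
    for user_id, stored_der in ldap_users.items():
        if stored_der == der:                            # binary DER equality, as the LDAP search requires
            return user_id
    if default_mapper_enabled:
        return first_cn(subject_dn)                      # None if the subject carries no CN
    return None

# Constructed sample data (not a real certificate): DER bytes a directory object might hold in userCertificate.
ALICE_DER = b"\x30\x82constructed-not-a-real-certificate-alice"
ALICE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(ALICE_DER).decode() + "\n-----END CERTIFICATE-----\n"
LDAP_USERS = {"alice": ALICE_DER}                        # objects of LdapEsm's configured user class
```

A subject with no CN, such as one containing only OU and O elements, yields None from the default mapper, which is the failure case the last step describes.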