The X.509 Attributes table lists a number of attribute
checks to be run against the client certificate. Each entry tests a number
of certificate attributes in such a way that the check only passes if all of
the configured attribute values match those in the client certificate. In effect,
the attributes listed in a single attribute check are AND-ed together.
For example, imagine the following is configured as an entry in the
X.509 Attributes table:
If the Enterprise Gateway receives a certificate with the following DName, this
attribute check passes because all the configured
attributes match those in the certificate DName:
CN=User1, OU=Eng, O=Company Ltd, L=D4, S=Dublin, C=IE
CN=User2, OU=Eng, O=Company Ltd, L=D2, S=Dublin, C=IE
However, if the Enterprise Gateway receives a certificate with the following DName,
the attribute check fails because the attributes in the DName do not match
all the configured attributes (the OU
attribute has the wrong value):
CN=User1, OU=qa, O=Company Ltd, L=D4, S=Dublin, C=IE
The X.509 Attributes table can contain several attribute
check entries. In such cases, the attribute checks (the entries in the table)
are OR-ed together, so that if any of the checks succeed, the overall
Certificate Attributes filter succeeds.
So to summarize:
- An attribute check only succeeds if all the configured attribute values match those in the DName of the client certificate.
- The filter succeeds if any of the attribute checks listed in the X.509 Attributes table succeed.
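The AND/OR evaluation summarized above, as an added Python sketch (not the Enterprise Gateway's own code). The table entries, the case-sensitive value comparison, and the function names are assumptions; the DNames in the demo are the ones shown on this page.

```python
# Constructed table entries (assumptions; the page's own example entry is not shown).
TABLE = ["OU=Eng, O=Company Ltd", "OU=dev,O=Company"]


def parse_pairs(text):
    """Parse 'OU=Eng, O=Company Ltd' into {NAME: {values}}; '\\,' is a literal comma."""
    attrs, parts, cur, i = {}, [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if text[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    for part in parts:
        name, sep, value = part.partition("=")
        # An empty entry is rejected: all() over no attributes would match every certificate.
        if not sep or not name.strip() or not value.strip():
            raise ValueError(f"malformed name-value pair: {part!r}")
        attrs.setdefault(name.strip().upper(), set()).add(value.strip())
    return attrs


def check_passes(check, dname):
    """AND: every configured value must be present in the certificate DName."""
    wanted, actual = parse_pairs(check), parse_pairs(dname)
    return all(values <= actual.get(name, set()) for name, values in wanted.items())


def filter_passes(table, dname):
    """OR: the filter succeeds if any entry passes; an empty table fails closed."""
    return any(check_passes(check, dname) for check in table)


if __name__ == "__main__":
    for dn in ("CN=User1, OU=Eng, O=Company Ltd, L=D4, S=Dublin, C=IE",
               "CN=User2, OU=Eng, O=Company Ltd, L=D2, S=Dublin, C=IE",
               "CN=User1, OU=qa, O=Company Ltd, L=D4, S=Dublin, C=IE"):
        print(dn, "->", "pass" if filter_passes(TABLE, dn) else "fail")
```

Because the second constructed entry requires `O=Company` exactly, it does not match `O=Company Ltd`; a short check such as `OU=Eng` alone would admit any certificate carrying that OU, so each entry should name every attribute that must be constrained.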
To configure a Certificate Filter, complete the following
fields:
Name:
Enter a suitable name for the filter here.
X.509 Attributes:
To add a new X.509 attribute check, click the Add
button. In the Add X.509 Attributes dialog, enter a
comma-separated list of name-value pairs representing the X.509
attributes and their values (for example, OU=dev,O=Company).
The new attribute check is displayed in the X.509 Attributes
table. You can edit and delete existing entries by clicking the Edit
and Remove buttons.