Extended Properties

Label | Mandatory | Description
Key   |           | Available options are: Certificate attribute mapping; User attribute; Allow user not listed in any User Storage; User name may not change during session; Force create user; Create user on failed logon; OCSP AIA; OCSP Responder URL; OCSP Certificate Name; Enable certificate logging; Certificate log folder; Certificate log rotation max files; Certificate log rotation max size (in kB); Certificate logging on successful authentication only
Value |           |

Certificate attribute mapping

Specify the certificate attribute to map to the user attribute in the user storage.

Example:

cn in the user certificate's Subject DN

Note that you need to enter both a certificate attribute and a user attribute for a successful mapping.

This is a global Policy Service setting that does not affect the authentication method behavior. To simplify administration, however, it is managed on each applicable authentication method.


User attribute

Specify the user storage attribute that the certificate attribute is mapped to.

Example:

samAccountName for MS Active Directory

uid for Open LDAP

This is a global Policy Service setting that does not affect the authentication method behavior. To simplify administration, however, it is managed on each applicable authentication method.


Allow user not listed in any User Storage

Select true or false.

When set to true, users can be authenticated without a Digital Access user account. All access rules of the type "user group membership" are ignored.

Before authentication, the Policy Service searches the directory service for the user ID using the specified search rules. Regardless of whether the user ID is found in the directory service, the user is allowed to authenticate.

This is a global Policy Service setting that does not affect the authentication method behavior. To simplify administration, however, it is managed on each applicable authentication method.

Set to false by default.


OCSP AIA

If this extended property is enabled, an OCSP request is performed to verify the revocation status of the client certificate. The OCSP responder URL is retrieved from the Authority Information Access (AIA) extension in the client certificate.

Set to false by default.


OCSP Responder URL

Specifies the OCSP Responder URL. Set this extended property when client certificates do not carry the AIA extension. If this extended property is specified, an OCSP request is performed against this URL to verify the revocation status of the client certificate. This setting overrides the "OCSP AIA" extended property.

For example: http://ocsp.example.net:80


OCSP Certificate Name

This extended property specifies the OCSP certificate to use when performing OCSP requests. If the OCSP server requires a certificate other than the CA certificate associated with this method, set the value to the display name of the CA certificate to use.


Enable certificate logging

If this extended property is enabled, the system logs to a dedicated certificate log file. The method name is used as the file name. Each log entry consists of the following elements, separated by spaces:

Date (yyyy-mm-dd)

Time (hh:mm:ss)

Level (INFO|WARNING)

Certificate method name

Issuer-DN

Subject-DN

Not before date (yyyy-mm-dd)

Not after date (yyyy-mm-dd)

Set to false by default.


Certificate log folder

This extended property specifies the folder in which the certificate log file is placed.

Set to logs by default.


Certificate log rotation max files

This extended property specifies the maximum number of rotated certificate log files.

Set to 3 by default.


Certificate log rotation max size (in kB)

This extended property specifies the maximum size, in kB, of each certificate log file.

Set to 1000 by default.


Certificate logging on successful authentication only

If this extended property is disabled, the system also logs when certificate authentication fails.

Set to true by default.
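As an added example covering the five certificate logging properties above (illustrative code, not Digital Access's implementation), the following writes entries in the documented field order to a rotating log file whose name, folder, file count and size follow the property defaults, and suppresses failed-authentication entries when "Certificate logging on successful authentication only" is true. The mapping of INFO to success and WARNING to failure is an assumption, as are the constructed DNs and timestamps.

```python
"""Certificate log writer driven by the logging extended properties.
Added example, not product code; sample values are constructed."""
import logging
import logging.handlers
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample values used by run_demo() and the usage check.
SAMPLE_NOW = datetime(2024, 1, 31, 8, 5, 9, tzinfo=timezone.utc)
SAMPLE_NOT_BEFORE = datetime(2023, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2025, 1, 1, tzinfo=timezone.utc)


def make_certificate_logger(method_name, log_folder="logs", max_files=3, max_size_kb=1000):
    """Rotating file logger named after the method; defaults mirror
    'Certificate log folder', 'rotation max files' and 'rotation max size (in kB)'."""
    os.makedirs(log_folder, exist_ok=True)
    logger = logging.getLogger(f"certlog.{method_name}")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    for old in list(logger.handlers):  # reconfigure cleanly if called again
        logger.removeHandler(old)
        old.close()
    handler = logging.handlers.RotatingFileHandler(
        os.path.join(log_folder, f"{method_name}.log"),
        maxBytes=max_size_kb * 1024, backupCount=max_files)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    return logger


def format_certificate_entry(method_name, issuer_dn, subject_dn, not_before, not_after,
                             success, now=None):
    """Render one space-separated entry in the documented order:
    date, time, level, method name, issuer DN, subject DN, not-before, not-after.
    Assumption: INFO marks a successful authentication, WARNING a failed one."""
    now = now or datetime.now(timezone.utc)
    fields = [
        now.strftime("%Y-%m-%d"),
        now.strftime("%H:%M:%S"),
        "INFO" if success else "WARNING",
        method_name,
        issuer_dn,
        subject_dn,
        not_before.strftime("%Y-%m-%d"),
        not_after.strftime("%Y-%m-%d"),
    ]
    return " ".join(fields)


def log_certificate(logger, method_name, issuer_dn, subject_dn, not_before, not_after,
                    success, success_only=True, now=None):
    """Write an entry, honouring 'Certificate logging on successful authentication only'.
    Returns the line written, or None when the entry is suppressed."""
    if success_only and not success:
        return None
    line = format_certificate_entry(method_name, issuer_dn, subject_dn,
                                    not_before, not_after, success, now)
    (logger.info if success else logger.warning)(line)
    return line


def run_demo(log_folder=None, success_only=True):
    """Log one successful and one failed authentication for a constructed
    'smartcard' method; return the values returned by log_certificate and
    the lines actually present in the log file."""
    log_folder = log_folder or tempfile.mkdtemp(prefix="certlog-")
    logger = make_certificate_logger("smartcard", log_folder)
    common = dict(method_name="smartcard", issuer_dn="CN=Example CA,O=Example",
                  subject_dn="CN=Alice,O=Example", not_before=SAMPLE_NOT_BEFORE,
                  not_after=SAMPLE_NOT_AFTER, success_only=success_only, now=SAMPLE_NOW)
    results = [log_certificate(logger, success=True, **common),
               log_certificate(logger, success=False, **common)]
    for handler in logger.handlers:
        handler.flush()
    with open(os.path.join(log_folder, "smartcard.log"), encoding="utf-8") as f:
        return results, f.read().splitlines()


if __name__ == "__main__":
    for line in run_demo(success_only=False)[1]:
        print(line)
```

One caveat for anyone consuming these files: the DN fields usually contain spaces themselves, so a space-separated entry cannot be split back into fields by a plain `split()`; the first four and last two tokens are fixed, but the boundary between Issuer-DN and Subject-DN is not recoverable without knowing one of them.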