Client Identification
Client Identification Methods
Rule matching is based on the client identity and the client request.
There are two client identification methods:
X.509 Certificate Authentication
X.509 certificates identify an entity. An entity can be a program, person, or host computer. When an X.509 certificate is authenticated, it authenticates that the entity is who it claims to be.
X.509 certificates are utilized in UACL entries by first mapping a client certificate to a UACL certificate identifier. The certificate identifier then is used in the UACL entries. A certificate identifier provides for:
- Concise representation of certificates in UACL entries. There are a large number of certificate fields that may be used and many of the fields have lengthy, tedious naming formats. A certificate map only needs to be defined once and then the concise certificate identifier can be used in the UACL entries.
- Mapping of one or more certificates to a single certificate identity. A group of entities that share a common security access level may be represented by one certificate identity reducing the number of UACL entries to maintain.
UACL certificate map entries are searched sequentially (that is, top to bottom) matching the client certificate to each entry until a match is found. The certificate map defines a set of X.509 certificate fields that may be used as matching criteria.
Certificate Map Matching Criteria
The following table defines the certificate map matching criteria.
Criteria | Description |
---|---|
SUBJECT | Matches the X.509 subject field. The subject field is formatted as an X.501 Distinguished Name (DN). A DN is a hierarchical list of attributes referred to as Relative Distinguished Names (RDNs).
The RDN attributes must be listed in the same order as they are defined in the certificate to be considered matched.
Whether or not an RDN value is case sensitive depends on the format in which the value is stored. The certificate creator has some control over which format is used. All formats except for printableString are case sensitive. |
Matches the X.509 emailAddress attribute of the subject field and rfc822Name of the subjectAltName extension value. Both fields format the email address as an RFC 822 addr-spec in the form of identifier@domain.
RFC 822 names are not case sensitive. | |
HOSTNAME | Matches the following X.509 fields in the order listed:
Some example HOSTNAME values are:
The values are not case sensitive. |
IPADDRESS | Matches the X.509 iPAddress field of the subjectAltName extension value.
|
SERIALNUMBER | Matches the X.509 serialNumber value.
|
Certificate Identifier Field
If a certificate map rule is found that matches the client certificate, the rule's identifier is assigned to the client's request. The certificate identifier is then used in matching certificate-based UACL entries.
The following table defines the certificate identifier field as used in UACL entries.
Field | Description |
---|---|
CERTID | Matches the certificate identifier defined by the certificate map entry. The CERTID value has the following syntax:
|
Client IP Address Identification
TCP/IP provides a method to obtain a client's IP address. The IP address typically identifies the host computer on which the client is executing. However, there are exceptions to this. Networks can be configured with Network Address Translation (NAT) systems between the client and the Broker that hides the client's IP address. In addition to the client IP address, Universal Agent clients provide a user account name with which they are executing that is used to further refine the client's identity.
UACL entries are searched matching the client's IP address and user account to each entry until a match is found.
Client IP Address - Matching Criteria
The following table defines possible matching criteria for IP address and user account client identification.
Field | Description |
---|---|
HOST | Matches the TCP/IP address of the remote user.
|
REMOTE_USER | Matches the user name with which the remote user is executing as on the remote system.
|