I'm working on SSL Client Verification as shown here: https://docs.bmc.com/docs/display/DISCO113/Configuring+Web+authentication+settings#ConfiguringWebauthenticationsettings-SSL
I'm not sure how to format the Extract Key so that it matches the value that is being used in our LDAPS query (userPrincipalName). The default value for Extract Key, emailAddress, was tried and doesn't work. The username in userPrincipalName is in the format of 'a number @ a domain'. So for example firstname.lastname@example.org. LDAPS is working and is able to find the user, and the user is already mapped to Discovery groups. HTTPS is also working and enabled.
From the documentation I see you can use subjectAltName and a sub value in this kind of format:
subjectAltName—The entire extension name
subjectAltName.emailAddress—Email address (as defined in RFC 822; for example, email@example.com "Taylor, Timothy")
The value on the User's card that matches userPrincipalName is found under 'subjectAltName' -> 'otherName' and has an OID associated with a label called 'Principal Name'. No combination of these values I've tried has allowed us to login and there are just no examples in the documentation other than "emailAddress".
This is what we see when we investigate the user's certificate:
The standard OID for subjectAlternativeName is 2.5.29.17 and the value we want is under this OID. (some documentation on it here and other places https://www.alvestrand.no/objectid/2.5.29.17.html)
Extracting my user authentication certificate and viewing it using the command:
certutil -dump -v mycert.cer
Gives this relevant section:
2.5.29.17: Flags = 0, Length = 30
Subject Alternative Name
Principal Name = firstname.lastname@example.org
AltName: 1 entries:
AltName CERT_ALT_NAME_OTHER_NAME: 1.3.6.1.4.1.xxx.xx.x.x Principal Name:
CERT_RDN_UTF8_STRING, Length = 22 (22 Characters)
After this there is like a hex-code fingerprint that describes the data. The value shown here: email@example.com is the one we want, and this matches what LDAPS is finding with userPrincipalName. As long as we can get there, like the documentation seems to indicate, this value should work. The question is how do I format the Extract Key to get this value? I've tried a variety of combinations of the subjectAltName, otherName, the OID, and used dots and colons and nothing works.
What happens is the user is prompted to select a certificate and enter a PIN when accessing Discovery, but after selecting the user's certificate and entering the correct PIN, Discovery just goes to a "Page cannot be displayed" page.
Have run this with debug on and don't see much that's helpful (like what value, if any, has been tried or matched and what's being presented or the error message), but I see the certificate authority it's trying to validate against and it's valid but we end up with:
ui.web.sso.webauth.sslclientcert: DEBUG: SSL_CLIENT_VERIFY found: NONE
ui.web.sso.webauth.sslclientcert: DEBUG: SSL_CLIENT_VERIFY is not SUCCESS
We've also worked through How to troubleshoot SSL client certificate issues? and KnowledgeArticle - BMC
Given all this, I'm still not sure how to properly configure the Extract Key when it's not "emailAddress".