[ 
https://issues.apache.org/jira/browse/DISPATCH-200?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15217989#comment-15217989
 ] 

Ganesh Murthy commented on DISPATCH-200:
----------------------------------------

A new attribute called uidFormat has been added to the sslProfile property. 

uidFormat contains a list of x509 client certificate fields that will be used 
to build a string that will uniquely identify the client certificate owner's 
user_id. 

For example, a value of 'cou' indicates that the user_id will consist of c - common 
name concatenated with o - organization-company name concatenated with u - 
organization unit; a value of 'o2' indicates that the uid will consist of o 
(organization name) concatenated with 2 (the sha256 fingerprint of the entire 
certificate). 

Allowed values can be any combination of comma-separated 'c' (ISO 3166 two-
character country code), 's' (state or province), 'l' (locality; generally the 
city), 'o' (organization - company name), 'u' (organizational unit - typically 
certificate type or brand), 'n' (common name), '1' (sha1 certificate 
fingerprint, i.e. the hash of the entire certificate, as displayed in the 
fingerprints section when viewing a certificate with, say, a web browser), '2' 
(sha256 certificate fingerprint) or '5' (sha512 certificate fingerprint).

The following is an example snippet from the qdrouterd.conf file which shows 
how uidFormat is used (in this case the uidFormat uses '5' which is the sha512 
fingerprint of the cert)- 

{noformat}
sslProfile {
   name: ssl-profile1
   cert-db: /home/test/opensource/dispatch/tests/config-2/ca-certificate.pem
   cert-file: /home/test/opensource/dispatch/tests/config-2/server-certificate.pem
   key-file: /home/test/opensource/dispatch/tests/config-2/server-private-key.pem
   password: server-password
   uidFormat: 5
}
{noformat}
In the above case, the user id is set to the sha512 hash of the entire cert 
contents which looks like this - 
{noformat}
82244216b6d02ffdfb886c8da3c803e0f7a7b330a7b665dccabd30bd25d0f35e2a4fff5f0a2a01d56eb7dbae085c108e71a32b84bab16c9ec243a1f6d014900d
{noformat}

If uidFormat was set to 'cs5' (country;state;sha512 fingerprint)
{noformat}
 uidFormat: cs5
{noformat}
the user_id will be a semicolon-separated value of 
{noformat}
US;NC;82244216b6d02ffdfb886c8da3c803e0f7a7b330a7b665dccabd30bd25d0f35e2a4fff5f0a2a01d56eb7dbae085c108e71a32b84bab16c9ec243a1f6d014900d
{noformat}

You can now associate these user_ids with a more human-recognizable display name 
(or nickname) by creating this mapping in a JSON file and specifying it in the 
"displayNameFile" attribute of the sslProfile property like this 
{noformat}
sslProfile {
   name: ssl-profile1
   cert-db: /home/test/opensource/dispatch/tests/config-2/ca-certificate.pem
   cert-file: /home/test/opensource/dispatch/tests/config-2/server-certificate.pem
   key-file: /home/test/opensource/dispatch/tests/config-2/server-private-key.pem
   password: server-password
   uidFormat: 1
   displayNameFile:  /home/test/profile_name_mapping.json
}
{noformat} 

Contents of the displayNameFile /home/test/profile_name_mapping.json look 
something like this - 
{noformat}
{
    "da39a3ee5e6b4b0d3255bfef95601890afd80709": "jerry",
    "9fb662f6abfe06131afe213c3a103e4fd8d7de56": "elaine",
    "4326e0f9aaa836c5141de942bf32465326bf3475": "george"
}
{noformat}
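The following is an added reference implementation of the uidFormat idea described in the comment above. It is not Qpid Dispatch code and does not reproduce the router's actual implementation; it simply shows how a format string such as "cs5" turns into a user_id and how a displayNameFile-style mapping is applied to the result. The subject attributes are assumed to have been parsed out of the certificate already, the "certificate" bytes are a constructed stand-in rather than real DER, and the acceptance of both the comma-separated form and the run-together form ("c,s,5" and "cs5") is an assumption about the syntax, not something the comment confirms.

```python
"""
Added example for DISPATCH-200 (not Qpid Dispatch code): build a user_id from a
uidFormat string and resolve it through a displayNameFile-style JSON mapping.
"""
import hashlib
import json

# Format letters -> Subject DN attribute names, as listed in the comment above.
SUBJECT_FIELDS = {
    "c": "C",   # ISO 3166 two-character country code
    "s": "ST",  # state or province
    "l": "L",   # locality (city)
    "o": "O",   # organization / company name
    "u": "OU",  # organizational unit
    "n": "CN",  # common name
}

# Format digits -> hash used for the fingerprint of the entire certificate.
FINGERPRINT_HASHES = {
    "1": "sha1",
    "2": "sha256",
    "5": "sha512",
}


def fingerprint(cert_der: bytes, algorithm: str) -> str:
    """Lowercase hex digest of the whole DER-encoded certificate, without the
    colon separators browsers often insert."""
    return hashlib.new(algorithm, cert_der).hexdigest()


def build_uid(uid_format: str, subject: dict, cert_der: bytes) -> str:
    """Build the user_id for a client certificate.

    subject  -- attribute map of the certificate's Subject DN (already parsed)
    cert_der -- the DER bytes of the entire certificate

    Raises ValueError on an unknown format character or on a subject attribute
    the certificate does not carry, so a misconfiguration fails closed instead
    of silently producing a shorter (and possibly shared) uid.
    """
    parts = []
    # ASSUMPTION: commas are optional separators, so "c,s,5" == "cs5".
    for ch in uid_format.replace(",", ""):
        if ch in SUBJECT_FIELDS:
            attr = SUBJECT_FIELDS[ch]
            if attr not in subject:
                raise ValueError(
                    f"subject lacks {attr}, required by uidFormat {uid_format!r}")
            parts.append(subject[attr])
        elif ch in FINGERPRINT_HASHES:
            parts.append(fingerprint(cert_der, FINGERPRINT_HASHES[ch]))
        else:
            raise ValueError(f"unknown uidFormat component {ch!r}")
    # The comment's example "US;NC;<sha512>" shows a semicolon join.
    return ";".join(parts)


def display_name(uid: str, mapping_json: str) -> str:
    """Resolve a uid through displayNameFile-style JSON; fall back to the raw
    uid when no nickname is configured for it."""
    return json.loads(mapping_json).get(uid, uid)


# Constructed sample data: NOT a real certificate, only bytes standing in for
# the DER encoding so the fingerprint arithmetic runs offline.
SAMPLE_CERT_DER = b"constructed stand-in for a DER-encoded client certificate"
SAMPLE_SUBJECT = {"C": "US", "ST": "NC", "L": "Raleigh", "O": "Example Corp",
                  "OU": "Messaging", "CN": "jerry"}
# Constructed displayNameFile content, keyed by the sha256 fingerprint (format "2").
SAMPLE_DISPLAY_NAMES = json.dumps({fingerprint(SAMPLE_CERT_DER, "sha256"): "jerry"})

if __name__ == "__main__":
    for fmt in ("5", "cs5", "nou", "2"):
        uid = build_uid(fmt, SAMPLE_SUBJECT, SAMPLE_CERT_DER)
        print(f"{fmt:>4} -> {uid}  (display name: {display_name(uid, SAMPLE_DISPLAY_NAMES)})")
```

Two points worth keeping in mind when choosing a format for policy lookups: a uid built only from subject fields (for example 'nou') is shared by every certificate the CA issues with the same subject, so including a fingerprint component ties the identity to one specific certificate; and since the components are joined with ';', a subject value that itself contains ';' would make the uid ambiguous, which is another reason to anchor on a fingerprint rather than free-text subject attributes.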

> Flexible mapping from x.509 certificates to an identity
> -------------------------------------------------------
>
>                 Key: DISPATCH-200
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-200
>             Project: Qpid Dispatch
>          Issue Type: New Feature
>          Components: Container
>            Reporter: Ted Ross
>            Assignee: Ganesh Murthy
>             Fix For: 0.6
>
>
> x.509 certificates contain structured data.  It is necessary to be able to 
> generate a unique identity from a certificate for the purpose of indexing 
> into access policy.
> The proposed feature will contain a descriptor that is part of an ssl-profile 
> configuration that specifies the format and content of the identity in terms 
> of the fields of a certificate.
> For example, the identity can be the certificate fingerprint, or the 
> distinguished name, or the combination of more than one field.
> A further enhancement is to provide a secondary mapping from the above 
> identity to a configured nickname.  For example, a user may want to use the 
> fingerprint as the identity field but wishes to write policy and view 
> management data containing a more friendly "display" name rather than the raw 
> fingerprint.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)