Product Documentation

Database Administrator's Guide


X509_AUTHENTICATION

X509_AUTHENTICATION { YES | NO }

Default is NO. When set to YES, a client that presents an X.509 certificate at logon is authenticated, and authorized within the database, by that certificate rather than by a username/password. On its own this setting makes certificate logon optional; combine it with VERIFY_CLIENT_CERTIFICATE YES to make X.509 authentication mandatory. By default, the only trusted CA is the root CA of the SERVER_CERTIFICATE_FILE. The SERVER_CERTIFICATE_FILE must contain a complete certificate chain, beginning with the server's own certificate and ending with the root CA certificate. The client X.509 certificate must be signed by the same root CA as the server certificate; a client certificate issued under any other root is not accepted.

NOTE: X.509 authentication is not supported in combination with LDAP authentication.

If X509_AUTHENTICATION is enabled, the following keywords control how a username is extracted from the subject field of a successfully authenticated client X.509 certificate. Extraction happens only after the certificate itself has been validated against the trusted root CA; these keywords never make an untrusted certificate acceptable.

NOTE: All name matching is case insensitive, as is the resulting user name used for login.

  • X509_PATH <RDN> - Mandatory. Specifies which relative distinguished name (RDN) component of the full distinguished name (DN) to parse. Use the short form name, such as CN rather than CommonName. Typical values are X509_PATH CN or X509_PATH emailAddress.
  • X509_PREFIX <prefix> - Optional. If specified, the value found at X509_PATH must contain this prefix; the prefix is removed when forming the username.
  • X509_DELIMITER <suffix> - Optional. If specified, the value found at X509_PATH must contain this suffix; the suffix is removed when forming the username.
  • X509_REQUIREMENT_PATH <RDN> - Optional. If specified, the DN must contain this RDN or the logon fails.
  • X509_REQUIREMENT <value> - Optional. If specified, the RDN selected by X509_REQUIREMENT_PATH must match this value (case insensitively) or the logon fails.

Example

Given the following server configuration:

X509_AUTHENTICATION YES

X509_PATH CN

X509_REQUIREMENT_PATH O

X509_REQUIREMENT faircom inc

A valid certificate with the subject:

Subject: C=US, ST=Missouri, O=FairCom Inc, OU=R&D, CN=John Doe/emailAddress=john.doe@faircom.com

would resolve the user name as “John Doe”.

A valid certificate with the subject:

Subject: C=US, ST=Missouri, O=Acme Inc, OU=R&D, CN=admin/emailAddress=john.doe@gmail.com

would not resolve a user name: “Acme Inc” does not match the X509_REQUIREMENT value “faircom inc” (matching is case insensitive, so “FairCom Inc” would have matched), and an error would be returned.
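The following is an added Python example, not FairCom's own code, that models the username extraction described by the keyword list above and reproduces both cases of this example. It parses the subject in the one-line print format shown on this page (", " between RDNs and "/" before emailAddress), treats RDN names and the X509_REQUIREMENT value case insensitively, and raises an error where the server would reject the logon. The function names, the exception class, the assumption that X509_PREFIX must lead and X509_DELIMITER must trail the value, and the choice of the first RDN when a type repeats are all this example's, not the product's. The sample subjects are constructed from the text above.

```python
import re

# Constructed sample subjects copied from the example on this page.
SUBJECT_OK = ("C=US, ST=Missouri, O=FairCom Inc, OU=R&D, "
              "CN=John Doe/emailAddress=john.doe@faircom.com")
SUBJECT_BAD = ("C=US, ST=Missouri, O=Acme Inc, OU=R&D, "
               "CN=admin/emailAddress=john.doe@gmail.com")

# The server configuration from the example, as a plain dict.
CONFIG = {
    "X509_PATH": "CN",
    "X509_REQUIREMENT_PATH": "O",
    "X509_REQUIREMENT": "faircom inc",
}

# Split on "," or "/" only when the next token looks like an RDN type
# ("CN=", "emailAddress=", ...), so a "/" inside a value is left alone.
# Assumption: subjects arrive in this one-line print format.
_RDN_SPLIT = re.compile(r"[,/]\s*(?=[A-Za-z][A-Za-z0-9.]*=)")


class X509AuthError(Exception):
    """Raised where the server would refuse the logon (hypothetical name)."""


def parse_subject(subject):
    """Return the subject DN as a list of (type, value) pairs in DN order."""
    rdns = []
    for part in _RDN_SPLIT.split(subject.strip()):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise X509AuthError(f"malformed RDN component: {part!r}")
        rdns.append((name.strip(), value.strip()))
    return rdns


def find_rdn(rdns, name):
    """Value of the first RDN whose type matches `name` case insensitively."""
    wanted = name.lower()
    for rdn_type, value in rdns:
        if rdn_type.lower() == wanted:
            return value
    return None


def resolve_username(subject, config):
    """Apply X509_PATH / X509_PREFIX / X509_DELIMITER / X509_REQUIREMENT*
    to a subject DN and return the logon user name, or raise X509AuthError."""
    path = config.get("X509_PATH")
    if not path:
        raise X509AuthError("X509_PATH is mandatory when X509_AUTHENTICATION is YES")
    rdns = parse_subject(subject)

    # Requirement check first: a certificate from the wrong organisation
    # must never yield a user name, even if its CN looks valid.
    req_path = config.get("X509_REQUIREMENT_PATH")
    if req_path:
        actual = find_rdn(rdns, req_path)
        if actual is None:
            raise X509AuthError(f"subject has no {req_path} RDN")
        required = config.get("X509_REQUIREMENT")
        if required is not None and actual.lower() != required.lower():
            raise X509AuthError(
                f"{req_path}={actual!r} does not match X509_REQUIREMENT {required!r}")

    value = find_rdn(rdns, path)
    if value is None:
        raise X509AuthError(f"subject has no {path} RDN")

    # Assumption: the prefix must lead the value and the delimiter must
    # trail it; both are compared case insensitively and then stripped.
    prefix = config.get("X509_PREFIX")
    if prefix:
        if not value.lower().startswith(prefix.lower()):
            raise X509AuthError(f"{path} value lacks X509_PREFIX {prefix!r}")
        value = value[len(prefix):]
    suffix = config.get("X509_DELIMITER")
    if suffix:
        if not value.lower().endswith(suffix.lower()):
            raise X509AuthError(f"{path} value lacks X509_DELIMITER {suffix!r}")
        value = value[:-len(suffix)]

    if not value:
        raise X509AuthError("empty user name after stripping prefix/suffix")
    return value


if __name__ == "__main__":
    print(resolve_username(SUBJECT_OK, CONFIG))          # John Doe
    try:
        resolve_username(SUBJECT_BAD, CONFIG)
    except X509AuthError as err:
        print("rejected:", err)
    # X509_PATH emailAddress with the domain stripped as the delimiter.
    print(resolve_username(SUBJECT_OK, {"X509_PATH": "emailAddress",
                                        "X509_DELIMITER": "@faircom.com"}))  # john.doe
```

The third call shows the emailAddress form the keyword list mentions: with X509_DELIMITER set to the organisation's mail domain, the mailbox part becomes the user name, and a certificate whose e-mail address is under any other domain is refused rather than silently mapped to a local account.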
