Getting access denied when using SmX509CertAuth Version 3.7.3

Document ID : KB000040931
Last Modified Date : 14/02/2018
Show Technical Document Details

Issue: 

When using the SmX509CertAuth scheme, the end user gets "403 access denied" on the browser upon trying to authenticate.

Environment:     

Any policy server that supports Certificate mapping

Cause: 

Below is the workflow of this AuthScheme:

  1. User requests the protected resource
  2. The client certificate is submitted from the browser to the web server.
  3. Web Agent to extract a user certificate from the web server.
  4. After the Web Agent collects certificate information, it passes the data to the Policy Server for verification.
  5. The policy server uses the client certificate IssuerDN to locate the Certificate Mapping in the policy store.
  6. When Certificate Mapping IssuerDN matches, it takes the Subject Name from the certificate and applies the mapping to find the user entry in the user directory.

The end user gets an error :403 access denied", when IssuerDN of the certificate mapping in the policy store does not match to that of the client certificate. Below can be observed in the smtracedefault.log:

03/09/2016][13:16:38][13:16:38.398][][][][][][8040][11112][][][][][][][][][][SmAuthUser.cpp:701][ServerTrace][][][][][][][][][][][][][][][][][][][][][][][][Finished parsing cert.][][][SmX509CertAuth:parseCert: Finished parsing cert.]

[03/09/2016][13:16:38][13:16:38.398][][][][][][8040][11112][][][][][][][][][][SmAuthUser.cpp:701][ServerTrace][][][][][][][][][][][][][][][][][][][][][][][][Certificate Mappings loaded - processing list][][][SmX509CertAuth: Certificate Mappings loaded - processing list]

The policy server checked all the certificate mapping IssuerDN's in the policy store but could not find any matching to that of client IssuerDN.  

Below can be observed in smtracedefault.log when policy server fails to find matching certificate mapping:

[03/09/2016][13:16:38][13:16:38.398][][][][][][8040][11112][][][][][][][][][][SmAuthUser.cpp:701][ServerTrace][][][][][][][][][][][][][][][][][][][][][][][][Issuer DNs did NOT match][][][SmX509CertAuth: Issuer DNs did NOT match]

[03/09/2016][13:16:38][13:16:38.398][][][][][][8040][11112][][][][][][][][][][SmAuthUser.cpp:692][][][][][][][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Server-02740] SmX509CertAuth:doCertMapping: Failed to get Cert Mapping Object from policy store!]

Resolution:

Please follow the below steps to review the certificate mapping IssuerDN value:

  1. Login to the AdministrativeUI
  2. Click Directory>Certificate Mappings
  3. Select the certificate mapping in the picture.
  4. Match the IssuerDN in the certificate mapping to the client certificate.

Example: If client certificate IssuerDN == C=US,O=CA Tech,OU=ABC,OU=XYZ,CN=ABC ID CA-33 and certificate mapping IssuerDN == C=US,O=CA Tech,OU=ABC,OU=XYZ,CN=ABC  CA-33

We can see above that there are two additional characters in client IssuerDN that are, "I" and "D", therefore the policy server will fail to find matching mapping. 

To fix the issue, provide the same IssuerDN value in certificate mapping as the client certificate.