Status Delivered
Created by Guest
Created on Oct 22, 2019

Certificate Filter should allow access to the Subject Alternative Name fields

Hi

We deployed certificate-based authentication to work with IBM Rational CLM products to support a Federal mandate (2-factor authentication using a smart card known as PIV). For the past few years this solution has worked with no issues. However, VA is migrating its users from an internal VA card system to the General Services Administration (GSA) managed USAccess card issuance system.

The current VA internal PIV certificate RDN value is based on FIPS 201/201-1. It is the directory value used at VA's current SSP for issued certificate directory locations. For my PIV certificate my RDN is currently 'CN = PUBLIC E. USER 110381, 0.9.2342.19200300.100.1.1 = public.user@va.gov, OU = people, O = internal, DC = va, DC = gov'.
######################
In WAS, under Global security > Advanced Lightweight Directory Access Protocol (LDAP) user registry settings, we configured the certificate filter as mail=${SubjectUID}. With this configuration all our Rational CLM products worked perfectly.
######################
With the planned changes to align VA internal PIV certificates with USAccess certificates, my next issuance (from the internal system) would become '0.9.2342.19200300.100.1.1 = 1002854694236001, CN = PUBLIC E. USER 110381, OU = people, O = internal, DC = va, DC = gov'. This shows the change to OID 0.9.2342.19200300.100.1.1, but the remaining RDN will not be modified.

* Now, with these planned changes, we tried to use cn=${SubjectCN} or userCertificate=${SubjectCN} in the certificate filter, but neither of them worked. We received the following error:

SECJ0150E: Cannot map the credential of the given credential token for certificate subject DN CN=Ugandhar N Munagala 312744 (affiliate), UID=ugandhar.munagala@va.gov, OU=people, O=internal, DC=va, DC=gov with filter cn=Ugandhar N Munagala 312744 (affiliate) into LDAP because no entry in LDAP matches the DN or filter.

However, we worked with the VA PKI department (which deals with security and certificates) and they suggested using the principal name listed in the Subject Alternative Name of the certificate, something like:
userPrincipalName=${SubjectsubjectAltName}
But WAS does not support this parameter. We are in desperate need of help at this time and request that IBM develop this enhancement immediately.

Idea priority Urgent
RFE ID 137521
RFE URL
RFE Product WebSphere Application Server
  • Guest (May 23, 2022)

    Adding to this discussion and for consideration: TWAS-I-80, along with the one being discussed, and the considerable impact based on this.

    TWAS-I-300. Missing source IP in SMF record type 80 when accessing with WAS or IHS

  • Guest (May 5, 2022)

    Although WebSphere does not provide the ability to map using the SAN in our configuration, we provide the ability for users to implement their own UserMapping class to map certificates in whatever way is necessary (using the SAN, or any other field that is desired).

    See the documentation for the UserMapping interface, here --> https://www.ibm.com/docs/en/ibm-http-server/8.5.5?topic=SSEQTJ_8.5.5/com.ibm.websphere.javadoc.doc/web/spidocs/com/ibm/websphere/security/package-summary.html

  • Guest (May 9, 2020)

    It is also imperative to have the capability to filter down to a substring of the read certificate attribute if necessary, as what is stored on the cert may have additional characters relative to the repository attribute it needs to be matched to. For example, my repository may store a PIV in an attribute as 0123456789012345; however, on the card it may be stored in the SAN UPN as 0123456789012345@domain. Thus we need the ability to match only the first 16 characters of the SAN UPN off the cert.
    We've encountered the same when trying to match the subjectCN to repository attributes, except in that case we only wanted to pull the last 10 characters off the subjectCN. The ability to take substrings of certificate attributes is critical in bridging the gap due to the independent management of user repositories and user certificates. Having this capability will provide robust mapping abilities and should be sufficient to bridge the gap in most instances.
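
The custom-mapper route IBM suggests in the May 5, 2022 reply and the substring matching requested in the comment above, as an added example in Python (not WebSphere code and not IBM's UserMapping interface): it decodes a SAN otherName UPN from the DER form a certificate API hands back, collects the subject RDN attributes (naming the 0.9.2342.19200300.100.1.1 OID as UID, which is what ${SubjectUID} in the idea refers to), substitutes ${Name} and ${Name:start:end} variables into a filter template, and escapes every substituted value per RFC 4515 so that attacker-chosen certificate fields cannot change the shape of the LDAP filter. The variable names, the slice syntax, the comma-split DN parsing, the realm in the sample UPN and the sample otherName bytes are all assumptions constructed for this example.

```python
"""Certificate-to-LDAP-filter mapping for a PIV certificate.

Added example, not WebSphere code: the pieces a custom certificate mapper
needs, plus what a SAN-aware certificate filter with substring support
could look like.  All sample values are constructed.
"""
import re

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft userPrincipalName otherName type
OID_NAMES = {"0.9.2342.19200300.100.1.1": "UID"}  # unnamed OID seen in the subject DN


def _der_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Dotted-string form of DER OBJECT IDENTIFIER content octets."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def upn_from_othername(der):
    """Extract the UPN from a DER otherName: SEQUENCE { OID, [0] UTF8String }.

    Returns None for otherNames of another type; raises ValueError on
    malformed input so that a mapper fails closed instead of guessing.
    """
    tag, seq, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("otherName is not a SEQUENCE")
    tag, oid, pos = _der_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("otherName type-id is not an OID")
    if _decode_oid(oid) != UPN_OID:
        return None
    tag, explicit, _ = _der_tlv(seq, pos)
    if tag != 0xA0:
        raise ValueError("otherName value is not [0] EXPLICIT")
    tag, utf8, _ = _der_tlv(explicit, 0)
    if tag != 0x0C:
        raise ValueError("UPN is not a UTF8String")
    return utf8.decode("utf-8")


def cert_fields(subject_dn, san_othernames):
    """Collect substitutable variables: Subject<ATTR> from the DN, SanUPN from the SAN.

    Splitting the DN on ',' is enough for the sample DNs here; a real mapper
    should use an RFC 4514 parser because values may contain escaped commas.
    Only the first value of a repeated attribute type (e.g. DC) is kept.
    """
    fields = {}
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.partition("=")
        attr = attr.strip().upper()
        fields.setdefault("Subject" + OID_NAMES.get(attr, attr), value.strip())
    for der in san_othernames:
        upn = upn_from_othername(der)
        if upn is not None:
            fields["SanUPN"] = upn
    return fields


def ldap_escape(value):
    """Escape an assertion value per RFC 4515 section 3, so a CN such as
    '*)(objectClass=*' cannot inject filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


_VAR = re.compile(r"\$\{(\w+)(?::(-?\d*):(-?\d*))?\}")  # ${Name} or ${Name:start:end}


def build_filter(template, fields):
    """Substitute variables (with optional Python-style slice bounds) into a template.
    Raises KeyError for a missing field and ValueError for an empty value: the
    mapper must fail closed rather than search with a partial filter."""
    def sub(m):
        name, start, end = m.groups()
        value = fields[name]
        if start is not None:
            value = value[int(start) if start else None:int(end) if end else None]
        if not value:
            raise ValueError("empty value for " + name)
        return ldap_escape(value)
    return _VAR.sub(sub, template)


def map_certificate(template, subject_dn, san_othernames):
    """Return the LDAP filter to search with, or None when the certificate cannot
    be mapped (a WebSphere mapper would throw its mapping-failed exception)."""
    try:
        return build_filter(template, cert_fields(subject_dn, san_othernames))
    except (KeyError, ValueError):
        return None


def _der(tag, content):
    """Minimal DER encoder for the constructed sample (short-form lengths only)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content


# Constructed sample: the post-migration subject DN quoted in the idea, plus a
# SAN UPN carrying the 16-digit identifier in front of an invented realm.
NEW_SUBJECT_DN = ("0.9.2342.19200300.100.1.1 = 1002854694236001, CN = PUBLIC E. USER 110381, "
                  "OU = people, O = internal, DC = va, DC = gov")
SAMPLE_UPN = "1002854694236001@domain.example"
SAMPLE_OTHERNAME = _der(0x30, _der(0x06, bytes.fromhex("2b060104018237140203"))
                        + _der(0xA0, _der(0x0C, SAMPLE_UPN.encode())))

if __name__ == "__main__":
    for tmpl in ("mail=${SubjectUID}",            # the idea's old filter: now searches mail for a number
                 "userPrincipalName=${SanUPN}",   # the SAN-based filter the VA PKI team proposed
                 "piv=${SanUPN:0:16}",            # first 16 characters of the UPN
                 "cn=${SubjectCN:-6:}"):          # last 6 characters of the CN
        print(tmpl, "->", map_certificate(tmpl, NEW_SUBJECT_DN, [SAMPLE_OTHERNAME]))
    print(map_certificate("cn=${SubjectCN}", "CN = *)(objectClass=*, DC = gov", []))
```

Two design points matter more than the template syntax. First, the mapper fails closed: a certificate that lacks the referenced SAN type, or whose otherName is malformed, yields no filter rather than a filter built from whatever was found. Second, the escaping step is not optional once SAN values are in play, because the UPN and CN are set by the issuing CA, not by the LDAP administrator, and a cross-certified or compromised issuer could otherwise put filter metacharacters into a field that ends up in a search against the user registry.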

  • Guest (May 6, 2020)

    I agree that this RFE is CRITICAL for use of WebSphere with government agencies, as they are being mandated to move to PIV authentication. This necessitates the ability to filter against the UPN in the SAN of the certificate.