Starting with E84.10, Remote Access VPN desktop clients support defining a filter for user certificates. This helps to display only the relevant certificates when a user has multiple certificates installed on a computer.
The administrator may define a set of certificate fields and their values. The VPN client then displays only those certificates that match the defined criteria. If no certificate matches the filter, the VPN client displays all certificates.
The following certificate fields are supported:
- Extended Key Usage: OID should be set to 1.3.6.1.5.5.7.3.2 (ClientAuth)
- Certificate template
- Distinguished Name (CN, OU, O, etc.) of:
  - Issuer
  - Subject
Filter values support wildcards, for example: *.cp.com
A filter can be defined in the $FWDIR/conf/trac_client_1.ttm file on a Security Gateway, and in the trac.defaults file that can be embedded in a custom installation package.
To define a filter, add the following record in trac_client_1.ttm:
:certificate_filter (
    :gateway (
        :default (
            :issuer ([filter_vector])
            :subject ([filter_vector])
            :template ([filter_vector])
            :enhanced_key_usage ([filter_vector])
            :condition (or|and)
        )
    )
)
The same settings in the trac.defaults file:
cert_filter_issuer VEC_STR "" GW_USER 0
cert_filter_subject VEC_STR "" GW_USER 0
cert_filter_template VEC_STR "" GW_USER 0
cert_filter_enhanced_key_usage VEC_STR "" GW_USER 0
cert_filter_condition STRING and GW_USER 0
cert_filter_check INT 0 GW_USER 0
Note: The VPN Configuration Utility (sk122574) can also be used to edit trac files.
where filter_vector is a string or a vector of strings separated with '&#'. The square brackets denote that the filter_vector is optional; they are not part of the filter definition.
It is recommended to enclose the whole filter in quotes (") unless the filter value is a single word or a vector of single words. To exclude a specific certificate property from the filter, leave the filter value for that property empty.
The wildcards '*' and '?' are allowed in filter values: '*' denotes zero or more characters, '?' denotes exactly one character.
Filter definitions are case insensitive. A certificate property matches a defined filter if it matches at least one element of the filter_vector. The defined condition ('or' or 'and') is then applied to decide whether the whole certificate matches the filter.
It is possible to use OR and AND conditions in filter values:
Condition | The certificate is considered matched to the filter if ...
OR        | at least one of the properties matches its corresponding filter
AND       | all properties match their corresponding filters
If a field is defined in the certificate_filter but does not exist in the certificate, that field is considered not matched.
Both v1 and v2 certificate templates are supported: specify the template name for v1 templates or the OID for v2 templates in the filter.
To filter by Enhanced Key Usage, specify one or more OIDs.
Example of trac_client_1.ttm:
:certificate_filter (
    :gateway (
        :default (
            :issuer ("O=*Check*Point*&#DC=checkpoint&#")
            :subject ("OU=users, O=*checkpoint*&#OU=security")
            :template ()
            :enhanced_key_usage ("1.3.6.1.5.5.8.2.2&#1.3.6.1.5.5.7.3.2&#")
            :condition (and)
        )
    )
)
Example of trac.defaults:
cert_filter_issuer VEC_STR "O=*Check*Point*&#DC=checkpoint&#" GW_USER 0
cert_filter_subject VEC_STR "OU=users, O=*checkpoint*&#OU=security" GW_USER 0
cert_filter_template VEC_STR "" GW_USER 0
cert_filter_enhanced_key_usage VEC_STR "1.3.6.1.5.5.8.2.2&#1.3.6.1.5.5.7.3.2&#" GW_USER 0
cert_filter_condition STRING and GW_USER 0
cert_filter_check INT 1 GW_USER 0
Here, we require the issuer to have either an 'O=Check*Point' element or a 'DC=checkpoint' element. Strings like
O=Check Point
O=CheckPoint Inc.
match the filter.
In the case of the subject, the first element of the filter_vector requires two entities to be defined:
OU=users, O=checkpoint
They must be separated by a comma followed by exactly one space character. The order in which they are defined does not matter; the following filters are equivalent:
OU=users, O=checkpoint
O=checkpoint, OU=users
The Enhanced Key Usage certificate property is a set of one or more OIDs; at least one of them must match either 1.3.6.1.5.5.8.2.2 or 1.3.6.1.5.5.7.3.2.
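To make the matching rules above (vector separator, wildcards, case insensitivity, the or/and condition, missing fields, and the order-independent DN elements of the example) concrete, here is an added model of the selection logic in Python. It is illustrative code written for this article, not the Check Point client's implementation; it assumes DNs are passed as ', '-separated "KEY=value" strings and uses the article's example filter values.

```python
import fnmatch

SEP = "&#"  # vector separator used in trac_client_1.ttm and trac.defaults
def parse_vector(value):
    """Split a filter_vector on '&#'; a trailing separator is allowed."""
    return [p for p in value.split(SEP) if p]

def glob_match(pattern, text):
    """Case-insensitive match: '*' = zero or more chars, '?' = one char."""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())

def dn_match(pattern, dn):
    """Each 'KEY=value' part of the pattern (split on ', ') must match some DN element, in any order."""
    elements = dn.split(", ")
    return all(any(glob_match(part, el) for el in elements)
               for part in pattern.split(", "))

def eku_match(pattern, oids):
    """At least one OID in the certificate's EKU set must match the pattern."""
    return any(glob_match(pattern, oid) for oid in oids)

MATCHERS = {"issuer": dn_match, "subject": dn_match,
            "template": glob_match, "enhanced_key_usage": eku_match}
def certificate_matches(cert, filters, condition):
    """cert: property -> value (DN strings, template name/OID, list of EKU OIDs).
    filters: property -> filter_vector string; '' excludes that property."""
    results = []
    for prop, vector in filters.items():
        patterns = parse_vector(vector)
        if not patterns:
            continue                  # empty value: property not filtered
        if prop not in cert:
            results.append(False)     # defined in filter, absent in cert
            continue
        results.append(any(MATCHERS[prop](p, cert[prop]) for p in patterns))
    if not results:                   # nothing filtered: every certificate passes
        return True
    return all(results) if condition.lower() == "and" else any(results)

def select_certificates(certs, filters, condition):
    """Client behaviour: show only matching certificates, or all if none match."""
    matched = [c for c in certs if certificate_matches(c, filters, condition)]
    return matched or list(certs)
FILTERS = {  # the article's example values, with the two EKU OIDs as a vector
    "issuer": "O=*Check*Point*&#DC=checkpoint&#",
    "subject": "OU=users, O=*checkpoint*&#OU=security",
    "template": "",
    "enhanced_key_usage": "1.3.6.1.5.5.8.2.2&#1.3.6.1.5.5.7.3.2&#",
}
```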
To check if a TTM file is correct, run the following command from clish or Expert mode on the Security Gateway:
# vpn check_ttm $FWDIR/conf/trac_client_1.ttm
To disable the certificate filter for a specific site, run the following command on the end-user computer:
trac disable_cert_filter [-s <sitename>]
The filter starts working again after the next policy update. The policy update occurs when the client connects to a gateway on which the policy was changed by "install policy".