How to filter user certificates in desktop VPN clients
Solution
Starting from E84.10, Remote Access VPN desktop clients can apply a filter to user certificates. When a user has several certificates installed on the computer, the client then shows only the relevant ones.

The Administrator defines a set of certificate fields and their values. The VPN client displays only those certificates that match the defined criteria. If no certificate matches the filter, the VPN client displays all certificates. Note that this is a display filter for usability: because an unmatched filter falls back to showing everything, it must not be relied on to restrict which certificates the gateway accepts.

The following certificate fields are supported:
  1. Extended Key Usage (EKU), by OID; for example 1.3.6.1.5.5.7.3.2 (Client Authentication)
  2. Certificate template
  3. Distinguished Name (CN, OU, O, etc.) of:
    1. Issuer
    2. Subject
Filter values support wildcards, for example: *.cp.com

A filter can be defined in the $FWDIR/conf/trac_client_1.ttm file on the Security Gateway, and in the trac.defaults file that can be embedded in a custom installation package.

To define a filter, add the following record to trac_client_1.ttm:
:certificate_filter (
 :gateway (
  :default (
   :issuer ([filter_vector])
   :subject ([filter_vector])
   :template ([filter_vector])
   :enhanced_key_usage ([filter_vector])
   :condition (or|and)
  )
 )
)

The same settings in the trac.defaults file (the VPN Configuration Utility, sk122574, can also be used to edit trac files):

cert_filter_issuer                            VEC_STR        ""            GW_USER    0
cert_filter_subject                           VEC_STR        ""            GW_USER    0
cert_filter_template                          VEC_STR        ""            GW_USER    0
cert_filter_enhanced_key_usage                VEC_STR        ""            GW_USER    0
cert_filter_condition                         STRING         and           GW_USER    0
cert_filter_check                             INT            0             GW_USER    0

where filter_vector is a string, or a vector of strings separated by '&#'. The square brackets denote that filter_vector is optional; they are not part of the filter definition.

Enclose the whole filter value in double quotes (") unless it is a single word or a vector of single words. To exclude a specific certificate property from the filter, leave the filter value for that property empty.

Wildcards '*' and '?' are allowed for defining filter values. '*' denotes zero or more characters, '?' denotes one single character.

Filter matching is case insensitive.

A certificate property matches a defined filter if it matches at least one element of the filter_vector. The defined condition ('or' or 'and') is then applied across the properties to decide whether the whole certificate matches the filter.

The condition combines the per-property results as follows:

  condition   the certificate is considered matched to the filter if ...
  OR          at least one of the properties matches its corresponding filter
  AND         all properties match their corresponding filters

If a field is defined in certificate_filter but does not exist in the certificate, that field is considered not matched.

Both v1 and v2 certificate templates are supported. Specify the template name for v1 templates, or the template OID for v2 templates.

To filter by Enhanced Key Usage, specify one or more OIDs.

Example of trac_client_1.ttm:

:certificate_filter (
 :gateway (
  :default (
   :issuer ("O=*Check*Point*&#DC=checkpoint&#")
   :subject ("OU=users, O=*checkpoint*&#OU=security")
   :template ()
   :enhanced_key_usage (1.3.6.1.5.5.8.2.2&#1.3.6.1.5.5.7.3.2&#)
   :condition (and)
  )
 )
)

Example of trac.defaults:

cert_filter_issuer    VEC_STR "O=*Check*Point*&#DC=checkpoint&#" GW_USER 0
cert_filter_subject   VEC_STR "OU=users, O=*checkpoint*&#OU=security" GW_USER 0
cert_filter_template  VEC_STR "" GW_USER 0
cert_filter_enhanced_key_usage VEC_STR "1.3.6.1.5.5.8.2.2&#1.3.6.1.5.5.7.3.2&#" GW_USER 0
cert_filter_condition STRING and GW_USER 0
cert_filter_check     INT 1 GW_USER 0

Here, the issuer must contain either an element matching 'O=*Check*Point*' or the element 'DC=checkpoint'. Strings like
O=Check Point
O=CheckPoint Inc.
match the first element.
In the case of the subject, the first element of the filter_vector requires two attributes to be present:
OU=users, O=checkpoint
They are separated by a comma followed by exactly one space character. The order in which they are defined does not matter; the following filters are equivalent:
OU=users, O=checkpoint
O=checkpoint, OU=users

The Enhanced Key Usage certificate property is a set of one or more OIDs; at least one of them must match either 1.3.6.1.5.5.8.2.2 or 1.3.6.1.5.5.7.3.2.
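To dry-run a filter before pushing it to clients, the matching rules above (the '&#' vector syntax, '*' and '?' wildcards, case-insensitive comparison, DN elements separated by ", " in any order, the missing-field rule, the 'and'/'or' condition, and the fall-back to showing every certificate) can be simulated offline. The following is an added example written for this article; it is not Check Point's code and does not claim to reproduce the client's behaviour in every corner case. It parses the trac.defaults example above, then evaluates it against three constructed certificates. Assumptions, also noted in the code: a trailing '&#' adds no element; certificates are represented as dictionaries with issuer and subject given as lists of RDN strings without escaped commas; a None property stands for an absent field.

```python
"""Added example (not Check Point code): simulate the certificate filter of
trac.defaults / trac_client_1.ttm against a few constructed certificates."""
import re
import shlex

# The cert_filter_* records from this article's trac.defaults example.
TRAC_DEFAULTS = """
cert_filter_issuer    VEC_STR "O=*Check*Point*&#DC=checkpoint&#" GW_USER 0
cert_filter_subject   VEC_STR "OU=users, O=*checkpoint*&#OU=security" GW_USER 0
cert_filter_template  VEC_STR "" GW_USER 0
cert_filter_enhanced_key_usage VEC_STR "1.3.6.1.5.5.8.2.2&#1.3.6.1.5.5.7.3.2&#" GW_USER 0
cert_filter_condition STRING and GW_USER 0
cert_filter_check     INT 1 GW_USER 0
"""

PROPERTIES = ("issuer", "subject", "template", "enhanced_key_usage")


def parse_trac_defaults(text):
    """Return {'issuer': [...], ..., 'condition': 'and'} from cert_filter_* lines."""
    cfg = {p: [] for p in PROPERTIES}
    cfg["condition"] = "and"
    for line in text.splitlines():
        fields = shlex.split(line)  # keeps the quoted value whole; '#' is not a comment here
        if len(fields) < 3 or not fields[0].startswith("cert_filter_"):
            continue
        name, value = fields[0][len("cert_filter_"):], fields[2]
        if name == "condition":
            cfg["condition"] = value.lower()
        elif name in cfg:
            # '&#' separates vector elements; a trailing separator adds no element (assumption)
            cfg[name] = [e for e in value.split("&#") if e]
    return cfg


def wildcard_match(pattern, value):
    """'*' = zero or more characters, '?' = exactly one; case-insensitive; whole string."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def dn_matches(pattern, dn_rdns):
    """A DN pattern such as 'OU=users, O=*checkpoint*' lists RDN patterns separated by
    comma + one space. Each must match some RDN of the certificate DN; order is irrelevant.
    dn_rdns is a list of RDN strings like 'O=Check Point' (no escaped commas assumed)."""
    return all(any(wildcard_match(rdn_pat, rdn) for rdn in dn_rdns)
               for rdn_pat in pattern.split(", "))


def property_matches(name, vector, cert):
    """A property matches if it matches at least one element of its filter_vector."""
    value = cert.get(name)
    if value is None:  # field defined in the filter but absent from the certificate
        return False
    if name in ("issuer", "subject"):
        return any(dn_matches(pat, value) for pat in vector)
    if name == "template":  # v1 name or v2 OID
        return any(wildcard_match(pat, value) for pat in vector)
    # enhanced_key_usage: at least one OID of the certificate must match a listed OID
    return any(wildcard_match(pat, oid) for pat in vector for oid in value)


def certificate_matches(cfg, cert):
    """Apply the 'and'/'or' condition across the properties that have a non-empty filter."""
    results = [property_matches(p, cfg[p], cert) for p in PROPERTIES if cfg[p]]
    if not results:  # nothing defined: no filtering at all
        return True
    return all(results) if cfg["condition"] == "and" else any(results)


def select_certificates(cfg, certs):
    """What the client would display: the matching subset, or every certificate if none match."""
    matched = [c for c in certs if certificate_matches(cfg, c)]
    return matched if matched else list(certs)


# Constructed sample certificates (not real data).
CERTS = [
    {"name": "corp-user",
     "issuer": ["CN=Corp Issuing CA", "O=CheckPoint Inc.", "C=IL"],
     "subject": ["CN=alice", "OU=users", "O=checkpoint"],
     "template": "VPNUser",
     "enhanced_key_usage": ["1.3.6.1.5.5.7.3.2"]},
    {"name": "smartcard-logon-only",  # issuer and subject match, but EKU does not
     "issuer": ["DC=checkpoint", "DC=com", "CN=AD CA"],
     "subject": ["CN=alice", "OU=security", "O=checkpoint"],
     "template": "1.3.6.1.4.1.311.21.8.1.2.3",
     "enhanced_key_usage": ["1.3.6.1.4.1.311.20.2.2"]},
    {"name": "other-vendor",  # only the EKU matches
     "issuer": ["O=Example Ltd", "CN=Example CA"],
     "subject": ["CN=alice", "OU=users", "O=example"],
     "template": None,
     "enhanced_key_usage": ["1.3.6.1.5.5.7.3.2"]},
]

if __name__ == "__main__":
    cfg = parse_trac_defaults(TRAC_DEFAULTS)
    for cond in ("and", "or"):
        shown = select_certificates(dict(cfg, condition=cond), CERTS)
        print(cond, "->", [c["name"] for c in shown])
```

With the article's filter and condition 'and', only corp-user is displayed; switching the condition to 'or' also lets the two other certificates through, since each of them satisfies at least one property. A filter that matches nothing (for example subject set to OU=admins) makes the simulator return all three certificates, mirroring the client's fall-back.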

To check that a TTM file is syntactically correct, run the following command from clish or Expert mode on the Security Gateway:

# vpn check_ttm $FWDIR/conf/trac_client_1.ttm

To disable a certificate filter for a specific site, run the following command on the end-user computer:

trac disable_cert_filter [-s <sitename>]

The filter starts working again after the next policy update. A policy update occurs when the client connects to a gateway on which the policy was changed by "install policy".

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
