Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Maintenance
Obtaining the username from the certificate
The username is extracted from the client browser's certificate according to the patterns defined in the
Regex and Username format fields on the Certificate-based authentication configuration page:
Regex and Username format fields on the Certificate-based authentication configuration page:
n
In the Regex field, use the (?<name>regex) syntax to supply names for capture groups so that
matching sub-patterns can be substituted in the associated Username format field, for example,
/(Subject:.*, CN=(?<Group1>.*))/m
matching sub-patterns can be substituted in the associated Username format field, for example,
/(Subject:.*, CN=(?<Group1>.*))/m
.
Note that the regex defined here must conform to PHP regex guidelines [
].
n
The Username format field can contain a mixture of fixed text and the capture group names used in
the Regex. Delimit each capture group name with #, for example, prefix#Group1#suffix.
Each capture group name will be replaced with the text obtained from the regular expression
processing.
the Regex. Delimit each capture group name with #, for example, prefix#Group1#suffix.
Each capture group name will be replaced with the text obtained from the regular expression
processing.
You can use the
page to test the outcome of applying different Regex and
Username format combinations to a certificate.
Client certificate testing
The Client certificate testing page (
Maintenance > Certificate management > Client certificate
testing
) is used to check client certificates before enabling
. You can:
n
test whether a client certificate is valid when checked against the VCS's current trusted CA list
and, if loaded, the revocation list (note that the system tests only against the manually uploaded
CRL file; any automatically uploaded CRL files are ignored)
and, if loaded, the revocation list (note that the system tests only against the manually uploaded
CRL file; any automatically uploaded CRL files are ignored)
n
test the outcome of applying the regex and template patterns that retrieve a certificate's
authorization credentials (the username)
authorization credentials (the username)
You can test against:
n
a certificate on your local file system
n
the browser's currently loaded certificate
To test if a certificate is valid:
1. Select the Certificate source. You can choose to:
l
upload a test file from your file system in either PEM or plain text format; if so click Browse to
select the certificate file you want to test
select the certificate file you want to test
l
test against the certificate currently loaded into your browser (only available if the system is
already configured to use Certificate validation and a certificate is currently loaded)
already configured to use Certificate validation and a certificate is currently loaded)
2. Ignore the Certificate-based authentication pattern section - this is only relevant if you are
extracting authorization credentials from the certificate.
3. Click Check certificate.
4. The results of the test are shown in the Certificate test results section.
4. The results of the test are shown in the Certificate test results section.
To retrieve authorization credentials (username) from the certificate:
1. Select the Certificate source as described above.
2. Configure the Regex and Username format fields as required. Their purpose is to extract a
2. Configure the Regex and Username format fields as required. Their purpose is to extract a
username from the nominated certificate by supplying a regular expression that will look for an
appropriate string pattern within the certificate. The fields default to the currently configured
settings on the
appropriate string pattern within the certificate. The fields default to the currently configured
settings on the
Certificate-based authentication configuration
page but you can change them
as required.
l
In the Regex field, use the (?<name>regex) syntax to supply names for capture groups so
that matching sub-patterns can be substituted in the associated Username format field, for
example, /(Subject:.*, CN=(?<Group1>.*))/m.
that matching sub-patterns can be substituted in the associated Username format field, for
example, /(Subject:.*, CN=(?<Group1>.*))/m.
Note that the regex defined here must conform to PHP regex guidelines [
].
Cisco VCS Administrator Guide (X6.1)
Page 201 of 401