Netscape MANAGEMENT SYSTEM 6.0 - PLUG-IN Manual page 233


Chapter 4: Certificate Extension Plug-in Modules
SubjectAltNameExt Plug-in Module

Attributes in a certificate request are filled in by servlets from the HTTP input
forms used for request submission. Some attributes, such as passwords typed in
the form, are not stored in the request. Other attributes regarding the end entity,
such as the user ID, are set on the request after successful authentication. The
servlets can also set additional attributes related to the certificate content on the
request; for example, in automated-enrollment methods, some attributes may be
read from the authentication directory and set in the request as authenticated
attributes.

If you're using any of the directory-based authentication methods, you can
configure Certificate Management System to retrieve values for any string and byte
attributes from the directory and set them in the certificate request during
authentication. You specify these attributes by entering them in the
ldapStringAttributes and ldapByteAttributes fields defined in the automated
enrollment modules. For more information, see Table 1-2 on page 26, Table 1-3 on
page 30, and Table 1-4 on page 38.

Note that all data related to an end entity is gathered at the servlet level and set on
the request before the request is passed to the policy subsystem.

In general, you can configure which attributes should or shouldn't be stored in the
request; for example, you can exclude sensitive attributes such as passwords from
being stored in the request with the help of the parameter named
dontSaveHttpParams defined in the CMS configuration file. For details on using
this parameter, see the description for HTTP_PARAMS in section "JavaScript Used By
All Interfaces" of CMS Customization Guide. You can also distinguish the attributes
based on their origin, that is, whether they originated from the enrollment form or
were added to the request during the authentication process. Authenticated
attributes have AUTH_TOKEN as prefix (for example, AUTH_TOKEN.mail) and
non-authenticated attributes such as the ones that come from the HTTP input have
HTTP_PARAMS as prefix (for example, HTTP_PARAMS.csrRequestorEmail).

If enabled, the subject alternative name extension policy checks the certificate
request for configured attributes. If the request contains an attribute, the policy
reads its value and sets it in the extension. This way, the extension that gets added
to certificates contains all the configured attributes.

During installation, Certificate Management System automatically creates an
instance of the subject alternative name extension policy. See "SubjectAltNameExt
Rule" on page 237.
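The request flow described above, as an added example that is not Certificate Management System code: a simplified Python model of how the servlet level stores prefixed attributes and how the subject alternative name policy then copies the configured ones into the extension. Only the AUTH_TOKEN and HTTP_PARAMS prefixes, dontSaveHttpParams and the two sample attribute names come from this page; the function names, the dictionary layout, the rfc822Name label and the sample values are assumptions.

```python
# Simplified model of the request flow described on this page; not CMS code.
# Function names, data layout and sample values are assumptions for illustration.

def build_request(http_form, auth_token, dont_save_http_params):
    """Servlet level: gather end-entity data and set it on the request."""
    request = {}
    for name, value in http_form.items():
        if name in dont_save_http_params:      # e.g. passwords typed in the form
            continue
        request["HTTP_PARAMS." + name] = value
    for name, value in auth_token.items():     # set after successful authentication
        request["AUTH_TOKEN." + name] = value
    return request

def origin(attr):
    """Tell directory-sourced values from values typed into the form."""
    return "authenticated" if attr.startswith("AUTH_TOKEN.") else "form input"

def subject_alt_name_policy(request, configured):
    """Policy level: copy each configured attribute that is present in the
    request into the extension. `configured` lists (request attribute, name type)."""
    entries = []
    for attr, name_type in configured:
        value = request.get(attr)
        if value:                              # attributes not in the request are skipped
            entries.append((name_type, value, origin(attr)))
    return entries

# Constructed sample input.
FORM = {"uid": "jdoe", "pwd": "s3cret", "csrRequestorEmail": "someone@example.net"}
TOKEN = {"uid": "jdoe", "mail": "jdoe@example.com"}    # read from the directory
REQUEST = build_request(FORM, TOKEN, dont_save_http_params={"pwd"})
SAN = subject_alt_name_policy(REQUEST, [
    ("AUTH_TOKEN.mail", "rfc822Name"),
    ("HTTP_PARAMS.csrRequestorEmail", "rfc822Name"),
    ("AUTH_TOKEN.mailAlternateAddress", "rfc822Name"),  # not in the request
])

if __name__ == "__main__":
    for key in sorted(REQUEST):
        print(key, "=", REQUEST[key])
    for entry in SAN:
        print(entry)
```

The third field of each extension entry records the attribute's origin, which is the distinction the prefixes exist to preserve when reviewing which configured attributes end up in issued certificates.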


This manual is also suitable for:

Certificate management system 6.0
