Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual page 558

Extension-Specific Policy Module Reference
The standard suggests that if the certificate subject field contains an empty sequence, then the subject alternative name extension must contain the subject's alternative name and that the extension be marked critical.

If you're using any of the directory-based authentication methods, you can configure CMS to retrieve values for any string and byte attributes from the directory and set them in the certificate request during authentication—you specify these attributes by entering them in the ldapStringAttributes and ldapByteAttributes fields defined in the automated enrollment modules.

Note that all data related to an end entity is gathered at the servlet level and set on the request before the request is passed to the policy subsystem.

In general, you can configure which attributes should or shouldn't be stored in the request; for example, you can exclude sensitive attributes such as passwords from getting stored in the request with the help of the parameter named dontSaveHttpParams defined in the CMS configuration file. For details on using this parameter, see the description for HTTP_PARAMS in section "JavaScript Used By All Interfaces" of CMS Customization Guide. You can also distinguish the attributes based on their origin—that is, whether they originated from the enrollment form or were added to the request during the authentication process. Authenticated attributes have AUTH_TOKEN as prefix (for example, AUTH_TOKEN.mail) and non-authenticated attributes such as the ones that come from the HTTP input have HTTP_PARAMS as prefix (for example, HTTP_PARAMS.csrRequestorEmail).

If enabled, the subject alternative extension policy checks the certificate request for configured attributes. If the request contains an attribute, the policy reads its value and sets it in the extension. This way, the extension that gets added to certificates contains all the configured attributes.

During installation, CMS automatically creates an instance of the subject alternative name extension policy, named SubjectAltNameExt, that is enabled by default.

Table 11-39 SubjectAltNameExt Configuration Parameters

| Parameter | Description |
| --- | --- |
| enable | Specifies whether the rule is enabled or disabled. Select to enable, deselect to disable. |
| predicate | Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see "Using Predicates in Policy Rules," on page 485. |
| critical | Select to mark critical, deselect to mark noncritical (default). |

Netscape Certificate Management System Administrator's Guide • February 2003
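The request flow and the empty-subject rule described above, modelled in Python as an added example. This is not CMS code: every function name, the set-based form of dontSaveHttpParams, and the sample values are assumptions made for illustration.

```python
# Illustrative model only, not CMS code. All function names are hypothetical.

def gather_request(http_params, auth_token, dont_save_http_params):
    """Servlet-level step: set end-entity data on the request before policy runs.

    HTTP input is stored under the HTTP_PARAMS prefix unless it is excluded;
    attributes added during authentication are stored under AUTH_TOKEN.
    """
    request = {}
    for name, value in http_params.items():
        if name not in dont_save_http_params:  # e.g. passwords are never stored
            request["HTTP_PARAMS." + name] = value
    for name, value in auth_token.items():
        request["AUTH_TOKEN." + name] = value
    return request


def build_subject_alt_name(request, configured_attrs, critical=False):
    """Policy step: copy each configured attribute that the request contains."""
    values = [(attr, request[attr]) for attr in configured_attrs if attr in request]
    return {"critical": critical, "values": values}


def check_empty_subject_rule(subject, san):
    """Rule from the text: an empty subject needs a non-empty, critical extension."""
    if subject:
        return True
    return bool(san["values"]) and san["critical"]


# Constructed sample input.
SAMPLE_HTTP = {"csrRequestorEmail": "typed@example.com", "pwd": "s3cret"}
SAMPLE_AUTH = {"mail": "jdoe@example.com"}

if __name__ == "__main__":
    req = gather_request(SAMPLE_HTTP, SAMPLE_AUTH, {"pwd"})
    san = build_subject_alt_name(req, ["AUTH_TOKEN.mail"], critical=False)
    print(sorted(req))
    print(san, "rule satisfied:", check_empty_subject_rule("", san))
```

With the default noncritical setting, a request whose subject is empty fails the check even though the extension carries a value, so such requests need a rule instance with critical selected.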
