CLI Certificate Mapping Methods
AttrMap Method Sets or Retrieves the Attribute Map for Certificate Mapping
The AttrMap method sets or retrieves the attribute map for Certificate mapping.
Syntax
The AttrMap method has the following format:
Netegrity::PolicyMgtCertMap->AttrMap ([attribute_map])
Parameters
The AttrMap method accepts the following parameter:
- attribute_map (string) (Optional) Specifies the attribute map to be set.
Return Value
The AttrMap method returns one of the following values:
- The new or existing attribute map of the certificate map
- An empty string if the call was unsuccessful
CacheCRL Method Determines whether To Cache Certificate Revocation List (CRL) Entries
The CacheCRL method sets or retrieves the flag that determines whether to cache Certificate Revocation List (CRL) entries. Setting this flag causes CA Single Sign-On to use cached CRL information until the date specified in the NextUpdate field in the CRL.
Syntax
The CacheCRL method has the following format:
Netegrity::PolicyMgtCertMap->CacheCRL([cacheFlag])
Parameters
The CacheCRL method accepts the following parameter:
- cacheFlag (int) (Optional) Specifies whether to cache CRL entries:
- 1 specifies that cache entries are used
- 0 specifies that cache entries are not used
Return Value
The CacheCRL method returns one of the following values:
- The new or existing cache flag setting
- -1 if the call was unsuccessful
CertRequired Method Determines whether Certificate Validation is Required
The CertRequired method sets or retrieves the flag that requires CA Single Sign-On to verify that the certificate presented by the user matches the certificate stored in the user's entry in the user directory. The user directory must be an LDAP user directory.
Syntax
The CertRequired method has the following format:
Netegrity::PolicyMgtCertMap->CertRequired([certFlag])
Parameters
The CertRequired method accepts the following parameter:
- certFlag (int) (Optional) Specifies whether certificate verification is required:
- 1 certificate verification is required
- 0 certificate verification is not required
Return Value
The CertRequired method returns one of the following values:
- The new or existing flag setting
- -1 if the call was unsuccessful
CRLUserDirectory Method Sets or Retrieves the LDAP Directory where the Certificate Revocation List (CRL) Is Located
The CRLUserDirectory method specifies or retrieves the LDAP user directory where the Certificate Revocation List (CRL) is located.
Syntax
The CRLUserDirectory method has the following format:
Netegrity::PolicyMgtCertMap->CRLUserDirectory([crlDir])
Parameters
The CRLUserDirectory method accepts the following parameter:
- crlDir (PolicyMgtUserDir) (Optional) Specifies the user directory where the CRL is located.
Return Value
The CRLUserDirectory method returns one of the following values:
- A PolicyMgtUserDir object
- undef if the call was unsuccessful
Description Method Sets or Retrieves the Description of the Certificate Map
The Description method sets or retrieves the description of the certificate map.
Syntax
The Description method has the following format:
Netegrity::PolicyMgtCertMap->Description([certMapDesc])
Parameters
The Description method accepts the following parameter:
- certMapDesc (string) (Optional) Specifies the description to set.
Return Value
The Description method returns one of the following values:
- A new or existing certificate map description
- An empty string if the call was unsuccessful
DirectoryType Method Sets or Retrieves the Type of User Directory
The DirectoryType method sets or retrieves the type of user directory involved in the user authentication.
Syntax
The DirectoryType method has the following format:
Netegrity::PolicyMgtCertMap->DirectoryType([dirType])
Parameters
The DirectoryType method accepts the following parameter:
- dirType (int) (Optional) Specifies one of the following types of user directory:
- Sm_PolicyApi_DirType_LDAP
- Sm_PolicyApi_DirType_WinNT
- Sm_PolicyApi_DirType_ODBC
Return Value
The DirectoryType method returns one of the following values:
- The new or existing directory type
- undef if the call was unsuccessful
EnableCRL Method Determines whether To Check the Certificate Revocation List (CRL) for Revoked Certificates
The EnableCRL method sets or retrieves the flag that determines whether to check the Certificate Revocation List (CRL) for revoked certificates.
Syntax
The EnableCRL method has the following format:
Netegrity::PolicyMgtCertMap->EnableCRL([ckCRLFlag])
Parameters
The EnableCRL method accepts the following parameter:
- ckCRLFlag (int) (Optional) Specifies whether to check certificates against the CRL:
- 1 specifies that certificates should be checked
- 0 specifies that certificates should not be checked
Return Value
The EnableCRL method returns one of the following values:
- The new or existing flag setting
- -1 if the call was unsuccessful
Remarks
A CRL is a list of revoked X.509 client certificates published by the Certificate Authority. Comparing a certificate against a CRL is one way to ensure that certificates are valid. When a user presenting a revoked certificate tries to access a protected resource, CA Single Sign-On finds the user's certificate in the CRL and rejects the authentication.
Before you enable CRL checking, call the method PolicyMgtCertMap->CRLUserDirectory to specify the user directory where the CRL is located.
IssuerDN Method Sets or Retrieves the DN of the Certificate Issuer
The IssuerDN method sets or retrieves the DN of the certificate issuer.
Syntax
The IssuerDN method has the following format:
Netegrity::PolicyMgtCertMap->IssuerDN([issuerDN])
Parameters
The IssuerDN method accepts the following parameter:
- issuerDN (string) (Optional) Specifies the issuer DN to set.
Return Value
The IssuerDN method returns one of the following values:
- The new or existing issuer DN
- An empty string if the call is unsuccessful
UseDistributionPoints Method Determines whether Certificate Revocation List (CRL) Searches Use a Distribution Point
The UseDistributionPoints method sets or retrieves the flag indicating whether Certificate Revocation List (CRL) searches should use a distribution point as a starting point for a search.
Syntax
The UseDistributionPoints method has the following format:
Netegrity::PolicyMgtCertMap->UseDistributionPoints([distPointsFlag])
Parameters
The UseDistributionPoints method accepts the following parameter:
- distPointsFlag (int) (Optional) Specifies whether to use distribution points for CRL searches:
- 1 specifies that distribution points should be used
- 0 specifies that the whole CRL should be searched
Return Value
The UseDistributionPoints method returns one of the following values:
- The new or existing flag setting
- -1 if the call was unsuccessful
Remarks
Large CRLs may contain multiple distribution points that can be used to locate a revoked user. Distribution points indicate a starting point in the CRL LDAP directory. By providing a starting point for a CRL check, distribution points save the processing time that it would take to search the entire CRL.
VerifySignature Method Determines whether CA Single Sign-On Verifies the Certificate Authority's Signature
The VerifySignature method sets or retrieves the flag indicating whether CA Single Sign-On should verify the Certificate Authority's signature in the Certificate Revocation List (CRL).
Syntax
The VerifySignature method has the following format:
Netegrity::PolicyMgtCertMap->VerifySignature([verifyFlag])
Parameters
The VerifySignature method accepts the following parameter:
- verifyFlag (int) (Optional) Specifies whether to verify the CA's signature in the CRL:
- 1 specifies that the signature should be verified
- 0 specifies that the signature should not be verified
Return Value
The VerifySignature method returns one of the following values:
- The new or existing flag setting
- -1 if the call was unsuccessful
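The following script is an added example, not code from the CA documentation, showing how the CRL-related methods on this page (CRLUserDirectory, EnableCRL, VerifySignature, UseDistributionPoints and CacheCRL) fit together: the CRL directory is set first, as the EnableCRL remarks require, and every setter's failure value (undef or -1) is checked before the next call. It assumes you already hold a Netegrity::PolicyMgtCertMap object and a Netegrity::PolicyMgtUserDir object for the LDAP directory that holds the CRL; how those objects are obtained from a policy-management session is outside this page and not shown.

```perl
use strict;
use warnings;

# Enable CRL checking on one certificate map. $certmap is assumed to be a
# Netegrity::PolicyMgtCertMap object and $crl_dir a Netegrity::PolicyMgtUserDir
# object (the LDAP directory where the CRL is published). Only methods
# documented for PolicyMgtCertMap are used.
sub enable_crl_checking {
    my ($certmap, $crl_dir) = @_;
    my $issuer = $certmap->IssuerDN();

    # The CRL directory must be set before EnableCRL is called; CRLUserDirectory
    # returns undef when the call fails, so check definedness, not truthiness.
    defined $certmap->CRLUserDirectory($crl_dir)
        or die "CRLUserDirectory failed for issuer '$issuer'\n";

    # Order matters for review: signature verification and the directory are in
    # place before checking is switched on, so no unverified CRL is ever used.
    my @settings = (
        [ VerifySignature       => 1 ],  # reject a CRL whose CA signature fails
        [ UseDistributionPoints => 1 ],  # start the search at a distribution point
        [ CacheCRL              => 1 ],  # reuse the CRL until its NextUpdate time
        [ EnableCRL             => 1 ],  # finally, check presented certs against the CRL
    );
    for my $pair (@settings) {
        my ($method, $value) = @$pair;
        my $rc = $certmap->$method($value);   # flag setters return -1 on failure
        die "$method($value) failed for issuer '$issuer' (rc=$rc)\n" if $rc == -1;
    }
    return 1;
}

# Read the settings back so the change can be confirmed and audited. Each
# getter is called with no argument, which returns the current value.
sub report_crl_settings {
    my ($certmap) = @_;
    my %state = map { $_ => $certmap->$_() }
        qw(IssuerDN EnableCRL VerifySignature UseDistributionPoints CacheCRL);
    $state{CRLUserDirectory} = defined $certmap->CRLUserDirectory() ? 'set' : 'undef';
    printf "%-22s %s\n", $_, $state{$_} for sort keys %state;
    return \%state;
}
```

Because CacheCRL reuses the list until its NextUpdate time, a certificate revoked after the cached copy was fetched is still accepted until then; the report function makes that cache setting visible alongside the others.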