5.5.3 Restricting the X.509 Authentication to a Specific Certificate Authority

In an ideal mutual authentication scenario, a user gets an X.509 certificate from a trusted CA. The CA is imported to the Access Manager trust store and Access Manager uses the same CA for authenticating this user.

The Access Manager trust store usually contains many other trusted certificate authorities. If the user submits a certificate issued by a different CA that is also trusted by Access Manager, the authentication still succeeds. In some scenarios this behavior is not suitable, for example when smart cards and X.509 authentication are used in an enterprise. You can restrict this behavior and configure Access Manager to allow X.509 authentication only for the configured CA. After enabling the restriction, the mutual authentication succeeds only when the user submits an X.509 user certificate issued by the specified CA. This restriction does not limit the certificates available on the client side; it applies only while Access Manager processes and validates the submitted certificate.

For example, an organization has two departments: HR and Finance. Each department issues smart cards to its respective employees. In Access Manager, contracts are configured for both departments as follows:

Department   Contract       CA
HR           X509_HR        CA_HR
Finance      X509_Finance   CA_Finance

Employees of the HR department use certificates signed by CA_HR and employees of the Finance department use certificates signed by CA_Finance. Both CA certificates are imported into the trust store.

If no CA is specified, Access Manager does not validate certificates against any particular CA. In this case, employees can authenticate with any certificate that chains to a CA imported into the trust store, irrespective of the contract they use. As a result, employees of the HR department can use a certificate signed by CA_Finance and employees of the Finance department can use a certificate signed by CA_HR for authentication.

When you specify the CA, Access Manager validates the certificate against the configured CA only. Therefore, you can restrict employees of the HR department to the X509_HR contract and employees of the Finance department to the X509_Finance contract. Access Manager validates the certificate against the CA configured in the Access Manager authentication method property.
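The following script is an added illustration of the behavior described above; it is example shell, not NetIQ Access Manager code. It builds two constructed CAs, CA_HR and CA_Finance, one employee certificate signed by each, and a trust store holding both, then checks each certificate first the unrestricted way (against the whole trust store) and then pinned to a single contract's CA. It assumes the openssl command-line tool (1.1.1 or later) is installed; the file names and the `authenticate` helper are the example's own.

```shell
#!/bin/sh
# Added example (not NetIQ Access Manager code): models the "any trusted CA"
# default versus a contract pinned to one issuing CA, using the openssl CLI.
# The CAs, users and trust store below are all constructed here on the fly.
set -eu

WORK="${TMPDIR:-/tmp}/x509-ca-restrict.$$"

# Minimal req(1) config so the example does not depend on the system openssl.cnf;
# ca_ext marks the self-signed certificates as CAs.
write_config() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_ca NAME: self-signed CA -> $WORK/NAME.key, $WORK/NAME.pem
make_ca() {
    openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_user_cert USER CA: user certificate signed by CA -> $WORK/USER.pem
make_user_cert() {
    openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.pem" >/dev/null 2>&1
}

# setup: two departmental CAs, one employee cert each, and a trust store
# holding both CAs (the "both CAs imported" situation from the text).
setup() {
    mkdir -p "$WORK"
    write_config
    make_ca CA_HR
    make_ca CA_Finance
    make_user_cert hr_employee CA_HR
    make_user_cert finance_employee CA_Finance
    cat "$WORK/CA_HR.pem" "$WORK/CA_Finance.pem" > "$WORK/truststore.pem"
}

# authenticate USER [CA]
#   no CA argument : unrestricted contract, the cert only has to chain to
#                    some CA in the trust store
#   CA argument    : restricted contract, the cert must chain to that CA only
# Exit status 0 means the authentication would succeed.
authenticate() {
    if [ $# -ge 2 ]; then
        anchor="$WORK/$2.pem"
    else
        anchor="$WORK/truststore.pem"
    fi
    # -no-CAfile / -no-CApath keep the system store out of the decision
    openssl verify -no-CAfile -no-CApath -CAfile "$anchor" "$WORK/$1.pem" >/dev/null 2>&1
}

# report USER [CA]: human-readable wrapper around authenticate
report() {
    if authenticate "$@"; then
        echo "$1 via contract CA=${2:-<any trusted CA>}: accepted"
    else
        echo "$1 via contract CA=${2:-<any trusted CA>}: rejected"
    fi
}

setup
report hr_employee                 # accepted: trust store contains CA_HR
report finance_employee            # accepted: trust store contains CA_Finance
report hr_employee CA_Finance      # rejected: X509_Finance contract pinned to CA_Finance
report finance_employee CA_HR      # rejected: X509_HR contract pinned to CA_HR
rm -rf "$WORK"
```

Run it as `sh x509-ca-restrict.sh`. The first two output lines show the cross-department acceptance the text warns about (any certificate chaining to any imported CA passes), and the last two show the restricted contract rejecting a certificate issued by the other department's CA. Pinning the trust anchor only changes how the presented chain is validated; it does nothing to limit which certificates the smart card offers, exactly as the text states.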

For information about configuring X.509 authentication, see Configuring X.509 Authentication.