Certificate owner - Subject attributes

By default, the attribute entry box associated with the "Subject" entry, within the "Certificate owner" field, contains CN=(.*). With this value, HPE OneView extracts the first user name it encounters in a "CN" attribute of the "Subject" field in the smart card certificate. You can edit the regular expression for the "CN" attribute to refine the list of acceptable values.

You can edit the value if you need HPE OneView to search for the user name in other attributes of the certificate "Subject" field. The choices include:

  • CN=(.*)
  • E=(.*)
  • UID=(.*)
  • DN=(.*)

Microsoft Active Directory users must note that the DN is extracted as an aggregate of the subject attributes from the certificate. This should match the DN value configured for the user in Active Directory. If it is not an exact match, the login operation fails.

Use a comma-separated list to include multiple values in the entry field, allowing HPE OneView to search multiple Subject attributes for a valid user name.

NOTE:

You can instruct HPE OneView to search for the user name within the attributes of the "Subject" field of the smart card certificate (either in addition to, or instead of, searching within "Subject Alternative Name" attributes).

Subject multiple attribute entry example

CN=(.*),E=(.*),UID=(.*),DN=(.*)

Variations for the CN attribute: examples

  • To match only user names starting with "J_" use CN=(^J_.*$)

  • To match names in "LastName, FirstName" format use CN=(^[a-zA-Z]*, [a-zA-Z]+$)

  • To match user names containing only numbers use CN=(^[0-9]+$)

NOTE:

These variations apply when a certificate contains multiple CN attributes and you want to select a specific one rather than the first CN attribute encountered. It is recommended to use patterns that begin with '^' and end with '$' so that the system can perform an exact match.
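
The following is an added example, not HPE OneView code. It shows how the entries above select among several CN values in one Subject, and what changes when the '^' and '$' anchors are dropped. It assumes substring (search) matching with the captured group used as the user name; `select_user_name` is a hypothetical helper and the Subject values are constructed.

```python
import re

# Constructed Subject attributes, in certificate order (not from a real card).
SAMPLE_SUBJECT = [
    ("CN", "Workstation Logon"),
    ("CN", "svc_J_backup"),
    ("CN", "J_Smith"),
    ("CN", "Doe, Jane"),
    ("CN", "00123456"),
    ("UID", "jsmith"),
]


def select_user_name(subject, entry):
    """Return the user name captured by an entry such as 'CN=(^J_.*$)'.

    Hypothetical helper: walks the attributes in order and returns the
    first capture for the named attribute type, or None if nothing matches.
    Assumption: the pattern is applied with search semantics, which is the
    case where missing anchors allow partial matches.
    """
    attr_type, sep, pattern = entry.partition("=")
    if not sep or not pattern:
        raise ValueError("entry must look like ATTR=(regex)")
    rx = re.compile(pattern)
    for name, value in subject:
        if name != attr_type:
            continue
        match = rx.search(value)
        if match:
            # Use the capture group when the pattern defines one.
            return match.group(1) if rx.groups else match.group(0)
    return None


if __name__ == "__main__":
    for entry in (
        "CN=(.*)",                       # default: first CN wins
        "CN=(^J_.*$)",                   # anchored: exact attribute
        "CN=(J_.*)",                     # unanchored: partial match
        "CN=(^[a-zA-Z]*, [a-zA-Z]+$)",
        "CN=(^[0-9]+$)",
        "UID=(.*)",
    ):
        print(f"{entry:32} -> {select_user_name(SAMPLE_SUBJECT, entry)!r}")
```

With the anchors removed, `CN=(J_.*)` stops at the earlier `svc_J_backup` attribute and yields the fragment `J_backup`, while the anchored form skips it and returns `J_Smith`.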