Symantec Access Management

  • 1.  Mark attribute as "sensitive" or "secret" or ...

    Posted Jul 12, 2016 12:19 PM

    I'm pretty sure I know the answer to this, but does anyone have an idea of how I can make a field require some sort of hashing much like the userPassword (password-storage) setting?  I need to mark several attributes this way in hopes of appeasing the all loving auditors.


    Thanks!



  • 2.  Re: Mark attribute as "sensitive" or "secret" or ...

    Broadcom Employee
    Posted Jul 12, 2016 02:17 PM

    Hi Steve,


    Which part of configuration are you referring to?

    Is this related to Siteminder or something else, e.g. attribute inside directory itself?

    If this feature is not documented, then it probably does not exist; maybe consider opening a CA Community idea.


    Thanks,

    Hongxu



  • 3.  Re: Mark attribute as "sensitive" or "secret" or ...

    Posted Jul 12, 2016 02:44 PM

    Hi Hongxu -


    Nothing to do with any other CA product.  Only to do with whether it is possible to provide an attribute in CA Directory, much like the setting (default in later versions) for userPassword (password-storage), whereby the attribute can be hashed.  An encryption method would also be acceptable, although it doesn't need to be that intensive, as I believe this would require keys and exchanges, etc., that we really don't want/need to do at this time.


    Basically all I really need to do is provide a means whereby the Directory server will see that the attribute is set to be hashed, so that an application can send an attribute to the Directory server and the server can hash the attribute and compare to the stored value.


    Hope this helps clarify.  BTW, it is also my belief that CA Directory does not have this capability.


    Thanks,

    Steve



  • 4.  Re: Mark attribute as "sensitive" or "secret" or ...

    Posted Jul 19, 2016 10:44 AM

    Hi Steve,


    You are correct in your assumption that CA Directory does not have the capability to hash an attribute value; outside of userpassword. Typically, the application(s) do the hashing and store that value in the directory and then do what needs to be done on retrieval (i.e. compare/present clear text).

    Another way for 'secrecy' is to put an ACI on the attribute so that the attribute is only accessible for authorized end user(s).

    Of course, both can be applied.


    cheers,

    Robert

    Rackspace
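Robert's approach (the application hashes the value before writing it to the directory, then compares a presented value against the stored hash) as an added Python example; this is not code from the thread or from CA Directory. The `{PBKDF2-SHA256}` scheme label, modelled on the `{SSHA}`-style prefixes used for userPassword, and the sample attribute value are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical scheme label, modelled on the "{SSHA}"-style prefixes
# directory servers use for userPassword values.
SCHEME = "{PBKDF2-SHA256}"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_attribute(secret: str, salt: Optional[bytes] = None,
                   iterations: int = ITERATIONS) -> str:
    """Return the value the application stores in the custom attribute.

    Format: {PBKDF2-SHA256}$<iterations>$<salt b64>$<digest b64>. The salt and
    iteration count travel with the value so it can be verified later, and the
    cleartext never reaches the directory.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return "$".join([SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_attribute(secret: str, stored: str) -> bool:
    """Compare a presented cleartext against the value read back from the directory."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        if scheme != SCHEME:
            return False  # unknown or legacy scheme: refuse rather than guess
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, int(iterations))
    except (ValueError, TypeError):
        return False  # malformed stored value
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # constructed sample: a security-question answer kept in a custom attribute
    stored = hash_attribute("blue elephant")
    print("value written to directory:", stored)
    print("correct answer verifies:", verify_attribute("blue elephant", stored))
    print("wrong answer verifies:", verify_attribute("Blue Elephant", stored))
```

Pair this with an ACI on the attribute, as Robert suggests, so that only the application's bind DN can read the stored hash.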



  • 5.  Re: Mark attribute as "sensitive" or "secret" or ...

    Posted Jul 19, 2016 05:35 PM

    Actually, if you define this attribute as an OctetString in the schema, it will be automatically hashed in the directory. It will pretty much act like a password.


    Cheers,

    Marline



  • 6.  Re: Mark attribute as "sensitive" or "secret" or ...

    Posted Jul 19, 2016 07:24 PM

    Sorry, no. It is not hashed. Just converted to Binary. My apologies.