OpenSSL Subject Converter PIP


This PIP is new in Argus 1.3 (EMI).

The OpenSSL Subject Converter PIP transforms on-the-fly an incoming request subject attribute subject-id and/or attribute subject-issuer value from the old, unsupported and wrong OpenSSL oneline format (e.g. “/C=CH/ Doe”) into a correct RFC2253 format value (e.g. “CN=John Doe,,C=CH”) with the correct datatype.


  1. Create a new INI section for you PIP (you may choose any valid INI section name. e.g. OPENSSLSUBJECT_PIP)
  2. Into the PIP INI section add the parserClass property with the value org.glite.authz.pep.pip.provider.OpenSSLSubjectPIPIniConfigurationParser
  3. Configure which subject attribute ID and datatype values must be transformed from the OpenSSL format into the RFC2253 format.

PIP Configuration Properties

Property Description Required? Default Value
opensslSubjectAttributeIDs The space separated list of subject attribute IDs containing an OpenSSL value to convert No urn:oasis:names:tc:xacml:1.0:subject:subject-id
opensslSubjectAttributeDatatypes The space separated list of subject attribute datatypes containing an OpenSSL value to convert No

Example Configuration

The following example shows a PEP server configuration with the OpenSSL Subject Converter PIP enabled, and transforming both the subject attribute IDs urn:oasis:names:tc:xacml:1.0:subject:subject-id and, with the datatype values from the OpenSSL oneline format into the RFC2253 format.

entityId =
hostname =

pdps = http://localhost:8152/authz

trustInfoDir = /etc/grid-security/certificates

parserClass = org.glite.authz.pep.pip.provider.OpenSSLSubjectPIPIniConfigurationParser
opensslSubjectAttributeIDs = urn:oasis:names:tc:xacml:1.0:subject:subject-id
opensslSubjectAttributeDatatypes =