Mapping the Impersonator Role to the Reverse Proxy Certificate in XML
Enable the reverse proxy to impersonate an end user who authenticates using a mutual SSL connection, by mapping the Impersonator role to the certificate used by the reverse proxy.
This topic describes how to map the Impersonator role to the reverse-proxy certificate by editing the role-mapping file.
- In Management Cockpit, set the security log level to Debug.
- Perform a client request through the reverse proxy using HTTPS port 8082. For example, execute a request to proxy a client’s SSL_CLIENT_CERT, or send a push notification. These requests fail and are recorded in the server log.
the server log file
In the server log, you see the same DN that SAP Mobile Platform CSI sees. For example, CN = JohnDoe O = Acme C = US, where CN is common name, O is the organization name, and C is the country name.
- Navigate to <SMP_HOME>\Server\configuration\com.sap.mobile.platform.server.security\CSI, and open the role-mapping file.
- Copy the SubjectDN, exactly as it appears in the server log, and paste it into the role-mapping file, using this format:

    <DefaultMapping>
        <LogicalName>Impersonator</LogicalName>
        <MappedName>user:<SubjectDN copied from the server log></MappedName>
    </DefaultMapping>
- Repeat the client request and verify that it succeeds.
- In Management Cockpit, reduce the security log level to a value more appropriate for normal security operations, for example, Info or Warn.
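After completing the procedure, you can check that the Impersonator role is mapped only to the reverse-proxy certificate. The following Python script is an added example, not part of the product or its documentation. It lists every principal mapped to Impersonator and reports a missing mapping, a mapping that differs from the logged SubjectDN only in whitespace or case, and any other unexpected principal. The `<Mappings>` root element, the sample DNs, and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def _loose(name):
    """Whitespace- and case-insensitive form, used only to spot near misses."""
    return "".join(name.split()).lower()

def impersonator_principals(xml_text):
    """Return every MappedName bound to the Impersonator logical role."""
    found = []
    for mapping in ET.fromstring(xml_text).iter():
        if _local(mapping.tag) != "DefaultMapping":
            continue
        roles = [(c.text or "").strip() for c in mapping if _local(c.tag) == "LogicalName"]
        if "Impersonator" in roles:
            found += [c.text or "" for c in mapping if _local(c.tag) == "MappedName"]
    return found

def audit(xml_text, log_dn):
    """Compare the mapping with the SubjectDN copied from the server log."""
    expected = "user:" + log_dn
    principals = impersonator_principals(xml_text)
    findings = [] if expected in principals else [("missing", expected)]
    for p in principals:
        if p != expected:
            # Same DN apart from spacing or case: it was not pasted exactly.
            kind = "near-miss" if _loose(p) == _loose(expected) else "unexpected"
            findings.append((kind, p))
    return findings

# Constructed sample input; the <Mappings> root element is an assumption.
LOG_DN = "CN = JohnDoe O = Acme C = US"
SAMPLE = """<Mappings>
  <DefaultMapping>
    <LogicalName>Impersonator</LogicalName>
    <MappedName>user:CN=JohnDoe O=Acme C=US</MappedName>
    <MappedName>user:CN = OtherHost O = Acme C = US</MappedName>
  </DefaultMapping>
</Mappings>"""

if __name__ == "__main__":
    for kind, principal in audit(SAMPLE, LOG_DN):
        print(f"{kind}: {principal}")
```

An empty result from `audit` means the only Impersonator principal is the SubjectDN exactly as logged.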