Administrator

Mapping the Impersonator Role to the Reverse Proxy Certificate in XML

Enable the reverse proxy to impersonate an end user who authenticates using a mutual SSL connection, by mapping the Impersonator role to the certificate used by the reverse proxy.

Context

This topic describes how to map the Impersonator role to the reverse-proxy certificate by editing the role-mapping file.

Procedure

  1. In Management Cockpit, set the security log level to Debug.
  2. Perform a client request through the reverse proxy using the HTTPS 8082 port. For example, execute a request to proxy a client’s SSL_CLIENT_CERT, or send a push notification. These fail and are recorded in the server log.
  3. Open the server log file <SMP_HOME>\Server\log\<hostName>-smp-server.log.

    In the server log, you see the same DN that SAP Mobile Platform CSI sees. For example, CN = JohnDoe O = Acme C = US, where CN is common name, O is the organization name, and C is the country name.

  4. Navigate to <SMP_HOME>\Server\configuration\com.sap.mobile.platform.server.security\CSI, and open the role-mapping file.
  5. Copy the SubjectDN, exactly as it appears in the server log, and paste it into the role-mapping file, using this format:
    <DefaultMapping>
    <LogicalName>Impersonator</LogicalName>
    <MappedName>user:<SubjectDN copied from the server log></MappedName>
    </DefaultMapping>
  6. Repeat the client request and verify that it succeeds.
  7. In Management Cockpit, reduce the security log level to a value more appropriate for normal security operations, for example, Info or Warn.