
X.509 User Certificate Configuration Properties

The X.509 User Certificate provider enables mutual (client-certificate) TLS authentication. Use this provider when the container's HTTPS listener requests and verifies the client certificate during the TLS handshake; the provider then validates that certificate and, optionally, turns it into a user identity.

Description

You can combine X.509 User Certificate with other providers that support certificate authentication, for example Directory Service (LDAP/AD). If you stack multiple providers, place X.509 User Certificate first, so that the validated certificate is already available to the providers that follow it.

This provider can validate client certificates only when the HTTPS listener is configured for mutual authentication; without it, no client certificate is presented and the provider has nothing to validate.

Add and configure X.509 User Certificate properties, or accept the default settings.

Properties

Table 57: X.509 User Certificate General Configuration Properties

Control Flag
Default value: Optional
Description: Indicates how the provider is used in the login sequence (standard JAAS control-flag semantics):
  • Optional – the provider is not required to succeed. Whether it succeeds or fails, authentication proceeds down the provider list.
  • Sufficient – the provider is not required to succeed. If it succeeds, the remaining providers are skipped and authentication succeeds (unless an earlier Required or Requisite provider failed). If it fails, authentication proceeds down the provider list.
  • Required – the provider is required to succeed. Whether it succeeds or fails, authentication proceeds down the provider list, but overall authentication fails if this provider failed.
  • Requisite – the provider is required to succeed. If it succeeds, authentication proceeds down the provider list; if it fails, the remaining providers are skipped and overall authentication fails.

Provider Description
Default value: None
Description: Differentiates between multiple instances of the same provider type, for example when several authentication providers of the same type are stacked in a security profile and each targets a different repository.

Validated Certificate Is Identity
Default value: False
Description: (Optional) Whether the subject of the validated certificate becomes the authenticated user ID. Set this to true when this provider alone establishes the identity. Set it to false when X.509 User Certificate is stacked with other providers (for example Directory Service) that establish the user identity from the validated certificate.

Certificate Attribute as Principal
Default value: None
Description: (Optional) The subject DN attribute whose value is used as the principal name. For example, if set to cn and the client certificate subject DN is cn=johnsmith, OU=marketing, DC=acme, DC=com, the generated principal name is johnsmith. If undefined, the entire subject DN is used as the principal name.

Validate Certificate Path
Default value: True
Description: If true, builds and validates the certificate chain starting from the certificate being authenticated. The provider verifies that the certificate was issued by a valid issuer and that the issuer is a trusted certificate authority (CA); if the issuer is not itself in the trusted certificate store, the provider looks up that issuer's own issuer, and so on up the chain, until it reaches a CA that is in the trusted store. If none of the issuers in the chain is in the trusted store, validation fails. If false, the provider accepts the presented certificate without checking its issuer, so the chain is only as trustworthy as whatever the HTTPS listener already verified.
Enable Revocation Checking
Default value: False
Description: (Only if Validate Certificate Path is True) Enables revocation checking during certificate-path validation (PKIXParameters revocation checking in the JDK). Revocation checking needs a source of revocation data, which you configure through Java system and security properties: set the system properties in the props.ini file and the security properties in the java.security file, for example:
  • Enable Certificate Revocation List Distribution Points (CRLDP) checking by setting the system property com.sun.security.enableCRLDP to true.
  • Enable OCSP in the java.security file (the JDK security property ocsp.enable); see Enabling the Online Certificate Status Protocol.

If set to true, certificate authentication fails when all of the following hold:

  • The certificate has been revoked, and
  • the certificate carries the corresponding extension (an OCSP responder in Authority Information Access, or CRL Distribution Points), and
  • the corresponding checker is enabled: OCSP in java.security, or CRLDP through the JVM system property.

If neither OCSP nor CRLDP is enabled, the static CRLs configured in Table 58 are the only source of revocation data.
Table 58: X.509 User Certificate Advanced Configuration Properties

Credential Name
Default value: SSL_CLIENT_CERT
Description: Name under which this provider stores the validated certificate as a credential of the authenticated subject, where providers later in the stack can read it.

Key / Value
Default value: None
Description: (Only if OCSP/CRLDP checking is disabled) One entry per static certificate revocation list (CRL):
  • Key – a string that identifies the CRL, in the format crl.<ID>.uri, for example crl.1.uri (use a different ID for each additional CRL). Certificates are checked against this static CRL, which has been either downloaded locally or imported into an LDAP server.
  • Value – a URL that points to the CRL (for example, the local file or the LDAP entry holding it).

The content fetched from the URL is passed to java.security.cert.CertificateFactory.generateCRLs, so it must be in a form that method accepts (a DER- or PEM-encoded X.509 CRL).

See the Java API documentation for the CertificateFactory class (information published on a non-SAP site).
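The behaviour described for Validate Certificate Path, Enable Revocation Checking and the static crl.<ID>.uri entries, together with the principal extraction described for Certificate Attribute as Principal, can be reproduced outside the server with the same JDK APIs the provider relies on (PKIXParameters, CertPathValidator, CertificateFactory.generateCRLs). The command-line checker below is an added example written for this page, not code from the product. It assumes you supply a PEM file with the client certificate chain (end-entity certificate first, intermediates after it, root not included), a PEM file with the trusted CA certificates, a mode argument of none (no revocation checking), dp (revocation data located through the certificate's own CRLDP/OCSP extensions, enabled the same way props.ini and java.security do it) or the path of a static CRL file, and optionally the DN attribute to use as the principal name; the class name X509ProviderCheck and these mode names are the example's own. It is useful for checking, before touching the security profile, that a given chain, trust store and CRL combination produces the decision you expect. One caveat the table does not spell out: with PKIXParameters revocation checking enabled, the JDK rejects a chain not only when a certificate is revoked but also when it can find no revocation data at all for an issuer (reason UNDETERMINED_REVOCATION_STATUS), which is the usual cause of unexpected failures when the certificates carry no CRLDP/OCSP extension and no static CRL is configured.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.*;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

// Added example (not product code): reproduces the provider's path validation,
// revocation checking and principal extraction with plain JDK APIs.
public class X509ProviderCheck {

    // "Certificate Attribute as Principal": value of the named RDN attribute
    // (e.g. "cn") of the subject DN, or the whole DN when no attribute is set.
    static String principalName(X509Certificate cert, String attr) throws Exception {
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        if (attr == null) {
            return dn;
        }
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if (rdn.getType().equalsIgnoreCase(attr)) {
                return rdn.getValue().toString();
            }
        }
        return dn; // attribute absent from the DN: fall back to the full DN
    }

    // "Validate Certificate Path" plus "Enable Revocation Checking". The chain is
    // end-entity first; the trust anchors are the trusted certificate store.
    static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                Set<TrustAnchor> anchors,
                                                Collection<? extends CRL> staticCrls,
                                                boolean revocation,
                                                boolean useDistributionPoints) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(revocation);
        if (revocation) {
            if (useDistributionPoints) {
                // Same switches the page tells you to set in props.ini / java.security;
                // set here only so this stand-alone tool can exercise them.
                System.setProperty("com.sun.security.enableCRLDP", "true");
                Security.setProperty("ocsp.enable", "true");
            } else {
                // Static CRL mode: the crl.<ID>.uri content, parsed by generateCRLs,
                // is offered to the validator through a collection CertStore.
                CertStore store = CertStore.getInstance("Collection",
                        new CollectionCertStoreParameters(staticCrls));
                params.addCertStore(store);
            }
        }
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }

    // Reads one or more PEM/DER certificates from a file.
    static List<X509Certificate> readCerts(String file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(file)) {
            List<X509Certificate> certs = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
            return certs;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: X509ProviderCheck <client-chain.pem> <trusted-ca.pem> <none|dp|crl-file> [attribute]");
            return;
        }
        List<X509Certificate> chain = readCerts(args[0]);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : readCerts(args[1])) {
            anchors.add(new TrustAnchor(ca, null));
        }
        String mode = args[2];
        String attr = args.length > 3 ? args[3] : null;
        Collection<? extends CRL> crls = Collections.emptyList();
        if (!mode.equals("none") && !mode.equals("dp")) {
            try (InputStream in = new FileInputStream(mode)) {
                crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
            }
        }
        try {
            PKIXCertPathValidatorResult r = validate(chain, anchors, crls,
                    !mode.equals("none"), mode.equals("dp"));
            System.out.println("valid; trust anchor = "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            System.out.println("principal = " + principalName(chain.get(0), attr));
        } catch (CertPathValidatorException e) {
            // getReason() distinguishes REVOKED from UNDETERMINED_REVOCATION_STATUS,
            // EXPIRED, NAME_CHAINING etc.; getIndex() is the offending chain position.
            System.out.println("rejected: " + e.getReason() + " (chain index " + e.getIndex()
                    + "): " + e.getMessage());
        }
    }
}
```

Compile with javac X509ProviderCheck.java and run, for example, java X509ProviderCheck client-chain.pem trusted-ca.pem issuer.crl cn to check a chain against a static CRL and print the cn-based principal; rerun with dp after revoking a test certificate to confirm that the CRLDP/OCSP path reports REVOKED rather than an undetermined status.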

To validate your settings, click Test Settings. A message reports either success or failure; if validation fails, invalid settings are highlighted.