Configuring SAP Mobile Platform Server Certificate-based Authentication with a Reverse Proxy

Configure SAP Mobile Platform to allow certificate-based authentication when a reverse proxy handles client requests at the network edge and SSL is terminated before the request reaches SAP Mobile Platform Server.

Context

The user's certificate arrives at SAP Mobile Platform Server in an SSL_CLIENT_CERT HTTP header, and you must configure SAP Mobile Platform to trust that header during authentication. Trust is established by requiring mutual certificate authentication between the reverse proxy and SAP Mobile Platform, where the reverse proxy presents a technical user certificate signed by a CA in the SAP Mobile Platform truststore.

You must then ensure that the technical user is in the Impersonator role. Once these requirements are met, SAP Mobile Platform processes the SSL_CLIENT_CERT header and trusts the certificate it carries.

Procedure

  1. Add X.509 User Certificate security provider to validate the user certificate presented over the HTTPS connection.
    1. In Management Cockpit, select Settings > Security Profiles.
    2. Select the security profile to be used by the application to authenticate the user.
    3. Under Authentication Providers, click New.
    4. Select X.509 User Certificate security provider from the list, then click Create.
    5. Configure the values, and click Save.
    6. Click OK, then click Save.
  2. Update the corresponding role mapping file, following the role mapping process, and map the Impersonator logical role to the subject DN of the certificate that the reverse proxy at the network edge is configured with. This step is required so that the reverse proxy can be trusted to have validated the end-user certificate presented to it over the mutually authenticated connection that the client establishes to the network edge.
    <DefaultMapping>
      <LogicalName>Impersonator</LogicalName>
      <MappedName>Impersonator</MappedName>
      <MappedName>user:EMAILADDRESS=john.doe@sap.com, CN=reverse_proxy_user,OU=SMP, O=SAPAG, ST=CA, C=US</MappedName>
    </DefaultMapping>
  3. Obtain a valid signed server certificate for your SAP Mobile Platform Server.
  4. Import the certificate into the keystore using the "smp_crt" alias.
    1. Import the CA signing certificate used to sign client certificates into the smp_keystore.jks as a trusted CA certificate so that SAP Mobile Platform is able to validate client certificates later.
  5. Restart SAP Mobile Platform Server.
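The trust decision described in the Context section and in step 2 can be modelled in a few lines. The following is an added illustration, not SAP Mobile Platform code: it assumes a ROLE_MAPPING table mirroring the <DefaultMapping> entry above, and for simplicity treats the SSL_CLIENT_CERT header as carrying the end user's subject DN rather than the full certificate. It also shows why DNs should be compared as RDN sequences rather than raw strings.

```python
from typing import Optional

# Constructed role mapping, mirroring the <DefaultMapping> entry above. The
# "user:" prefix marks a mapping to a certificate subject DN.
ROLE_MAPPING = {
    "Impersonator": [
        "Impersonator",
        "user:EMAILADDRESS=john.doe@sap.com, CN=reverse_proxy_user,OU=SMP, O=SAPAG, ST=CA, C=US",
    ],
}


def normalize_dn(dn: str) -> tuple:
    """Turn a DN string into a tuple of (ATTRIBUTE, value) RDNs.

    The DN written by the proxy's certificate tooling and the one typed into
    the mapping file often differ only in whitespace around commas or in the
    case of attribute types; those differences must not break the match.
    Simplified parser: escaped commas inside values (RFC 4514) are not handled.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)


def is_impersonator(peer_dn: str) -> bool:
    """True if the mutually authenticated TLS peer is mapped to Impersonator."""
    for mapped in ROLE_MAPPING.get("Impersonator", []):
        if mapped.startswith("user:") and normalize_dn(mapped[5:]) == normalize_dn(peer_dn):
            return True
    return False


def resolve_user(peer_dn: Optional[str], headers: dict) -> Optional[str]:
    """Decide which identity a request is authenticated as.

    peer_dn: subject DN of the client certificate on the TLS connection to the
             server (None when the connection was not mutually authenticated).
    headers: HTTP headers of the request, possibly carrying SSL_CLIENT_CERT.
    Returns the subject DN of the authenticated identity, or None to reject.
    """
    forwarded = headers.get("SSL_CLIENT_CERT")
    if forwarded and peer_dn is not None and is_impersonator(peer_dn):
        # Trusted proxy: it validated the end-user certificate at the edge,
        # so the forwarded subject is the user identity.
        return forwarded
    # Any other peer (no client certificate, or one not mapped to Impersonator)
    # may not assert an identity via the header: the header is ignored and
    # only the peer's own certificate, if any, counts.
    return peer_dn
```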