Principal Propagation Configuration Properties

The Principal Propagation (X.509) provider enables single sign-on (SSO) access to back-end resources. To use this provider, an authentication provider must first authenticate clients, and you must select X.509 as the SSO mechanism.


Configure the Principal Propagation provider by:
  • Generating a certificate and private key to use in the public-key infrastructure (PKI) system
  • Importing the CA signing certificate (the public part of the CA signing key) into the back-end system as a trusted CA for the temporary user certificates that this login module generates and signs
  • Importing the certificate and private key into the SAP Mobile Platform keystore and configuring the alias, using the keytool utility
  • Configuring the Principal Propagation provider with the alias of the imported certificate and private key
  • Configuring an authentication provider in the same security profile
  • Entering appropriate values for the properties below


Table 67: Principal Propagation Configuration Properties

Provider Description
  Default value: None
  Differentiates between multiple instances of the same provider type; for example, when several authentication providers of the same type are stacked in a security profile and each targets a different repository.

CA Signing Certificate Alias
  Default value: None
  An alias in the system keystore that identifies the CA signing certificate and private key used to sign the dynamically generated certificate for the authenticated user.

Subject Pattern
  Default value: CN=${name}
  Pattern for the subject distinguished name of the generated certificate. If you specify the variable ${name}, the authenticated principal name is substituted for it.

Certificate Validity Period
  Default value: 10
  The number of minutes for which the generated certificate is valid. After the validity period expires, a new certificate is generated for SSO to the back end. Setting this value too low degrades performance.

Clock Skew Tolerance
  Default value: 10
  The number of additional minutes for which a certificate remains valid. Compensates for differences in time between the machine on which SAP Mobile Platform Server is running and the back-end machine that receives the certificate generated by the Principal Propagation credential.

  By default, a generated certificate is valid for 10 minutes. If the clock skew tolerance is 10, the certificate is valid for an additional 10 minutes in both directions. For example, if the server clock reads 12:00, the certificate is valid from 11:50 to 12:20. If the time on the receiving server is within 10 minutes of the time on the sending server, it receives a valid certificate; if the receiving server is more than 10 minutes behind, or more than 20 minutes ahead of, the sending server, it receives an invalid certificate.

Signature Algorithm
  Default value: SHA256
  Algorithm used to sign the X.509 certificate. Each Secure Hash Algorithm (SHA) is a one-way function that cannot be inverted, and works well for password validation, challenge hash authentication, antitamper, and digital signatures. Select one of:
  • SHA1 – SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. SHA-1 is no longer considered collision resistant, and many current TLS stacks reject SHA-1 certificate signatures, so choose it only if the back end requires it.
  • SHA224 – a SHA-224 hash value is computed by first generating a SHA-256 hash value, then truncating the resulting 256-bit hash value to 224 bits.
  • SHA256 – generates an almost-unique, fixed-size 256-bit (32-byte) hash, one of the strongest hash functions available.
  • SHA384 – both SHA-384 and SHA-512 are sufficient for almost any collision-resistance application. Generally, the determining factor for which hash to use is how many bits of output you need. For example, if you need the hash to generate both a 256-bit hash message authentication code (HMAC) key and a 128-bit encryption key, SHA-384 is a good choice.
  • SHA512 – select if you need as much output as possible, for example, for a pseudorandom number generator or for random padding.
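
The lifecycle these properties describe (substituting the principal into the Subject Pattern, widening the validity period by the skew tolerance at both ends, signing with the CA key, and the back end judging the result against its own clock), as an added Go example that is not SAP's code. The CA is a self-signed RSA key standing in for the keystore alias, Go's crypto/x509 verifier plays the back-end system, and the function names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

func must[T any](v T, err error) T { // example-only: abort on key-generation or signing failure
	if err != nil {
		panic(err)
	}
	return v
}
// window applies the Certificate Validity Period, then widens both ends by the Clock Skew Tolerance.
func window(now time.Time, validity, skew time.Duration) (notBefore, notAfter time.Time) {
	return now.Add(-skew), now.Add(validity + skew)
}
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // unique enough for an example
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}
// newCA creates a self-signed signing CA that stands in for the keystore alias (an RSA key is assumed).
func newCA(now time.Time) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: "Example SSO CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	return sign(ca, ca, &key.PublicKey, key), key
}
// issueUserCert builds the temporary certificate for an authenticated principal. pattern is the Subject Pattern
// (only "CN=..." is handled); sigAlg is the Signature Algorithm choice, e.g. x509.SHA256WithRSA for "SHA256".
func issueUserCert(principal, pattern string, validity, skew time.Duration, sigAlg x509.SignatureAlgorithm,
	now time.Time, ca *x509.Certificate, caKey *rsa.PrivateKey) *x509.Certificate {
	userKey := must(rsa.GenerateKey(rand.Reader, 2048)) // the user's private key is discarded here for brevity
	cn := strings.TrimPrefix(strings.ReplaceAll(pattern, "${name}", principal), "CN=")
	nb, na := window(now, validity, skew)
	return sign(&x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotBefore: nb, NotAfter: na, SignatureAlgorithm: sigAlg,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, &userKey.PublicKey, caKey)
}
// acceptedAt reports whether a back end whose clock reads receiverNow trusts the certificate. Note that the Go
// standard library has rejected SHA-1 certificate signatures since Go 1.18, so the SHA1 option cannot pass here.
func acceptedAt(cert, ca *x509.Certificate, receiverNow time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: receiverNow, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

With the table's defaults and a sending clock of 12:00, the certificate carries notBefore 11:50 and notAfter 12:20, so acceptedAt returns true for a receiving clock of 11:50 or 12:20 and false for 11:49 or 12:21.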

To validate your settings, click Test Settings. A message reports either success or failure; if validation fails, invalid settings are highlighted.