Migrating to Rule-Based Certificate Mapping
Use
Use this procedure to migrate your certificate mappings in the USREXTID table to rule-based mapping. Rule-based certificate mapping reduces the cost of operating an X.509 certificate infrastructure by enabling you to convert most mappings to rules. You can carry over any remaining mappings as exceptions.
Prerequisites
You have the required authorizations.
For more information, see Rule-Based Certificate Mapping.
Procedure
This procedure assumes you have a large number of entries without issuers. If you have already maintained issuers in table USREXTID, you must change this procedure slightly as noted in the procedure below.
1. Start Rule-based Certificate Mapping Migration (transaction CERTRULE_MIG).
2. Select users or user groups.
   Select by user groups if you only have authorizations for specific user groups.
   For more information, see Rule-Based Certificate Mapping.
3. Choose the pushbutton to switch to edit mode.
4. Ensure that you are only displaying users with no mappings, and not users that already have mappings, either explicit or by rule. Use the buttons with the red, yellow, and green indicators at the top of the list.
5. Choose the pushbutton to select all subjects in the table without issuers.
6. Choose the pushbutton for entering an issuer, then enter a likely issuer manually or import it from a certificate in the file system or the server PSE.
   Do not worry about whether the issuer is correct for all entries. You just want to cover as many entries as possible.
7. Create rules that match the users.
   To create a rule, choose the Rule pushbutton.
   For more information, see Creating Rules for Certificate Mapping from step 5 on.
   As you save the rule, entries covered by the rule disappear from the list and appear under the green indicator.
8. Repeat steps 5-7 until you have reduced the list to a manageable number.
   As you work through the list, your goal is to change the status of the entries from the red indicator (no mapping) to the green indicator (mapped by rule). As rules apply to the mappings, they disappear from the list.
   What a manageable number is depends on how many entries you are willing to create explicit mappings for. For the remaining entries, create explicit mappings.
9. Create any exceptions.
   To create an exception, select an entry and choose the Explicit mapping pushbutton.
   This creates an explicit mapping of certificate subject and issuer to the specific user. The entry receives the status for explicit mappings.
10. Save your entries.
11. Enable the use of rule-based certificate mapping.
   Set the profile parameter login/certificate_mapping_rulebased to 1.
   For more information, see Changing and Switching Profile Parameters.
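As an added illustration of what steps 5 to 9 achieve (example code, not part of the SAP documentation or of transaction CERTRULE_MIG), the following Python script models the migration list: rows without an issuer receive the assumed issuer, a rule derives the user from one subject attribute, rows the rule covers turn green, and whatever stays red is listed as a candidate for an explicit mapping. The rule shape, the DN parsing and the sample rows are simplified assumptions for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

def parse_dn(dn: str) -> Dict[str, str]:
    """Split a simple comma-separated DN into {ATTRIBUTE: value}; no escaping is handled."""
    parts: Dict[str, str] = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        parts[key.strip().upper()] = value.strip()
    return parts

@dataclass
class Entry:
    subject: str            # certificate subject DN, as in a USREXTID-style row
    issuer: Optional[str]   # None when no issuer has been maintained yet
    user: str               # SAP user the certificate currently maps to

@dataclass
class Rule:
    """Assumed rule shape: for certificates from `issuer`, the user is the upper-cased `attribute` value."""
    issuer: str
    attribute: str

    def user_for(self, entry: Entry) -> Optional[str]:
        if entry.issuer != self.issuer:  # a rule never matches a certificate from another issuer
            return None
        value = parse_dn(entry.subject).get(self.attribute.upper())
        return value.upper() if value else None

def status(entry: Entry, rules: List[Rule], explicit: Set[Tuple[str, Optional[str]]]) -> str:
    """Indicator as in the migration list: 'rule' (green), 'explicit' (yellow), 'none' (red)."""
    if any(rule.user_for(entry) == entry.user for rule in rules):
        return "rule"
    return "explicit" if (entry.subject, entry.issuer) in explicit else "none"

def assign_issuer(entries: List[Entry], assumed_issuer: str) -> None:
    """Step 6: give every row without an issuer the assumed one so that rules can match it."""
    for entry in entries:
        if entry.issuer is None:
            entry.issuer = assumed_issuer

def remaining(entries: List[Entry], rules: List[Rule], explicit: Set[Tuple[str, Optional[str]]]) -> List[Entry]:
    """Rows still red after the rules were applied: the candidates for explicit mappings (step 9)."""
    return [e for e in entries if status(e, rules, explicit) == "none"]

ENTRIES = [  # constructed sample rows, not real data
    Entry("CN=alice, OU=Sales, O=Example", None, "ALICE"),
    Entry("CN=bob, OU=Sales, O=Example", None, "BOB"),
    Entry("CN=svc-batch, O=Example", None, "BATCHUSER"),  # user ID does not follow the CN
    Entry("CN=carol, O=Partner", "CN=Partner CA, O=Partner", "CAROL"),  # different issuer
]
```

Rows whose user does not follow the rule's pattern, or whose certificate comes from another issuer, are exactly the ones left for explicit mappings; a wrongly assumed issuer therefore only leaves rows red, it does not map them to the wrong user.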