The AS Java enables you to use client certificates for authentication with the JAAS login module ClientCertLoginModule. You can use the configuration options of the ClientCertLoginModule to determine the user ID from the client certificate and to filter provided certificates based on rules for certificate authentication.
The options for the ClientCertLoginModule enable you to configure the use of a sequence of several rules for client certificate authentication. To configure a single rule, you use combinations of several login module options and a prefix that marks the rule number. The prefix that marks the rule number also determines the sequence for the rule execution.
To enable the use of rule-based certificate authentication, you add the ClientCertLoginModule to the login module stacks of the policy configurations of the applications that are to use certificate authentication. You can configure the options to enable rule-based certificate authentication for individual applications or for all applications that contain the ClientCertLoginModule in their login module stacks.
For more information, see Managing Login Modules and Managing Policy Configurations.
The login module configuration options enable you to determine the user ID from the client certificate information during logon. You configure several login module options to specify a single rule for performing authentication with the client certificates. Certificate filters and the options that determine the user ID from the certificate information are the building blocks of a single rule. You can combine several rules in a rule sequence, using a prefix for the rule options to mark the rule number in the sequence of all rules configured for authentication.
The figure below illustrates this concept:
Entity relationship for rules and login module configuration options
Filter client certificates to use for authenticating a user
The configuration options enable you to filter client certificates either by certificate issuer or by certificate subject names.
When you configure filters based on the certificate issuer, you enter the issuer attributes exactly as they appear in the client certificate. When you configure filters based on the certificate subject name, you can specify only a subset of the subject attributes to define the filtering rule.
Filters are an optional part of a rule: they specify the criteria that decide whether a rule in the sequence is used to determine the user ID from the certificate information. You can also configure a rule that only determines the user ID, without applying filters to restrict which certificates the rule applies to. In this case, if the AS Java cannot determine a user ID from the certificate, the authentication fails and subsequent rules in the sequence are not checked.
Authenticate a user ID from certificate information
The configuration options support the following modes to determine the user ID from the certificate information:
When you use an AS ABAP as the UME data source, the user ID that is determined must have a valid format for the authentication to succeed. For more information, see the AS ABAP documentation.
For more information, see Managing Login Modules.
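The following is an added example that models the rule sequence described above (issuer and subject filters deciding whether a rule applies, then a user-ID determination step, with the rule-number prefix fixing the execution order). It is a constructed model, not the code of the ClientCertLoginModule or any SAP component: the option names (Rule<N>.filterIssuer, Rule<N>.filterSubject, Rule<N>.userFrom, Rule<N>.attribute), the two userFrom modes and the sample certificates are all assumptions made for illustration. The page states that a rule without filters that cannot determine a user ID ends the sequence with a failed authentication; the model assumes the same for a filtered rule once its filters have matched.

```python
import re
from typing import Optional

# Constructed model of rule-based certificate authentication; not SAP code.
# Option names and userFrom modes below are hypothetical.


def parse_dn(dn: str) -> dict:
    """Split an X.500-style name such as 'CN=alice, OU=Dev, O=Example' into attributes."""
    attrs = {}
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        key, value = part.split("=", 1)
        attrs[key.strip().upper()] = value.strip()
    return attrs


def issuer_matches(filter_dn: str, cert: dict) -> bool:
    """Issuer filter: attributes are given as they appear in the certificate, so all must agree."""
    return parse_dn(filter_dn) == parse_dn(cert["issuer"])


def subject_matches(filter_dn: str, cert: dict) -> bool:
    """Subject filter: only a subset of subject attributes is given; each given one must match."""
    subject = parse_dn(cert["subject"])
    return all(subject.get(k) == v for k, v in parse_dn(filter_dn).items())


def rules_in_order(options: dict) -> list:
    """Group 'Rule<N>.<option>' entries by N; the prefix number fixes the execution order."""
    grouped = {}
    for key, value in options.items():
        m = re.fullmatch(r"Rule(\d+)\.(\w+)", key)
        if m:
            grouped.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return [grouped[n] for n in sorted(grouped)]


def determine_user(rule: dict, cert: dict, cert_mapping: dict) -> Optional[str]:
    """Derive the user ID from the certificate under the rule's (hypothetical) userFrom mode."""
    mode = rule.get("userFrom", "subjectAttribute")
    if mode == "subjectAttribute":
        # e.g. attribute=CN: the subject's CN is taken as the user ID
        return parse_dn(cert["subject"]).get(rule.get("attribute", "CN").upper())
    if mode == "mappedCertificate":
        # the whole certificate (represented by its fingerprint) is looked up in a user mapping
        return cert_mapping.get(cert["fingerprint"])
    raise ValueError(f"unknown userFrom mode: {mode}")


def authenticate(options: dict, cert: dict, cert_mapping: dict) -> Optional[str]:
    """Walk the rule sequence; return the user ID, or None when authentication fails."""
    for rule in rules_in_order(options):
        # Filters decide whether this rule applies; a non-matching certificate moves on to the next rule.
        if "filterIssuer" in rule and not issuer_matches(rule["filterIssuer"], cert):
            continue
        if "filterSubject" in rule and not subject_matches(rule["filterSubject"], cert):
            continue
        # Once a rule applies, failing to determine a user ID ends the sequence (assumption, see lead-in).
        return determine_user(rule, cert, cert_mapping)
    return None  # no rule applied to this certificate


# Constructed sample configuration: rule 1 maps employee certificates by subject CN,
# rule 2 handles certificates from the partner CA through an explicit mapping.
OPTIONS = {
    "Rule1.filterIssuer": "CN=Corp CA, O=Example",
    "Rule1.filterSubject": "OU=Employees",
    "Rule1.userFrom": "subjectAttribute",
    "Rule1.attribute": "CN",
    "Rule2.filterIssuer": "CN=Partner CA, O=Partner",
    "Rule2.userFrom": "mappedCertificate",
}

# Constructed user-to-certificate mapping (fingerprint -> user ID).
CERT_MAPPING = {"ab:cd:01": "partner.bob"}

# Constructed certificates carrying only the fields the model needs.
EMPLOYEE = {"subject": "CN=alice, OU=Employees, O=Example", "issuer": "CN=Corp CA, O=Example", "fingerprint": "11:22:33"}
PARTNER = {"subject": "CN=bob, O=Partner", "issuer": "CN=Partner CA, O=Partner", "fingerprint": "ab:cd:01"}
UNKNOWN_PARTNER = {"subject": "CN=eve, O=Partner", "issuer": "CN=Partner CA, O=Partner", "fingerprint": "99:99:99"}
CONTRACTOR = {"subject": "CN=carol, OU=Contractors, O=Example", "issuer": "CN=Corp CA, O=Example", "fingerprint": "44:55:66"}

if __name__ == "__main__":
    for cert in (EMPLOYEE, PARTNER, UNKNOWN_PARTNER, CONTRACTOR):
        print(cert["subject"], "->", authenticate(OPTIONS, cert, CERT_MAPPING))
```

Running the model shows the two outcomes a practitioner needs to distinguish when reading authentication failures: a certificate that no rule's filters accept (the contractor certificate) is rejected without any user lookup, whereas a certificate that passes a rule's filters but yields no user ID (the unmapped partner certificate) fails inside that rule and is not offered to later rules.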
We recommend that you use this configuration for standard client certificate authentication needs.
Authorized users can log on to the AS Java using SSL and X.509 client certificates for authentication. Based on the rule you configure, the ClientCertLoginModule of the AS Java can determine the user ID from the client certificate and apply filters to the certificates provided for authentication.
See also:
Managing Policy Configurations