Show TOC

Migrating to Rule-Based Certificate MappingLocate this document in the navigation structure


Use this procedure to migrate your certificate mappings in the USREXTID table to rule-based mapping. Rule-based certificate mapping reduces the cost of operating an X.509 certificate infrastructure by enabling you to convert most mappings to rules. You can carry over any remaining mappings as exceptions.


You have the required authorizations.

For more information, see Rule-Based Certificate Mapping.


This procedure assumes you have a large number of entries without issuers. If you have already maintained issuers in table USREXTID, you must change this procedure slightly as noted in the procedure below.

  1. Start Rule-based Certificate Mapping Migration (transaction CERTRULE_MIG).

  2. Select users or user groups.

    Select by user groups if you only have authorizations for specific user groups.

    For more information, see Rule-Based Certificate Mapping.

  3. Choose Display/Change (F6) to switch to edit mode.

  4. Ensure that you are only displaying users with no mappings and not displaying users with mappings either explicitly or by rule. Use the buttons with the red nunmapped entries, yellow nentries mapped explicitly, and green nentries mapped with rule indicators at the top of the list.

  5. Choose Select rows wo USREXTID issuer to select all subjects in the table without issuers.

  6. Choose Assign issuer to select rows and enter a likely issuer manually or import it from a certificate in the file system or the server PSE.

    Do not worry about whether the issuer is correct for all entries. You just want to cover as many entries as possible.


    AS ABAP saves all issuers in a migration table. Entries in table USREXTID do not change. If the issuer already exists in the USREXTID table, it appears in the Issuer column and the Classic checkbox is selected. You cannot change the issuer value from the USREXTID table.

    If you already maintained issuers in table USREXTID, select entries by issuer and create rules to match the entries.

  7. Create rules that match the users.

    To create a rule, choose the Rule pushbutton.

    For more information, see Creating Rules for Certificate Mapping from step 5 on.

    As you save the rule, entries covered by the rule disappear from the list and appear under the green indicator nentries mapped with rule.

  8. Repeat steps 5-7 until you have reduced the list to a manageable number.

    As you work through the list, your goal is to change the status of the entries from No mapping to Mapping with rule. As rules apply to the mappings, they disappear from the list.

    What a manageable number is depends on how many entries you are willing to create explicit mappings for. For the remaining entries, create explicit mappings.

  9. Create any exceptions.

    To create an exception, select an entry and choose the Explicit mapping pushbutton.

    This creates an explicit mapping of certificate subject and issuer to the specific user. The entry receives the status Explicit mapping.

  10. Save your entries.

  11. Enable the use of rule-based certificate mapping.

    Set the profile parameter login/ certificate_ mapping_ rulebased to 1.

    For more information, see Changing and Switching Profile Parameters.