Example: Attribute Mapping for Client Certificates

Denise DeLassandros wants to set up an application that authenticates with X.509 client certificates. She can store the certificate of each user on the directory service as an attribute of the user account. When business users start the application and present their client certificate, the application grants access to the corresponding business user.

To enable the User Management Engine (UME) to search for and store these certificates, Denise must ensure that the corresponding attributes are mapped correctly in the data source configuration file.

Note

If the LDAP is an IBM Tivoli LDAP, see SAP Note 1334567.

The table below lists the relevant logical attributes of a user account:

Relevant Logical Attributes of a User Account

Attribute	Description
`certificatehash`	Hash value of the client certificate
`javax.servlet.request.X509Certificate`	Used to search for the directory service certificate
`certificate`	Used to store the directory service certificate

To set up attribute mapping for client certificates, Denise must edit the following subsections of the directory service section of the data source configuration file:

<responsibleFor>
<attributeMapping>

<responsibleFor> Subsection

Denise must add the attributes listed above to the <responsibleFor> subsection of the data source configuration file. Adding these attributes defines that these attributes are stored on the directory server.

Example: <responsibleFor> Subsection

  <dataSource id="CORP_LDAP"         className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"         isReadonly="false"         isPrimary="true">     …     <responsibleFor>       <principal type="account">         <nameSpace name="com.sap.security.core.usermanagement">           <attributes>             …             <attribute name="certificatehash"/>             <attribute name="javax.servlet.request.X509Certificate"/>             <attribute name="certificate"/>            </attributes>         </nameSpace>       </principal>             …     </responsibleFor>     …   </dataSource>

<attributeMapping> Subsection

Denise must map the logical attributes to the corresponding physical attributes in your directory service. These attributes are vendor-specific.

Caution

Denise must enter the name of the physical attribute in lower case letters! Otherwise the mapping does not work.

Example: <attributeMapping> Subsection

  <dataSource id="CORP_LDAP"       className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"       isReadonly="false"       isPrimary="true">     …     <attributeMapping>       <principals>         <principal type="account">           <nameSpace name="com.sap.security.core.usermanagement">             <attributes>               …               <attribute name="certificatehash">                 <physicalAttribute name="*null*"/>               </attribute>               <attribute name="javax.servlet.request.X509Certificate">                 <physicalAttribute name="usercertificate"/>               </attribute>               <attribute name="certificate">                 <physicalAttribute name="usercertificate"/>               </attribute>             </attributes>           </nameSpace>         </principal>         …       </principals>       …     </attributeMapping>     …   </dataSource>

Note

The certificatehash attribute must be mapped to *null* , as directory servers cannot handle hashed certificates. This prevents the hash value from being stored.

You must map the logical attributes javax.servlet.request.X509Certificate and certificate to the same physical attribute on your directory server.