You can use the ClientCertLoginModule configuration options to determine the user ID based on rules for the certificate V3 extension SubjectAlternativeName. You can configure the AS Java to authenticate users based either on extension attribute fields of type rfc822Name or on extension attribute fields of type OtherName.
For more information about X.509 certificate extensions and the structure of X.509 certificates, see Internet standard RFC 3280.
...
...
1. Using the SAP NetWeaver Administrator (NWA), go to the configuration options for the ClientCertLoginModule. For more information, see Managing Login Modules.
2. Enter expertMode as a value for the option Rule<n>.getUserFrom of ClientCertLoginModule.
3. Enter 2.5.29.17 as the value for the option Rule<n>.OID of ClientCertLoginModule.
The ClientCertLoginModule uses the value for the Rule<n>.OID option to find the AttributeName that identifies the user ID. You provide values using the Abstract Syntax Notation Object Identifier (ASN.1 OID) for the attribute. Entering the ASN.1 OID 2.5.29.17 enables you to retrieve the user ID from an attribute field in the certificate V3 extension SubjectAlternativeName.
4. Enter a value for the option Rule<n>.AttributeName of ClientCertLoginModule to determine the attribute of the SubjectAlternativeName certificate extension that identifies the user ID. You can use one of the following values:
○ rfc822Name
For this value, the ClientCertLoginModule chooses for a user ID the first attribute field of type rfc822Name within the certificate V3 extension SubjectAlternativeName.
○ OID=<ASN.1 OID>
The ClientCertLoginModule searches the OtherName attribute fields in the certificate V3 extension SubjectAlternativeName for an attribute with the specified ASN.1 OID. If an OtherName attribute with an OID matching the one you enter is found, the ClientCertLoginModule uses its value as the user ID.
This is a mandatory configuration step. Not providing a value for the rule option Rule<n>.AttributeName results in the certificates used for authentication being rejected.
For example, you can choose values for the configuration options of ClientCertLoginModule as shown in the table below:
Name | Value
Rule1.getUserFrom | expertMode
Rule1.OID | 2.5.29.17
Rule1.AttributeName | OID=1.3.6.1.4.1.311.20.2.3
For this configuration, the ClientCertLoginModule determines the user ID from an OtherName attribute in the certificate V3 extension SubjectAlternativeName. The OID of this attribute is 1.3.6.1.4.1.311.20.2.3.
5. To use rules for filtering the provided client certificates, see Defining Rules For Filtering Client Certificates.
6. Substitute <n> in the Rule<n> prefix of the ClientCertLoginModule configuration options to match the place of this rule in the sequence of all configured rules for client certificate authentication. If you use a single rule, then substitute Rule<n> with Rule1.
7. Add the ClientCertLoginModule to the login module stacks of the applications that are to authenticate users based on the client certificate V3 extension.
Users who authenticate to the AS Java with client certificates can log on with user IDs that correspond to the rule for the certificate V3 extension that you configured.
The examples below assume that a user provides an X.509 certificate with the following fields:
● SubjectName
CN=myuser, OU=people, OU=CA, O=mycompany, C=DE
● Issuer
CN=DE User CA 1, OU=DE 010, OU=CA, O=mycompany, C=DE
● Extension SubjectAlternativeName with the following attributes:
○ otherName attribute with fields OID=1.3.6.1.4.1.311.20.2.3 and value=t006472@mycompany.com
○ rfc822Name=myuser@mycompany.com
Option | Value
Rule1.getUserFrom | expertMode
Rule1.OID | 2.5.29.17
Rule1.AttributeName | rfc822Name
Result: the authenticated user ID is myuser@mycompany.com.
Option | Value
Rule1.getUserFrom | expertMode
Rule1.OID | 2.5.29.17
Rule1.AttributeName | OID=1.3.6.1.4.1.311.20.2.3
Result: the authenticated user ID is t006472@mycompany.com.
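The two result tables above can be reproduced by walking the DER-encoded SubjectAlternativeName extension value the same way the Rule<n>.AttributeName option selects a field. The following is an added example, not SAP code: it builds the sample certificate's SubjectAlternativeName (OID 2.5.29.17) inline, then applies either the rfc822Name rule or an OID=<ASN.1 OID> rule; the function names `_tlv`, `_read_tlv`, `_decode_oid` and `resolve_user_id` are this example's own.

```python
# Added example (not ClientCertLoginModule code): pure-stdlib DER walker over a
# SubjectAlternativeName (SAN) value, applying a Rule<n>.AttributeName selection.
# GeneralName tags used here: [0] otherName (0xA0, constructed), [1] rfc822Name (0x81).

def _tlv(tag, body):
    """Encode one DER TLV; short-form length is enough for this sample."""
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV at pos (short or long length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID contents (base-128 arcs) into dotted form."""
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(val)); val = 0
    return ".".join(arcs)

# Constructed sample SAN matching the certificate described above:
#   otherName { OID 1.3.6.1.4.1.311.20.2.3, [0] UTF8String "t006472@mycompany.com" }
#   rfc822Name "myuser@mycompany.com"
SAMPLE_SAN = _tlv(0x30,
    _tlv(0xA0, _tlv(0x06, bytes.fromhex("2b060104018237140203"))
             + _tlv(0xA0, _tlv(0x0C, b"t006472@mycompany.com")))
    + _tlv(0x81, b"myuser@mycompany.com"))

def resolve_user_id(san_der, attribute_name):
    """Apply a Rule<n>.AttributeName value ('rfc822Name' or 'OID=<oid>') to a SAN value.
    Returns the selected user ID, or None when no field matches (the rule would then
    reject the certificate, as the text states for a missing AttributeName match)."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAlternativeName must be a SEQUENCE OF GeneralName")
    want_oid = attribute_name[4:].strip() if attribute_name.upper().startswith("OID=") else None
    pos = 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag == 0x81 and want_oid is None and attribute_name == "rfc822Name":
            return body.decode("ascii")           # first rfc822Name field wins
        if tag == 0xA0 and want_oid is not None:
            _, oid_raw, p = _read_tlv(body, 0)    # otherName.type-id
            _, explicit, _ = _read_tlv(body, p)   # otherName.value, [0] EXPLICIT
            _, value, _ = _read_tlv(explicit, 0)  # the wrapped UTF8String
            if _decode_oid(oid_raw) == want_oid:
                return value.decode("utf-8")
    return None
```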