
Using Rules Based on Client Certificate V3 Extensions

Use

You can use the ClientCertLoginModule configuration options to determine the user ID based on rules for the certificate V3 extension SubjectAlternativeName. You can configure the AS Java to authenticate users based either on extension attribute fields of type rfc822Name or on extension attribute fields of type OtherName.

For more information about X.509 certificate extensions and the structure of X.509 certificates, see Internet standard RFC 3280.

Procedure


1. Using the SAP NetWeaver Administrator (NWA), go to the configuration options for the ClientCertLoginModule. For more information, see Managing Login Modules.

2. Enter expertMode as the value for the option Rule<n>.getUserFrom of ClientCertLoginModule.

3. Enter 2.5.29.17 as the value for the option Rule<n>.OID of ClientCertLoginModule.

Note

The ClientCertLoginModule uses the value of the Rule<n>.OID option to find the AttributeName that identifies the user ID. You provide values using the Abstract Syntax Notation One object identifier (ASN.1 OID) of the attribute. Entering the ASN.1 OID 2.5.29.17 enables you to retrieve the user ID from an attribute field in the certificate V3 extension SubjectAlternativeName.

4. Enter a value for the option Rule<n>.AttributeName of ClientCertLoginModule to determine the attribute of the SubjectAlternativeName certificate extension that identifies the user ID. You can use one of the following values:

   rfc822Name

   For this value, the ClientCertLoginModule uses as the user ID the first attribute field of type rfc822Name within the certificate V3 extension SubjectAlternativeName.

   OID=<ASN.1 OID>

   For this value, the ClientCertLoginModule searches the OtherName attribute fields in the certificate V3 extension SubjectAlternativeName for an attribute with the specified ASN.1 OID. If an OtherName attribute whose OID matches the ASN.1 OID you entered is found, the ClientCertLoginModule uses its value as the user ID.

Note

This is a mandatory configuration step. Not providing a value for the rule option Rule<n>.AttributeName results in the certificates used for authentication being rejected.

Example

For example, you can choose values for the configuration options of ClientCertLoginModule as shown in the table below:

Name                  Value
Rule1.getUserFrom     expertMode
Rule1.OID             2.5.29.17
Rule1.AttributeName   OID=1.3.6.1.4.1.311.20.2.3

With this configuration, the ClientCertLoginModule determines the user ID from an OtherName attribute in the certificate V3 extension SubjectAlternativeName. The OID of this attribute is 1.3.6.1.4.1.311.20.2.3.

5. To use rules for filtering the provided client certificates, see Defining Rules For Filtering Client Certificates.

6. Substitute <n> in the Rule<n> prefix of the ClientCertLoginModule configuration options to match the position of this rule in the sequence of all configured rules for client certificate authentication. If you use a single rule, substitute Rule<n> with Rule1.

7. Add the ClientCertLoginModule to the login module stacks of the applications that should authenticate users based on the client certificate V3 extension.

Result

Users who authenticate to the AS Java with client certificates can log on with user IDs that correspond to the rule for the certificate V3 extension that you configured.

Example

Assumptions

The examples below assume that a user provides an X.509 certificate with the following fields:

   SubjectName

   CN= myuser, OU= people, OU= CA, O= mycompany, C= DE

   Issuer

   CN= DE User CA 1, OU= DE 010, OU= CA, O= mycompany, C= DE

   Extension SubjectAlternativeName with the following attributes:

   otherName attribute with fields OID= 1.3.6.1.4.1.311.20.2.3 and value = t006472@mycompany.com

   rfc822Name = myuser@mycompany.com

Determine the user ID from the first attribute field of type rfc822Name within the certificate V3 extension SubjectAlternativeName

Option                Value
Rule1.getUserFrom     expertMode
Rule1.OID             2.5.29.17
Rule1.AttributeName   rfc822Name

Result: the authenticated user ID is myuser@mycompany.com.


Determine the user ID from a field of type OtherName with ASN.1 OID= 1.3.6.1.4.1.311.20.2.3 in the certificate V3 extension SubjectAlternativeName

Option                Value
Rule1.getUserFrom     expertMode
Rule1.OID             2.5.29.17
Rule1.AttributeName   oid= 1.3.6.1.4.1.311.20.2.3

Result: the authenticated user ID is t006472@mycompany.com.
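The following is an added illustration, not SAP code and not the ClientCertLoginModule's own implementation: it applies the two Rule1.AttributeName selection rules from the examples above (rfc822Name, and OID=<ASN.1 OID> for an OtherName field) to a SubjectAlternativeName extension (OID 2.5.29.17). The DER-encoded extension is constructed inline from the sample certificate's two attribute fields, so it runs offline; the minimal DER encoder and decoder, the function names, and the short-form-length restriction are assumptions of this example. Because the page's examples spell the prefix both OID= and oid=, the prefix is matched case-insensitively here; a missing or unrecognised AttributeName yields None, mirroring the note that the certificate is then rejected.

```python
"""Select a user ID from a SubjectAlternativeName extension according to a
Rule<n>.AttributeName value (rfc822Name or OID=<ASN.1 OID>).  Example only."""

SAN_EXTENSION_OID = "2.5.29.17"          # id-ce-subjectAltName, the Rule<n>.OID value
UPN_OID = "1.3.6.1.4.1.311.20.2.3"       # OtherName type OID used in the page's example


# --- minimal DER encoder, used only to construct the sample extension -------

def _tlv(tag: int, body: bytes) -> bytes:
    # Short-form length only (< 128 bytes); sufficient for this constructed sample.
    assert len(body) < 128, "short-form DER length only in this example"
    return bytes([tag, len(body)]) + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]           # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                 # base-128, high bit set on all but last byte
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))            # OBJECT IDENTIFIER


def build_sample_san() -> bytes:
    """Constructed sample: GeneralNames holding the two fields from the page's example."""
    other_name = _tlv(0xA0,                                    # [0] otherName (IMPLICIT)
                      _encode_oid(UPN_OID)
                      + _tlv(0xA0, _tlv(0x0C, b"t006472@mycompany.com")))  # value [0] EXPLICIT UTF8String
    rfc822 = _tlv(0x81, b"myuser@mycompany.com")               # [1] rfc822Name (IMPLICIT IA5String)
    return _tlv(0x30, other_name + rfc822)                     # SEQUENCE OF GeneralName


# --- minimal DER decoder ----------------------------------------------------

def _read_tlv(buf: bytes, pos: int):
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "short-form DER length only in this example"
    start = pos + 2
    return tag, buf[start:start + length], start + length


def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_general_names(san_der: bytes) -> list:
    """Return [(kind, payload), ...] in certificate order for rfc822Name and otherName
    entries; other GeneralName choices are skipped because the rules never use them."""
    tag, seq, _ = _read_tlv(san_der, 0)
    assert tag == 0x30, "SubjectAlternativeName must be a SEQUENCE"
    names, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag == 0x81:                                        # rfc822Name
            names.append(("rfc822Name", body.decode("ascii")))
        elif tag == 0xA0:                                      # otherName
            oid_tag, oid_body, p = _read_tlv(body, 0)
            assert oid_tag == 0x06, "otherName must start with its type-id OID"
            _, explicit, _ = _read_tlv(body, p)                # [0] EXPLICIT wrapper
            _, inner, _ = _read_tlv(explicit, 0)               # the wrapped string value
            names.append(("otherName", (_decode_oid(oid_body), inner.decode("utf-8"))))
    return names


def select_user_id(san_der: bytes, attribute_name):
    """Apply a Rule<n>.AttributeName value to the extension.  Returns None when the
    certificate would be rejected: no AttributeName configured, an unrecognised
    value, or no matching field in the extension."""
    if not attribute_name:
        return None
    names = parse_general_names(san_der)
    if attribute_name == "rfc822Name":
        # first rfc822Name field in certificate order
        return next((v for kind, v in names if kind == "rfc822Name"), None)
    if attribute_name.upper().startswith("OID="):
        wanted = attribute_name[4:].strip()
        return next((payload[1] for kind, payload in names
                     if kind == "otherName" and payload[0] == wanted), None)
    return None


if __name__ == "__main__":
    san = build_sample_san()
    print("rfc822Name ->", select_user_id(san, "rfc822Name"))
    print("OID=UPN    ->", select_user_id(san, "OID=" + UPN_OID))
```

Running the block reproduces the two results above: the rfc822Name rule yields myuser@mycompany.com and the OID rule yields t006472@mycompany.com. Swapping the order of the two fields in build_sample_san does not change either result, which is the point of the rules being keyed on field type and OID rather than position; adding a second rfc822Name field, by contrast, would show that only the first one is taken.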
