Maintaining Certificate Mappings Automatically

Use

Use this section to configure automatic mapping of client certificates to user IDs during user logon.

SAP NetWeaver Application Server (AS) Java can use the CertPersisterLoginModule to automatically map client certificates to user IDs on first logon. To enable automatic mapping, add the CertPersisterLoginModule to the login module stacks of the applications that use certificate authentication based on a stored certificate mapping.

Prerequisites

·        You have configured the ClientCertLoginModule to use a stored certificate mapping to determine the user ID for client certificate authentication.

For more information, see Using Stored Certificate Mappings.

·        The UME property ume.logon.allow_cert is set to TRUE.

For more information about changing UME properties, see Editing UME Properties.

Procedure

       1.      Add the CertPersisterLoginModule to the login module stack for client certificate authentication after the login modules for the fallback mechanisms you are using.

For more information about adding login modules to login module stacks, see Managing Login Modules.

Note

If the CertPersisterLoginModule is not available in the list of login modules, add it with the following procedure:

                      i.       Choose the Create pushbutton.

                     ii.       Enter CertPersisterLoginModule in the Display Name field.

                    iii.       Enter com.sap.security.core.server.jaas.CertPersisterLoginModule in the Class Name field.

       2.      Choose OPTIONAL for the processing flag of the CertPersisterLoginModule in the login module stack.

Example

The example in the table below is based on the ticket template for SSO with logon tickets and uses user ID and password authentication as the fallback mechanism. It shows a login module stack configuration for automatic certificate mapping on first user logon:

Login Modules               Flag         Options

EvaluateTicketLoginModule   SUFFICIENT   {ume.configuration.active=true}

ClientCertLoginModule       OPTIONAL     {Rule1.getUserFrom=wholeCert}

CreateTicketLoginModule     SUFFICIENT   {ume.configuration.active=true}

BasicPasswordLoginModule    REQUISITE    None

CertPersisterLoginModule    OPTIONAL     None

CreateTicketLoginModule     OPTIONAL     {ume.configuration.active=true}

The login module stack from the example works as follows:

       1.      The EvaluateTicketLoginModule checks whether the user has a valid logon ticket. If yes, authentication succeeds, control returns to the application, and the authentication check is concluded.

       2.      The ClientCertLoginModule checks for a valid user certificate and determines the user ID based on its configuration.

       3.      If the ClientCertLoginModule can retrieve the user ID from an already established certificate mapping, the CreateTicketLoginModule issues a logon ticket for this user ID. Authentication succeeds and the accessed application resumes control.

       4.      If the ClientCertLoginModule cannot determine the user ID, the BasicPasswordLoginModule authenticates the user with user ID and password.

                             a.      If basic authentication is successful, the CertPersisterLoginModule maps the certificate to the user ID and the CreateTicketLoginModule issues a logon ticket for the user.

                             b.      If the user ID and password authentication is not successful, authentication fails.
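The flag semantics behind the walkthrough above, as an added example that is not SAP code: a small Python simulation of this login module stack under JAAS flag rules (REQUISITE, SUFFICIENT, OPTIONAL; REQUIRED is omitted because the stack does not use it). The certificate strings, user IDs and in-memory dictionary are constructed stand-ins for real certificates and the stored certificate mapping.

```python
REQUISITE, SUFFICIENT, OPTIONAL = "REQUISITE", "SUFFICIENT", "OPTIONAL"
cert_mapping = {}  # stand-in for the stored certificate mapping; persists across logons

class Logon:
    """One logon attempt; every input is a constructed sample value."""
    def __init__(self, ticket_user=None, cert=None, password_user=None):
        self.ticket_user = ticket_user      # user named in a valid logon ticket, if any
        self.cert = cert                    # presented client certificate (opaque string)
        self.password_user = password_user  # user whose ID/password check would succeed
        self.user = None                    # user ID established so far
        self.ticket_issued = False

def evaluate_ticket(l):  # EvaluateTicketLoginModule
    l.user = l.ticket_user or l.user
    return bool(l.ticket_user)

def client_cert(l):  # ClientCertLoginModule with Rule1.getUserFrom=wholeCert
    l.user = cert_mapping.get(l.cert, l.user)
    return l.cert in cert_mapping

def create_ticket(l):  # CreateTicketLoginModule
    l.ticket_issued = bool(l.user)
    return l.ticket_issued

def basic_password(l):  # BasicPasswordLoginModule
    l.user = l.password_user or l.user
    return bool(l.password_user)

def cert_persister(l):  # CertPersisterLoginModule: store the mapping once a fallback succeeded
    if l.user and l.cert:
        cert_mapping[l.cert] = l.user
        return True
    return False

STACK = [(evaluate_ticket, SUFFICIENT), (client_cert, OPTIONAL), (create_ticket, SUFFICIENT),
         (basic_password, REQUISITE), (cert_persister, OPTIONAL), (create_ticket, OPTIONAL)]

def run_stack(logon, stack=STACK):
    """Evaluate the stack with JAAS flag semantics; returns the user ID or None."""
    any_ok = False
    for module, flag in stack:
        ok = module(logon)
        any_ok = any_ok or ok
        if flag == REQUISITE and not ok:
            return None              # REQUISITE failure returns control at once
        if flag == SUFFICIENT and ok:
            return logon.user        # SUFFICIENT success ends the stack early
    return logon.user if any_ok else None
```

Running a first logon with an unmapped certificate and a correct password populates cert_mapping, so the next logon with the same certificate succeeds at the CreateTicketLoginModule without reaching the password prompt.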
