Configuring SMP Server to Trust SAP Web Dispatcher

Trust is established by requiring a mutual certificate authentication between the reverse proxy and SAP Mobile Platform, where the reverse proxy has a client certificate signed by a CA in the SAP Mobile Platform truststore. You must then ensure that the technical user is in the Impersonator role. Once these requirements are met, SAP Mobile Platform processes the SSL_CLIENT_CERT header and trusts that certificate.

The Impersonator role establishes the trust relationship between the reverse proxy and SAP Mobile Platform Server, allowing the server to accept and authenticate the user's public certificate presented in the SSL_CLIENT_HEADER over the SSL connection established by the reverse proxy. It also enables SAP Mobile Platform to trust SSL_CLIENT_CERT headers from network edge certificate authentication.

Procedure

The security profiles are persisted in files that are located in SMP_HOME\Server\configuration\com.sap.mobile.platform.server.security\CSI. To map a logical role to the appropriate physical role in the underlying security provider in a given security profile, you must manually edit the corresponding role-mapping.xml file.

  1. Navigate to the impersonator-role-mapping.xml file.

  2. Map the Impersonator logical role to the subjectDN from the Web Dispatcher client certificate. This is a required step so that the reverse proxy can be trusted to have validated the end-user certificate presented to it over the mutual authentication connection that the client establishes to the network edge. The following is an example mapping:

    <DefaultMapping>
       <LogicalName>Impersonator</LogicalName>
       <MappedName>Impersonator</MappedName>
       <MappedName>CN=reverse_proxy_user,OU=SMP, O=SAPAG, ST=CA, C=US</MappedName>
    </DefaultMapping>

    Recommendation

    The MappedName value in the role mapping file must exactly match the subjectDN that SAP Mobile Platform extracts from the reverse proxy client certificate, including upper and lowercase letters and any spacing. If the role mapping is not an exact match, the Impersonator role is not granted, SAP Mobile Platform does not trust the SSL_CLIENT_CERT header, and it refuses to execute the request in the context of the mobile user.

    The easiest way to ensure an exact match is to set the security logging level to DEBUG from the Management Cockpit, then attempt a client connection through the reverse proxy. Then check the server log, where the DN from the reverse proxy certificate is printed exactly as SAP Mobile Platform sees it. Copy it from the log file into the role-mapping file and restart the server.
  3. Import the CA signing certificate used to sign client certificates into the smp_keystore.jks as a trusted CA certificate so that SAP Mobile Platform is able to validate client certificates later.
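As an added check that is not part of the SAP documentation, the following script compares the subjectDN printed in the server log (step 2 recommendation) with the MappedName entries in impersonator-role-mapping.xml and reports whether the match is exact, differs only in case or spacing, or is missing. The role-mapping file and the log line are constructed samples, and the `subjectDN=` log format is an assumption about how the DN appears in the DEBUG output.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an impersonator-role-mapping.xml; note the spaces
# after some commas in the DN, which are the kind of detail that breaks the match.
ROLE_MAPPING_XML = """<?xml version="1.0" encoding="UTF-8"?>
<RoleMappings>
  <DefaultMapping>
    <LogicalName>Impersonator</LogicalName>
    <MappedName>Impersonator</MappedName>
    <MappedName>CN=reverse_proxy_user,OU=SMP, O=SAPAG, ST=CA, C=US</MappedName>
  </DefaultMapping>
</RoleMappings>
"""

# Constructed DEBUG log line. The real SMP log format may differ, so the
# "subjectDN=" marker used by dn_from_log() is an assumption.
SERVER_LOG_LINE = "DEBUG CSI subjectDN=CN=reverse_proxy_user,OU=SMP,O=SAPAG,ST=CA,C=US"


def mapped_names(xml_text, logical="Impersonator"):
    """Return every MappedName under the DefaultMapping for the given logical role."""
    root = ET.fromstring(xml_text)
    names = []
    for mapping in root.iter("DefaultMapping"):
        if mapping.findtext("LogicalName") == logical:
            names.extend(m.text for m in mapping.findall("MappedName") if m.text)
    return names


def dn_from_log(line):
    """Extract the DN exactly as logged (no normalisation) from a log line."""
    m = re.search(r"subjectDN=(.*)$", line)
    return m.group(1).strip() if m else None


def normalize_dn(dn):
    """Canonical form used only for diagnosis: drop spaces around commas, lower-case."""
    return re.sub(r"\s*,\s*", ",", dn).lower()


def check_mapping(xml_text, log_line):
    """Classify the logged DN against the role mapping: exact, near miss, or missing."""
    dn = dn_from_log(log_line)
    names = mapped_names(xml_text)
    if dn in names:
        return "exact"  # SMP would grant the Impersonator role
    if normalize_dn(dn) in {normalize_dn(n) for n in names}:
        return "case-or-spacing-mismatch"  # role NOT granted; copy DN verbatim from log
    return "missing"  # no entry for this proxy certificate at all
```

A result other than "exact" means the Impersonator role will not be granted; replace the MappedName with the DN string returned by dn_from_log() and restart the server.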