Configuring the Use of Client Certificates for Authentication
Use this procedure to configure the use of client certificates for authentication when users access the J2EE Engine using an end-to-end connection.
For cases where they access the server via an intermediary proxy server that terminates the connection, see Configuring the Use of Client Certificates via an Intermediary Server.

Client certificates enable you to authenticate J2EE Engine users without the need for a user name and a password provided from a logon screen. Therefore, you can also use client certificates for integrating the J2EE Engine in Single Sign-On environments.
When using client certificates for user authentication, the J2EE Engine uses the certificate information to determine the user’s identity.
The algorithm for determining the user ID can be configured by specifying rules. Each of these rules can include several configuration options and, using filters, be restricted to apply only to certain certificates. In addition, each rule specifies the mechanism to use to determine the mapping between the certificate matching this restriction and the user ID for the authenticating user.
You can configure the use of the following mechanisms to establish the user ID associated with a client certificate during the logon process:
· The J2EE Engine can match the provided certificate to a client certificate stored for the J2EE Engine user ID in the user data store.
· The J2EE Engine can determine the user ID directly from the fields in the client certificate.
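The following is an added illustration of the rule-based mapping just described; it is not SAP code and does not reproduce the ClientCertLoginModule's real option names. Each rule carries an issuer filter and one of the two mechanisms (match against a certificate stored for the user, or read the user ID from a subject field), rules are evaluated in order, and the certificates, CA names, user store and rule structure are all constructed for the example. It also shows why the issuer filter matters: a certificate from a different trusted CA carrying the same CN must not be mapped to that user unless it has been explicitly stored for someone.

```python
"""Rule-based mapping of a client certificate to a user ID (illustrative).

Assumed model, not the J2EE Engine's implementation: each rule has an optional
issuer filter and a mechanism, either "stored_cert" (compare the presented
certificate against certificates stored for users) or "subject_field" (take the
user ID from a named subject attribute such as CN).
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


def parse_dn(dn: str) -> dict:
    """Split an RFC 2253 style DN ("CN=jdoe,OU=Sales,O=Example") into a dict.

    Backslash-escaped commas inside a value are kept; attribute types are
    upper-cased so that lookups are case-insensitive.
    """
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    result = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            result[key.strip().upper()] = value.strip()
    return result


@dataclass
class ClientCert:
    subject: str
    issuer: str
    der: bytes  # constructed placeholder bytes standing in for the DER encoding

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


@dataclass
class Rule:
    issuer_filter: Optional[str]          # None: rule applies to any trusted issuer
    mechanism: str                        # "stored_cert" or "subject_field"
    subject_field: Optional[str] = None   # e.g. "CN" for mechanism "subject_field"


def map_certificate_to_user(cert, rules, user_store, trusted_issuers):
    """Return the user ID for cert, or None when no rule yields one.

    user_store maps user IDs to the fingerprints of certificates stored for
    them; trusted_issuers is the set of CA DNs the engine trusts. The first
    matching rule decides.
    """
    if cert.issuer not in trusted_issuers:          # untrusted CA: reject outright
        return None
    subject = parse_dn(cert.subject)
    for rule in rules:
        if rule.issuer_filter and parse_dn(rule.issuer_filter) != parse_dn(cert.issuer):
            continue                                 # filter excludes this certificate
        if rule.mechanism == "stored_cert":
            fp = cert.fingerprint()
            for user_id, fps in user_store.items():
                if fp in fps:
                    return user_id
        elif rule.mechanism == "subject_field" and rule.subject_field:
            value = subject.get(rule.subject_field.upper())
            if value:
                return value
    return None


# Constructed sample data: two trusted CAs, one untrusted CA, one user store.
CORP_CA = "CN=Corp Root CA,O=Example\\, Inc.,C=US"
PARTNER_CA = "CN=Partner CA,O=Partner Ltd,C=GB"
ROGUE_CA = "CN=Unknown CA,O=Nowhere,C=ZZ"
TRUSTED = {CORP_CA, PARTNER_CA}

PARTNER_ALICE = ClientCert("CN=jdoe,O=Partner Ltd,C=GB", PARTNER_CA, b"partner-alice-der")
USER_STORE = {"partner.alice": {PARTNER_ALICE.fingerprint()}}

# Corporate certificates map by CN; anyone else only via an explicitly stored certificate.
RULES = [
    Rule(issuer_filter=CORP_CA, mechanism="subject_field", subject_field="CN"),
    Rule(issuer_filter=None, mechanism="stored_cert"),
]


def demo() -> dict:
    """Run the mapping over constructed certificates and return the outcomes."""
    corp_jdoe = ClientCert("CN=jdoe,OU=Sales,O=Example\\, Inc.,C=US", CORP_CA, b"corp-jdoe-der")
    partner_jdoe = ClientCert("CN=jdoe,O=Partner Ltd,C=GB", PARTNER_CA, b"partner-jdoe-der")
    untrusted = ClientCert("CN=jdoe,O=Nowhere,C=ZZ", ROGUE_CA, b"rogue-der")
    return {
        "corp_jdoe": map_certificate_to_user(corp_jdoe, RULES, USER_STORE, TRUSTED),
        "partner_jdoe": map_certificate_to_user(partner_jdoe, RULES, USER_STORE, TRUSTED),
        "partner_registered": map_certificate_to_user(PARTNER_ALICE, RULES, USER_STORE, TRUSTED),
        "untrusted": map_certificate_to_user(untrusted, RULES, USER_STORE, TRUSTED),
    }


if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name}: {user}")
```

The partner-issued certificate with CN=jdoe maps to nobody: the subject-field rule is restricted to the corporate CA, and the catch-all rule only honours certificates that an administrator has stored for a user. That is the property to check whenever more than one CA is trusted.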
● The J2EE Engine is configured to support SSL with the given certificates. For more information, see Transport Layer Security on the J2EE Engine.
● The issuing CA’s root certificate either exists in the TrustedCAs view in the Key Storage service or it is available in the file system as a DER-encoded or Base-64-encoded certificate.
...
1. Using the Key Storage service, make sure the CA’s root certificate exists as a CERTIFICATE entry in the TrustedCAs view. If it is not already there, then import it into this view.
For more information, see Managing Entries.
2. Using the SSL Provider service:
a. Select whether the J2EE Engine should:
■ Request (but not require) that the user present a client certificate for authentication.
■ Require that the user present a client certificate for authentication.
b. Import the CA’s root certificate into the Trusted Certification Authorities list. (Choose Add.)
See also Managing the Credentials and Trusted Certificates to Use SSL.
3. Configure the ClientCertLoginModule for establishing the J2EE Engine user ID from the client certificate and filtering provided certificates.
For more information, see Modifying Client Certificate Authentication Options.
4. Adjust the login module stacks and configure the login modules for those applications that accept client certificates as the authentication mechanism.
The selected applications accept client certificates for user authentication.
See also:
Managing Policy Configurations