Login Module Stack for Client Certificate Authentication
For the following login module stack, you require the login module CertPersisterLoginModule. Check that this login module exists in the UME user store. (To check whether it exists, in the Security Provider service in the Visual Administrator, choose Runtime → Policy Configurations, select any component in the component list, and choose the Add New button to add a new login module to the login module stack. A list of all available login modules appears.) If the login module CertPersisterLoginModule does not exist, make it available as follows:
1. In the Visual Administrator, choose Security Provider.
2. Choose the User Management tab and choose Manage Security Stores.
The currently active user store and the login modules for that user store are displayed. As the CertPersisterLoginModule requires the UME as user store, you can only perform the following steps if the UME user store is activated.
3. Choose Add Login Module.
A dialog box prompting you to choose an editor for the login module option appears.
4. Choose OK.
A dialog box prompting you to add a login module appears.
5. Fill in the fields as follows:
Class Name: com.sap.security.core.server.jaas.CertPersisterLoginModule
Display Name: CertPersisterLoginModule
6. Choose OK.
CertPersisterLoginModule now appears in the list of login modules for the active user store.
The following is an example of a login module stack that allows for client certificate authentication where users map their client certificates at logon.
Example of a Login Module Stack for Client Certificate Authentication

Login Modules             | Flag       | Options
EvaluateTicketLoginModule | SUFFICIENT | {ume.configuration.active=true}
ClientCertLoginModule     | OPTIONAL   |
CreateTicketLoginModule   | SUFFICIENT | {ume.configuration.active=true}
BasicPasswordLoginModule  | REQUISITE  |
CertPersisterLoginModule  | OPTIONAL   |
CreateTicketLoginModule   | OPTIONAL   | {ume.configuration.active=true}
This login module stack works as follows: It first checks if the user has a SAP logon ticket. If yes, the authentication succeeds and control returns to the application. If not, the next login module (ClientCertLoginModule) checks for a valid user certificate that is already mapped to a user. If there is a valid certificate, a logon ticket is issued for this user ID. If there is not a valid certificate, the BasicPasswordLoginModule authenticates the user with user ID and password. If this authentication is successful, the CertPersisterLoginModule maps the presented certificate to the user that just logged on and the system issues a logon ticket for the user. If the user ID and password authentication is not successful, authentication fails.
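The control flow just described follows from the standard JAAS flag rules (SUFFICIENT, REQUISITE, REQUIRED, OPTIONAL) applied to the table above. The following model, an added example and not SAP code, walks the stack in the order shown and replays the four cases in the text: logon ticket present, certificate already mapped, unmapped certificate plus correct password, and wrong password. The module names and flags are taken from the table; each module's internal behaviour is a simplified stand-in for what the text describes (the real modules, their options and the `{ume.configuration.active=true}` settings are not modelled), and the users, passwords and certificate subjects are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

SUFFICIENT, REQUISITE, REQUIRED, OPTIONAL = "SUFFICIENT", "REQUISITE", "REQUIRED", "OPTIONAL"


@dataclass
class Request:
    ticket_user: Optional[str] = None   # user named in a valid SAP logon ticket, if one was sent
    cert_subject: Optional[str] = None  # subject of the client certificate presented, if any
    user: Optional[str] = None          # user ID / password of a basic authentication attempt
    password: Optional[str] = None


@dataclass
class Store:  # stand-in for the UME user store
    passwords: Dict[str, str]
    cert_map: Dict[str, str] = field(default_factory=dict)   # certificate subject -> user ID
    issued_tickets: List[str] = field(default_factory=list)


@dataclass
class Shared:
    principal: Optional[str] = None  # user authenticated so far (JAAS shared state)


@dataclass
class Module:
    name: str
    flag: str
    login: Callable    # (req, store, shared) -> bool
    commit: Callable   # (req, store, shared) -> None


def no_commit(req, store, shared):
    return None

# --- simplified stand-ins for the module behaviour described in the text ----

def evaluate_ticket(req, store, shared):
    if req.ticket_user:                              # valid logon ticket already present
        shared.principal = req.ticket_user
        return True
    return False

def client_cert(req, store, shared):
    user = store.cert_map.get(req.cert_subject)      # certificate must already be mapped
    if user:
        shared.principal = user
        return True
    return False

def create_ticket(req, store, shared):
    return shared.principal is not None              # needs an already authenticated user

def create_ticket_commit(req, store, shared):
    store.issued_tickets.append(shared.principal)    # ticket is issued in the commit phase

def basic_password(req, store, shared):
    if req.user and store.passwords.get(req.user) == req.password:
        shared.principal = req.user
        return True
    return False

def cert_persister(req, store, shared):
    return bool(req.cert_subject and shared.principal)  # a cert and a logged-on user to bind

def cert_persister_commit(req, store, shared):
    store.cert_map[req.cert_subject] = shared.principal  # mapping is persisted on commit


# The stack from the table on this page, in order.
STACK = [
    Module("EvaluateTicketLoginModule", SUFFICIENT, evaluate_ticket, no_commit),
    Module("ClientCertLoginModule", OPTIONAL, client_cert, no_commit),
    Module("CreateTicketLoginModule", SUFFICIENT, create_ticket, create_ticket_commit),
    Module("BasicPasswordLoginModule", REQUISITE, basic_password, no_commit),
    Module("CertPersisterLoginModule", OPTIONAL, cert_persister, cert_persister_commit),
    Module("CreateTicketLoginModule", OPTIONAL, create_ticket, create_ticket_commit),
]


def authenticate(stack, req, store):
    """JAAS login phase over the stack, then commit on overall success.

    Returns (authenticated user or None, names of modules whose login() succeeded)."""
    shared, succeeded, mandatory_failed = Shared(), [], False
    for m in stack:
        ok = m.login(req, store, shared)
        if ok:
            succeeded.append(m)
            if m.flag == SUFFICIENT and not mandatory_failed:
                break                        # SUFFICIENT success: rest of the stack is skipped
        elif m.flag == REQUISITE:
            mandatory_failed = True
            break                            # REQUISITE failure: stop immediately
        elif m.flag == REQUIRED:
            mandatory_failed = True          # REQUIRED failure: continue, but fail overall
        # OPTIONAL (and a failed SUFFICIENT) never changes the outcome on its own
    names = [m.name for m in succeeded]
    if mandatory_failed or not succeeded:
        return None, names                   # abort phase: nothing is committed
    for m in succeeded:
        m.commit(req, store, shared)         # commit phase: tickets issued, mapping stored
    return shared.principal, names


def make_store():
    return Store(passwords={"bob": "hunter2", "carol": "s3cret"})  # constructed sample users


if __name__ == "__main__":
    store = make_store()
    store.cert_map["CN=bob"] = "bob"         # bob mapped his certificate at an earlier logon
    print(authenticate(STACK, Request(ticket_user="alice"), store))
    print(authenticate(STACK, Request(cert_subject="CN=bob"), store))
    print(authenticate(STACK, Request(cert_subject="CN=carol", user="carol", password="s3cret"), store))
    print(authenticate(STACK, Request(cert_subject="CN=carol", user="carol", password="wrong"), store))
    print(store.cert_map, store.issued_tickets)
```

Running the model shows why CreateTicketLoginModule appears twice with different flags: the first, SUFFICIENT, entry ends the stack as soon as a mapped certificate has authenticated the user, while the final OPTIONAL entry issues the ticket after a password logon without being able to veto it. It also shows that the mapping stored by CertPersisterLoginModule and the ticket are written only in the commit phase, so a failed password check (REQUISITE) leaves the user store untouched.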
For more information on setting up login module stacks, see Managing Login Modules.