
Maintaining Certificate Mappings Automatically

Prerequisites

  • You have configured the ClientCertLoginModule to use a stored certificate mapping to determine the user ID for client certificate authentication.

    For more information, see Using Stored Certificate Mappings.

  • The UME property ume.logon.allow_cert is set to TRUE.

    For more information about changing UME properties, see Editing UME Properties.

Context

Use this section to configure automatic mapping of client certificates to user IDs during user logon.

The AS Java can use the CertPersisterLoginModule to map a client certificate to a user ID automatically on the user's first logon. To enable automatic mapping, you add the CertPersisterLoginModule to the login module stacks of the applications that use certificate authentication based on a stored certificate mapping.

Procedure


  1. Add the CertPersisterLoginModule to the login module stack for client certificate authentication, after the login modules for the fallback mechanisms you are using, so that it runs only once a fallback mechanism has authenticated the user.

    For more information about adding login modules to login module stacks, see Managing Login Modules.

    Note

    If the CertPersisterLoginModule is not available in the list of login modules, add it with the following procedure:

    1. Choose the Create pushbutton.

    2. Enter CertPersisterLoginModule in the Display Name field.

    3. Enter com.sap.security.core.server.jaas.CertPersisterLoginModule in the Class Name field.

  2. Choose OPTIONAL for the processing flag of the CertPersisterLoginModule in the login module stack. With this flag, a failure to store the mapping does not cause an otherwise successful logon to fail.

Example

The example in the table below is based on the ticket template for SSO with logon tickets and uses user ID and password authentication as the fallback mechanism. It shows a login module stack configuration for automatic certificate mapping on first user logon:

Login Module                 Flag         Option

EvaluateTicketLoginModule    SUFFICIENT   {ume.configuration.active=true}

ClientCertLoginModule        OPTIONAL     {Rule1.getUserFrom=wholeCert}

CreateTicketLoginModule      SUFFICIENT   {ume.configuration.active=true}

BasicPasswordLoginModule     REQUISITE    None

CertPersisterLoginModule     OPTIONAL     None

CreateTicketLoginModule      OPTIONAL     {ume.configuration.active=true}

The login module stack in the example works as follows:

  1. The EvaluateTicketLoginModule checks whether the user presents a valid logon ticket. If so, authentication succeeds, control returns to the application, and the authentication check is concluded.

  2. The ClientCertLoginModule checks for a valid client certificate and determines the user ID according to its configuration (here, by looking up the whole certificate in the stored certificate mappings).

  3. If the ClientCertLoginModule can determine the user ID from an existing certificate mapping, the CreateTicketLoginModule (SUFFICIENT) issues a logon ticket for that user ID. Authentication succeeds and the application resumes control without prompting for a password.

  4. If the ClientCertLoginModule cannot determine the user ID, the BasicPasswordLoginModule (REQUISITE) authenticates the user with user ID and password.

    1. If the password authentication succeeds, the CertPersisterLoginModule stores a mapping from the presented certificate to the authenticated user ID, and the CreateTicketLoginModule issues a logon ticket for the user. On subsequent logons the stored mapping alone identifies the user in step 3, so the password is required only once per certificate.

    2. If the password authentication fails, the stack returns to the application immediately (REQUISITE) and authentication fails. The CertPersisterLoginModule is never reached, so no mapping is stored.
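The control-flag semantics that drive this sequence (why the CreateTicketLoginModule is SUFFICIENT in one position and OPTIONAL in the other, and why a REQUISITE password failure prevents any mapping from being stored) are easiest to see by running them. The following Python model is an added example, not SAP code or a real AS Java configuration: the login functions are simplified stand-ins for the modules in the table, the user, ticket and mapping stores are constructed sample data, and run_stack() implements the standard JAAS rules for the four control flags.

```python
"""JAAS control-flag model for the example stack above (added example, not SAP code).

The login functions are simplified stand-ins for the SAP modules named in the
table, the stores are constructed sample data, and run_stack() applies the
standard JAAS rules for SUFFICIENT, REQUISITE, REQUIRED and OPTIONAL."""
import hmac

# Constructed sample stores (the real AS Java keeps these in the UME).
CERT_MAPPINGS = {"CN=alice,O=Example": "alice"}   # certificate subject -> user ID
PASSWORDS = {"alice": "s3cret", "bob": "hunter2"}  # user ID -> password
VALID_TICKETS = {"ticket-alice": "alice"}          # logon ticket -> user ID

class Request:
    """One logon attempt: ticket cookie, TLS client-certificate subject, form credentials."""
    def __init__(self, ticket=None, cert_subject=None, user=None, password=None):
        self.ticket, self.cert_subject = ticket, cert_subject
        self.user, self.password = user, password

# A login module is a function (req, state) -> bool; state is shared along the stack.
def evaluate_ticket(req, state):
    user = VALID_TICKETS.get(req.ticket)
    if user is not None:
        state["user"] = user
    return user is not None

def client_cert(req, state):
    user = CERT_MAPPINGS.get(req.cert_subject)      # stored mapping lookup only
    if user is not None:
        state["user"] = user
    return user is not None

def create_ticket(req, state):
    if "user" not in state:                         # nobody authenticated yet
        return False
    state["ticket"] = "issued-for-" + state["user"]
    return True

def basic_password(req, state):
    if req.user is None or req.password is None:
        return False
    if not hmac.compare_digest(PASSWORDS.get(req.user, ""), req.password):
        return False
    state["user"] = req.user
    return True

def cert_persister(req, state):
    """Stage a mapping from the presented certificate to the already authenticated user."""
    if req.cert_subject is None or "user" not in state or req.cert_subject in CERT_MAPPINGS:
        return False
    state["pending_mapping"] = (req.cert_subject, state["user"])
    return True

EXAMPLE_STACK = [
    ("SUFFICIENT", evaluate_ticket),
    ("OPTIONAL",   client_cert),
    ("SUFFICIENT", create_ticket),
    ("REQUISITE",  basic_password),
    ("OPTIONAL",   cert_persister),
    ("OPTIONAL",   create_ticket),
]

def run_stack(stack, req):
    """Run one logon through the stack; returns the user ID on success, else None."""
    state = {}
    required_seen = required_failed = optional_ok = False
    for flag, module in stack:
        ok = module(req, state)
        if flag in ("REQUIRED", "REQUISITE"):
            required_seen = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break          # REQUISITE failure: control returns to the application
        elif ok:
            optional_ok = True
            if flag == "SUFFICIENT" and not required_failed:
                break              # SUFFICIENT success: the rest of the stack is skipped
    success = not required_failed and (required_seen or optional_ok)
    pending = state.pop("pending_mapping", None)
    if success and pending:        # commit phase: persist the mapping only on overall success
        CERT_MAPPINGS[pending[0]] = pending[1]
    return state.get("user") if success else None

def demo():
    """Walk the cases from the text above; returns a dict of outcomes."""
    bob_cert = "CN=bob,O=Example"
    CERT_MAPPINGS.pop(bob_cert, None)        # start with bob's certificate unmapped
    out = {}
    out["valid_ticket"] = run_stack(EXAMPLE_STACK, Request(ticket="ticket-alice"))
    out["mapped_cert"] = run_stack(EXAMPLE_STACK, Request(cert_subject="CN=alice,O=Example"))
    out["no_credentials"] = run_stack(EXAMPLE_STACK, Request())
    out["unmapped_cert_bad_pw"] = run_stack(
        EXAMPLE_STACK, Request(cert_subject=bob_cert, user="bob", password="wrong"))
    out["mapping_after_bad_pw"] = CERT_MAPPINGS.get(bob_cert)
    out["unmapped_cert_good_pw"] = run_stack(
        EXAMPLE_STACK, Request(cert_subject=bob_cert, user="bob", password="hunter2"))
    out["mapping_after_good_pw"] = CERT_MAPPINGS.get(bob_cert)
    out["cert_only_next_logon"] = run_stack(EXAMPLE_STACK, Request(cert_subject=bob_cert))
    return out
```

Calling demo() runs the four cases of the walkthrough in order: the ticket and the already mapped certificate each succeed at a SUFFICIENT module, the wrong password fails at the REQUISITE module and leaves no mapping behind, and the correct password both authenticates and persists the mapping, after which the certificate alone is enough. The model also makes one caveat visible: the persisted mapping binds whatever certificate was presented to whichever account proved the password, so the trustworthiness of the mapping rests on the TLS layer having validated that certificate.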