Creating Rules for Certificate Mapping

Prerequisites

  • You have an X.509 certificate saved as a file.

  • If you plan to match certificates to aliases of user master records, you have ensured that the aliases include the relevant content.

  • You have the required authorizations.

    For more information, see Rule-Based Certificate Mapping.

Context

This procedure enables you to create a rule for mapping X.509 certificates from a given issuer to user records of SAP NetWeaver Application Server (AS) ABAP. Each certificate contains attributes in the subject, and sometimes, in the subject alternative name fields. You select one of these attributes for the AS ABAP to match to either the user name or alias of the user master record.

Procedure

  1. Start Rule-based Certificate Mapping (transaction CERTRULE).
  2. Choose Import certificate.
  3. Choose Display/Change (F6) to switch to edit mode.
  4. Choose the Rule pushbutton.
  5. Choose whether you want the AS ABAP to read the logon name (user name or alias) from an attribute of the subject or the subject alternative name.
  6. From the subject or subject alternative name, choose the certificate attribute to read as the logon name. The AS ABAP uses the value of this attribute, ignoring case, to identify the user master record to which this certificate maps.
  7. Select User Name or Alias as the logon attribute.

    This is the attribute of the user master record that the AS ABAP matches with the value in the certificate attribute.

  8. Configure the subject filter.

    AS ABAP uses the subject filter together with the issuer filter to check whether a rule can be used for a certificate. To do this, the system evaluates the attributes and the associated values of the subject filter and their position in reverse order.

    Example

    Assume a certificate with the following attributes:

    CN=MarcoRicci,C=IT,O=SAP

    A rule with the subject filter C,O can, for example, expect that the attribute C is in the penultimate position and the attribute O is in the last position for the certificate subject. The AS ABAP applies a rule only if the order of the attributes matches exactly.

    You can also remove attributes from the subject filter to make the attribute a wildcard. If you remove C=IT from the subject filter, the AS ABAP still expects the attribute in the same position, but the attribute can include any value. The rule includes the attribute as C=*.

    Note

    The system always expects the common name (CN), user ID (UID), and e-mail (E) attributes to be wildcards, even if you do not choose one of them as the mapping attribute and they do not appear in the subject filter. The rule includes the attributes as CN=*, UID=*, E=*.

    To regenerate the default list of attributes after you make changes to the subject filter or change the subject certificate attribute for mapping, choose Generate.

  9. Move the rule up or down in the list of rules as required.

    Note

    The AS ABAP checks the rules in order and applies the first rule that matches. If the AS ABAP finds a rule that applies, but does not find a user to match the certificate, the logon fails even if a later rule would apply and result in a successful logon.

  10. Save your entries.

Results

When a user agent presents an X.509 certificate to the AS ABAP for authentication, the AS ABAP checks the rules in order. The AS ABAP applies the first rule that matches. For each rule, the AS ABAP applies the issuer filter and subject filter to determine if the rule applies. The issuer filter and the issuer must be identical. The table below shows examples of the application of a subject filter.

| Subject Filter | Certificate Subject | Result |
|---|---|---|
| CN=*, C=IT, O=SAP | CN=MarcoRicci, C=IT, O=SAP | Match. Attempt to log on user MARCORICCI. If the AS ABAP can find a single user with this name as user ID or alias according to the configuration, logon is successful. |
| CN=*, C=IT, O=SAP | CN=MarcoRicci, O=SAP, C=IT | Fail. Attributes O and C are not in identical order. |
| CN=*, C=IT, O=SAP | CN=MarcoRicci, C=IT, O=SAB | Fail. The values of the O attributes are not identical. |
| CN=*, C=IT, O=SAP | CN=MarcoRicci, C=IT, O=SAP, OU=DEV | Fail. The filter requires that the first attribute from the end must be O=SAP. In this case, the first attribute from the end is OU=DEV. |
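The subject-filter evaluation described in step 8 and illustrated in the table above, as an added Python example that is not part of the SAP documentation or of the AS ABAP implementation. The simplified DN parser (no RFC 4514 escaping), the requirement that filter and subject have the same number of attributes, and the uppercasing of the logon name are assumptions of this example.

```python
from typing import List, Tuple

# Attribute types the documentation says the AS ABAP always treats as
# wildcards, whether or not they appear in the subject filter.
ALWAYS_WILDCARD = {"CN", "UID", "E"}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=MarcoRicci, C=IT, O=SAP' into [('CN', 'MarcoRicci'), ...].
    Simplified: comma-separated type=value pairs, no RFC 4514 escaping
    or multi-valued RDNs (an assumption of this example)."""
    parts = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if rdn:
            attr_type, _, value = rdn.partition("=")
            parts.append((attr_type.strip().upper(), value.strip()))
    return parts


def subject_filter_matches(subject_filter: str, certificate_subject: str) -> bool:
    """Evaluate a CERTRULE subject filter against a certificate subject,
    comparing attributes from the last position backwards as the
    documentation describes. Requiring the same number of attributes in
    filter and subject is an assumption of this example."""
    filt = parse_dn(subject_filter)
    subj = parse_dn(certificate_subject)
    if len(filt) != len(subj):
        return False
    for (f_type, f_value), (s_type, s_value) in zip(reversed(filt), reversed(subj)):
        if f_type != s_type:
            return False  # attribute type or position from the end differs
        if f_value == "*" or f_type in ALWAYS_WILDCARD:
            continue  # wildcard: any value is accepted at this position
        if f_value != s_value:
            return False  # an explicit filter value must be identical
    return True


def logon_name(certificate_subject: str, mapping_attribute: str) -> str:
    """Read the chosen certificate attribute (for example CN) as the logon
    name. The documentation says the value is matched ignoring case;
    uppercasing it here is this example's way of normalising it."""
    for attr_type, value in parse_dn(certificate_subject):
        if attr_type == mapping_attribute.upper():
            return value.upper()
    raise ValueError(f"attribute {mapping_attribute} not present in subject")
```

Running the four certificate subjects from the table through `subject_filter_matches` with the filter `CN=*, C=IT, O=SAP` reproduces the Match/Fail column.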