
 Using Stored Certificate Mappings

Use

You can use this procedure to configure the login module stacks of your applications so that the SAP NetWeaver Application Server (AS) Java authenticates users based on an established mapping of client certificates to user IDs in the UME data source of the AS Java.

To use this mode for client certificate authentication, you have to establish a mapping between the client certificate and the user ID. The AS Java enables you to map client certificates to user IDs manually with the Identity Management functions of the AS Java. Alternatively, you can add the CertPersisterLoginModule to the login module stack for client certificate authentication so that the AS Java maps a client certificate to a user ID automatically on the user's first successful logon with another authentication mechanism.

Prerequisites
  • If you store users' client certificates in your LDAP directory, or if the certificates are already available there, you must map the relevant attributes. For more information, see Attribute Mapping for Client Certificates.
  • To enable the mapping of client certificates to user IDs, the UME property ume.logon.allow_cert must be set to true. For more information, see Editing UME Properties.
Procedure

To map certificates to user IDs during logon, add the login modules for client certificate authentication to the login module stacks for the applications that use authentication with client certificates.

For more information about setting up login module stacks, see Managing Authentication Policy for AS Java Components .

  1. Add the ClientCertLoginModule to the login module stack and configure its processing flag.
    1. Enter wholeCert as the value for the option Rule1.getUserFrom. The module then looks up the user by the complete client certificate stored for that user, rather than by an individual certificate field.
      Note

      This is the default behavior when you do not configure any options for the ClientCertLoginModule.

  2. Add the login modules required by the fallback authentication mechanism you are using. For example, to use Basic authentication as the fallback mechanism, add the BasicPasswordLoginModule to the login module stack and configure its processing flag.
  3. Configure the mapping between the client certificates and the user IDs. This configuration step is required for this mode, because the AS Java uses this mapping to determine the identity of the user who is logging on.

    You can map user IDs to client certificates either manually, with the Identity Management functions, or by configuring the AS Java to map certificates to user IDs automatically during the user's first logon. For more information, see the following sections.
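The following model shows how the stack configured in steps 1 to 3 behaves: an exact match on the whole stored certificate, a Basic password fallback, and a persister that stores the presented certificate only after a successful fallback logon. This is an added illustration, not code from SAP or from the AS Java; the UME data source is a dict, the "certificates" are constructed byte strings standing in for DER-encoded certificates, and the function names client_cert_login, basic_password_login, cert_persister and logon are assumptions for this example.

```python
"""Model of a login module stack that uses stored whole-certificate mappings.

Constructed example (not the AS Java implementation). It assumes the TLS
layer has already validated the certificate chain before the login modules
see the certificate; the modules only decide which user ID it maps to.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class UmeUser:
    user_id: str
    password: str
    # Whole certificates (DER bytes in a real system) mapped to this user.
    certificates: set = field(default_factory=set)


# Constructed UME data source: one user with a mapped certificate, one without.
UME = {
    "jdoe": UmeUser("jdoe", "s3cret", {b"DER-cert-jdoe-2023"}),
    "asmith": UmeUser("asmith", "pa55word"),
}


def client_cert_login(cert: Optional[bytes]) -> Optional[str]:
    """ClientCertLoginModule with Rule1.getUserFrom=wholeCert (modelled):
    the presented certificate must equal a stored certificate byte for byte."""
    if cert is None:
        return None
    for user in UME.values():
        if cert in user.certificates:
            return user.user_id
    return None


def basic_password_login(user_id: Optional[str], password: Optional[str]) -> Optional[str]:
    """BasicPasswordLoginModule (modelled): the fallback mechanism."""
    user = UME.get(user_id) if user_id else None
    if user is not None and password is not None and user.password == password:
        return user.user_id
    return None


def cert_persister(user_id: str, cert: Optional[bytes]) -> None:
    """CertPersisterLoginModule (modelled): after a successful logon with
    another mechanism, store the presented certificate on that user."""
    if cert is not None:
        UME[user_id].certificates.add(cert)


def logon(cert: Optional[bytes] = None,
          user_id: Optional[str] = None,
          password: Optional[str] = None,
          persist: bool = True) -> Tuple[Optional[str], str]:
    """Run the stack: certificate mapping first, Basic password as fallback,
    then persist the certificate. Returns (user ID or None, mechanism)."""
    who = client_cert_login(cert)
    if who is not None:
        return who, "certificate"
    who = basic_password_login(user_id, password)
    if who is None:
        return None, "denied"          # nothing is persisted on a failed logon
    if persist:
        cert_persister(who, cert)
    return who, "password"


if __name__ == "__main__":
    print(logon(cert=b"DER-cert-jdoe-2023"))                       # mapped certificate
    print(logon(cert=b"DER-cert-jdoe-2024"))                       # renewed, not yet mapped
    print(logon(cert=b"DER-cert-jdoe-2024", user_id="jdoe", password="s3cret"))
    print(logon(cert=b"DER-cert-jdoe-2024"))                       # now mapped
```

Two consequences of the design are visible in the model. Because wholeCert compares the complete certificate, a renewed certificate for the same subject no longer matches until it is mapped again, manually or by the persister. And because the persister runs only after a successful fallback logon, an automatically created mapping is exactly as trustworthy as the fallback mechanism that authenticated the user at that moment; a weak fallback lets anyone who can pass it bind their own certificate to the account.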

Result

Users can access AS Java applications with client certificates. The AS Java determines the user ID based on the mapping between the client certificate and the user ID in the UME data source.