Using Rules Based on Client Certificate V3 Extensions

Use

You can use the ClientCertLoginModule configuration options to determine the user ID based on rules for the certificate V3 extension SubjectAlternativeName. You can configure the AS Java to authenticate users based either on extension attribute fields of type rfc822Name or on extension attribute fields of type OtherName.

For more information about X.509 certificate extensions and the structure of X.509 certificates, see Internet standard RFC 3280.

Procedure
  1. Using the SAP NetWeaver Administrator (NWA), go to the configuration options for the ClientCertLoginModule. For more information, see Managing Login Modules.
  2. Enter expertMode as the value for the option Rule<n>.getUserFrom of ClientCertLoginModule.
  3. Enter 2.5.29.17 as the value for the option Rule<n>.OID of ClientCertLoginModule.
    Note

    The ClientCertLoginModule uses the value of the Rule<n>.OID option to find the AttributeName that identifies the user ID. You provide values using the Abstract Syntax Notation Object Identifier (ASN.1 OID) of the attribute. Entering the ASN.1 OID 2.5.29.17 enables you to retrieve the user ID from an attribute field in the certificate V3 extension SubjectAlternativeName.

  4. Enter a value for the option Rule<n>.AttributeName of ClientCertLoginModule to determine which attribute of the SubjectAlternativeName certificate extension identifies the user ID. You can use one of the following values:
    • rfc822Name

      For this value, the ClientCertLoginModule chooses as the user ID the first attribute field of type rfc822Name within the certificate V3 extension SubjectAlternativeName.

    • OID=<ASN.1 OID>

      The ClientCertLoginModule searches the OtherName attribute fields in the certificate V3 extension SubjectAlternativeName for an attribute with the specified ASN.1 OID. If an OtherName attribute whose ASN.1 OID matches the one you enter is found, the ClientCertLoginModule uses its value as the user ID.

      Note

      This is a mandatory configuration step. If you do not provide a value for the rule option Rule<n>.AttributeName, the certificates used for authentication are rejected.

      Tip

      For example, you can choose values for the configuration options of ClientCertLoginModule as shown in the table below:

      Name                 Value
      Rule1.getUserFrom    expertMode
      Rule1.OID            2.5.29.17
      Rule1.AttributeName  OID=1.3.6.1.4.1.311.20.2.3

      For this configuration, the ClientCertLoginModule determines the user ID from an OtherName attribute in the certificate V3 extension SubjectAlternativeName. The OID of this attribute is 1.3.6.1.4.1.311.20.2.3.

  5. To use rules for filtering the provided client certificates, see Defining Rules For Filtering Client Certificates .
  6. Substitute <n> in the Rule<n> prefix of the ClientCertLoginModule configuration options so that it matches the position of this rule in the sequence of all configured rules for client certificate authentication. If you use a single rule, substitute Rule<n> with Rule1.
  7. Add the ClientCertLoginModule to the login module stacks of the applications that are to authenticate users based on client certificate V3 extensions.
Result

Users who authenticate to the AS Java with client certificates can log on with user IDs that correspond to the rule for the certificate V3 extension that you configured.

Example

Assumptions

The examples below assume that a user provides an X.509 certificate with the following fields:

  • SubjectName

    CN=myuser, OU=people, OU=CA, O=mycompany, C=DE

  • Issuer

    CN=DE User CA 1, OU=DE 010, OU=CA, O=mycompany, C=DE

  • Extension SubjectAlternativeName with the following attributes:
    • otherName attribute with fields OID=1.3.6.1.4.1.311.20.2.3 and value=t006472@mycompany.com
    • rfc822Name=myuser@mycompany.com

Determine the user ID from the first attribute field of type rfc822Name within the certificate V3 extension SubjectAlternativeName

Option               Value
Rule1.getUserFrom    expertMode
Rule1.OID            2.5.29.17
Rule1.AttributeName  rfc822Name

Result: the authenticated user ID is myuser@mycompany.com.


Determine the user ID from a field of type OtherName with ASN.1 OID=1.3.6.1.4.1.311.20.2.3 in the certificate V3 extension SubjectAlternativeName

Option               Value
Rule1.getUserFrom    expertMode
Rule1.OID            2.5.29.17
Rule1.AttributeName  oid=1.3.6.1.4.1.311.20.2.3

Result: the authenticated user ID is t006472@mycompany.com.
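The two example configurations above, worked through against the DER structure of the SubjectAlternativeName extension (RFC 3280 GeneralNames). This is an added illustration, not SAP's implementation of the ClientCertLoginModule: the function user_id_from_san, the sample extension bytes, and the encoding of the OtherName value as a UTF8String are assumptions; the OID, the attribute values and the reject-on-missing-AttributeName behaviour are taken from the page.

```python
import re

def tlv(tag, body):
    """DER tag-length-value; short-form length only (enough for the sample below)."""
    return bytes([tag, len(body)]) + body

def parse_tlvs(data):
    """Split DER bytes into (tag, body) pairs; handles short and long-form lengths."""
    items, i = [], 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        items.append((tag, data[i:i + n]))
        i += n
    return items

def decode_oid(body):
    """OBJECT IDENTIFIER contents -> dotted string."""
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def user_id_from_san(san_der, attribute_name):
    """Apply Rule<n>.AttributeName to the DER value of extension 2.5.29.17.
    Returns the user ID, or None when the certificate has to be rejected."""
    if not attribute_name:  # page: no AttributeName -> certificates are rejected
        return None
    (_, names), = parse_tlvs(san_der)  # GeneralNames ::= SEQUENCE OF GeneralName
    if attribute_name.strip().lower() == "rfc822name":
        # [1] rfc822Name is a primitive IA5String; the first one wins
        return next((b.decode("ascii") for t, b in parse_tlvs(names) if t == 0x81), None)
    m = re.fullmatch(r"\s*oid=\s*([0-9.]+)\s*", attribute_name, re.IGNORECASE)
    if not m:
        return None
    for tag, body in parse_tlvs(names):
        if tag == 0xA0:  # [0] otherName: SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            (_, oid), (_, explicit) = parse_tlvs(body)
            if decode_oid(oid) == m.group(1):
                (_, value), = parse_tlvs(explicit)  # unwrap [0] EXPLICIT, then the string
                return value.decode("utf-8")
    return None

# Constructed sample SAN (not from a real certificate): an otherName with OID 1.3.6.1.4.1.311.20.2.3 (UTF8String value) plus an rfc822Name.
OID_BYTES = bytes.fromhex("060a2b060104018237140203")  # DER OBJECT IDENTIFIER 1.3.6.1.4.1.311.20.2.3
SAMPLE_SAN = tlv(0x30, tlv(0xA0, OID_BYTES + tlv(0xA0, tlv(0x0C, b"t006472@mycompany.com")))
                     + tlv(0x81, b"myuser@mycompany.com"))
```

The rfc822Name rule yields myuser@mycompany.com and the OID rule yields t006472@mycompany.com, matching the two results above; an empty AttributeName or a non-matching OID returns None, the case in which the page says the certificate is rejected.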