Defining Rules for Filtering Client Certificates

Use

You can use configuration options for the ClientCertLoginModule to filter client certificates based on the certificate issuer and/or the certificate subject name. You can use client certificate filters as building blocks to define rules for user ID authentication with client certificates.

You configure the use of filters in addition to configuring a mode to determine the user ID from the certificate information during logon.

Procedure

Using the SAP NetWeaver Administrator, go to the configuration options for the ClientCertLoginModule. For more information, see Managing Login Modules.

Filter Client Certificates by Certificate Subject Names

  1. Enter the attributes of the certificate subject as the value of the option Rule<n>.FilterSubject of the ClientCertLoginModule. The order of the values in the list does not matter. The comparison check for this rule is case-sensitive.

    Note

    You can use this option to specify comma-separated X.501 standard compliant values of type AttributeTypeAndValue. The ClientCertLoginModule uses the configured values to filter provided certificates based on the certificate SubjectName field.

    1. If the filtering rule specified with this configuration option finds a matching attribute in a provided certificate, then:

      1. The filter succeeds.

      2. The corresponding rule number is always used to determine the user ID.

      3. Subsequent rules are not checked.

        For example, if you configured a sequence of several rules to use for authentication, then the ClientCertLoginModule will use the first rule in the sequence for which the filter succeeds.

    2. If one of the specified values is missing from the certificate SubjectName field, then the authentication check for the corresponding rule is skipped. If you configured other rules, then the check continues with the next ClientCertLoginModule rule number in the rule sequence you configured.

    3. If the value of the rule field Rule<n>.FilterSubject is empty, the authentication check for this filter succeeds and the authentication check continues with the configured options for the corresponding rule to determine the user ID.

  2. Substitute <n> in the Rule<n> prefix of the ClientCertLoginModule configuration options to match the place of this rule in the sequence of configured rules for client certificate authentication. If you use a single rule, then substitute the option prefix Rule<n> with the prefix Rule1.

    Example

    For the configuration in the table below, the ClientCertLoginModule applies the configured filter for the certificate subject name and uses for authentication only those certificates that contain the attributes O=mycompany and OU=CA in their SubjectName field. If there are such certificates, then the ClientCertLoginModule determines the user ID from the first attribute of type rfc822Name in the V3 extension SubjectAlternativeName of the filtered certificate.

    Option               Value
    Rule1.filterSubject  O=mycompany, OU=CA
    Rule1.getUserFrom    expertMode
    Rule1.oid            2.5.29.17
    Rule1.AttributeName  rfc822Name

Filter Client Certificates by Certificate Issuer

  1. Enter the attributes of the certificate issuer as the value of the option FilterIssuer of the ClientCertLoginModule.

    Note

    The values entered must be of type X.501 Name and in comma-separated format. In addition, the value entered for this option must be an exact match to the Issuer fields in the client certificates for the check in this filtering rule option to succeed.

    1. If the filtering rule specified with this configuration option finds matching attributes in a provided certificate, then:

      1. The filter succeeds.

      2. The corresponding rule number is always used to determine the user ID.

      3. Subsequent rules are not checked.

        For example, if you configured a sequence of several rules to use for authentication, then the ClientCertLoginModule will use the first rule in the sequence for which the filter succeeds.

    2. If the configured values are different from the values in the certificate Issuer field, the check for the corresponding rule is skipped. If you configured other rules, then the check continues with the next ClientCertLoginModule rule number in the rule sequence you configured.

    3. If the value of the rule field FilterIssuer is empty, the authentication check for the corresponding rule is skipped and continues with the next ClientCertLoginModule rule you configured.

  2. Substitute <n> in the Rule<n> prefix of the ClientCertLoginModule configuration options to match the place of this rule in the sequence of configured rules for client certificate authentication. If you use a single rule, then substitute the option prefix Rule<n> with the prefix Rule1.

    Example

    For the configuration in the table below, the ClientCertLoginModule applies the configured filter for the certificate Issuer and uses for authentication only certificates with an Issuer field that exactly matches CN=myCA, OU=mydept, OU=CA, O=mycompany, C=DE. If there are such certificates, the ClientCertLoginModule determines the user ID from the attribute CN in the SubjectName field of the filtered certificate.

    Option               Value
    Rule1.filterIssuer   CN=myCA, OU=mydept, OU=CA, O=mycompany, C=DE
    Rule1.getUserFrom    SubjectName
    Rule1.AttributeName  CN
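The following is an added example, not SAP's code: a small Python model of how the subject and issuer filtering rules described in both procedures above are evaluated (first matching rule wins, empty FilterSubject succeeds, empty FilterIssuer skips the rule, case-sensitive subject matching with order ignored, exact issuer matching). Certificates are represented as constructed dicts rather than real X.509 objects, and the sample rules are the two tables above placed in one sequence.

```python
# Added example (not SAP code): models the rule semantics described above.
# Certificates are constructed dicts, not real X.509 objects.

def parse_name(name):
    # "O=mycompany, OU=CA" -> [("O", "mycompany"), ("OU", "CA")]
    return [(t.strip(), v.strip()) for t, _, v in
            (p.partition("=") for p in name.split(",")) if t.strip()]

def subject_filter_ok(rule, cert):
    # Empty FilterSubject succeeds; otherwise every configured attribute must
    # appear in SubjectName (case-sensitive, order irrelevant).
    subject = parse_name(cert["SubjectName"])
    return all(a in subject for a in parse_name(rule["filterSubject"]))

def issuer_filter_ok(rule, cert):
    # Empty FilterIssuer skips the rule; otherwise Issuer must match exactly.
    wanted = parse_name(rule["filterIssuer"])
    return bool(wanted) and wanted == parse_name(cert["Issuer"])

def user_id_from(rule, cert):
    if rule["getUserFrom"] == "SubjectName":
        values = parse_name(cert["SubjectName"])
    else:  # expertMode with oid 2.5.29.17 here: the SubjectAlternativeName extension
        values = cert.get("SubjectAlternativeName", [])
    return next((v for t, v in values if t == rule["AttributeName"]), None)

def authenticate(rules, cert):
    # Rules are checked in order; the first rule whose filter succeeds
    # determines the user ID and later rules are not checked.
    for number, rule in enumerate(rules, start=1):
        if "filterIssuer" in rule and not issuer_filter_ok(rule, cert):
            continue
        if "filterSubject" in rule and not subject_filter_ok(rule, cert):
            continue
        return number, user_id_from(rule, cert)
    return None, None  # no rule applied: the certificate is not accepted

# Constructed sample: the two rules from the tables above, in sequence.
RULES = [
    {"filterIssuer": "CN=myCA, OU=mydept, OU=CA, O=mycompany, C=DE",
     "getUserFrom": "SubjectName", "AttributeName": "CN"},
    {"filterSubject": "O=mycompany, OU=CA", "getUserFrom": "expertMode",
     "oid": "2.5.29.17", "AttributeName": "rfc822Name"},
]
CERT = {"SubjectName": "CN=alice, OU=CA, O=mycompany",
        "Issuer": "CN=otherCA, O=mycompany, C=DE",  # rule 1 is skipped
        "SubjectAlternativeName": [("dNSName", "pc1.example"),
                                   ("rfc822Name", "alice@example.test")]}
```

Calling authenticate(RULES, CERT) returns (2, 'alice@example.test'): the issuer of the sample certificate does not exactly match rule 1, so rule 2 applies and takes the user ID from the SubjectAlternativeName.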

Result

The AS Java can determine the user ID and filter client certificates based on the filtering rules that you configured.