Using Rules Based on Client Certificate Subject Names

Context

In this configuration mode, the user ID is determined from the SubjectName field of the client certificate. You configure the rules for this with the configuration options of the ClientCertLoginModule.

To enable certificate authentication, you add the ClientCertLoginModule to the login module stack of each application that is to use certificate authentication.

Procedure

  1. Using the SAP NetWeaver Administrator, go to the configuration options for the ClientCertLoginModule. For more information, see Managing Login Modules.
  2. Enter subjectName as the value of the option Rule<n>.getUserFrom of the ClientCertLoginModule.
  3. Enter a value for the option Rule<n>.AttributeName of the ClientCertLoginModule to specify the attribute of the certificate SubjectName field that identifies the user ID.
    • If the attribute name that you enter does not exist in the SubjectName field of the certificate, then the ClientCertLoginModule determines the user ID from the first attribute that does exist in the certificate SubjectName field.

    • If the SubjectName field contains more than one occurrence of the attribute name, then the ClientCertLoginModule determines the user ID from the first (leftmost) matching attribute in the certificate SubjectName field.

    Note

    This is a mandatory configuration step. If you do not provide a value for this option, the certificates used for authentication are rejected.

  4. To use rules for filtering the provided client certificates, see Defining Rules for Filtering Client Certificates.
  5. Substitute <n> in the Rule<n> prefix of the ClientCertLoginModule configuration options with the position of this rule in the sequence of configured rules for client certificate authentication. If you use a single rule, substitute Rule<n> with Rule1.
  6. Add the ClientCertLoginModule to the login module stacks of the applications that are to authenticate users based on client certificate subject names.

Results

Users who access the AS Java with client certificates are logged on with the user IDs that correspond to the SubjectName attribute rule that you configured.

Example

The example ClientCertLoginModule configurations below assume that a user presents an X.509 certificate whose SubjectName field contains the following attributes:

CN=myuser, OU=people, OU=CA, O=mycompany, C=DE

Determining the user ID from attribute CN of the certificate SubjectName

  Option               Value
  Rule1.getUserFrom    subjectName
  Rule1.AttributeName  CN

Result: The authenticated user ID is myuser.

Determining the user ID when the certificate SubjectName contains the attribute more than once

  Option               Value
  Rule1.getUserFrom    subjectName
  Rule1.AttributeName  OU

Result: The authenticated user ID is people, matching the leftmost occurrence of the SubjectName attribute OU.
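The following added example (not part of this documentation or of the SAP product) models the rule behaviour described above in Python, so that you can check which user ID a given certificate subject would map to under a Rule<n>.AttributeName setting before rolling the rule out. It reproduces both example configurations (CN and the repeated OU) and also reports when the documented fallback to the first existing attribute is taken, which is the case a configuration review most needs to catch. The subject parsing is a simplified RFC 2253 split and is an assumption of this example, not the product's own parser.

```python
import re

# Constructed subject, taken from the example above (page's example, not a real certificate).
EXAMPLE_SUBJECT = "CN=myuser, OU=people, OU=CA, O=mycompany, C=DE"


def parse_subject(subject):
    """Split a subject string into (attribute, value) pairs, left to right.

    Simplified RFC 2253 handling (an assumption of this example): RDNs are split on
    commas that are not backslash-escaped, attribute names are compared
    case-insensitively, and escaped commas in values are unescaped.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", subject):
        rdn = rdn.strip()
        if not rdn:
            continue
        name, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((name.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def user_from_subject(subject, attribute_name):
    """Apply Rule<n>.getUserFrom=subjectName with Rule<n>.AttributeName=attribute_name.

    Returns (user_id, used_fallback). Mirrors the documented behaviour: the leftmost
    occurrence of the attribute wins; if the attribute is absent from the subject,
    the first existing attribute is used instead (used_fallback is then True).
    An empty subject raises, since there is no attribute to determine a user from.
    """
    pairs = parse_subject(subject)
    if not pairs:
        raise ValueError("empty subject: no attribute to determine the user ID from")
    wanted = attribute_name.strip().upper()
    for name, value in pairs:
        if name == wanted:
            return value, False
    return pairs[0][1], True


if __name__ == "__main__":
    for attr in ("CN", "OU", "L"):
        user_id, fallback = user_from_subject(EXAMPLE_SUBJECT, attr)
        note = " (fallback: attribute not present)" if fallback else ""
        print(f"Rule1.AttributeName={attr}: user ID {user_id}{note}")
```

A True second return value means the configured attribute is missing from that certificate, so the user ID would come from whatever attribute happens to be first; that is worth verifying against the subject layout your CA actually issues.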