Show TOC

Mapping the Impersonator Role to the Reverse Proxy Certificate in XMLLocate this document in the navigation structure

Enable the reverse proxy to impersonate an end user who authenticates using a mutual SSL connection, by mapping the Impersonator role to the certificate used by the reverse proxy.



SAP recommends that you use Management Cockpit, instead of this procedure, to map the Impersonator role to the certificate used by the reverse proxy—see Mapping Logical Roles to Physical Roles.

This topic describes how to map the Impersonator role to the reverse-proxy certificate by editing the role-mapping file.


  1. In Management Cockpit, set the security log level to Debug.
  2. Perform a client request through the reverse proxy using the HTTPS 8082 port. For example, execute a request to proxy a client’s SSL_CLIENT_CERT, or send a push notification. These fail and are recorded in the server log.
  3. Open the server log file <SMP_HOME>\Server\log\<hostName>-smp-server.log.

    In the server log, you see the same DN that SAP Mobile Platform CSI sees. For example, CN = JohnDoe O = Acme C = US, where CN is common name, O is the organization name, and C is the country name.

  4. Navigate to <SMP_HOME>\Server\configuration\\CSI, and open the role-mapping file.
  5. Copy the SubjectDN, exactly as it appears in the server log, and paste it into the role-mapping file, using this format:
    <MappedName>user:<SubjectDN copied from the server log></MappedName>
  6. Repeat the client request and verify that it succeeds.
  7. In Management Cockpit, reduce the security log level to a value more appropriate for normal security operations, for example, Info or Warn.