The X.509 User Certificate provider enables mutual authentication. Use this provider when certificates are authenticated by the container.
You can use X.509 User Certificate with other providers that support certificate authentication, for example, Directory Service (LDAP/AD). If you use multiple providers, set X.509 User Certificate so it is called first.
You can use this provider to validate client certificates only when HTTPS listeners are configured to use mutual authentication.
Add and configure X.509 User Certificate properties, or accept the default settings.
Indicates how the security provider is used in the login sequence.
Differentiate between multiple instances of the same provider type; for example, when you have multiple authentication providers of the same type stacked in a security profile, and each targets a different repository.
| Property | Default | Description |
|---|---|---|
| Validated Certificate Is Identity | False | (Optional) Whether the certificate should set the authenticated subject as the user ID. If X.509 User Certificate is used with other providers that establish user identity based on the validated certificate, set this value to false. |
| Validate Certificate Path | True | If true, performs certificate chain validation, starting with the certificate being validated. Verifies that the issuer of that certificate is valid and that the certificate has been issued by a trusted certificate authority (CA). If not, the provider looks up the issuer of the certificate to verify that it is valid and is issued by a trusted CA, going up the chain to find a CA that is in the trusted certificate store. If the trusted store does not contain any of the issuers in the certificate chain, validation fails. |
| Enable Revocation Checking | False | (Optional) Enables Online Certificate Status Protocol (OCSP) certificate checking for user authentication. If you enable this option, you must also enable OCSP in SAP Mobile Platform Server. This provider uses the OCSP configuration properties that are defined in Authentication fails if a certificate has been revoked and both of the following are true: |
| Certificate Attribute as Principal | None | (Optional) The attribute to use as the For example, if set to cn, and a client certificate subject DN is cn=johnsmith, OU=marketing, DC=acme, DC=com, the generated subject principal name is johnsmith; if undefined, the entire DN value is used. |
| Credential Name | SSL_CLIENT_CERT | Name to be associated with the credential added by this provider to store the validated certificate. |
| Key / Value | None | The content from the URL is passed to java.security.cert.CertificateFactory.generateCRLs. Note: SAP Mobile Platform also supports an ldap:// URL. See the definition of the CertificateFactory class. |
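The Certificate Attribute as Principal rule above (take one attribute of the client certificate's subject DN as the principal, or the whole DN when no attribute is configured) is illustrated by the following added example; it is not SAP Mobile Platform code, and the behaviour of returning None for a configured attribute that is absent from the DN is an assumption, since the page does not state what the product does in that case.

```python
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 string DN into (attribute, value) pairs, in order.

    Handles backslash escapes (a "\\," inside a value) and multi-valued
    RDNs joined with "+", which covers how subject DNs appear in client
    certificates.  Hex escapes (\\2C) are not expanded.
    """
    pairs: list[tuple[str, str]] = []
    buf: list[str] = []
    attr: str | None = None
    escaped = False
    for ch in dn:
        if escaped:                      # previous char was a backslash
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr is None:  # end of the attribute type
            attr = "".join(buf).strip()
            buf = []
        elif ch in ",+":                 # end of an RDN (or of one of its values)
            pairs.append((attr or "", "".join(buf).strip()))
            buf, attr = [], None
        else:
            buf.append(ch)
    if attr is not None:                 # flush the last pair
        pairs.append((attr, "".join(buf).strip()))
    return pairs


def principal_from_dn(subject_dn: str, attribute: str | None) -> str | None:
    """Derive the subject principal name the way the page describes.

    attribute=None mirrors the property being undefined: the entire DN is
    the principal.  Otherwise the first matching attribute (compared
    case-insensitively, so "cn" matches "CN") supplies the principal.
    Assumption: None is returned when the attribute is configured but the
    certificate's DN does not contain it, so the caller can reject rather
    than guess an identity.
    """
    if not attribute:
        return subject_dn
    want = attribute.lower()
    for attr, value in parse_dn(subject_dn):
        if attr.lower() == want:
            return value
    return None


# Constructed sample: the subject DN used as the example on this page.
SAMPLE_DN = "cn=johnsmith, OU=marketing, DC=acme, DC=com"

if __name__ == "__main__":
    print(principal_from_dn(SAMPLE_DN, "cn"))                  # johnsmith
    print(principal_from_dn(SAMPLE_DN, None))                  # the whole DN
    print(principal_from_dn(r"CN=Smith\, John,O=Acme", "cn"))  # Smith, John
```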
To validate your settings, click Test Settings. A message reports either success or failure; if validation fails, invalid settings are highlighted.