
Function documentation: Modifying Client Certificate Authentication Options

Use

The J2EE Engine enables you to use client certificates for authentication with the JAAS login module ClientCertLoginModule. You can use the configuration options of the ClientCertLoginModule to determine the J2EE Engine user ID from the client certificate and to filter provided certificates based on rules for certificate authentication.

Integration

The options for the ClientCertLoginModule enable you to configure the use of a sequence of several rules for client certificate authentication. To configure a single rule, you use combinations of several login module options and a prefix that marks the rule number. The prefix that marks the rule number also determines the sequence for the rule execution.

To enable rule-based certificate authentication, you add the ClientCertLoginModule to the login module stacks of the policy configurations of the J2EE applications that are to authenticate with certificates. You can configure the options to enable rule-based certificate authentication for individual applications or for all applications that contain the ClientCertLoginModule in their login module stacks. For more information, see Managing Login Modules and Managing Policy Configurations.

Features

The login module configuration options enable you to determine the J2EE Engine user ID from the client certificate information during logon. You configure several login module options to specify a single rule for performing authentication with the client certificates. You can use certificate filters and configuration options to determine the user ID from the certificate information as building blocks to form a single rule. You can combine several rules in a rule sequence, using a prefix for the rule options to mark the rule number in the sequence of all rules configured for authentication.

The figure below illustrates this concept:

[Figure: Entity relationship for rules and login module configuration options]

Filter client certificates to use for authenticating a user

The configuration options enable you to filter client certificates either by certificate issuer or by certificate subject names.

When you configure filters based on the certificate issuer, you enter the issuer attributes exactly as specified in the client certificate. When you configure filters based on the certificate subject name, you can enter only some of the certificate subject attributes to define the filtering rule.

Note

The use of filters for a rule is an optional configuration step that specifies the criteria for whether a rule in a sequence of rules is applied to determine the user ID from the certificate information. You can also configure rules that only determine the user ID, without filters restricting which certificates the rule applies to. In this case, if the J2EE Engine cannot determine a user ID from a certificate, the authentication fails and subsequent rules in the rule sequence are not checked.

Authenticate a user ID from certificate information

The configuration options support the following modes to determine the user ID from the certificate information:

     Search the J2EE Engine user store for a user who is already mapped to the client certificate. This is the default behavior for determining the user ID when you are using client certificate authentication.

     Determine the J2EE Engine user ID from the SubjectName field of the X.509 client certificate. You can use this configuration mode for the majority of your certificate authentication needs to determine the user ID from the certificate information.

     Determine the J2EE Engine user ID from the V3 extension SubjectAlternativeName of the X.509 client certificate. This is an advanced configuration mode for which you configure the use of a certificate V3 extension to determine the user ID.

Note

When using an SAP ABAP system as the UME data source, the determined J2EE Engine user ID must be in a valid format for the authentication to succeed. For more information, see Users and Roles (BC-SEC-USR).
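The following Python model, added here as an illustration and not code from SAP or the ClientCertLoginModule, shows how the filtering and user-ID passages above fit together: rules are flat options grouped by a numeric prefix that fixes their order, a filter that does not match skips the rule, and a matching rule that yields no user ID fails the logon without checking later rules. The option names (getUserFrom, attributeName, filterSubject, filterIssuer), the certificate representation and all sample values are assumptions constructed for this example.

```python
"""Rule-based client-certificate authentication, modelled in Python.

Constructed illustration; option names, certificate fields and sample
data are assumptions for this example, not the login module's real
configuration keys.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class ClientCert:
    subject: Dict[str, str]                           # SubjectName attributes
    issuer: Dict[str, str]                            # issuer attributes
    san: Dict[str, str] = field(default_factory=dict) # SubjectAlternativeName entries
    fingerprint: str = ""                             # constructed key for stored mappings

RULE_PREFIX = re.compile(r"^Rule(\d+)\.(.+)$")

def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'CN=jdoe,O=Example' into a dict (simplified DN syntax)."""
    return {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in dn.split(","))}

def parse_rules(options: Dict[str, str]) -> List[Dict[str, str]]:
    """Group prefixed options into rules, ordered numerically by prefix."""
    rules: Dict[int, Dict[str, str]] = {}
    for key, value in options.items():
        m = RULE_PREFIX.match(key)
        if m:  # options without a rule prefix are not part of any rule
            rules.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return [rules[n] for n in sorted(rules)]

def rule_applies(rule: Dict[str, str], cert: ClientCert) -> bool:
    """Filters are optional. The issuer filter must match the whole issuer;
    the subject filter may name only some subject attributes."""
    if "filterIssuer" in rule and parse_dn(rule["filterIssuer"]) != cert.issuer:
        return False
    if "filterSubject" in rule:
        wanted = parse_dn(rule["filterSubject"])
        if any(cert.subject.get(k) != v for k, v in wanted.items()):
            return False
    return True

def resolve_user(rule: Dict[str, str], cert: ClientCert,
                 user_store: Dict[str, str]) -> Optional[str]:
    """The three modes described in the text; stored mapping is the default."""
    mode = rule.get("getUserFrom", "storedMapping")
    if mode == "storedMapping":
        return user_store.get(cert.fingerprint)
    if mode == "subjectName":
        return cert.subject.get(rule.get("attributeName", "CN"))
    if mode == "subjectAlternativeName":
        return cert.san.get(rule.get("attributeName", ""))
    raise ValueError(f"unknown getUserFrom mode: {mode}")

def authenticate(options: Dict[str, str], cert: ClientCert,
                 user_store: Dict[str, str]) -> Optional[str]:
    """Walk the rule sequence: skip rules whose filter does not match; the
    first matching rule decides, and None means the logon fails."""
    for rule in parse_rules(options):
        if rule_applies(rule, cert):
            return resolve_user(rule, cert, user_store)
    return None

# Constructed configuration: three rules in sequence.
OPTIONS = {
    "Rule1.getUserFrom": "storedMapping",
    "Rule1.filterIssuer": "CN=Corp CA,O=Example",
    "Rule2.getUserFrom": "subjectName",
    "Rule2.attributeName": "CN",
    "Rule2.filterSubject": "O=Example",
    "Rule3.getUserFrom": "subjectAlternativeName",
    "Rule3.attributeName": "rfc822Name",
}
USER_STORE = {"sha1:aa11": "admin_mapped"}  # constructed fingerprint -> user ID

CORP_CERT = ClientCert(parse_dn("CN=jdoe,O=Example,C=DE"),
                       parse_dn("CN=Corp CA,O=Example"), fingerprint="sha1:aa11")
UNMAPPED_CORP_CERT = ClientCert(parse_dn("CN=newhire,O=Example"),
                                parse_dn("CN=Corp CA,O=Example"), fingerprint="sha1:bb22")
PARTNER_CERT = ClientCert(parse_dn("CN=asmith,O=Partner"),
                          parse_dn("CN=Partner CA,O=Partner"),
                          san={"rfc822Name": "asmith@partner.example"})

def demo() -> Dict[str, Optional[str]]:
    return {name: authenticate(OPTIONS, cert, USER_STORE) for name, cert in
            [("corp", CORP_CERT), ("unmapped", UNMAPPED_CORP_CERT), ("partner", PARTNER_CERT)]}

if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name}: {'logon failed' if user is None else user}")
```

The unmapped corporate certificate is the case the note above describes: Rule1 matches by issuer but finds no stored mapping, so the logon fails even though Rule2 would have produced a user ID from the CN attribute. Only certificates that do not satisfy Rule1's filter ever reach Rule2 and Rule3.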

Activities


       1.      Using the Visual Administrator, go to the configuration options for the ClientCertLoginModule. For more information, see Managing Login Modules.

       2.      Configure the ClientCertLoginModule options to determine the user ID based on the client certificate.

     Configure the use of stored certificate mappings.

     Configure the use of rules based on certificate subject names.

Recommendation

We recommend that you use this configuration for standard client certificate authentication needs.

     Configure the use of rules based on certificate V3 extensions.

       3.      In addition, when using rules based on certificate subject names or V3 extensions, you can also define rules for filtering client certificates.

Result

Authorized users can log on to the J2EE Engine using SSL and X.509 client certificates for authentication. Based on the rule you configure, the ClientCertLoginModule of the J2EE Engine can determine the user ID from the client certificate and apply filters to the certificates provided for authentication.


See also:

Managing Login Modules

Managing Policy Configurations
