
Using Rules Based on Client Certificate Subject Names

Use

You can use this configuration mode to determine the user ID from the SubjectName field of the client certificate. The configuration options of the ClientCertLoginModule define the rules that map the SubjectName field of the client certificate to a user ID.

To enable certificate authentication, you add the ClientCertLoginModule to the login module stack of each J2EE application that is to use certificate authentication.

Procedure


       1.      Using the J2EE Engine Visual Administrator, go to the configuration options for the ClientCertLoginModule. For more information, see Managing Login Modules.


       2.      Enter subjectName as a value for the option Rule<n>.getUserFrom of the ClientCertLoginModule.

       3.      Enter a value for the option Rule<n>.AttributeName of the ClientCertLoginModule to specify the attribute of the certificate SubjectName field that identifies the J2EE Engine user ID.

     If the attribute name that you enter does not exist in the SubjectName field of the certificate, then the ClientCertLoginModule determines the user ID from the first existing attribute in the certificate SubjectName field.

     If the SubjectName field contains more than one occurrence of the matching attribute name, then the ClientCertLoginModule determines the user ID from the first matching occurrence in the certificate SubjectName field.

Note

This is a mandatory configuration step. Not providing a value for this option results in the certificates used for authentication being rejected.

       4.      To use rules for filtering the provided client certificates, see Defining Rules For Filtering Client Certificates.

       5.      Substitute <n> in the Rule<n> prefix of the ClientCertLoginModule configuration options with the position of this rule in the sequence of configured rules for client certificate authentication. If you use a single rule, then substitute Rule<n> with Rule1.

       6.      Add the ClientCertLoginModule to the login module stacks of the J2EE applications to authenticate users based on client certificate subject names.

Result

Users that authenticate to the J2EE Engine with client certificates can log on with user IDs that correspond to the rule for the SubjectName field attribute that you configured.

Example

The example ClientCertLoginModule configurations below assume that a user provides an X.509 certificate with the following attributes in the certificate SubjectName field:

     CN=myuser, OU=people, OU=CA, O=mycompany, C=DE

Determining the user ID from attribute CN of the certificate SubjectName

     Option                 Value
     Rule1.getUserFrom      subjectName
     Rule1.AttributeName    CN

Result: The authenticated J2EE Engine user ID is myuser.


Determining the user ID from multiple occurrences of an attribute name in the certificate SubjectName

     Option                 Value
     Rule1.getUserFrom      subjectName
     Rule1.AttributeName    OU

Result: The authenticated J2EE Engine user ID is people, matching the first (leftmost) occurrence of the SubjectName attribute OU.
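The following Python model, added here and not part of SAP's ClientCertLoginModule, reproduces the attribute-selection semantics of step 3 and the two tables above: leftmost match wins, a missing attribute falls back to the first existing attribute, and a rule without Rule<n>.AttributeName rejects the certificate. The function and option-dictionary names are assumptions for illustration; the DN parser assumes a plain comma-separated SubjectName without escaped commas.

```python
"""Model of the ClientCertLoginModule "subjectName" rule (illustration only)."""
from typing import Optional


def parse_subject_name(subject_dn: str) -> list[tuple[str, str]]:
    """Split a SubjectName string into ordered (attribute, value) pairs.

    Assumption: simple comma-separated DN with no escaped commas, as in the
    page's example "CN=myuser, OU=people, OU=CA, O=mycompany, C=DE".
    """
    pairs = []
    for rdn in subject_dn.split(","):
        if "=" not in rdn:
            continue  # ignore empty or malformed components
        name, value = rdn.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def user_id_from_subject_name(subject_dn: str, attribute: str) -> Optional[str]:
    """Apply the Rule<n>.AttributeName selection described in step 3."""
    pairs = parse_subject_name(subject_dn)
    if not pairs:
        return None  # nothing to derive a user ID from
    for name, value in pairs:
        # Attribute types compared case-insensitively (assumption; unspecified on the page).
        if name.lower() == attribute.lower():
            return value  # first (leftmost) matching occurrence wins
    # Fallback stated on the page: the first existing attribute in the SubjectName.
    return pairs[0][1]


def resolve_user(options: dict[str, str], n: int, subject_dn: str) -> Optional[str]:
    """Evaluate configured Rule<n> options against a certificate SubjectName.

    `options` maps option names to values, e.g.
    {"Rule1.getUserFrom": "subjectName", "Rule1.AttributeName": "CN"}.
    Only the subjectName mode is modelled; None means the certificate is rejected.
    """
    prefix = f"Rule{n}."
    if options.get(prefix + "getUserFrom") != "subjectName":
        return None
    attribute = options.get(prefix + "AttributeName")
    if not attribute:
        return None  # mandatory option missing: certificate rejected (see Note)
    return user_id_from_subject_name(subject_dn, attribute)


if __name__ == "__main__":
    dn = "CN=myuser, OU=people, OU=CA, O=mycompany, C=DE"  # constructed sample
    print(resolve_user({"Rule1.getUserFrom": "subjectName", "Rule1.AttributeName": "CN"}, 1, dn))
    print(resolve_user({"Rule1.getUserFrom": "subjectName", "Rule1.AttributeName": "OU"}, 1, dn))
```

The fallback branch makes visible why the filtering rules referenced in step 4 matter: a certificate that lacks the configured attribute still yields a user ID, taken from whatever attribute appears first.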
