
Maintaining Certificate Mappings Automatically

Use

Use this section to configure automatic mapping of client certificates to user IDs during user logon.

The J2EE Engine can use the CertPersisterLoginModule to map client certificates to user IDs automatically on first logon. To enable automatic mapping, you add the CertPersisterLoginModule to the login module stacks of the applications that use certificate authentication based on a stored certificate mapping.

Prerequisites

      You have configured the ClientCertLoginModule to use a stored certificate mapping to determine the user ID for client certificate authentication.

      The UME property ume.logon.allow_cert is set to TRUE. For more information about changing UME properties, see Editing UME Properties.

Procedure


       1.       Add the CertPersisterLoginModule to the login module stack for client certificate authentication after the login modules for the fallback mechanisms you are using. For more information about adding login modules to login module stacks, see Managing Login Modules.

Note

If the CertPersisterLoginModule is not available in the list of login modules for the UME user store, you can add it from the Visual Administrator using the following parameters:

Class Name: com.sap.security.core.server.jaas.CertPersisterLoginModule

Display Name: CertPersisterLoginModule

       2.      Choose OPTIONAL for the processing flag of the CertPersisterLoginModule in the login module stack.

Example

The example in the table below is based on the ticket template for SSO with logon tickets, and uses user ID and password authentication as the fallback mechanism. The example shows a login module stack configuration for automatic certificate mapping on first user logon:

Login Modules                 Flag          Options
EvaluateTicketLoginModule     SUFFICIENT    {ume.configuration.active=true}
ClientCertLoginModule         OPTIONAL      {Rule1.getUserFrom=wholeCert}
CreateTicketLoginModule       SUFFICIENT    {ume.configuration.active=true}
BasicPasswordLoginModule      REQUISITE
CertPersisterLoginModule      OPTIONAL
CreateTicketLoginModule       OPTIONAL      {ume.configuration.active=true}

The login module stack from the example works as follows:


       1.      The EvaluateTicketLoginModule checks whether the user has a valid logon ticket. If yes, authentication succeeds, control returns to the application and the authentication check is concluded.

       2.      The ClientCertLoginModule checks for a valid user certificate and determines the J2EE Engine user ID, based on its configuration.

       3.      If the ClientCertLoginModule can retrieve the user ID from an already stored certificate mapping, the CreateTicketLoginModule issues a logon ticket for this user ID. Authentication succeeds and the J2EE Engine application resumes control.

       4.      If the ClientCertLoginModule cannot determine the user ID, the BasicPasswordLoginModule authenticates the user with user ID and password.

                             a.      If basic authentication is successful, the CertPersisterLoginModule maps the presented certificate to the authenticated user ID and the CreateTicketLoginModule issues a logon ticket for the user. On later logons the stored mapping is found in step 3, so the user is no longer prompted for a password. Note that the mapping is created solely because the password logon succeeded; the module does not check any relation between the certificate's contents and the user ID, so any client certificate that the server's SSL configuration accepts can be bound to the user who supplies a valid password. Because the CertPersisterLoginModule is OPTIONAL, a user who logs on with user ID and password but presents no certificate is still authenticated.

                             b.      If the user ID and password authentication is not successful, authentication fails.
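The flow above depends on the JAAS processing flags, and the consequence of step 2 (choosing OPTIONAL for the CertPersisterLoginModule) is easy to miss. The following is an added illustration, not SAP code: each login module is replaced by a simplified model of its behaviour, the user store and the stored certificate mapping are constructed dicts, a "ticket" is modelled as the user ID it asserts, and the stack is evaluated with the standard JAAS flag rules. It walks through a first logon (unmapped certificate plus password), the second logon with the certificate alone, and shows that the same password-only logon that succeeds with OPTIONAL would be rejected if the CertPersisterLoginModule were flagged REQUIRED.

```python
# Added illustration of how the example login module stack is evaluated.
# Not SAP code: module behaviours are simplified models, USERS and the
# certificate mapping are constructed data, and a "ticket" is just the user
# ID it asserts. Flag handling follows standard JAAS rules.

USERS = {"jdoe": "s3cret"}          # constructed user store: user ID -> password


def evaluate_ticket(req, state, cert_map):
    """EvaluateTicketLoginModule: succeeds only with a valid logon ticket."""
    if req.get("ticket"):
        state["user"] = req["ticket"]
        return True
    return False


def client_cert(req, state, cert_map):
    """ClientCertLoginModule (Rule1.getUserFrom=wholeCert): the whole
    certificate is the key into the stored certificate mapping."""
    cert = req.get("cert")
    if cert is None:
        return False
    state["cert"] = cert                 # shared so CertPersister can see it
    if cert not in cert_map:
        return False                     # no mapping yet: fall back
    state["user"] = cert_map[cert]
    return True


def create_ticket(req, state, cert_map):
    """CreateTicketLoginModule: issue a ticket for an already identified user."""
    if "user" not in state:
        return False
    state["ticket"] = "ticket-for-" + state["user"]
    return True


def basic_password(req, state, cert_map):
    """BasicPasswordLoginModule: user ID and password fallback."""
    user = req.get("user")
    if user is None or USERS.get(user) != req.get("password"):
        return False
    state["user"] = user
    return True


def cert_persister(req, state, cert_map):
    """CertPersisterLoginModule: bind the presented certificate to the user
    ID the fallback established, so the next logon needs no password."""
    if "cert" not in state or "user" not in state:
        return False
    cert_map[state["cert"]] = state["user"]
    return True


# The stack from the example table, in order.
STACK = [
    ("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
    ("ClientCertLoginModule", "OPTIONAL", client_cert),
    ("CreateTicketLoginModule", "SUFFICIENT", create_ticket),
    ("BasicPasswordLoginModule", "REQUISITE", basic_password),
    ("CertPersisterLoginModule", "OPTIONAL", cert_persister),
    ("CreateTicketLoginModule", "OPTIONAL", create_ticket),
]


def run_stack(stack, req, cert_map):
    """Evaluate the stack with JAAS flag semantics.
    Returns (authenticated, user ID or None, list of (module, flag, result))."""
    state, trace = {}, []
    required_seen = required_failed = any_success = False
    for name, flag, fn in stack:
        ok = fn(req, state, cert_map)
        trace.append((name, flag, ok))
        if flag in ("REQUIRED", "REQUISITE"):
            required_seen = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break            # REQUISITE failure aborts immediately
        elif ok:
            any_success = True
            if flag == "SUFFICIENT" and not required_failed:
                break                # SUFFICIENT success ends the stack
    authenticated = (not required_failed) if required_seen else any_success
    return authenticated, (state.get("user") if authenticated else None), trace


def with_flag(stack, module_name, flag):
    """Copy of the stack with one module's flag changed (to test step 2)."""
    return [(n, flag if n == module_name else f, fn) for n, f, fn in stack]


def first_then_second_logon(cert_map, cert="CN=jdoe,O=Example"):
    """First logon: unmapped certificate plus password (mapping gets stored).
    Second logon: the same certificate alone."""
    first = run_stack(STACK, {"cert": cert, "user": "jdoe", "password": "s3cret"}, cert_map)
    second = run_stack(STACK, {"cert": cert}, cert_map)
    return first, second


if __name__ == "__main__":
    cm = {}
    for ok, user, trace in first_then_second_logon(cm):
        print(ok, user, [n for n, _, r in trace])
    print("stored mapping:", cm)
    # Step 2 in practice: a password-only user (no certificate) is accepted
    # with OPTIONAL but would be rejected if REQUIRED were chosen.
    print(run_stack(STACK, {"user": "jdoe", "password": "s3cret"}, {})[0])
    print(run_stack(with_flag(STACK, "CertPersisterLoginModule", "REQUIRED"),
                    {"user": "jdoe", "password": "s3cret"}, {})[0])
```

On the first logon all six modules run and the certificate ends up in the mapping; on the second logon the stack stops after the SUFFICIENT CreateTicketLoginModule and the BasicPasswordLoginModule is never reached. The trace also makes the security point visible: nothing between the ClientCertLoginModule and the CertPersisterLoginModule relates the certificate to the user ID, so the binding rests entirely on the password check and on which client certificates the server accepts.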
