
Purpose

Describe the ways in which the AS Java can be configured to use certificate matching to retrieve a user account from a received x.509 client certificate.

Overview

When an x.509 certificate is used for authentication on the AS Java, there are two different ways in which the received certificate can be used to authenticate the user:

  • Certificate matching
  • Rules

Here the options for configuring certificate matching, which matches a received x.509 certificate to a user account, are described. For details on using rules to extract the logon ID from the certificate, refer to Client certificate authentication options - rules.

Certificate Matching

In this scenario, when the AS Java receives the end-user's x.509 client certificate it simply uses the certificate itself as a search term when searching through the user accounts in its UME data sources. If a user has a matching certificate stored, that is the account that is authenticated. For this to work, certificates must be stored in the user accounts in the UME. This can be done manually or automatically.

Certificate matching - manual storage of certificates
The mapping can be done manually by importing the certificate in the Security Provider service in the Visual Administrator, or in the User Administration UI: search for the user and import the certificate from the file system. For the certificate tab to appear in the User Administration UI, the UME property ume.logon.allow_cert must be set to true.

Here is an example login module stack configuration for this scenario.

Login Module                 Flag         Options
EvaluateTicketLoginModule    SUFFICIENT   ume.configuration.active=true
ClientCertLoginModule        OPTIONAL
CreateTicketLoginModule      SUFFICIENT   ume.configuration.active=true
BasicPasswordLoginModule     OPTIONAL
CreateTicketLoginModule      SUFFICIENT   ume.configuration.active=true

When an application that uses this login module configuration is requested via https, the client certificate sent by the browser is checked against the stored certificates. If a match is found, the user is authenticated. If no match is found, the user receives the logon page and can log on with user ID and password. Note that unless the certificate is manually stored in a user account in the UME in the meantime, the same thing happens the next time that user tries to authenticate with the client certificate: client certificate authentication fails and the user is presented with the logon page.

Certificate matching - automatic storage of certificates
The mapping can be done automatically by including the CertPersisterLoginModule in the login module stack. Here is an example login module stack for this scenario.

Login Module                 Flag         Options
EvaluateTicketLoginModule    SUFFICIENT   ume.configuration.active=true
ClientCertLoginModule        OPTIONAL
CreateTicketLoginModule      SUFFICIENT   ume.configuration.active=true
BasicPasswordLoginModule     OPTIONAL
CreateTicketLoginModule      SUFFICIENT   ume.configuration.active=true
CertPersisterLoginModule     OPTIONAL
CreateTicketLoginModule      SUFFICIENT   ume.configuration.active=true

Now consider the situation where a user accesses the application over https and there is no account in the UME with a matching certificate stored. The certificate is sent by the client, but client certificate authentication fails and the user is presented with the logon page. If the user enters a correct logon ID/password combination, the certificate that was sent by the client is automatically mapped to the user in the UME by the CertPersisterLoginModule. In future, when the same user accesses this application over https, the client certificate sent by the client is matched to the stored certificate in the UME to authenticate the user.

Note that in this case, users have to enter their user ID and password the very first time they access the application over https, so that the certificate sent by the client can be mapped to the user in the UME.

This automatic mapping is useful for administrators when there are huge numbers of application users, since it makes the time-consuming manual storage of certificates unnecessary.
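To make the behaviour of both stacks above concrete (manual storage, where an unmatched certificate keeps failing, and automatic storage with the CertPersisterLoginModule), here is an added Python model that is not SAP code and not the AS Java implementation. It assumes a constructed in-memory stand-in for the UME, compares certificates by the SHA-256 fingerprint of their DER bytes, and leaves the ticket modules out; the SUFFICIENT CreateTicketLoginModule after each authenticating module is modelled by returning as soon as one module succeeds.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """Identify a certificate by the SHA-256 of its DER bytes (constructed stand-in for the UME match)."""
    return hashlib.sha256(cert_der).hexdigest()

class ToyUME:
    """Constructed stand-in for the UME: each user has a password hash and a set of stored certificates."""
    def __init__(self):
        self.users = {}

    def add_user(self, user: str, password: str) -> None:
        self.users[user] = {"pw": hashlib.sha256(password.encode()).hexdigest(), "certs": set()}

    def find_by_cert(self, cert_der: bytes):
        fp = fingerprint(cert_der)
        hits = [u for u, rec in self.users.items() if fp in rec["certs"]]
        return hits[0] if len(hits) == 1 else None  # no match, or an ambiguous match, yields no user

    def check_password(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        return rec is not None and rec["pw"] == hashlib.sha256(password.encode()).hexdigest()

    def store_cert(self, user: str, cert_der: bytes) -> None:
        self.users[user]["certs"].add(fingerprint(cert_der))

def run_stack(ume: ToyUME, request: dict, cert_persister: bool):
    """Walk the stack: ClientCertLoginModule, then BasicPasswordLoginModule, then (optionally)
    CertPersisterLoginModule. Returns (user, how) or (None, "logon page")."""
    cert = request.get("cert")
    user = ume.find_by_cert(cert) if cert else None          # ClientCertLoginModule (OPTIONAL)
    if user:
        return user, "certificate"                            # SUFFICIENT CreateTicketLoginModule ends the chain
    if "user" not in request:                                 # no credentials yet: AS Java shows the logon page
        return None, "logon page"
    if not ume.check_password(request["user"], request.get("password", "")):  # BasicPasswordLoginModule
        return None, "logon page"
    if cert_persister and cert:                               # CertPersisterLoginModule maps the cert to the account
        ume.store_cert(request["user"], cert)
    return request["user"], "password"

def demo():
    """Constructed walk-through of the automatic-storage stack: logon page first, cert match afterwards."""
    ume = ToyUME()
    ume.add_user("alice", "s3cret")
    cert = b"constructed-der-bytes-for-alice"  # stands in for a real x.509 client certificate
    first = run_stack(ume, {"cert": cert}, cert_persister=True)
    second = run_stack(ume, {"cert": cert, "user": "alice", "password": "s3cret"}, cert_persister=True)
    third = run_stack(ume, {"cert": cert}, cert_persister=True)
    return first, second, third
```

Running the same three requests with cert_persister=False reproduces the manual-storage stack: the certificate is never stored, so the third request lands on the logon page again.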

Related Content

Related Documents

Modifying Client Certificate Authentication Options

Related SAP Notes/KBAs

1799620 - Logs required for analysis of SSL related issues
