
Purpose

Describe the different ways in which the AS Java can be configured to use certificate rules to retrieve a user account from a received X.509 client certificate.

Overview

When an X.509 client certificate is used for authentication on the AS Java, there are two different ways the received certificate can be used to authenticate the user:

  • Certificate matching
  • Rules

This page describes the options for using rules to retrieve the user account details from the certificate. Refer to Client certificate authentication options - certificate matching for details on the alternative approach, where the AS Java matches the received certificate to one stored in a user account in the UME in order to authenticate the user.

Rules

In this scenario the logon ID is extracted from the received client certificate using rules defined in the options of the ClientCertLoginModule. Unlike in the wholeCert (certificate matching) scenario referenced above, a certificate is never mapped to a user in the UME in this case. With each authentication attempt the ClientCertLoginModule uses the rules to retrieve the user ID from the certificate fields.

There are two approaches here: a rule can be defined to read the username from the subjectName certificate field, or rules can be defined to read the username from a certificate extension called SubjectAlternativeName.

There are two types of fields in an X.509 certificate. There are basic certificate fields such as Subject, Issuer, SerialNumber and Validity, and there are certificate extensions, information fields used to expand the original X.509 certificate information standard. Extensions provide additional information about the certificate, such as alternative subject names and the certificate's key usage.

SubjectName

With this approach one configures a rule to get the logon ID from the SubjectName of the certificate. One of the basic fields of a client certificate is called Subject and its value is referred to as Name. For example, if a certificate has subjectName: CN = JohnDoe, O = SAP-AG, C = DE, the following rule will result in the logon ID being determined as JohnDoe:

Rule1.getUserFrom=subjectName
Rule1.AttributeName=CN

Here is an example login module stack showing the rule defined for the ClientCertLoginModule:

Login Module               Flag         Options
EvaluateTicketLoginModule  SUFFICIENT   ume.configuration.active=true
ClientCertLoginModule      OPTIONAL     Rule1.getUserFrom=subjectName, Rule1.AttributeName=CN
CreateTicketLoginModule    SUFFICIENT   ume.configuration.active=true
BasicPasswordLoginModule   OPTIONAL
CreateTicketLoginModule    SUFFICIENT   ume.configuration.active=true


SubjectAlternativeName

In this case a rule is configured to get the logon ID from the SubjectAlternativeName extension of the certificate. Certificate extensions are information fields used to expand the original X.509 certificate information standard; they provide additional information about the certificate, such as alternative subject names and the certificate's key usage. The certificate's extensions can be viewed in the Details tab of Internet Explorer's certificate viewer.

To get the user ID from SubjectAlternativeName one must configure Rule<n>.getUserFrom, Rule<n>.OID and Rule<n>.AttributeName.

Rule<n>.getUserFrom
In order for the ClientCertLoginModule to use certificate extensions to authenticate the user, this option must have the value expertMode.

Rule<n>.OID
Each extension has an object identifier (OID), for example:

Extension                 OID
CRLDistributionPoints     2.5.29.31
keyUsage                  2.5.29.15
SubjectAlternativeName    2.5.29.17

The ClientCertLoginModule uses the value of the Rule<n>.OID option to find the extension that identifies the user ID. Only SubjectAlternativeName can be used by the AS Java for this purpose, so Rule<n>.OID should have the value 2.5.29.17.

Rule<n>.AttributeName
The SubjectAlternativeName extension allows additional identities to be bound to the subject of the certificate. It consists of zero or one rfc822Name attribute and zero or more OtherName attributes.

The Rule<n>.AttributeName option of the ClientCertLoginModule is used to determine which attribute of the SubjectAlternativeName to use to identify the user. Rule<n>.AttributeName can be set to rfc822Name or to OID=<ASN.1 OID>:

  • If the value for Rule1.AttributeName is rfc822Name, the ClientCertLoginModule takes as the user ID the first attribute field of type rfc822Name in the SubjectAlternativeName extension.
  • If the value for Rule1.AttributeName is OID=<ASN.1 OID>, the ClientCertLoginModule searches the OtherName attribute fields of the SubjectAlternativeName extension for an attribute with the specified ASN.1 OID. If an OtherName attribute with that OID is found, the ClientCertLoginModule uses its value as the logon ID.

Consider a certificate with the following details:

RFC822 Name=john.doe@sap.com
Other Name: Principal Name=johnnydoe@sapags.com
Other Name: 2.16.756.5.4.2.1.2.5.2 = <some_value>

Using the following login module stack, where the attribute rfc822Name of the extension SubjectAlternativeName (OID 2.5.29.17) is used to determine the user ID, the user ID will be determined to be john.doe@sap.com:

Login Module               Flag         Options
EvaluateTicketLoginModule  SUFFICIENT   ume.configuration.active=true
ClientCertLoginModule      OPTIONAL     ume.configuration.active=true, Rule1.getUserFrom=expertMode, Rule1.OID=2.5.29.17, Rule1.AttributeName=rfc822Name
CreateTicketLoginModule    SUFFICIENT   ume.configuration.active=true
BasicPasswordLoginModule   OPTIONAL
CreateTicketLoginModule    SUFFICIENT   ume.configuration.active=true


Using the following login module stack, where the OtherName attribute with OID 1.3.6.1.4.1.311.20.2.3 (Principal Name) of the extension SubjectAlternativeName is used to determine the logon ID, the logon ID will be johnnydoe@sapags.com:

Login Module               Flag         Options
EvaluateTicketLoginModule  SUFFICIENT   ume.configuration.active=true
ClientCertLoginModule      OPTIONAL     ume.configuration.active=true, Rule1.getUserFrom=expertMode, Rule1.OID=2.5.29.17, Rule1.AttributeName=1.3.6.1.4.1.311.20.2.3
CreateTicketLoginModule    SUFFICIENT   ume.configuration.active=true
BasicPasswordLoginModule   OPTIONAL
CreateTicketLoginModule    SUFFICIENT   ume.configuration.active=true

It is possible to configure multiple rules using the notation Rule<n> with n = 1, 2, 3, ..., and the rules are evaluated in numerical order.
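As an added example (not SAP's code), the following Python models how the rules described on this page select a logon ID: it builds a constructed DER SubjectAlternativeName mirroring the page's sample certificate, parses it, and evaluates Rule<n> options in numerical order, using the OID=<ASN.1 OID> form for OtherName lookups. The subject name is passed pre-parsed as a dict rather than decoded from DER, and the DER handling is reduced to what the sample needs.

```python
def der(tag, body):  # one DER TLV; short-form length is enough for the sample
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):  # dotted OID -> DER contents (base-128 arcs, first two combined)
    arcs = [int(a) for a in dotted.split(".")]
    out = b""
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += bytes(chunk)
    return out

def iter_tlv(buf):  # yield (tag, value) for each short-form TLV in buf
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        yield tag, buf[pos + 2:pos + 2 + length]
        pos += 2 + length

def parse_san(ext_value):  # [(kind, oid_bytes, text)] for the GeneralNames in a SAN
    names = []
    for tag, val in iter_tlv(next(iter_tlv(ext_value))[1]):
        if tag == 0x81:                      # [1] rfc822Name, IA5String
            names.append(("rfc822Name", b"", val.decode("ascii")))
        elif tag == 0xA0:                    # [0] otherName: OID, [0] EXPLICIT value
            (_, oid), (_, wrapped) = list(iter_tlv(val))
            names.append(("otherName", oid, next(iter_tlv(wrapped))[1].decode("utf-8")))
    return names

def apply_rules(rules, cert):  # evaluate Rule1..Rule<n> in numerical order
    for n in sorted({int(k[4:].split(".")[0]) for k in rules if k.startswith("Rule")}):
        opt = lambda name: rules.get("Rule%d.%s" % (n, name))
        user, attr = None, opt("AttributeName") or ""
        if opt("getUserFrom") == "subjectName":
            user = cert["subjectName"].get(attr)
        elif opt("getUserFrom") == "expertMode" and opt("OID") == "2.5.29.17":
            san = parse_san(cert["extensions"]["2.5.29.17"])  # only SAN is supported
            if attr == "rfc822Name":
                user = next((v for k, _, v in san if k == "rfc822Name"), None)
            elif attr.startswith("OID="):
                user = next((v for _, o, v in san if o == encode_oid(attr[4:])), None)
        if user:
            return user          # first rule that yields a logon ID wins
    return None

# Constructed sample: CN=JohnDoe plus a SAN with rfc822Name and a Principal Name otherName.
SAMPLE_SAN = der(0x30, der(0x81, b"john.doe@sap.com")
    + der(0xA0, der(0x06, encode_oid("1.3.6.1.4.1.311.20.2.3"))
        + der(0xA0, der(0x0C, b"johnnydoe@sapags.com"))))
SAMPLE_CERT = {"subjectName": {"CN": "JohnDoe", "O": "SAP-AG", "C": "DE"},
               "extensions": {"2.5.29.17": SAMPLE_SAN}}
```

A rule whose OID is anything other than 2.5.29.17 yields no user, matching the restriction stated above; a rule that finds no matching attribute falls through to the next rule number.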

Related Content

Related Documents

Modifying Client Certificate Authentication Options

Related SAP Notes/KBAs

1799620 - Logs required for analysis of SSL related issues
