Mapping Client Certificates to Users
When you set up the portal for authentication with X.509 client certificates, each portal user must be associated with a certificate, so that when the user starts the portal and presents his or her client certificate, the portal grants access to the corresponding user.
Optionally, users’ client certificates can be stored as an attribute of the user in the LDAP directory. To configure this, you must map the relevant attributes. For more information, see Attribute Mapping for Client Certificates.
If users do not have a client certificate in their user data, their certificates must be mapped to their user IDs. There are two options for this. Either the administrator maps users’ certificates to portal user IDs, or users map their certificate the first time they log on to a portal that has been set up for certificates. This procedure describes how an administrator maps client certificates to users.
· To accept client certificates, the portal must be configured accordingly. For details, see the Portal Platform Security Guide → Authentication → Authentication Using Client Certificates.
· You have administrator rights in the portal.
· In user management properties, the property ume.logon.allow_cert must be set to TRUE.

ume.logon.allow_cert=TRUE
1. Start the user management administration console.
2. In the user profile of the user for which you wish to map a certificate, choose Modify.
3. In the section on Certificates, choose Add.
The Certificate dialog box appears.
4. Paste the content of the certificate that you wish to map to the user in the text area.
The content must be in base-64 encoded X.509 (.CER) format.

To get the content of the certificate, open the certificate (usually a .CER file) in a simple text editor such as Notepad and copy the contents of the file. The certificate must be in base-64 encoded X.509 (.CER) format.

The following is an example of a certificate in base-64 encoded format:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
5. Choose Import Users.
The certificate that you have imported is displayed.
6. Choose Goto confirm.
7. Choose Save Changes.
You have mapped a certificate to a user. The next time the user starts the portal, if the browser presents the user’s certificate to the portal, he or she is logged on to the portal.
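
A pre-check for step 4, as an added example that is not part of the original documentation: it accepts a .CER file in either binary or base-64 encoding, rejects truncated or multi-certificate input, and returns the base-64 text to paste together with a SHA-256 fingerprint. Comparing that fingerprint with one obtained from the user before mapping is an assumption added here, as are the function names and the constructed `SAMPLE_DER` bytes.

```python
import base64
import binascii
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-in with a valid outer DER header; NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)


def der_total_length(der: bytes) -> int:
    """Total size announced by the outer ASN.1 SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not DER: an X.509 certificate starts with SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                       # short form: length in one byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def prepare_for_mapping(raw: bytes) -> tuple[str, str]:
    """Accept PEM or binary DER .CER bytes; return (pem_text, sha256_fingerprint)."""
    blocks = PEM_RE.findall(raw.decode("ascii", errors="ignore"))
    if len(blocks) > 1:
        raise ValueError("file holds several certificates; map exactly one")
    if blocks:
        try:
            der = base64.b64decode("".join(blocks[0].split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("corrupt base-64 body") from exc
    else:
        der = raw                          # no PEM armor: treat as binary DER
    if der_total_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 64, 2))
    return ssl.DER_cert_to_PEM_cert(der), fingerprint


if __name__ == "__main__":
    pem, fp = prepare_for_mapping(SAMPLE_DER)
    print(fp)
    print(pem)
```

The length check only confirms that the outer structure is complete; it does not validate the certificate's signature, issuer or validity period.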

If your client certificate has been mapped to a user, but you do not want to be logged on with your certificate, you can set up your browser to prompt you to confirm your certificate. If you do not confirm, your certificate is not sent and you can log on with user ID and password. This may be useful if you need to log on as two different users (administrator and end user, for example) from the same client machine.
For example, to set this up in Microsoft Internet Explorer, proceed as follows:
i. Choose Tools → Internet Options → Security → Custom Level.
ii. Set the setting "Don't prompt for client certificate selection when no certificate or only one certificate exists" to Disable.
The next time you try to access an SSL-enabled portal or other Web site, a dialog box listing the certificates in your browser will appear, and the browser will ask you to confirm that you wish one of the certificates to be sent. If you choose Cancel, no certificate is sent and you can log on with user ID and password.
