
Certificate based client authentication with SSL mutual authentication

Former Member
0 Kudos

Hello

I have to set up Business Objects in a way that users can authenticate themselves with a digital certificate.

Environment: Business Objects XI3.1 sp3 on a Windows server and Tomcat 5.5 as application server.

The user will access Business Objects InfoView. Instead of entering username and password they should be authenticated by their certificate. I was able to set up Tomcat in a way that it requests a client certificate for SSL mutual authentication. How does Tomcat propagate the user information to Business Objects? Do I have to write a new Security Plug-In?

Thank you very much for any help.

Kind Regards

Michael

Accepted Solutions (0)

Answers (2)


martin_eberle
Explorer
0 Kudos

Hi

I have to investigate the same....

Do you already know a solution? If so, I'd like to know.

Do you have a Portal? Then you could route primarily to the Portal with your client cert and redirect afterwards with the SAPSSO2 ticket to BO. This works for sure.

Martin

Former Member
0 Kudos

Let me just add the results of my last progress.

I configured Tomcat to enforce SSL client authentication. I wrote a short servlet to verify how Tomcat propagates the identity to a servlet. I was able to read the subject of the client certificate in the variables REMOTE_USER and USER_PRINCIPAL.

So I've changed the web.xml of the InfoView application so that SSO is enabled and the user is propagated in the variable REMOTE_USER:


    <context-param>
        <param-name>authentication.default</param-name>
        <param-value>secEnterprise</param-value>
    </context-param>

    <context-param>
        <param-name>sso.enabled</param-name>
        <param-value>true</param-value>
    </context-param>

    <context-param>
        <param-name>trusted.auth.user.retrieval</param-name>
        <param-value>REMOTE_USER</param-value>
    </context-param>

I also added an enterprise user who has the same userid as the subject within the client certificate.

Unfortunately all login attempts fail with the error that the user credentials could not be validated and the user is locked, even though the created user is not locked.

Does anybody have any experiences in propagating the user information in the variable REMOTE_USER?
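To see which string actually reaches the trusted-authentication lookup, a small diagnostic servlet (an added example, not the poster's servlet or SAP code; the class name is made up) that prints what Tomcat exposes under SSL client authentication next to the certificate's full subject DN and its CN alone, so each can be compared against the Enterprise user id:

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Diagnostic servlet (hypothetical name): reports the identity strings Tomcat
// exposes after SSL client authentication, for comparison with the user id.
public class ClientCertIdentityServlet extends HttpServlet {
    // Returns the CN of an RFC 2253 distinguished name, or null if absent.
    static String extractCn(String dn) {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // not a parseable DN: fall through and report null
        }
        return null;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Chain verified by Tomcat against its truststore. If it is absent the
        // request did not arrive over mutual TLS and REMOTE_USER is not a
        // certificate-backed identity, so it must not be trusted as one.
        X509Certificate[] chain = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        if (chain == null || chain.length == 0) {
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            out.println("No verified client certificate on this request.");
            return;
        }
        String subjectDn = chain[0].getSubjectX500Principal().getName();
        java.security.Principal p = req.getUserPrincipal();
        out.println("REMOTE_USER:    " + req.getRemoteUser());
        out.println("USER_PRINCIPAL: " + (p == null ? null : p.getName()));
        out.println("Subject DN:     " + subjectDn);
        out.println("CN only:        " + extractCn(subjectDn));
    }
}
```

Whatever this prints for REMOTE_USER is the exact value that `trusted.auth.user.retrieval` set to `REMOTE_USER` hands to Business Objects, and with Tomcat's CLIENT-CERT authentication that is normally the whole subject DN rather than only the CN, so the Enterprise user id has to match that form character for character.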