Application Development Discussions
Configure JAAS login module stack to support x.509 certificates without SSL

Former Member

I want to use x.509 certificates for authentication against an EP 7.0, but I don’t want to have SSL traffic on the network segment where the portal resides. Obviously the SSL must be terminated in an application gateway that sends the certificate to the portal in the header.

I know that AcceptClientCertWithoutSSL must be set to true in the HTTP provider and that ClientCertificateHeaderName is the name of the header variable that contains the user’s certificate; the default is SSL_CLIENT_CERT.

What I don’t know is how to configure my JAAS login module stack, my suggestion would be this:

EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
CertPersisterLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

My concern is: do the ClientCertLoginModule and the CertPersisterLoginModule read from the header variable? If they don’t, is there another login module that should be used in this case?
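Added example, not part of the thread and not SAP code: once AcceptClientCertWithoutSSL is true, the SSL_CLIENT_CERT header itself is the credential, so anything that can reach the portal's plain HTTP port and set that header is whoever the header says it is. The two functions below sketch the checks a practitioner wants on each side of that boundary. The gateway drops every client-supplied copy of the header before setting its own from the certificate it verified in its TLS handshake, and the portal side honours the header only on requests arriving from the gateway's addresses (the HTTP provider does not make that origin check for you; a network ACL or a filter like this must). Assumptions that are not on the page: the gateway holds the verified certificate as DER and forwards it base64-encoded (check the encoding the linked SAP documentation expects), the gateway address range 10.0.1.0/24, and the sample certificate bytes, which are constructed and not a real certificate.

```python
"""Header hygiene for a client certificate forwarded by a TLS-terminating gateway."""
import base64
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

CERT_HEADER = "SSL_CLIENT_CERT"             # default ClientCertificateHeaderName from the question
GATEWAY_NETS = [ip_network("10.0.1.0/24")]  # assumed: the addresses the gateway connects from

# Constructed stand-in for a DER-encoded certificate (not a real certificate).
SAMPLE_DER = b"\x30\x0a\x02\x01\x01"


def _is_cert_header(name: str) -> bool:
    # HTTP header names are case-insensitive, and proxies commonly fold '-' and '_'.
    return name.upper().replace("-", "_") == CERT_HEADER


def gateway_upstream_headers(client_headers: Dict[str, str],
                             peer_cert_der: Optional[bytes]) -> Dict[str, str]:
    """Headers the gateway forwards to the portal.

    Every client-supplied copy of the certificate header is dropped first; the
    header is then set only from the certificate the gateway itself verified
    during its TLS handshake (None when the client presented no certificate).
    """
    forwarded = {k: v for k, v in client_headers.items() if not _is_cert_header(k)}
    if peer_cert_der is not None:
        forwarded[CERT_HEADER] = base64.b64encode(peer_cert_der).decode("ascii")
    return forwarded


def portal_cert_from_request(source_ip: str, headers: Dict[str, str]) -> Optional[bytes]:
    """Portal-side check before the header reaches ClientCertLoginModule.

    Returns the DER certificate only if the request came from the gateway and
    the header decodes cleanly; otherwise None, so the request falls through to
    the password login module instead of impersonating the header's subject.
    """
    if not any(ip_address(source_ip) in net for net in GATEWAY_NETS):
        return None
    value = headers.get(CERT_HEADER)
    if not value:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed or non-base64 header
        return None


if __name__ == "__main__":
    # A client that injects its own header, once direct to the portal and once via the gateway.
    spoofed = {"Host": "portal", "ssl-client-cert": "QUJD"}
    print(gateway_upstream_headers(spoofed, None))             # header stripped, no cert presented
    via_gateway = gateway_upstream_headers(spoofed, SAMPLE_DER)
    print(portal_cert_from_request("10.0.1.5", via_gateway))   # the gateway-verified DER bytes
    print(portal_cert_from_request("192.0.2.7", spoofed))      # None: did not come from the gateway
```

The portal-side filter is a model of what the network segment must guarantee, not a substitute for it: if the portal's HTTP port is reachable from anywhere other than the gateway, the header check in the HTTP provider is only as trustworthy as that network path.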

1 ACCEPTED SOLUTION

yonko_yonchev
Active Participant

Hi Claus,

You got the flags right, but the options of the login modules (LM) are wrong, so the certificate authentication won't work.

There are two problems I see: (1) Rule1.getUserFrom is not a valid option for the LM CertPersisterLoginModule, and (2) SSL_CLIENT_CERT is not a valid value for the option Rule1.getUserFrom of the ClientCertLoginModule.

Looking at this topic:

http://help.sap.com/saphelp_nw2004s/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm

the header variable used to pass the certificate is maintained in the HTTP provider service properties, but since you use the default you don't need to maintain that part of the config. You also don't need the CertPersisterLoginModule in the config because it is used for automatic certificate mapping, which doesn't work when you don't have SSL to the portal.

So with the above said your LM stack config should look like this:

EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=wholeCert}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

If this doesn't work I'd suggest opening a support ticket.

Regards,

Yonko
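Added example, not from the thread and not SAP code: the walk-through below applies the standard JAAS control-flag rules (SUFFICIENT, REQUISITE, OPTIONAL) to the stack in the accepted answer, to show why those flags are the right ones. A ticket ends evaluation at the first module; a certificate that maps to a user authenticates via the OPTIONAL ClientCertLoginModule and the SUFFICIENT CreateTicketLoginModule; an absent or unmapped certificate falls through to the REQUISITE password module. The user directory, the certificate-to-user mapping and the request shapes are constructed, and the modules are hypothetical stand-ins for UME; CreateTicketLoginModule is modelled, as an assumption, as succeeding only for a user an earlier module already established.

```python
"""JAAS control-flag walk-through for the login module stack in the accepted answer."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    """Constructed view of one inbound request as the login modules would see it."""
    sso_ticket: Optional[str] = None           # logon ticket cookie, if the browser has one
    header_cert_subject: Optional[str] = None  # subject DN of the cert carried in SSL_CLIENT_CERT
    basic_user: Optional[str] = None           # HTTP Basic credentials, if sent
    basic_password: Optional[str] = None


# Constructed test data standing in for UME: valid tickets, cert-to-user mapping, passwords.
TICKETS = {"ticket-for-claus": "claus"}
CERT_MAP = {"CN=claus,O=example": "claus"}
PASSWORDS = {"claus": "s3cret"}

# A module returns the authenticated user ID or None; `state` mimics the JAAS shared state.
Module = Callable[[Request, Dict[str, str]], Optional[str]]


def evaluate_ticket(req: Request, state: Dict[str, str]) -> Optional[str]:
    return TICKETS.get(req.sso_ticket)


def client_cert(req: Request, state: Dict[str, str]) -> Optional[str]:
    # Stands in for Rule1.getUserFrom=wholeCert: the whole certificate must map to a user.
    return CERT_MAP.get(req.header_cert_subject)


def create_ticket(req: Request, state: Dict[str, str]) -> Optional[str]:
    # Assumption: CreateTicketLoginModule succeeds only for a user an earlier module established.
    user = state.get("user")
    if user:
        state["ticket_issued"] = "yes"
    return user


def basic_password(req: Request, state: Dict[str, str]) -> Optional[str]:
    if req.basic_user and PASSWORDS.get(req.basic_user) == req.basic_password:
        return req.basic_user
    return None


Stack = List[Tuple[str, str, Module]]
STACK: Stack = [
    ("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
    ("ClientCertLoginModule",     "OPTIONAL",   client_cert),
    ("CreateTicketLoginModule",   "SUFFICIENT", create_ticket),
    ("BasicPasswordLoginModule",  "REQUISITE",  basic_password),
    ("CreateTicketLoginModule",   "SUFFICIENT", create_ticket),
]


@dataclass
class Result:
    user: Optional[str]
    trace: List[Tuple[str, str, bool]] = field(default_factory=list)  # (module, flag, succeeded)
    ticket_issued: bool = False


def run_stack(req: Request, stack: Stack = STACK) -> Result:
    """Apply the standard JAAS control-flag rules to `stack` for one request."""
    state: Dict[str, str] = {}
    trace = []
    required_failed = False
    any_success = False
    for name, flag, module in stack:
        user = module(req, state)
        ok = user is not None
        trace.append((name, flag, ok))
        if ok:
            any_success = True
            state.setdefault("user", user)
        if flag in ("REQUIRED", "REQUISITE"):
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break        # a failed REQUISITE module ends the walk immediately
        elif flag == "SUFFICIENT" and ok and not required_failed:
            break                # a successful SUFFICIENT module ends the walk with success
        # OPTIONAL modules and failed SUFFICIENT modules: keep walking
    issued = state.get("ticket_issued") == "yes"
    if required_failed or not any_success:
        return Result(None, trace, issued)
    return Result(state["user"], trace, issued)


def with_flag(stack: Stack, module_name: str, flag: str) -> Stack:
    """Copy of `stack` with every entry named `module_name` given a different control flag."""
    return [(n, flag if n == module_name else f, m) for n, f, m in stack]


if __name__ == "__main__":
    for label, req in [("ticket", Request(sso_ticket="ticket-for-claus")),
                       ("mapped cert", Request(header_cert_subject="CN=claus,O=example")),
                       ("unmapped cert", Request(header_cert_subject="CN=mallory,O=example")),
                       ("password", Request(basic_user="claus", basic_password="s3cret"))]:
        r = run_stack(req)
        print(f"{label}: user={r.user} ticket_issued={r.ticket_issued} modules_run={len(r.trace)}")
```

The OPTIONAL flag on ClientCertLoginModule is what makes a missing or unmapped certificate fall through to the password prompt rather than failing the logon; changing it to REQUISITE (the `with_flag` helper does this) locks out every user who has no mapped certificate, which is the behaviour the accepted answer's flags avoid.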

2 REPLIES

Former Member

Hi Claus,

You can just use the standard login module config, as you would use with real SSL-based X.509 authentication.

Please also have a look at the docs (http://help.sap.com/saphelp_nw2004s/helpdata/en/ea/301e3e6217b40be10000000a114084/frameset.htm) for more information, especially about the header variables and their content, as this all needs to be included by an intermediary. You can change the header names as described here (http://help.sap.com/saphelp_nw2004s/helpdata/en/f6/20e5ff18b7354eb7f700bc284552c5/frameset.htm) if necessary.
