Former Member

Configure JAAS login module stack to support x.509 certificates without SSL

I want to use x.509 certificates for authentication against an EP 7.0, but I don’t want to have SSL traffic on the network segment where the portal resides. Obviously the SSL must be terminated in an application gateway that sends the certificate to the portal in the header.

I know that AcceptClientCertWithoutSSL must be set to true in the http provider and that ClientCertificateHeaderName is the name of the header variable that contains the user’s certificate, default is SSL_CLIENT_CERT.

What I don’t know is how to configure my JAAS login module stack, my suggestion would be this:

EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
CertPersisterLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

My concern is: do the ClientCertLoginModule and the CertPersisterLoginModule read from the header variable? If they don’t, is there another login module that should be used in this case?


2 Answers

  • Best Answer
    Former Member
    Dec 20, 2006 at 11:04 AM

    Hi Claus,

    you got the flags right but the options of the login modules (LM) are wrong, so the certificate authentication won't work.

    There are two problems I see: (1) Rule1.getUserFrom is not a valid option for the LM CertPersisterLoginModule, and (2) SSL_CLIENT_CERT is not a valid value for the option Rule1.getUserFrom of the ClientCertLoginModule.

    Looking at this topic:

    http://help.sap.com/saphelp_nw2004s/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm

    the header variable used to pass the certificate is maintained in the HTTP provider service properties but since you use the default you don't need to maintain that part of the config. You also don't need the CertPersisterLoginModule in the config because it is used for automatic certificate mapping, which doesn't work when you don't have SSL to the portal.

    So with the above said your LM stack config should look like this:

    EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

    ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=wholeCert}

    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

    BasicPasswordLoginModule REQUISITE {}

    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}

    If this doesn't work I'd suggest opening a support ticket.

    Regards,

    Yonko

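    The scenario in the question (SSL terminated at a gateway, certificate forwarded to the portal in the SSL_CLIENT_CERT header) only stays safe if the gateway is the sole source of that header: a client that can put its own SSL_CLIENT_CERT value into a request would otherwise be logged on as whoever that certificate names. The following Go program is an added example and is not code from this thread or from SAP; it models both sides of that exchange with constructed certificates. The header name comes from the question; the base64-DER encoding of the header value, the function names and the self-signed test certificates are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// Header name as quoted in the question (default ClientCertificateHeaderName).
// Base64-encoded DER as the header value is an assumption for this example.
const clientCertHeader = "SSL_CLIENT_CERT"

// makeTestCert builds a constructed self-signed certificate for the given CN;
// it stands in for the certificate the gateway's TLS layer would have verified.
func makeTestCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// gatewayHeaders models the TLS-terminating gateway. It discards any value the
// client sent under the header name and sets the header only from the certificate
// its own TLS layer verified (tlsCert == nil means no client certificate was presented).
// Go canonicalises header keys, so Del also removes differently-cased variants.
func gatewayHeaders(fromClient http.Header, tlsCert *x509.Certificate) http.Header {
	out := fromClient.Clone()
	out.Del(clientCertHeader) // a client-supplied value must never reach the portal
	if tlsCert != nil {
		out.Set(clientCertHeader, base64.StdEncoding.EncodeToString(tlsCert.Raw))
	}
	return out
}

// portalUserFromHeader models the portal side: decode the header and return the
// subject CN, the value a whole-certificate mapping would then look up in the UME.
// An absent header is an error so the login stack can fall through to password login.
func portalUserFromHeader(h http.Header) (string, error) {
	v := h.Get(clientCertHeader)
	if v == "" {
		return "", errors.New("no client certificate header present")
	}
	der, err := base64.StdEncoding.DecodeString(v)
	if err != nil {
		return "", fmt.Errorf("header value is not base64: %w", err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", fmt.Errorf("header value is not a DER certificate: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	genuine, _ := makeTestCert("claus")
	forged, _ := makeTestCert("administrator")

	// Constructed request: the client tries to smuggle in its own header value.
	clientHdr := http.Header{}
	clientHdr.Set(clientCertHeader, base64.StdEncoding.EncodeToString(forged.Raw))

	// No TLS client certificate: the smuggled header is stripped, portal sees nothing.
	if _, err := portalUserFromHeader(gatewayHeaders(clientHdr, nil)); err != nil {
		fmt.Println("no certificate:", err)
	}
	// TLS-verified certificate: the portal sees that one and nothing else.
	user, _ := portalUserFromHeader(gatewayHeaders(clientHdr, genuine))
	fmt.Println("portal user:", user)
}
```

    The point of the example is the Del before the Set in gatewayHeaders: with AcceptClientCertWithoutSSL enabled, the portal has no way of telling a gateway-written header from a client-written one, so the gateway must be the only host that can reach the portal's HTTP port and must overwrite the header on every request, including requests without a client certificate.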

  • Former Member
    Dec 20, 2006 at 10:40 AM

    Hi Claus,

    you can just use the standard login module config, as you would use with real SSL based X.509 authentication.

    Please also have a look at the docs (http://help.sap.com/saphelp_nw2004s/helpdata/en/ea/301e3e6217b40be10000000a114084/frameset.htm) for more information, especially about the header variables and their content, as this all needs to be included by an intermediary. You can change the header names as described here (http://help.sap.com/saphelp_nw2004s/helpdata/en/f6/20e5ff18b7354eb7f700bc284552c5/frameset.htm) if necessary.
