X.509 User Certificate Configuration Properties

The X.509 User Certificate provider enables mutual authentication. Use this provider when client certificates are authenticated by the container, that is, when the HTTPS listener performs the TLS client-certificate handshake and hands the certificate to the security profile.

Description

X.509 User Certificate can be combined with other providers that support certificate authentication (for example, Directory Service (LDAP/AD)) by placing X.509 User Certificate before those providers in the security profile's provider list. Use this provider to validate client certificates only when the HTTPS listeners are configured for mutual authentication; on a listener that does not request a client certificate there is nothing for it to validate. Add and configure provider properties for X.509 User Certificate, or accept the default settings.

Properties

X.509 User Certificate Properties

Property: Control Flag
Default Value: Optional
Description: Indicates how the security provider is used in the login sequence (standard JAAS login-module semantics).
  • Optional – the provider is not required. Whether it succeeds or fails, authentication proceeds down the provider list.
  • Sufficient – the provider is not required. If it succeeds, control returns to the application immediately (unless an earlier Required or Requisite provider failed); if it fails, authentication proceeds down the provider list.
  • Required – the provider is required. Whether it succeeds or fails, authentication proceeds down the provider list, but the overall login fails if this provider failed.
  • Requisite – the provider is required. If it succeeds, authentication proceeds down the provider list; if it fails, control returns to the application immediately and the login fails.

Property: Description
Default Value: None
Description: (Optional) A meaningful string that describes the provider's usage.

A description makes it easier to differentiate between multiple instances of the same provider type; for example, when you have multiple authentication providers of the same type stacked in a security profile, and each targets a different repository.

Property: Validated Certificate Is Identity
Default Value: False
Description: (Optional) Whether the subject of the validated certificate becomes the authenticated user ID. Leave this false when X.509 User Certificate is stacked with another provider (for example, Directory Service) that establishes the user identity from the validated certificate; set it to true only when this provider alone is meant to supply the identity.

Property: Validate Cert Path
Default Value: True
Description: If true, performs certificate chain validation, starting with the certificate being validated: verifies that the certificate is valid and was issued by a trusted certificate authority (CA). If the issuer is not itself a trusted CA, the provider looks up the issuer's certificate in turn and verifies it in the same way, building up the path until it reaches a CA that is in the trusted certificate store. If the trusted store contains none of the issuers in the chain, path validation fails and authentication fails with it. If false, the provider performs no chain validation of its own.

Property: Enable Revocation Checking
Default Value: False
Description: (Optional) Enables Online Certificate Status Protocol (OCSP) checking of the client certificate during user authentication. If you enable this option, you must also enable OCSP in SAP Mobile Platform Server; the provider uses the OCSP configuration properties defined in SMP_HOME\sapjvm_7\jre\lib\security\java.security. A revoked certificate results in authentication failure only when both of the following hold:
  • Revocation checking is enabled, and
  • OCSP properties are configured correctly.
With the default value (false), this provider does not reject a revoked certificate; check whether anything else in the chain (the listener or a reverse proxy) does before relying on revocation.

Property: key:value Pair
Default Value: None
Description: Attributes identified using an arbitrary name, where the key is the name and the value is the content.

Custom properties can be used to specify CRL URLs. Name them crl.1, crl.2, crl.3, and so on; the value of each property is a URL that returns content java.security.cert.CertificateFactory.generateCRLs can parse (a DER- or Base64-encoded X.509 CRL, or a PKCS#7 set of CRLs).

Note: SAP Mobile Platform also supports ldap:// URLs for these properties.

For more information, see http://docs.oracle.com/javase/7/docs/api/java/security/cert/CertificateFactory.html.
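What the chain and revocation settings above amount to underneath, as an added example written for this page rather than SAP Mobile Platform code: it builds a PKIX path from the client's chain to an anchor in the trust store (Validate Cert Path), loads the crl.1, crl.2, ... URLs through CertificateFactory.generateCRLs as the CRL store, turns revocation checking on together with the same ocsp.enable switch the server reads from java.security (Enable Revocation Checking), and returns the subject DN that would become the user ID (Validated Certificate Is Identity). The class name, the command-line arguments and the crl.properties file are assumptions; the JDK APIs are the standard ones.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Added example, not SMP code: the JDK PKIX machinery behind "Validate Cert Path",
// "Enable Revocation Checking" and the crl.N properties. Class name, arguments and
// the crl.properties file are assumptions.
public class ClientCertPathCheck {

    // Fetch every CRL named by crl.1, crl.2, ... in order, stopping at the first gap.
    // Only http(s):// is fetched here; the ldap:// form the server accepts would need
    // the JNDI-based "LDAP" CertStore instead (assumption about the server's mechanism).
    static List<CRL> loadCrls(Properties props, CertificateFactory cf) throws Exception {
        List<CRL> crls = new ArrayList<>();
        for (int i = 1; props.getProperty("crl." + i) != null; i++) {
            try (InputStream in = new URL(props.getProperty("crl." + i)).openStream()) {
                // generateCRLs parses DER or Base64; a PKCS#7 set may hold several CRLs.
                crls.addAll(cf.generateCRLs(in));
            }
        }
        return crls;
    }

    // Validate an end-entity-first chain against the trust store and return the
    // subject DN of the client certificate, i.e. the value that becomes the user ID
    // when "Validated Certificate Is Identity" is true.
    static String validate(List<X509Certificate> chain, KeyStore trustStore,
                           List<CRL> crls, boolean revocation) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Every trustedCertEntry in the key store becomes a trust anchor.
        PKIXParameters params = new PKIXParameters(trustStore);
        // JDK default is true; the provider's default property value is false,
        // in which case a revoked certificate is not rejected here.
        params.setRevocationEnabled(revocation);
        if (revocation && !crls.isEmpty()) {
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(crls)));
        }
        // The CertPath must not contain the anchor itself; drop it if the client sent it.
        List<X509Certificate> path = new ArrayList<>(chain);
        while (path.size() > 1
                && trustStore.getCertificateAlias(path.get(path.size() - 1)) != null) {
            path.remove(path.size() - 1);
        }
        CertPath certPath = cf.generateCertPath(path);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        // Throws CertPathValidatorException for an untrusted issuer, an expired or
        // revoked certificate, or a chain that never reaches a CA in the trust store.
        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) cpv.validate(certPath, params);
        System.out.println("anchored at "
                + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        return path.get(0).getSubjectX500Principal().getName();
    }

    // java ClientCertPathCheck truststore.jks <password> chain.pem crl.properties
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        Properties props = new Properties();   // e.g. crl.1=http://..., crl.2=http://...
        try (InputStream in = new FileInputStream(args[3])) {
            props.load(in);
        }
        // The same switch the server reads from java.security: with ocsp.enable=true
        // the PKIX revocation checker tries OCSP first and falls back to the CRLs above.
        Security.setProperty("ocsp.enable", "true");
        try {
            String dn = validate(chain, ks, loadCrls(props, cf), true);
            System.out.println("accepted; identity would be " + dn);
        } catch (CertPathValidatorException e) {
            System.out.println("rejected at chain index " + e.getIndex()
                    + ": " + e.getReason() + " (" + e.getMessage() + ")");
        }
    }
}
```

One difference from the provider's description is worth knowing when you test this: with revocation enabled but neither a reachable OCSP responder nor a CRL covering the issuer, the JDK's PKIX validator fails closed with reason UNDETERMINED_REVOCATION_STATUS rather than accepting the certificate, so a misconfigured OCSP responder URL shows up here as a rejection of every client, not as silently accepted revoked certificates.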

Related concepts
X.509 User Certificate Provider
X.509 Certificate Authentication
Single Sign-on for SAP
Single Sign-on Authentication
Preparing Your SAP Environment for Single Sign-on
Related tasks
Creating and Configuring Security Profiles
Mapping a Logical Role to a Physical Role
Enabling OCSP
Configuring SAP Mobile Platform Server Certificate-based Authentication with a Reverse Proxy