Because DCN requests are handled by the WebContainer, you must configure your
HTTPS listener accordingly. Considerations to bear in mind include:
- If you choose a *_mutual version of a profile, you must provide
your own production-ready certificate. Then you must further create a security
configuration in addition to this profile, that handles authentication requests
with the CertificateValidationLoginModule. This login module inspects the client
certificate to ensure it is signed by a trusted CA, has not expired, and
optionally has not been revoked via OCSP or CRL checks. If the certificate is
valid, SAP Mobile Server extracts the certificate
subject, and that becomes the authenticated principal name for the user. The user
must also be in the corresponding DCN User logical role. See Enabling Authorization of DCNs and Certificate
Validation Properties.
- If you choose a non-mutual version of the profile, then know that
the client sends BASIC (username/password) credentials. Create a security
configuration that uses any module that can authenticate users with that sort of
credentials, as well as retrieve physical role membership from the backend
security store.
Note: If you are connecting with Online Data Proxy or
DOE-C, then each type of connection requires it's own
security profile, and the DCN listener profile should not be used in this
case.
For details about configuring a new security
profile for a custom HTTPS listener for DCN, see