The certificate used for mutual authentication includes a common name (CN) that is
extracted and compared to the physical role mapping you create using this CN.
CertificateValidationLoginModule validates the user certificate passed during mutual
certificate authentication. Unlike other methods, it confers no physical roles.
Therefore, the platform administrator must create a logical role mapping. A CN of
a certificate typically looks like:
CN=TechnicalUser, OU=sybase, O=sap
When using the certificate, ensure that the "Validated certificate is identity" property of
CertificateValidationLoginModule is set to true. Also ensure the user maps the entire
subject name to the logical role, instead of only the CN value.
If you are supporting multiple domains, the mapped user name must also include the named
security configuration for either the package the DCN is targeted for or the Admin
security configuration of a Push domain, appended as a @DomainSecurityConfigName suffix.
For example, suppose you have two packages (PKG_A, PKG_B) deployed to two domains (Domain_A, Domain_B)
respectively. PKG_A in Domain_A has been assigned to the DCN security configuration, and
PKG_B in Domain_B has been assigned to the "DCN2SecurityConfig" security configuration.
- A DCN event for PKG_A is authorized with TechnicalUser@DCNSecurity.
- A DCN event for PKG_B is authorized with TechnicalUser@DCN2SecurityConfig.
The mapping state of the SUP DCN User role now changes to MAPPED.