Problem: When registering application connections, you notice that the registered
user name differs depending on the channel, even though the same client
certificate is provided: HttpChannel with mutual SSL authentication produces one
user name, and the messaging server (sometimes called iMO) produces another.
- When registering an application connection through the HTTP Channel by
mutual SSL authentication (providing the client certificate), the registered
username is the entire distinguished name (DN) of the certificate, such as
CN=SMPUSER,OU=SSL Server,O=SAP-AG,C=DE@admin.
- When registering an application connection through the messaging server
(iMO) by providing the same client certificate, the registered username is
the common name (CN) of the certificate, such as "SMPUSER".
Explanation: The reasons for these differences:
- Different ways of providing the client certificate:
  - HttpChannel mutual SSL authentication – the client
    certificate is provided to establish a two-way SSL connection between
    client and server.
  - Messaging service (sometimes called iMO) – the signed cert
    blob is used as the password, and the CN is extracted from the
    certificate and is used as the username.
- Different CSI authentication login modules used on the server:
  - HttpChannel mutual SSL authentication – the
    CertificateValidationLoginModule is used to
    authenticate the certificate retrieved from the transport level. The
    entire DN is used as the username to identify the user.
  - Messaging service (iMO) – the
    CertificateAuthenticationLoginModule is used
    to authenticate the username and password (the signed cert
    blob).
Solution: None - works as designed.
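
When auditing registrations, the two user names can be correlated by extracting the CN from the DN-form name. The following Python sketch is an added example, not code from the product; it assumes the text after the last "@" (as in "@admin" above) is a suffix appended by the server, and all function names are hypothetical.

```python
import re

# From the page: the username registered through the HTTP channel.
PAGE_HTTP_NAME = "CN=SMPUSER,OU=SSL Server,O=SAP-AG,C=DE@admin"
# Constructed sample: a CN that contains an escaped comma.
CONSTRUCTED_NAME = r"OU=Ops,CN=Doe\, Jane,C=DE@admin"

def split_rdns(dn):
    """Split a DN on unescaped, unquoted ',' or '+' into 'TYPE=value' parts."""
    parts, cur, escaped, quoted = [], [], False, False
    for ch in dn:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch in ",+" and not quoted:
            parts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def split_registered_name(username):
    """Return (dn, suffix); suffix is None when no trailing '@suffix' is found.
    Assumption: a suffix holds no '=' or ','. A DN that ends in an e-mail
    attribute is ambiguous under this rule."""
    dn, sep, suffix = username.rpartition("@")
    if sep and dn and "=" not in suffix and "," not in suffix:
        return dn, suffix
    return username, None

def common_name(username):
    """Return the first CN value of a DN-form username, or None if absent.
    Backslash escapes are undone; hex-pair escapes (\\2C) are not decoded."""
    dn, _ = split_registered_name(username)
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().upper() == "CN":
            return re.sub(r"\\(.)", r"\1", value.strip().strip('"'))
    return None

def cn_matches(http_name, messaging_name):
    """True when the HTTP-channel name's CN equals the messaging-channel name."""
    return common_name(http_name) == messaging_name
```

A CN match is weaker than a DN match: two certificates with different DNs but the same CN map to the same messaging-channel user name.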