Configuring SAP Mobile Platform Server Certificate-based Authentication with a Reverse Proxy

Configure SAP Mobile Platform to allow certificate-based authentication when a reverse proxy at the network edge handles client requests and terminates SSL before the requests reach SAP Mobile Platform Server.

The user's certificate arrives at SAP Mobile Platform Server in an SSL_CLIENT_CERT HTTP header, and you must configure SAP Mobile Platform to trust that header during authentication. Because any HTTP client could send such a header, trust is established by requiring mutual certificate authentication between the reverse proxy and SAP Mobile Platform, where the reverse proxy presents a technical user certificate signed by a CA in the SAP Mobile Platform truststore. The reverse proxy must set the header itself from the client certificate it validated, and must not forward an SSL_CLIENT_CERT header supplied by the client.

You must then ensure that the technical user is in the Impersonator role. Once these requirements are met, SAP Mobile Platform processes the SSL_CLIENT_CERT header and trusts the certificate it contains.

  1. Add the X.509 User Certificate security provider to validate the user certificate presented over the HTTPS connection.
    1. In the Management Cockpit, select Settings.
    2. In Security Profiles, select the security profile to be used by the application to authenticate the user.
    3. Under Authentication Providers, click New.
    4. Select X.509 User Certificate security provider from the list, then click Create.
    5. Configure the values (see X.509 User Certificate Configuration Properties), and click Save.
    6. Click OK, then click Save.
  2. Update the corresponding role mapping file and map the Impersonator logical role to the subject DN of the certificate that the reverse proxy at the network edge presents to SAP Mobile Platform. This step is required so that the reverse proxy can be trusted to have validated the end-user certificate presented to it over the mutually authenticated connection that the client establishes to the network edge.
    <DefaultMapping>
      <LogicalName>Impersonator</LogicalName>
      <MappedName>Impersonator</MappedName>
      <MappedName>user:EMAILADDRESS=john.doe@sap.com, CN=reverse_proxy_user,OU=SMP, O=SAPAG, ST=CA, C=US</MappedName>
    </DefaultMapping>
  3. Obtain a valid signed server certificate for your SAP Mobile Platform Server.
  4. Import the certificate into the keystore using the "smp_crt" alias.
    1. Also import the CA certificate that signs the client certificates into smp_keystore.jks as a trusted CA certificate, so that SAP Mobile Platform can validate client certificates later. The CA that signed the reverse proxy technical user certificate must likewise be in the SAP Mobile Platform truststore.
  5. Restart SAP Mobile Platform Server.
    Note: The <MappedName> value in the role mapping file must exactly match the DN that SAP Mobile Platform extracts from the reverse proxy technical user certificate, including letter case and spacing. The easiest way to ensure an exact match is to set the security logging level to DEBUG in the Management Cockpit, then attempt a client connection through the reverse proxy. The server log then shows the DN from the reverse proxy certificate exactly as SAP Mobile Platform sees it. Copy it from the log file into the role-mapping file and restart the server. If the role mapping is not an exact match, the Impersonator role is not granted, SAP Mobile Platform does not trust the SSL_CLIENT_CERT header, and it refuses to execute the request in the context of the mobile user.
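The following script models the trust decision this procedure sets up, so you can see why the exact-match rule in the note matters. It is an added example, not SAP code: the role-mapping fragment is the one from step 2, while the DNs, the header value, the status strings and the placeholder certificate bytes are constructed for illustration. It parses the Impersonator mapping, accepts the SSL_CLIENT_CERT header only when the TLS peer's subject DN matches a mapped name character for character, and includes a helper that points at the first differing character between a MappedName and the DN as printed in the DEBUG log.

```python
"""Model of the SSL_CLIENT_CERT trust decision described in this procedure.

Added example, not SAP code: the role-mapping parsing and the DN comparison
are written here to illustrate the rule in the text. The mapping fragment is
the one shown in step 2; the DNs, the header value and the certificate blob
are constructed inputs.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Role-mapping fragment from step 2: the Impersonator logical role is mapped to
# the Impersonator physical role and to the reverse proxy technical user DN.
ROLE_MAPPING_XML = """
<DefaultMapping>
  <LogicalName>Impersonator</LogicalName>
  <MappedName>Impersonator</MappedName>
  <MappedName>user:EMAILADDRESS=john.doe@sap.com, CN=reverse_proxy_user,OU=SMP, O=SAPAG, ST=CA, C=US</MappedName>
</DefaultMapping>
"""

# Constructed inputs. PROXY_DN is the DN as the server would print it at DEBUG
# level; NEAR_MISS_DN is the same subject with one extra space after a comma.
PROXY_DN = "EMAILADDRESS=john.doe@sap.com, CN=reverse_proxy_user,OU=SMP, O=SAPAG, ST=CA, C=US"
NEAR_MISS_DN = "EMAILADDRESS=john.doe@sap.com, CN=reverse_proxy_user, OU=SMP, O=SAPAG, ST=CA, C=US"
# Constructed placeholder DER SEQUENCE standing in for the end user's certificate.
PLACEHOLDER_DER = bytes.fromhex("3003020101")
SSL_CLIENT_CERT = ("-----BEGIN CERTIFICATE----- "
                   + base64.b64encode(PLACEHOLDER_DER).decode()
                   + " -----END CERTIFICATE-----")

USER_PREFIX = "user:"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def impersonator_dns(mapping_xml: str) -> set:
    """Subject DNs (the user: entries) mapped to the Impersonator logical role.

    Deliberately no normalisation: the server compares the mapped name with the
    DN it extracted from the proxy certificate character for character.
    """
    root = ET.fromstring(mapping_xml.strip())
    dns = set()
    for mapping in root.iter("DefaultMapping"):
        if mapping.findtext("LogicalName") != "Impersonator":
            continue
        for mapped in mapping.findall("MappedName"):
            name = mapped.text or ""
            if name.startswith(USER_PREFIX):
                dns.add(name[len(USER_PREFIX):])
    return dns


def header_certificate_der(header_value: str) -> Optional[bytes]:
    """DER bytes of the PEM certificate carried in SSL_CLIENT_CERT, or None.

    Proxies commonly replace the PEM line breaks with spaces or tabs when they
    put the certificate into a header, so whitespace is stripped before decoding.
    """
    match = PEM_RE.search(header_value)
    if not match:
        return None
    try:
        der = base64.b64decode(re.sub(r"\s+", "", match.group(1)), validate=True)
    except (binascii.Error, ValueError):
        return None
    # An X.509 certificate is a DER SEQUENCE (tag 0x30); anything else is rejected.
    return der if der[:1] == b"\x30" else None


def evaluate_request(tls_client_dn: Optional[str], headers: dict,
                     mapping_xml: str = ROLE_MAPPING_XML) -> tuple:
    """Decide whether SSL_CLIENT_CERT may be used to impersonate the mobile user.

    tls_client_dn is the subject DN of the certificate presented on the mutually
    authenticated connection to the server (None when the peer sent none, e.g.
    a client that bypassed the proxy and forged the header). Returns a status
    and, only when the header is trusted, the certificate to hand to the X.509
    User Certificate provider for validation.
    """
    header = headers.get("SSL_CLIENT_CERT")
    if header is None:
        return "no-header", None  # ordinary request, normal authentication applies
    if tls_client_dn is None:
        return "rejected-no-proxy-certificate", None
    if tls_client_dn not in impersonator_dns(mapping_xml):
        return "rejected-proxy-not-impersonator", None
    der = header_certificate_der(header)
    if der is None:
        return "rejected-malformed-header", None
    return "trusted", der


def first_mismatch(mapped_name: str, logged_dn: str) -> Optional[int]:
    """Index of the first character where a MappedName (without the user:
    prefix) differs from the DN printed in the DEBUG log, or None if equal.
    Points at the stray space or case difference that silently drops the role.
    """
    for i, (a, b) in enumerate(zip(mapped_name, logged_dn)):
        if a != b:
            return i
    return None if len(mapped_name) == len(logged_dn) else min(len(mapped_name), len(logged_dn))


if __name__ == "__main__":
    for dn in (PROXY_DN, NEAR_MISS_DN, None):
        print(dn, "->", evaluate_request(dn, {"SSL_CLIENT_CERT": SSL_CLIENT_CERT})[0])
    print("first mismatch at index", first_mismatch(PROXY_DN, NEAR_MISS_DN))
```

Running the script shows the proxy DN copied verbatim from the mapping being trusted, the near-miss DN (one extra space) being rejected, and a direct connection with no proxy certificate being rejected even though it carries a well-formed header. The real server does the comparison in its security subsystem rather than in application code; the point of the model is that nothing in the header itself is trusted until the mutually authenticated peer has been mapped to Impersonator.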
Related concepts
X.509 Certificate Authentication
Single Sign-on for SAP
Single Sign-on Authentication
Preparing Your SAP Environment for Single Sign-on
Related reference
X.509 User Certificate Configuration Properties