X509 based logon – 4.2 – User logon with rule based mapping – user name

Published by Tobias Hofmann on

4 min read

This configuration is about enabling the user to log on via X.509 and get a valid SAP user assigned by mapping a property from the certificate to an SAP user property. Mapping the user via a wizard is the recommended approach. For this to work, you need to enable certificate mapping and then configure a mapping rule. Compared to the old and deprecated alternative of using a mapping table, you can create one rule that is valid for all users. This is minimizing the administrative effort and makes the X.509 based logon approach feasible for a large number of users.

Configure server

Certificate mapping needs to be enabled by setting a profile parameter.


Check the current value of the parameter.

Tx: RZ11

Default value is 0, meaning disabled. 1 means enabled (like false/true).

To change the profile parameter value, click on “Change Value”. (Or set the value in the instance profile via RZ10).

Set new value to 1

Save to make the change persistent and to activate it. Now NW ABAP is using wizard-based certificate mapping to map X.509 certificates to users.

Configure automatic certificate mapping

Optional pre-requisite

To make it easier for creating the rule, use a user certificate as a template. Let the CA issue a certificate for your user. Transform the PEM certificate to CRT format:

openssl x509 -outform der -in tobias.crt.pem -out tobias.crt

Start the user mapping configuration.


Enter edit mode and import your template user certificate.

Click on rule to start defining the mapping rule.

Click on the dropdown in the fields Certificate Attr.

Certificate Attr.: CN=tobias

The subject filter is filled out automatically. The filter is a great source for errors, as the order of the subject must match exactly how NW ABAP is reading the subject from the certificate.


Note that the mapping status is still red. This will only be validated after clicking on Save. Mapping status is validated and changes to green.

Let the world know

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.


Eli · March 17, 2022 at 17:05

Hello, if I have to do this configuration in a SAP EHP1 FOR SAP NETWEAVER 7.0, what transaction should I use for the CERTRULE?

    Blog Author · March 18, 2022 at 09:15

    First, you might consider upgrading your NW server.
    CERTRULE is not available in your release (https://launchpad.support.sap.com/#/notes/3082423) “Transaction CERTRULE does not exist before 7.03”

    The note contains the information what you can do: “mapping needs to be done manually through the EXTID_DN transaction”

Best 10 Login/certificate_mapping_rulebased – https://anthienphat.com/en · July 21, 2022 at 23:35

[…] Quote from the source: … […]

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.