X509 based logon – 4.2 – User logon with rule based mapping – user name
This configuration is about enabling the user to log on via X.509 and get a valid SAP user assigned by mapping a property from the certificate to an SAP user property. Mapping the user via a wizard is the recommended approach. For this to work, you need to enable certificate mapping and then configure a mapping rule. Compared to the old and deprecated alternative of using a mapping table, you can create one rule that is valid for all users. This is minimizing the administrative effort and makes the X.509 based logon approach feasible for a large number of users.
Certificate mapping needs to be enabled by setting a profile parameter.
Check the current value of the parameter.
Default value is 0, meaning disabled. 1 means enabled (like false/true).
To change the profile parameter value, click on “Change Value”. (Or set the value in the instance profile via RZ10).
Set new value to 1
Save to make the change persistent and to activate it. Now NW ABAP is using wizard-based certificate mapping to map X.509 certificates to users.
Configure automatic certificate mapping
To make it easier for creating the rule, use a user certificate as a template. Let the CA issue a certificate for your user. Transform the PEM certificate to CRT format:
openssl x509 -outform der -in tobias.crt.pem -out tobias.crt
Start the user mapping configuration.
Enter edit mode and import your template user certificate.
Click on rule to start defining the mapping rule.
Click on the dropdown in the fields Certificate Attr.
Certificate Attr.: CN=tobias
The subject filter is filled out automatically. The filter is a great source for errors, as the order of the subject must match exactly how NW ABAP is reading the subject from the certificate.
Note that the mapping status is still red. This will only be validated after clicking on Save. Mapping status is validated and changes to green.