X509 based logon – 4.2 – User logon with rule based mapping – user name
This configuration is about enabling the user to log on via X.509 and get a valid SAP user assigned by mapping a property from the certificate to an SAP user property. Mapping the user via a wizard is the recommended approach. For this to work, you need to enable certificate mapping and then configure a mapping rule. Compared to the old and deprecated alternative of using a mapping table, you can create one rule that is valid for all users. This is minimizing the administrative effort and makes the X.509 based logon approach feasible for a large number of users.
Configure server
Certificate mapping needs to be enabled by setting a profile parameter.
login/certificate_mapping_rulebased
Check the current value of the parameter.
Tx: RZ11
Default value is 0, meaning disabled. 1 means enabled (like false/true).
To change the profile parameter value, click on “Change Value”. (Or set the value in the instance profile via RZ10).
Set new value to 1
Save to make the change persistent and to activate it. Now NW ABAP is using wizard-based certificate mapping to map X.509 certificates to users.
Configure automatic certificate mapping
Optional pre-requisite
To make it easier for creating the rule, use a user certificate as a template. Let the CA issue a certificate for your user. Transform the PEM certificate to CRT format:
openssl x509 -outform der -in tobias.crt.pem -out tobias.crt
Start the user mapping configuration.
Tx: CERTRULE
Enter edit mode and import your template user certificate.
Click on rule to start defining the mapping rule.
Click on the dropdown in the fields Certificate Attr.
Certificate Attr.: CN=tobias
The subject filter is filled out automatically. The filter is a great source for errors, as the order of the subject must match exactly how NW ABAP is reading the subject from the certificate.
Result
Note that the mapping status is still red. This will only be validated after clicking on Save. Mapping status is validated and changes to green.
3 Comments
Eli · March 17, 2022 at 17:05
Hello, if I have to do this configuration in a SAP EHP1 FOR SAP NETWEAVER 7.0, what transaction should I use for the CERTRULE?
Blog Author · March 18, 2022 at 09:15
First, you might consider upgrading your NW server.
CERTRULE is not available in your release (https://launchpad.support.sap.com/#/notes/3082423) “Transaction CERTRULE does not exist before 7.03”
The note contains the information what you can do: “mapping needs to be done manually through the EXTID_DN transaction”
Best 10 Login/certificate_mapping_rulebased – https://anthienphat.com/en · July 21, 2022 at 23:35
[…] Quote from the source: … […]