Hello,
I have set up X.509 to ABAP systems using the secure login client, X.509 for access to Web Dynpros (EXTID_DN) and X.509 certification to AS Java several times and it worked so far.
We have decided to change the BI Portal to use the ABAP datasource, so that users can log on with the ABAP password to the portal. The logon works but the certificate authentication does not work anymore. When I start the portal in the browser using http, the logon page comes up with username and password and a link to certificate logon below that. When I click on the certificate link, the browser switches to https but only displays username and password and not the usual "...the user ID needs to be mapped to certificate...".
When I look at the trace it shows this:
Login Module                                                              Flag        Initialize  Login  Commit  Abort  Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule            SUFFICIENT  ok          false  false
    #1 trusteddn1 = CN=XXX
    ....
    #6 trustediss1 = CN=XXX
    ....
    #11 trustedsys1 = XXX,000
    #16 ume.configuration.active = true
2. com.sap.engine.services.security.server.jaas.ClientCertLoginModule     OPTIONAL    ok          false  false
    #1 Rule1.getUserFrom = wholeCert
3. com.sap.security.core.server.jaas.CreateTicketLoginModule              SUFFICIENT  ok          false  false
    #1 ume.configuration.active = true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule  REQUISITE   ok          true   true
5. com.sap.security.core.server.jaas.CertPersisterLoginModule             OPTIONAL    ok          true   true
6. com.sap.security.core.server.jaas.CreateTicketLoginModule              OPTIONAL    ok          true   true
    #1 ume.configuration.active = true
Central Checks true
Logon policies are disabled
But it is informational; no warnings or errors appear in the trace.
I tried to set the ume.usermapping.x509_mapping.attribute to uniquename in the configuration (expert mode) of the Identity Management but to no avail.
I tried to find more information on the web and SMP but did not succeed.
Could anyone give me some ideas what needs to be changed? Obviously the main cause is that the users do not exist in the portal anymore and hence no certificates can be mapped to them. The certificates are maintained in SAP transaction EXTID_DN but the AS Java does not make use of them.
Regards
Andreas