Certificates in UME

Similar Messages

• User mapping certificate in UME (J2EE) with ABAP system as Backend (SNC)

  I hope someone can help me with the user mapping concept (X.509 V3 certificates) for both "worlds" (ABAP and JAVA Stack).
  I know how to install and configure certificate based (X.509) login to SAP ABAP and SAP JAVA (J2EE) Stack (--> enable encryption for communication and Single Sign On).
  Situation:
  We have a ready installed and configured X.509 certificate authentication environment for the ABAP world (between SAP GUI and SAP Server System)
  and the user mapping was configured in the ABAP System (SU01). As the users are using certificates, the passwords are deactivated on the ABAP System.
  Now if you want to integrate a JAVA (J2EE) Sytem and you want to configure the UME to the ABAP System (as Backend), you have an administrative effort problem with the user mapping (X.509) in the UME configuration.
  1.) It is possible to assign manually the user public key to every user --> But to much effort
  2.) As the user does not have a password (deactivated in the ABAP system), the way to combine the automatic mapping with a user login does not work.
  3.) In the distinguished name of the user certificate there is no information about the SAP username itself
      --> you are not able to use any information of the DN to bind a user in the Login Module configuration.
  Now my question:
  Is it possible to use the sncname information from the ABAP System (still configured and available) for the UME configuration?
  As i know, it is possible to write an own Login Module. Does anybody has a customized Login module for this issue?
  At the end the best solution would be to enable the same user mapping mechanism on the JAVA world as on the ABAP world. --> Mapping the Distinguished Name to the SAP User

  We have developed a login module which is working with Kerberos auth, not x.509 auth, but still solves a very similar problem to the problem you are describing. As you know, when SNC is used to logon to ABAP stack, the SNC name of the user is mapped onto a SAP user via entries in the USRACL table. Our mapping login module takes the authenticated user principal name from the shared state and uses this to lookup the entry in USRACL table on ABAP stack, and from this it will know which SAP user  to use, and can update shared state with this info so that CreateTicketLoginModule will created an SSO2 ticekt for the mapped SAP user id.
  This means that mapping of users externally authetnicated identity onto SAP user/client can be managed in one place, e.g in ABAP stack using USRACL table entires and su01 t-code etc.
  I know it is not exactly what you wanted, since you are looking to use x.509 certifiates instead of Kerberos authentication, but I thought it was worth sharing so that you know the concept has already been implemeneted many times. Many of our customers use this login module when they have our product, for the same reasons that you have stated.
  Thanks,
  Tim

• Using X509 certificates to create a client in a JCo destination / pool

  Hi,
  Our administrators have set up JCo destinations for us developers to use in connecting to the SAP R/3 back-end.  We need to use X509 certificates instead of username/password to create a connection.  How is this done?  The JCo API doesn't seem to list any class/method combination that is suitable. 
  JCO.createClient allows me to pass an X509 certificate, but it doesn't allow me to specify what JCO.Pool (i.e., JCo destination) to use. 
  JCO.addClientPool seems to allow both, but I don't think I want to really "add" a pool-- don't I just want to "use" a  pre-existing pool, i.e., one of the JCo destinations our administrator has set up? 
  Do I need to create a Client using the X509 certificate and somehow add this Client to the JCO.Pool?  I thought JCo destinations were meant to be pre-established Client pools waiting for a Client to be plucked out of it and used.  Is that wrong?  What am I missing? 
  Thanks in advance for your responses.

  Hi,
  I'm note sure whether you can use prepared JCo destinations in this case. However, if it's possible to use single JCo clients you instantiate when you need them, you have different options depending on whether you have an Enterprise Portal installed on top of your J2EE Engine or not.
  --> Without Portal
  Retrieve the user's current certificate from UME using:
  [code]com.sap.security.api.IUser currentUser = ...;
  java.security.cert.X509Certificate[] certificates = currentUser.getUserAccounts()[0].getCertificates();
  byte[] certBytes = certs[0].getEncoded();
  String encodedCert = someBase64Method(certBytes);
  Properties jcoProperties = new Properties();
  // Add your backend properties like hostname and so on...
  jcoProperties.setProperty("jco.client.user", "$X509CERT$");
  jcoProperties.setProperty("jco.client.passwd", x509Cert);
  JCO.Client jcoClient = JCO.createClient(jcoProperties);[/code]
  --> With Portal installed
  In general: Define your backend system in the Portal's system landscape instead of as JCo destination. Configure it's logonmethod for X.509 certificates. Either use UME's user mapping feature directly via com.sap.security.api.UMFactory.getUserMapping()... to add the certificate properties to the JCO properties, or use some intermediate API, some of which are available in the portal, some of which reside in the J2EE Engine (details if you request them).
  Best regards
  Heiko

• SU01 or ABAP SYSTEM - User Language on Portal

  Dear All,
  I am working on Portal Framework - Masthead and Footer PCD files in JSP enivronment. Now, I have a requirement where I have to fetch the Language of User present in ABAP SYSTEM- SU01 transaction. Can anyone help me how to fetch this._ With some code or some way to tackle the condition?_
  Thanks,
  Roshan

  Hi Roshan,
  Check this thread - User mapping certificate in UME (J2EE) with ABAP system as Backend (SNC)
  Best Regards,
  Sen

• UME with ABAP AS and LDAP Datasource

  Hello SDN´s
  We have tried very hard for the last days configuring the ume-xml for the following scenario:
  -     LDAP is used to authenticate the user
  -     AS ABAP is used to store the roles of the user (because they automatically becomes groups in the portal)
  - the portal and the ABAP-system are  on different servers
  Given facts:
  1)     we canu2019t synchronize the roles of the ABAP system to the LDAP
  2)     we have to use the open-LDAP for the authentication
  3)     DataSources are readonly
  4)     User can have similar or different userid´s on the DataSources (Mapping required)
  Therefore, we read the user and account information from the LDAP and groups/roles form the ABAP AS.
  Result:
  a)     user with similar userid on LDAP and ABAP AS: These user were no longer able to log on to the portal
  b)     user with different id´s (mapped) on LDAP and ABAP: Can log on
  Questions:
  -     Is it true that similar userid´s leads to inherent problems of the UME Persistence Manager?
  -     Did we set up a wrong config-xml?
  -     Is there any other way how we could authenticate to the LDAP and having the Roles of a user read from the ABAP system dynamically?
  Thank you very much for your help
  Sincerely, A. Hunziker

  Hi Andre,
  Not sure if my remarks below can help you but I do hope that it can shine you some light.
  We have LDAP as our main UME, which is configured in our Portal7.0. This means that security groups created in LDAP are "replicated" into the Portal. We created Portal Roles which are assigned to the security groups created in LDAP. We also use SSO and it was setup via the SPNego Wizard (http://help.sap.com/saphelp_nw70/helpdata/EN/45/40a0de773a7527e10000000a114a6b/frameset.htm). This way, the user only needs to login via Windows and access the Portal without having to login (when users have the same Windows userID as that of their SAP ID). If the users have a different userID between Windows and SAP, then they do a user map under personalization of the Portal.
  To connect our Portal to our backend systems, we created a reference system (http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm) and we have our Portal certificates in all backend systems (http://help.sap.com/saphelp_nw70/helpdata/EN/d3/41c8efb31d11d5993800508b6b8b11/frameset.htm).
  With the above, users have SSO from Windows to Portal and via the reference system, they can enjoy SSO as well into our backend systems.
  Basically we have control what the users can see from the Portal (directly from LDAP security groups with users assigned to that) and what the user can do on backend is still maintain in the backend authorisation setup.
  Hope that can help you.
  Ray

• Configure JAAS login module stack to support x.509 certificates without SSL

  I want to use x.509 certificates for authentication against a EP 7.0 but I don’t want to have SSL traffic on the network segment where the portal resides. Obviously the SSL must be terminated in an application gateway that sends the certificate to the portal in the header.
  I know that AcceptClientCertWithoutSSL must be set to true in the http provider and that ClientCertificateHeaderName is the name of the header variable that contains the user’s certificate, default is SSL_CLIENT_CERT.
  What I don’t know is how to configure my JAAS login module stack, my suggestion would be this:
  EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  BasicPasswordLoginModule REQUISITE {}
  CertPersisterLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  My concern is does the ClientCertLoginModule and the CertPersisterLoginModule read from the header variable? If they don’t, is there another login module that should be used in this case?

  Hi Claus,
  you got the flags right but the options of the login modules (LM) are wrong, so the certificate authentication won't work.
  There's two problems I see: (1) Rule1.getUserFrom is not a valid option for the LM CertPersisterLoginModule, and (2) SSL_CLIENT_CERT is not a valid value for the option Rule1.getUserFrom of the ClientCertLoginModule.
  Looking at this topic:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm
  the header variable used to pass the certificate is maintained in the HTTP provider service properties but since you use the default you don't need to maintain that part of the config. You also don't need the CertPersisterLoginModule in the config because it is used for automatic certificate mapping, which doesn't work when you don't have SSL to the portal.
  So with the above said your LM stack config should look like this:
  EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=wholeCert}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  BasicPasswordLoginModule REQUISITE {}
  CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
  If this doesn't work I'd suggest opening a support ticket.
  Regards,
  Yonko

• Portal Certificate Login / Basic Authentication

  Hi .
  We've setup our Portal to login by either client certs of basic authentication. The client cert is stored on a smart card device. On each access to the smartcard a user dialog prompts the user to enter the password of the smartcard.
  Some users have several user IDs. Client certificate can IMHO only mapped to one user ID. First question: Is it possible to map a client cert to more than one user ID in UME?
  2)
  If the smartcard is in cardreader and the user opens the portal login page, portal always requests the client certificate (since it is present). If the user clicks cancel, then an error page is shown. The user should have the ability to login using basic authentication user/password, even the certificate is present. At the moment we need to advice the users to remove the smartcard before trying to login. What I am looking for is something like
  https://portal.com/irj/login&j_authscheme=basicauthentication <- do not request client cert, prompt for userid password
  https://portal.com/ijr/login/certlogonportlet <- requests client cert
  Thanks for your help
  Philipp

  For the ABAP stack you can force the logon screen.
  For Java stacks you would need to make it application specific.
  I agree with Olivier  - the use case for 1) is suspect.
  If your problem is tht system admins are also ESS endusers (for example) then you can give them a different network zone to work from as admin with a different SSO ID. From a risk perspective it is the same... you should only give admin access to people whom you trust and accept being monitored.
  Cheers,
  Julius

• Editing LDAP User attributes from UME interface

  Hi Gurus,
  We want to develop a solution with user management screens in WD. These screens will provide password reset and unlock functionality for users. Our users are stored in LDAP. Current connection to LDAP is in Read Only manner.
  I want to know
  1. How to enable the connection from UME to LDAP in read/write manner?
  2. What certificates need to be exchanged for write access? if any?
  3. What changes needs to be done in config file of UME?
  4. Which permissions should be granted for communication user to edit LDAP user attributes?
  Even after performing the change to read LDAP in read/write manner, will it be sure: If we lock user from UME, it will lock LDAP user? please comment.
  regards
  Kedar Kulkarni

  Hi,
  We are half way into our application between UME and LDAP. We have developed screens and tested in our internal server. In internal landscape, UME is connected to LDAP in read only fashion. So when we try to create User, it gets created in UME.
  But when we deploy same application into client landscape, we receive error as below:
  No data source feels responsible for principal. Please check the data source configuration
  Now we are not sure why this error is getting displayed.
  In client landscape there are 2 LDAPs connected to UME, with only one LDAP in read/ write access.
  Is there any way we can check which LDAP is being accessed by our code? Is there any concept of Default LDAP?
  Any code to access LDAP details will help us lot.
  regards
  Kedar Kulkarni

• UME configuration

  Hi,
  I have requirement that add certificate for new created user in UME. I know it can be done in J2EE <b>Visual Administrator tool</b> by configuing “Security Provider” service. This is started by running go.bat.
  Can anybody tell me how to do it by SAP NetWeaver Administrator directly? I can not find the place where it can be configued from the below link. <b>http://localhost:57000/nwa</b>.Kindly please provide the detailed path to configue it. Thanks a lot.
  Regards
  Oscar

  Hi Oscar,
  This is what you are trying to do:
  http://help.sap.com/saphelp_nw04s/helpdata/en/8a/8bc061dcf64638aa695f250ce7ca78/frameset.htm
  The UME UI is part the NWA.
  -Michael

• Certificate Revocation on SAP Web Dispatcher

  We have recently set up X.509 Certificate based authentication. The SSL handshake is performed by the Web Dispatcher. Requests are forwarded to SAP Netwewaver 2004s Portal with the certificate in the header field. All of this works "as advertised". Certificates are created by an OpenSSL based CA with the proper extensions and are mapped to UME accounts.
  Now we want add the ability to revoke certificates. One reason is, that even if a certificate is no longer mapped to an account, the Portal will still allow the user to log in and use the certificate. The certificate is not stored in the UME, but for the time of the session it looks as if the user did authenticate with a certificate.
  We have added the CRL distribtion point extension ot a certificate. We can see that the CRL is downloaded from this site. It shows up in the certificate revocation service page. However, all revoked certificates still work.
  The same CRL works correctly on an Apache test server. Here a revoked client certificate will already cause the SSL handshake to fail.
  Does it help us to have the CRL installed to the Portal server? Or is it necessary to set up revocation on the Web Dispatcher? Does the Web Dispatcher support certificate revocation at all? If yes, where does it get the CRL from? Does the CRL have to meet certain requirements in addition to the ones defined in RFC 3280?

  >
  Niels Carstensen wrote:
  > OSS ticket is pending.
  >
  > But if the Web Dispatcher accepted the revoked certificate for the SSL handshake, the Portal will just not authenticate the user. It will, however, allow the user to map the certificate to his account. This even seems to happen, if the CertPersisterLoginModule has been removed from the login stack. So all of a sudden the user can login with username password, and at the same time present the (invalid!) certificate to the applications...
  That indeed sounds like a bug - so it was a good idea to submit a support message.
  Regards, Wolfgang
  PS: I still believe that certificate revocation should be customizable on a per-application level ("application" in this context refers to "usage type": the same certificate might be used for different purposes: SSO, digital signature, encryption, S/MIME, ...). Furthermore, some of the certificate revocation mechanisms have a negative performance impact so they might be used with care. Take the payment card validation as an example: depending on the purchase amount you might be prompted for an online validation (requires to enter your PIN) and sometimes you simply need to sign-off a piece of paper - the decision is up to the shop operator and depends on the related costs (for online validation) which is comparable to "performance impacts" in our case).

• Ume.login.mdc.hosts - SSO Multiple Domain

  Hi,
  My Portal domain is xxxx.net and my ECC domain is xxxx.com
  I exported  the portal certificate into ECC and created parameters in RZ10 to create & accept SSO tickets.
  When i do the ECC System Connection tests in Portal, everything is good and successful. But when i run a Transaction iView, i get the ECC login screen.
  Based on SAP Documentation, i modified UME Property as "ume.login.mdc.hosts = xxxx.com:8036", but still i get the ECC login screen in portal when i run a transaction iView. Please advice.
  Thanks
  Vijay

  Not working on this right now

• Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

  I would love some help with this issue.  I have configured my SharePoint foundation 2010 site to use Claims Based Auth with Certificate authentication method with ADFS 2.0  I have a test account set up with lab.acme.com to use the ACS.
  When I log into my site using Windows Auth, everything is great.  However when I log in and select my ACS token issuer, I get sent, to the logon page of the ADFS, after selected the ADFS method. My browser prompt me which Certificate identity I want
  to use to log in   and after 3-5 second
   and return me the logon page with error message “Authentication failed” 
  I base my setup on the technet article
  http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
  I validated than all my certificate are valid and able to retrieve the crl
  I got in eventlog id 300
  The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
  Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  Additional Data
  Exception details:
  Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
  ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
  correctly, but one of the CA certificates is not trusted by the policy provider.
  at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
  at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  --- End of inner exception stack trace ---
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
  at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
  serializationContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
  trustNamespace, AsyncCallback callback, Object state)
  System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
  failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
  at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
  at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  thx
  Stef71

  This is perfectly correct on my case I was not adding the root properly you must add the CA and the ADFS as well, which is twice you can see below my results.
  on my case was :
  PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
  cer\SP2K10\ad0001.cer")
  PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
  Certificate                 : [Subject]
                                  CN=domain.AD0001CA, DC=domain, DC=com
                                [Issuer]
                                  CN=domain.AD0001CA, DC=portal, DC=com
                                [Serial Number]
                                  blablabla
                                [Not Before]
                                  22/07/2014 11:32:05
                                [Not After]
                                  22/07/2024 11:42:00
                                [Thumbprint]
                                  blablabla
  Name                        : domain.ad0001
  TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
  DisplayName                 : domain.ad0001
  Id                          : blablabla
  Status                      : Online
  Parent                      : SPTrustedRootAuthorityManager
  Version                     : 17164
  Properties                  : {}
  Farm                        : SPFarm Name=SharePoint_Config
  UpgradedPersistedProperties : {}
  PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
  cer\SP2K10\ADFS_Signing.cer")
  PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
  Certificate                 : [Subject]
                                  CN=ADFS Signing - adfs.domain
                                [Issuer]
                                  CN=ADFS Signing - adfs.domain
                                [Serial Number]
                                  blablabla
                                [Not Before]
                                  23/07/2014 07:14:03
                                [Not After]
                                  23/07/2015 07:14:03
                                [Thumbprint]
                                  blablabla
  Name                        : Token Signing Cert
  TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
  DisplayName                 : Token Signing Cert
  Id                          : blablabla
  Status                      : Online
  Parent                      : SPTrustedRootAuthorityManager
  Version                     : 17184
  Properties                  : {}
  Farm                        : SPFarm Name=SharePoint_Config
  UpgradedPersistedProperties : {}
  PS C:\Users\administrator.PORTAL>

• When I login to my equipment it ask for a certificate. How do I delete these certificates?

  We just recently upgraded our equipment and now I don't get the whole screen parts are missing. So I figured if I delete certificates or renew them it might work. So I need to know How to delete them or renew them.

  Among other things iTunes uses your credit card to confirm that you are a resident of the same country as the store you are using. Occasionally it may ask for you to confirm the details and "prove" the card by putting on a holding charge which it later releases. If you have credit in the store that should be applied to any purchases first, even if iTunes asks you to confirm your details. Your listed credit in the window can become out of date if you use more than one computer or device to make purchases. Signing out of your account, then back in, should refresh the balance.
  tt2

• How to use one certificate for two directory servers?

  Hi,
  running Sun DSEE 6.3.1 on two servers, server 1 has name ds1.example.com, server 2 has name ds2.example.com. There is a round robin DNS record ds.example.com, which alternates between:
  ds1.example.com
  ds2.example.com
  and
  ds2.example.com
  ds1.example.com
  An LDAP client connects to one of the servers over SSL using the name ds.example.com. We want to generate a certificate using the name ds.example.com and use it on both directory servers.
  If we generate a CSR using DSCC on server 1 and get back a signed certificate, the certificate can be installed correctly on server 1. However, if we use the same signed certificate on server 2 it fails with error:
  Unable to find private key for this certificate.
  Failed to add the certificate.
  Error executing the operation. The error code is 11.
  What is the correct way to generate one CSR, have it signed by a CA and then implement this signed certificate on multiple servers?
  /rolf

  From one Directory Server (ds1) generate CSR with the name ds.example.com in the request. Once you get the signed cert import it into the same server you generated CSR with. Then from ds1.example.com :
  scp -p <slapd install/instance path>/alias/* <account>@ds2.example.com:<slapd install/instance path>/alias/
  to copy the contents of the alias path to the same location on the other Directory Server. Make sure file permissions are the same.

• Asking specific client certificate (not certificates trusted by authority)

  As I understand from what I read so far, during the handshake negotiation for two way ssl, the server sends the client a list of trusted certificate authorities and say to the client: "hey, those are the authorities I trust. send me a certificate that can be verified by one of them".
  I also read how you can customize SSLSocketFactory to, on the client side, look for a specific certificate alias (http://www.ibm.com/developerworks/java/library/j-customssl/). I would like to move this idea further and ask for specific certificates depending on what resources the user is trying to access.
  For example:
  Let's suppose I have two resources on my server called "bobPrivateStuff" and "alicePrivateStuff". I also have a certificate authority who can validate both Bob and Alice certificates on a custom trust keystore. In a regular scenario, the server will ask for a client certificate and will accept either Alice or Bob certificate, as both can be verified by the custom trust.
  But what if Alice can't access "bobPrivateStuff"? What if when trying to open a connection, to say http://myserver.com/services/bobPrivateStuff, the server asks specifically for Bob's certificate? Can I setup the handshake in a way it will actually ask for Bob's certificate instead of only just "any certificated trusted by this CA"?
  And what piece of information could be used to distinguish one certificate from another? Is the serial number unique between multiple certificates? Is this pushing the envelop too much and trying to use SSL for more than what it is intended for?

  I agree 100%. It's just that we want to use certificates to validate the client's identity (instead of relying on username/password).Fine, that's exactly what SSL & PKI will do for you.
  It might not be elegantBut it is!
  See my point?Of course I see your point. SSL already does that. I said that. You agreed. I agree. What it doesn't do is the authorization part. Because it can't. It isn't meant to. You are supposed to do that.
  Instead of the server asking for a specific certificate, it justs checks if the certificate sent by the client has access to the resource.Not quite. It should check if the identity represented by the client certificate (Certificate.getSubjectX500Principal(), or SSLSocket.getSession().getPeerPrincipal()) has access to the resource.
  This way, we can leave the server untouchedNo you can't. The server has to get hold of the client principal after the handshake and authorize it against the resource.
  if Bob wants to access some resources, Bob has to prove he is who he says he is.You're still confused. That's authentication, and SSL already does that for you. SSLSocket.getSession().getPeerPrincipal() returns you the authenticated identity of the peer. The server then has to check that that identity can access that resource. This is 'authorization'. You can't automate it via keystores and truststores. That's not what they do and it's not what they're for.
  So I think it is perfectly plausible to do this kind of verification on the server side (i.e. "hijack" a certificate sent to validate the ssl handshake to also verify if the user has the correct privileges).There's no 'hijacking' about it, but you're concentrating on the certificate instead of the identity it represents. A client could have a large number of certificates that all authenticate the same identity. You need to think in terms of authorizing Principals to access resources.