
 

Overview

  • The SAP Application Server JAVA can use X.509 client certificates to authenticate Web users transparently with the underlying SSL security protocol.
     
  • The integrity and confidentiality of the authentication credentials is provided using cryptographic functions and the SSL protocol. SSL client authentication allows a server to confirm a user's identity. Using the same techniques as those used for server authentication, SSL-enabled server software can check whether the client's certificate and public ID are valid and whether it has been issued by a certificate authority (CA) listed in the server's list of trusted CAs.  
     
  • In addition, the issuing and administration activities for the user’s client certificates can be performed centrally, using a trust center service and a public-key infrastructure. 
     
  • The SAP login modules relevant here are the ClientCertLoginModule and the CertPersisterLoginModule. Login modules are the implementation of the Java Authentication and Authorization Service in SAP NetWeaver AS Java: they are the concrete implementation of the flow logic of the authentication, and several login modules can be combined to make a login module authentication stack.
     

  • Authentication can also be done to non-SAP Systems that support SSL. No user intervention is needed and this authentication mechanism can be used for both the Internet and the Intranet.




Configuration Steps:

1) Configure SSL on the SAP Application Server JAVA

This is needed because, when a client certificate is used, authentication takes place transparently for the user within the underlying SSL security protocol. There are two ways to configure SSL:

  • Manually, by configuring the ICM and the AS Java keystore separately, or
  • By using the SSL configuration tool in the SAP NetWeaver Administrator.

Short summary of the steps involved:

  • Check / update the SAP Cryptographic Library files sapcrypto.dll and sapgenpse.exe.
  • Maintain the required ICM (Internet Communication Manager) parameters in the instance profile, including the HTTPS port.

  • Generate a key pair for SSL using the ICM and have it signed by the Certification Authority.

  • Import the signed Certificate response to /nwa service_ssl and to the instance-specific views ICM_SSL_<ID>.

  • Generate / Update PSE

    More info:
     http://help.sap.com/saphelp_nw73/helpdata/en/4a/015cc68d863132e10000000a421937/frameset.htm


2) Set the UME parameter: ume.logon.allow_cert to true.
 

The default value of the parameter is FALSE.
When set to TRUE, users have the option of mapping their client certificates to their user ID in the logon screen, and administrators can map client certificates to users in the UME administration console. This change can be made using the User management expert console:



For more info, check: https://help.sap.com/saphelp_nw73/helpdata/en/4a/864d94a016203be10000000a42189b/frameset.htm
Restart the SAP Application Server JAVA for the changes to take effect. 

 

3) Place the root certificate of each CA that issues the client certificates as a CERTIFICATE entry in the ICM_SSL_<instance_ID> view.

If the certificate exists as a file in your file system, you can import it to the AS Java Key Storage. If needed, export the certificate from the Internet Explorer certificate tab and then import it to the ICM view:

If the certificate already exists in another Key Storage view on the AS Java, you can copy the existing certificate entry to the corresponding view. The final configuration:

 

On older servers (release 6.40 and 7.00), navigate to the Visual Admin → server → services → SSL Provider and, in the tab "Client Authentication", choose the option "Request client certificate" and apply the Trusted Root Certificate using the button Add:


 

4) Set the VCLIENT profile parameter of ICM  

Configure the VCLIENT profile parameter of ICM as below:

• Request (but not require) that the user presents a client certificate for authentication.
• Require that client certificates are to be used for authentication.

For more info, check:

https://help.sap.com/saphelp_nwpi711/helpdata/en/48/3ae05299c172d0e10000000a42189c/frameset.htm 

An ICM restart is needed for the changes to take effect.

4) Configure the ClientCertLoginModule and Adjust the login module stack

This is needed to establish the AS Java user ID from the client certificate and to filter the provided certificates. The applications that accept client certificates are also configured in this step.

Navigate to /nwa → configuration → security → Authentication and Single Sign-On: Authentication and configure the "ticket" authentication stack:

 

On SAP Application Server JAVA release 6.40 and 7.00, add the ClientCertLoginModule using the Visual Admin → server → services → security provider → ticket as shown below:

 

Once the logon module is added, click on "modify" to add the rules:

 

5) Authentication Options:

Using Stored Certificate Mappings 

For more help, check: 

Client certificate authentication options - certificate matching

and

https://help.sap.com/saphelp_nw73/helpdata/en/8a/8bc061dcf64638aa695f250ce7ca78/content.htm

Using Rules Based on Client Certificate Subject Names

For more help, check: 

Client certificate authentication options - rules

and

https://help.sap.com/saphelp_nw73/helpdata/en/4a/48baeaba4b044ee10000000a421937/content.htm  
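
The subject-name rules and certificate filtering described in this step come down to parsing the certificate's distinguished names correctly. The following is an added example, not SAP's ClientCertLoginModule code: it assumes the SSL layer has already validated the certificate chain, all function names are hypothetical, and the DN strings are constructed. It goes slightly beyond the page by showing why a plain split on "," must not be used to read the CN.

```python
# Added illustration, not SAP's ClientCertLoginModule code; names are hypothetical.
import re

def parse_dn(dn):
    """Parse an RFC 4514 DN string into [(TYPE, value), ...], honoring escapes."""
    rdns, key, buf, i = [], None, bytearray(), 0

    def flush():
        nonlocal key, buf
        if key is None:
            raise ValueError("RDN without '=' in %r" % dn)
        rdns.append((key.strip().upper(), buf.decode("utf-8").strip()))
        key, buf = None, bytearray()

    while i < len(dn):
        ch = dn[i]
        if ch == "\\":                      # escaped char or hex pair
            if re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
                buf += bytes.fromhex(dn[i + 1:i + 3]); i += 3
            elif i + 1 < len(dn):
                buf += dn[i + 1].encode(); i += 2
            else:
                raise ValueError("dangling escape in %r" % dn)
        elif ch == "=" and key is None:     # first unescaped '=' ends the type
            key, buf = buf.decode(), bytearray(); i += 1
        elif ch in ",+":                    # unescaped RDN / AVA separator
            flush(); i += 1
        else:
            buf += ch.encode(); i += 1
    flush()
    return rdns

def user_from_cert(subject_dn, issuer_dn, trusted_issuer_dn, attribute="CN"):
    """Map a certificate to a user ID; None on issuer mismatch or ambiguity."""
    if parse_dn(issuer_dn) != parse_dn(trusted_issuer_dn):
        return None
    values = [v for t, v in parse_dn(subject_dn) if t == attribute]
    return values[0] if len(values) == 1 else None

def naive_cn(subject_dn):
    """Contrast case: splitting on ',' ignores escapes and takes the first CN."""
    for part in subject_dn.split(","):
        k, _, v = part.strip().partition("=")
        if k.upper() == "CN":
            return v
    return None

# Constructed sample DNs (not taken from any real certificate).
TRUSTED_CA = "CN=Example Issuing CA,O=Example Corp,C=DE"
ESCAPED = "O=Example\\, CN=other,CN=jdoe2,C=DE"
```

With the constructed ESCAPED subject, naive_cn returns "other" while user_from_cert returns "jdoe2"; a subject carrying two CN values, or an issuer other than the configured one, yields no user at all.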

 

6) OPTIONAL: Adjust the login module stacks and configure the login modules for those applications that accept Client Certificates as the authentication mechanism.

For example in the below picture, the application sap.com/portletbrowser*portletbrowser authentication has been changed from Basic (using user name and password) to Ticket (which now has the client certificate logon module details configured).

Testing the Authentication mechanism:

If all the configurations are done correctly, the next time the SAP Application Server JAVA URL, for example http://<hostname>:<port>/useradmin, is called, the logon screen should not appear and the user should be logged in using the client certificate. If the authentication is traced using the Troubleshooting Wizard (for SAP AS Java 7.20, see SAP Note No. 1332726; for releases prior to 7.1, see SAP Note No. 1045019), the whole logon sequence can be seen.

Below are some excerpts from the logs when the login using client certificates was successful:

From the traces, the matched user details can be seen:

 

FURTHER READING

Using X.509 Client Certificates on SAP NetWeaver AS for Java

https://help.sap.com/saphelp_nw73/helpdata/en/4a/41f432343f2ab1e10000000a42189c/frameset.htm

REQUESTING S USER ID:

https://portal.wdf.sap.corp/wcm/ROLES://portal_content/cp/roles/employee/employee_services/ITServices/AdditionalOfferings/Infocenters/SAP%20IT%20for%20SAP/Additional%20Offerings/~/Business%20Applications%20Requests/SAP%20Service%20Marketplace/S%20User%20ID%20Request

SAP Trust Center Service's root certificates
https://support.sap.com/support-programs-services/services/trust-center/download/root-certificates.html

SAP AS JAVA WIKI

Client Certificate Authentication
