Obtaining SAP Passport (Client Cert.) from SAP Trust Center 

Purpose

The Enterprise Portal provides an iView that allows users to request and receive an SAP Passport from the SAP Trust Center.

In this case, the Portal Server acts as a registration authority (RA): it verifies the users' requests for a client certificate and confirms to the certification authority (CA), here the SAP Trust Center, that the requesting user is who he or she claims to be. The Trust Center never authenticates the user itself; it relies on the Portal Server's signature on the request.

Prerequisites

You must register your Portal Server as a trusted RA with the SAP Trust Center. This is required so that, when the Trust Center receives a request for a client certificate from the Portal Server, it can verify the digital signature of the Portal Server in the request. To register your Portal Server with the SAP Trust Center, you must request a server certificate from the SAP Trust Center. This is described in Obtaining a Server Certificate from SAP Trust Center.

In addition, see the prerequisites for Authentication Using Client Certificates.

In particular, the Web server must be configured to trust the certification authority (CA) that issued the user certificates. In other words, you must import the root certificate of the SAP Trust Center into the keystore of the portal Web server (IIS). This is required so that IIS can verify the user's client certificate at logon; a certificate that does not chain to a trusted root is rejected.

You must integrate the iView for requesting client certificates in a portal role, for example portal_user, so that all users can request a client certificate. This is the iView ClientSecurity.ClientCertInstall.

Process Flow

The following diagram describes what happens in the portal when a user requests a client certificate.

  1. The user logs on to the Enterprise Portal using his or her portal user ID and password for authentication.
  2. The Portal Server informs the user’s Web browser of the naming convention to use for the certificate and triggers the generation of the user’s public-key pair by the Web browser.
  3. The Web browser generates the user’s public-key pair and the request for the SAP Passport.
  4. The Portal Server approves the request by signing it, and sends it back to the browser, which forwards it to the SAP Trust Center Service.
  5. The SAP Trust Center Service verifies that the naming convention is correct, generates the SAP Passport and issues it to the user. The SAP Passport is then stored in the user’s Web browser.
  6. The user can then use his or her SAP Passport for subsequent logons to the Enterprise Portal or other Internet services that accept it as the authentication mechanism.
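The division of labour in steps 2 to 5, together with the Web server check from the prerequisites, modelled end to end in Go. This is an added example and not SAP's, the portal's or the Trust Center's code: the naming convention (CN = portal user ID plus a fixed O), the use of ECDSA keys and PKCS#10 requests, the RA name "portal" and every function name are assumptions made for the illustration, and the real exchange uses the browser's certificate enrolment mechanism and the Trust Center's own request format, which this does not reproduce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Hypothetical naming convention: the portal prescribes CN = portal user ID and this fixed O.
const requiredOrg = "Example Portal Users"

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}
func NewKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// CA stands in for the Trust Center; RAs holds the public keys of the RAs registered with it.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
	RAs  map[string]*ecdsa.PublicKey
}

func NewCA() *CA {
	key := NewKey()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{Key: key, Cert: must(x509.ParseCertificate(der)), RAs: map[string]*ecdsa.PublicKey{}}
}

// parseCSR decodes a request and checks its self-signature (proof of possession of the key).
func parseCSR(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	return csr, csr.CheckSignature()
}

// Steps 2-3: browser-side key generation and request; the private key never leaves the client.
func BrowserRequest(cn string) (*ecdsa.PrivateKey, []byte, error) {
	key := NewKey()
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: []string{requiredOrg}}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// Step 4: the RA countersigns only a request whose CN is the user who authenticated with
// ID and password in step 1. The return value is the RA signature over the CSR bytes.
func RAApprove(raKey *ecdsa.PrivateKey, loggedOnUser string, csrDER []byte) ([]byte, error) {
	if csr, err := parseCSR(csrDER); err != nil {
		return nil, err
	} else if csr.Subject.CommonName != loggedOnUser {
		return nil, errors.New("CN does not match the logged-on user")
	}
	h := sha256.Sum256(csrDER)
	return ecdsa.SignASN1(rand.Reader, raKey, h[:])
}

// Step 5: the CA accepts only requests countersigned by a registered RA, re-checks proof of
// possession and the naming convention, and issues a certificate limited to client authentication.
func (ca *CA) Issue(raName string, csrDER, raSig []byte) ([]byte, error) {
	raPub, ok := ca.RAs[raName]
	h := sha256.Sum256(csrDER)
	if !ok || !ecdsa.VerifyASN1(raPub, h[:], raSig) {
		return nil, errors.New("request not approved by a registered RA")
	}
	csr, err := parseCSR(csrDER)
	if err != nil {
		return nil, err
	}
	if s := csr.Subject; s.CommonName == "" || len(s.Organization) != 1 || s.Organization[0] != requiredOrg {
		return nil, errors.New("subject violates naming convention")
	}
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject: csr.Subject, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
}

// WebServerVerify is the logon-time check of the portal Web server: the presented certificate
// must chain to the imported Trust Center root and be valid for client authentication.
func WebServerVerify(root *x509.Certificate, clientDER []byte) error {
	cert, err := x509.ParseCertificate(clientDER)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

To run the flow, create a CA with NewCA, register the RA key (ca.RAs["portal"] = &raKey.PublicKey, which is the "register your Portal Server as a trusted RA" prerequisite), then call BrowserRequest, RAApprove and ca.Issue in that order and hand the result to WebServerVerify with ca.Cert as the root. Two points the model makes explicit: the CA never sees the user's password, so the only thing binding the certificate to a real identity is the RA's check that the CN equals the session's user ID before it signs; and the CA still verifies the naming convention and proof of possession itself, so a compromised or misconfigured RA cannot obtain certificates for arbitrary subjects.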


Note that the Portal Server acts as a registration authority (RA) in the above process. In other words, it confirms that the user requesting the certificate is who he or she claims to be.


Result

An SAP Passport is stored in the user's Web browser and can be used by the user for subsequent logons to the Enterprise Portal. Note that the user must subsequently log on using HTTPS: the browser presents a client certificate only as part of the SSL/TLS handshake, so over plain HTTP the SAP Passport is of no use.