Using SAP Passports Provided by the SAP Trust Center Service
When using X.509 client certificates for authentication in your system, you can simplify the task of distributing certificates to users by using the SAP Trust Center Service (TCS).
When using this feature, users can get their client certificates automatically from the SAP TCS by calling the certificate request service. The SAP system that hosts the certificate request service acts as a Registration Authority (RA) that approves the users’ certificate requests and sends them to the SAP TCS.

The certificate request service is a Business Server Page (BSP) application. You can find it in the list of services (using transaction SICF) under default_host → sap → bc → bsp → certreq.
...
1. The user accesses the certificate request service. (If the user is not logged on to the system, he or she must first be authenticated.) To use the certificate request service, he or she must enter his or her user ID and password when calling the service, even though he or she is already logged on to the system.
2. The SAP system triggers the generation of the user’s public and private key pair by the Web browser.
3. The Web browser generates the user’s public and private key pair and the request for the SAP Passport.
4. The Web browser sends the certificate request to the SAP system.
5. The SAP system checks and approves the request by digitally signing it.
6. The SAP system then redirects the certificate request over the Web browser to the SAP Trust Center Service using the Internet.
7. The SAP Trust Center Service verifies the request, generates the SAP Passport and issues it to the user. The SAP Passport is stored in the user’s Web browser.
8. The SAP system maps the certificate to the user’s account, eliminating the need to maintain the mapping entry in table USREXTID manually.
The user can then use his or her SAP Passport for subsequent logons to the SAP system (or other services that accept it as the authentication mechanism).
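The approval chain in steps 2 to 7, sketched with OpenSSL as an added example that is not SAP's code or wire format. The detached RA signature, the demo names (Demo RA, Demo CA, DEMOUSER) and the file layout are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo: every key, name and file below is a stand-in, not SAP's format.

# One-time setup: self-signed RA cert (the SAP system) and CA cert (the trust center).
setup_pki() {  # arg: working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo RA" \
    -keyout "$1/ra.key" -out "$1/ra.crt" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl x509 -in "$1/ra.crt" -pubkey -noout > "$1/ra.pub"
}

# Steps 2-4: the client generates its key pair and a certificate request.
# The private key stays with the client; only the CSR is sent on.
client_request() {  # args: working directory, user ID
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
}

# Step 5: the RA approves the request by signing it (detached signature here).
ra_approve() {  # arg: working directory
  openssl dgst -sha256 -sign "$1/ra.key" -out "$1/user.csr.sig" "$1/user.csr"
}

# Step 7: the CA issues only if the RA signature covers this exact request.
ca_issue() {  # arg: working directory
  openssl dgst -sha256 -verify "$1/ra.pub" -signature "$1/user.csr.sig" \
    "$1/user.csr" >/dev/null 2>&1 ||
    { echo "rejected: no valid RA approval" >&2; return 1; }
  openssl x509 -req -in "$1/user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/user.crt" 2>/dev/null
}

# Input to step 8: the subject that the system would map to the user account.
cert_subject() { openssl x509 -in "$1/user.crt" -noout -subject; }

demo() {
  local d; d=$(mktemp -d)
  setup_pki "$d" && client_request "$d" DEMOUSER && ra_approve "$d" &&
    ca_issue "$d" && cert_subject "$d"
  local rc=$?
  rm -rf "$d"
  return $rc
}

demo
```

Because the RA signature is computed over the request itself, a request that is replaced after approval fails the check in `ca_issue` and no certificate is written.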
See also:
Configuring the System to Use the SAP Trust Center Service
