
Using X.509 Client Certificates

Use

SAP NetWeaver systems enable you to authenticate user access in an SSO environment with X.509 certificates. For this SSO scenario, SAP NetWeaver application server uses X.509 client certificates to authenticate Web users transparently with the underlying SSL security protocol. In addition, you can perform the issuing and administration activities for the user’s client certificates centrally, using a trust center service and a public-key infrastructure.

Integration

Public-Key Infrastructure / Trust Center Services

Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI). If you do not have an established PKI, you can use a trust center service to obtain certificates.

For more information about PKI, see Public-Key Technology.

SSL

When using client certificates, users are authenticated at the communication protocol level using the SSL protocol. Enabling the use of SSL is necessary for the connections where user authentication takes place.

Prerequisites

      Client certificate authentication uses cryptography to secure user access to SAP NetWeaver systems. Therefore, to use authentication with client certificates your SAP NetWeaver systems have to be enabled to use strong cryptography.

      Users accessing SAP NetWeaver have to possess valid X.509 client certificates, issued by a trusted CA.

      The use of SSL is configured for your SAP NetWeaver systems. For more information, see:

       AS ABAP: Configuring the AS ABAP for Supporting SSL

       AS Java: Configuring the Use of SSL on the AS Java

Features

When using X.509 client certificates, the integrity and the confidentiality of the authentication credentials are provided using cryptographic functions and the SSL protocol. In addition, to establish higher levels of trust and non-repudiation for business transactions, users can produce digital signatures with the client certificates.

When users authenticate with their client certificates, SSO is enabled by the underlying PKI technology and established trust between certificate issuing and certificate accepting systems. Thereby, users can use their certificates for secure access to a large number of Intranet and Internet services. PKI technology can also reduce reliance on other authentication mechanisms. After users receive their certificates from the CA, they no longer need to authenticate with a user name and password.
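
The following added example (Python standard library; it is not SAP code and not part of the original documentation) illustrates the two steps described above: the SSL layer accepts only client certificates issued by a trusted CA, and the accepting system then maps the verified certificate to a user account. The sample certificate data, the user mapping table and all function names are constructed for illustration.

```python
import ssl

# Constructed sample: the dict shape returned by ssl.SSLSocket.getpeercert()
# after a handshake in which the client certificate chain was verified.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "DE"),), (("organizationName", "Example Corp"),),
                (("commonName", "jdoe"),)),
    "issuer": ((("countryName", "DE"),), (("organizationName", "Example Corp"),),
               (("commonName", "Example Corp User CA"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Hypothetical mapping of (issuer DN, subject DN) to a local user account.
USER_MAP = {
    ("C=DE,O=Example Corp,CN=Example Corp User CA",
     "C=DE,O=Example Corp,CN=jdoe"): "JDOE",
}

_SHORT = {"countryName": "C", "organizationName": "O",
          "organizationalUnitName": "OU", "commonName": "CN"}


def require_client_certificates(ctx, trusted_ca_file=None):
    """Make a server-side context reject handshakes without a valid client cert."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if trusted_ca_file:  # CA(s) allowed to issue client certificates
        ctx.load_verify_locations(cafile=trusted_ca_file)
    return ctx


def dn_string(rdns):
    """Flatten getpeercert()'s nested RDN tuples into 'C=..,O=..,CN=..'."""
    return ",".join(f"{_SHORT.get(k, k)}={v}" for rdn in rdns for k, v in rdn)


def map_certificate_to_user(peer_cert, user_map):
    """Return the mapped user, or None. Matches issuer and full subject DN,
    not the CN alone, so a same-named certificate from another CA is refused."""
    if not peer_cert:  # empty dict/None: no verified client certificate
        return None
    key = (dn_string(peer_cert.get("issuer", ())),
           dn_string(peer_cert.get("subject", ())))
    return user_map.get(key)
```

The mapping step relies on the handshake having already verified the certificate chain; it must not be applied to certificate data that did not come from a verified SSL connection.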

Activities

The activities involved to enable user authentication with X.509 client certificates are specific to the underlying technology of your SAP NetWeaver system. The configuration activities can differ depending on whether you use an intermediary proxy server that terminates the SSL connection.

For more information about configuring the use of client certificates for SAP NetWeaver systems, see:

      Using X.509 Client Certificates on the AS ABAP

      Using X.509 Client Certificates on the AS Java

 

See also:

X.509 Certificates

 

 
