Background documentationUsing SAP Passports Provided by the SAP Trust Center Service

 

When using X.509 client certificates for authentication in your system, you can simplify the task of distributing certificates to users by using the SAP Trust Center Service (TCS).

When using this feature, users can get their client certificates automatically from the SAP TCS by calling the certificate request service. The SAP system that hosts the certificate request service acts as a Registration Authority (RA) that approves the users' certificate requests and sends them to the SAP TCS.

Note Note

On the AS ABAP, the certificate request service is a Business Server Page (BSP) application. You can find it in the list of services (using transaction SICF) under default_   host  sap   bc   bsp   certreq  .

End of the note.

Prerequisites

  • To use this function, users must have the following authorizations:

    • S_USERCERT, Activity 49

      This authorization allows the user access to the certification request service.

    • S_TABU_DIS, Activity 02, Authorization Group SCUS

      This authorization allows the system to maintain the mapping between the user's certificate and his or her user ID in the table USREXTID.

  • Users must have Internet access to the SAP Trust Center Service (https://tcs.mysap.com/invoke/tc/usercert).

Activities

  1. The user accesses the certificate request service. (If the user is not logged on to the system, he or she must first be authenticated.) To use the certificate request service, he or she must enter his or her user ID and password when calling the service, even though he or she is already logged on to the system.

  2. The AS ABAP triggers the generation of the user's public and private key pair by the Web browser.

  3. The Web browser generates the user's public and private key pair and the request for the SAP Passport.

  4. The Web browser sends the certificate request to the SAP system.

  5. The AS ABAP checks and approves the request by digitally signing it

  6. The AS ABAP then redirects the certificate request over the Web browser to the SAP Trust Center Service using the Internet.

  7. The SAP Trust Center Service verifies the request, generates the SAP Passport and issues it to the user. The SAP Passport is stored in the user's Web browser.

  8. The AS ABAP maps the certificate to the user's account, eliminating the need to maintain the mapping entry in table USREXIT manually.

The user can then use his or her SAP Passport to subsequently log on to the AS ABAP (or other services that accept it as the authentication mechanism).

Was this page helpful to you?