Client Certificates

Use

As an alternative to using user IDs and passwords when using web applications with SAP NetWeaver Application Server for ABAP, users can also present X.509 client certificates for user authentication. In this case, user authentication takes place on the web server using the Secure Sockets Layer (SSL) protocol, and no transfer of passwords is necessary. User authorizations apply according to the authorization concept in SAP NetWeaver Application Server for ABAP.

Security Measures When Using Client Certificates

When using X.509 client certificates and SSL for user authentication, you should note the following:

  • Choose a trusted CA.

    Your users must possess valid certificates signed by a trusted CA. You can either establish your own CA and distribute certificates to your users yourself, or you can rely on a Trust Center service. The CA you choose to use must be designated as a trusted CA on the web server.

  • Inform your users about how to protect their private key.

    In this scenario, user authentication takes place using the SSL protocol, which uses public-key technology. Each user must possess a public key pair. The public key is contained in the X.509 client certificate and can be made public. However, the user's private key must be kept safe. The possibilities available for securing the private key depend on the web browser you use. (For example, you may be able to protect it with a password, or you may be able to use smart cards.) If the private key is stored on the front-end client, your users should use password-protected screen savers.

  • If users share front ends, then note the following:

    If the operating system separates and protects user data at the operating system level (for example, Windows NT), then the private key stored on the front end is protected by the operating system.

    However, when using an operating system that does not separate user data (for example, Windows 95), then you should not store the private key on the front end.
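The following shell script is an added example and is not part of the SAP documentation or of the SAP NetWeaver software. It uses OpenSSL to build a throw-away PKI that illustrates the first two measures above: a client certificate is accepted only if it chains to the CA that has been designated as trusted (here simulated with `openssl verify -CAfile`, standing in for the check the web server performs during the SSL handshake), while a perfectly valid certificate from a CA that was not designated as trusted is rejected; and the user's private key is stored passphrase-encrypted so that a copied key file is useless on its own. All CA names, user names, file paths and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the SAP documentation): a tiny PKI built with OpenSSL.
# Shows that the server accepts only certificates issued by its trusted CA and
# that a user's private key can be kept encrypted on the front end.
# All names, paths and the passphrase below are constructed for this demo.
set -eu

WORK="$(mktemp -d)"                 # throw-away directory for generated files
KEY_PASS="pass:demo-passphrase"     # constructed; a real user chooses their own

# Create a self-signed CA: certificate plus its signing key.
make_ca() {                         # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -sha256 -days 2 -nodes \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a client certificate for a user, signed by the given CA.
# The user's private key is written AES-256 encrypted, so the file alone
# (for example, copied from a shared front end) cannot be used.
issue_client_cert() {               # $1 = user name, $2 = issuing CA name
  openssl genrsa -aes256 -passout "$KEY_PASS" -out "$WORK/$1.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$WORK/$1.key" -passin "$KEY_PASS" \
    -subj "/CN=$1" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 1 \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# The server-side decision at the SSL handshake, reduced to one call:
# accept the presented certificate only if it chains to the trusted CA.
# Prints "accepted" (exit 0) or "rejected" (exit 1).
verify_client_cert() {              # $1 = trusted CA name, $2 = user name
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo accepted; return 0
  else
    echo rejected; return 1
  fi
}

# Is the user's private key file encrypted on disk? Exit 0 if yes.
key_is_encrypted() {                # $1 = user name
  grep -q ENCRYPTED "$WORK/$1.key"
}

make_ca corp-ca                     # the CA designated as trusted on the server
make_ca other-ca                    # a CA the server has NOT been told to trust
issue_client_cert alice corp-ca
issue_client_cert bob other-ca      # valid certificate, but from the wrong issuer

printf 'alice (issued by corp-ca):  %s\n' "$(verify_client_cert corp-ca alice)"
printf 'bob   (issued by other-ca): %s\n' "$(verify_client_cert corp-ca bob || true)"
if key_is_encrypted alice; then
  echo "alice's private key is stored encrypted"
fi
```

Run it as `sh client-cert-demo.sh`; it needs only the `openssl` command. The same trust decision is what the web server makes when it is configured with the trusted CA's certificate, and the same encrypted key file is what a browser produces when a user protects the private key with a password.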