Using X.509 Client Certificates on the AS ABAP

Users who access SAP NetWeaver Application Server (SAP NetWeaver AS) for ABAP from a Web browser and present a valid client certificate can be authenticated on the server using the SSL protocol.

For this scenario, the information contained in the certificate is passed to the server and the user is logged on to the server based on this information. User authentication takes place in the underlying SSL security protocols and no user ID and password entries are necessary.

Prerequisites
  • Users possess valid X.509 client certificates issued by a trusted Certification Authority (CA).

  • The users' client certificates are imported into the Web browsers on their client systems.

  • The AS ABAP is configured to support HTTPS connections and SSL.

  • The user's identification, that is, the Distinguished Name specified in his or her certificate, must map to a valid user ID on the AS ABAP.
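
The last prerequisite, mapping the certificate's Distinguished Name to a user ID, can be pictured with the following added example. It is not SAP code and does not show how the AS ABAP implements the mapping; the function names, DNs and user IDs are constructed for illustration, and case-insensitive comparison is an assumption of this sketch. It matches only on the complete, ordered DN and returns no user for anything it cannot parse.

```python
# Added example: strict Distinguished Name -> user ID mapping (not SAP code).
# All DNs and user IDs are constructed sample data.

def canonical_dn(dn):
    """Parse a comma-separated DN string into an ordered tuple of (TYPE, value)."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == "+":             # multi-valued RDNs: out of scope, fail closed
            raise ValueError("multi-valued RDN not supported")
        elif ch == ",":             # only an unescaped comma separates RDNs
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    if escaped:
        raise ValueError("dangling escape")
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        attr = attr.strip().upper()
        value = " ".join(value.split()).casefold()   # assumption: case-insensitive match
        if not sep or not attr or not value:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr, value))
    return tuple(rdns)

def build_map(raw):
    """Canonicalize the configured DNs; refuse two entries that collapse to one key."""
    table = {}
    for dn, user_id in raw.items():
        key = canonical_dn(dn)
        if key in table:
            raise ValueError("ambiguous mapping for %r" % dn)
        table[key] = user_id
    return table

def map_subject(subject_dn, table):
    """Return the mapped user ID, or None. No fallback to CN-only or partial matches."""
    try:
        return table.get(canonical_dn(subject_dn))
    except ValueError:
        return None

USER_MAP = build_map({   # constructed sample mapping
    "CN=Alice Example, OU=Finance, O=Example Corp, C=DE": "AEXAMPLE",
    "CN=Bob Sample, OU=IT, O=Example Corp, C=DE": "BSAMPLE",
})
```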

Public-Key Infrastructure

To authenticate with client certificates, users must receive their X.509 client certificates from a trusted Certification Authority. The AS ABAP uses the established Public Key Infrastructure (PKI) to verify the identity of certificate owners and to issue, validate, renew, and revoke certificates. If you use X.509 client certificates for authentication, then you need access to a PKI.

Using SSL for Client Authentication

When using X.509 client certificates, users are authenticated on the AS ABAP using the SSL protocol. Therefore, HTTPS connections are necessary for the communication between the Web browser and the AS ABAP.

Features

The integrity and confidentiality of the authentication credentials are provided by the SSL protocol and PKI technology. In addition, users can produce digital signatures using the client certificates to establish higher levels of trust and non-repudiation for business transactions.

Once users receive their client certificates from the CA, they can use them to access the AS Java, and passwords are no longer used for authentication purposes. In addition, users can use their certificates for secure access to other Intranet or Internet services.