In addition to using SSL for encrypting connections, you can use SSL and X.509 client certificates to authenticate client or user access requests for AS Java applications.
When using client certificates, authentication takes places transparently for the user with the underlying SSL security protocol. Therefore, you can use authentication with client certificates to integrate the AS Java into a Single Sign-On environment.
Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI).
For more information about PKI, see Public-Key Technology .
When using client certificates, users are authenticated at the communication protocol level using the SSL protocol. Therefore, you need to configure the use of SSL for the connections where user authentication takes place. The AS Java enables you to use SSL, or user authentication with certificates, when users access the AS Java applications with or without an intermediary gateway proxy server.
For more information, see Using SSL With an Intermediary Server .
The AS Java enables you to authenticate users with client certificates using the following configuration scenarios:
The integrity and confidentiality of the authentication credentials is provided using the SSL protocol and PKI technology. In addition, users can produce digital signatures using the client certificates to establish higher levels of trust and non-repudiation for business transactions.
Once users receive their client certificates from the CA, they can use them to access applications and passwords are no longer used for authentication purposes. Users can also use their certificates for secure access to other Intranet or Internet services.
To use X.509 client certificates on the AS Java, you need to make the following configuration settings:
To allow use of the certificate for proper authentication, you have to configure a property ume.logon.allow_cert. This property is used when an HTTP logon page contains a link to an HTTPS page that permits certificate authentication. To modify this property, choose SAP NetWeaver Administrator → Authentication and Single Sign-On → Properties.When this property is selected, the logon URL link of the certificate is displayed on the logon page. On the certificate logon page, users can map their certificates to their user IDs. As a result, the authentication is performed using the user certificate instead of user name and password.
To perform this configuration, choose SAP NetWeaver Administrator → Configuration Management → SSL. You can make these settings in the Client Authentication Mode column of the SSL Access Points table.
That means the user certificates must be signed by one or more CAs.
For more information about configuring user mappings, see Modifying Client Certificate Authentication Options .
To add the login module, follow these steps:
The selection of a flag depends on the specific scenario. For example, if you set ClientCertLoginModulewith the flag SUFFICIENT, and BasicPasswordLoginModulewith flag REQUIRED, the system will try to authenticate the user with the ClientCertLoginModule. If the authentication with this module is not successful, the system will use the next module BasicPasswordLoginModule. For more information about the use of the flags, see Policy Configurations and Authentication Stacks .
For more information about the configuration activities for using X.509 client certificates for AS Java authentication, see the following sections:
Information about configuring client certificate authentication in scenarios where users access the AS Java directly or through an intermediary proxy server that tunnels the connection without terminating it.
Information about scenarios where users access the AS Java through an intermediary server that terminates the connection.
Information about how to use certificate revocation lists (CRLs) on the AS Java to make sure that a given certificate has not been revoked by the issuing Certification Authority (CA).
If you are using authentication with client certificates in the portal, you can configure what happens when users log off from the portal. By default, they are redirected to the default logon screen after they log off. If the portal is set up to use client certificates, they are automatically logged on again, so it is impossible for them to log off the portal. To prevent this, you can redirect them to a screen other than the default logon screen after they log off the portal. For more information, see SAP Note 696294 .