Show TOC

 Using X.509 Client Certificates on the AS JavaLocate this document in the navigation structure


In addition to using SSL for encrypting connections, you can use SSL and X.509 client certificates to authenticate client or user access requests for AS Java applications.

When using client certificates, authentication takes places transparently for the user with the underlying SSL security protocol. Therefore, you can use authentication with client certificates to integrate the AS Java into a Single Sign-On environment.


Public-Key Infrastructure

Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI).

For more information about PKI, see Public-Key Technology .


When using client certificates, users are authenticated at the communication protocol level using the SSL protocol. Therefore, you need to configure the use of SSL for the connections where user authentication takes place. The AS Java enables you to use SSL, or user authentication with certificates, when users access the AS Java applications with or without an intermediary gateway proxy server.

For more information, see Using SSL With an Intermediary Server .

  • Users possess valid X.509 client certificates issued by a trusted CA.
  • There must be an SAP Cryptographic Library installed. You can also use the SSL plug-in. For more information, see Installing the SAP Cryptographic Library for SSL .
  • The user's client certificates are imported into their client system's Web browsers.
  • The AS Java is configured to support HTTPS connections and SSL. For more information, see Configuring the Use of SSL on the AS Java .

The AS Java enables you to authenticate users with client certificates using the following configuration scenarios:

  • You can store client certificates for users from the Identity Management functions of the AS Java and authenticate access based on the user-certificate mapping in the UME data source of the AS Java.
  • Alternatively, you can configure rules for login with client certificates and authenticate user access directly from the certificate information. For this scenario, you do not need to store the certificate information for users.

The integrity and confidentiality of the authentication credentials is provided using the SSL protocol and PKI technology. In addition, users can produce digital signatures using the client certificates to establish higher levels of trust and non-repudiation for business transactions.

Once users receive their client certificates from the CA, they can use them to access applications and passwords are no longer used for authentication purposes. Users can also use their certificates for secure access to other Intranet or Internet services.


To use X.509 client certificates on the AS Java, you need to make the following configuration settings:

  1. Allow use of the certificate.

    To allow use of the certificate for proper authentication, you have to configure a property ume.logon.allow_cert. This property is used when an HTTP logon page contains a link to an HTTPS page that permits certificate authentication. To modify this property, choose SAP NetWeaver Administrator → Authentication and Single Sign-On → Properties.When this property is selected, the logon URL link of the certificate is displayed on the logon page. On the certificate logon page, users can map their certificates to their user IDs. As a result, the authentication is performed using the user certificate instead of user name and password.

  2. Configure SSL so that X.509 user certificates are in a trusted relationship with the SSL server certificates.
    • For the configuration of a port, you need to define whether the system asks for a certificate or uses it as required.

      To perform this configuration, choose SAP NetWeaver Administrator → Configuration Management → SSL. You can make these settings in the Client Authentication Mode column of the SSL Access Points table.

    • You have to configure the CA certificates for the respective port so that the system can accept user certificates issued by specific CAs.

      That means the user certificates must be signed by one or more CAs.

    • The root CA certificate must be present in the table on the Trusted CAs tab.
  3. Configure appropriate user mapping using the ClientCertLoginModule options.

    For more information about configuring user mappings, see Modifying Client Certificate Authentication Options .

  4. Add the ClientCertLoginModule to the authentication stack.

    To add the login module, follow these steps:

    1. Choose SAP NetWeaver Administrator → Authentication and Single Sign-On → Components.
    2. Select the Policy Configuration Name.
    3. Choose the Editbutton
    4. On the Authentication Stacktab, add ClientCertLoginModulewith a necessary flag.

      The selection of a flag depends on the specific scenario. For example, if you set ClientCertLoginModulewith the flag SUFFICIENT, and BasicPasswordLoginModulewith flag REQUIRED, the system will try to authenticate the user with the ClientCertLoginModule. If the authentication with this module is not successful, the system will use the next module BasicPasswordLoginModule. For more information about the use of the flags, see Policy Configurations and Authentication Stacks .

See Also

For more information about the configuration activities for using X.509 client certificates for AS Java authentication, see the following sections:

  • Configuring the Use of Client Certificates for Authentication

    Information about configuring client certificate authentication in scenarios where users access the AS Java directly or through an intermediary proxy server that tunnels the connection without terminating it.

  • Using Client Certificates via an Intermediary Server

    Information about scenarios where users access the AS Java through an intermediary server that terminates the connection.

  • Enabling Certificate Revocation 

    Information about how to use certificate revocation lists (CRLs) on the AS Java to make sure that a given certificate has not been revoked by the issuing Certification Authority (CA).


    If you are using authentication with client certificates in the portal, you can configure what happens when users log off from the portal. By default, they are redirected to the default logon screen after they log off. If the portal is set up to use client certificates, they are automatically logged on again, so it is impossible for them to log off the portal. To prevent this, you can redirect them to a screen other than the default logon screen after they log off the portal. For more information, see SAP Note 696294 Information published on SAP site.