Show TOC

Configuring the Use of Client Certificates for AuthenticationLocate this document in the navigation structure


  • The AS Java is configured to support SSL with the given certificates. For more information, see Transport Layer Security on the AS Java .

  • The root certificates of the client certificates' Certification Authorities (CAs) either exists in a keystore view of the AS Java Key Storage or are available in the file system as a DER-encoded or Base-64-encoded certificate.


Use this procedure to configure the use of client certificates for authentication when users access the AS Java using an end-to-end connection.

For cases where they access the server via an intermediary proxy server that terminates the connection, see Configuring the Use of Client Certificates via an Intermediary Server .


Client certificates enable you to authenticate users without the need for a user name and a password provided from a logon screen. Therefore, you can also use client certificates for integrating the AS Java in Single Sign-On environments.

When using client certificates for user authentication, the AS Java uses the certificate information to determine the user's identity.

The algorithm for determining the user ID can be configured by specifying rules. Each of these rules can include several configuration options and, using filters, be restricted to apply only to certain certificates. In addition, each rule specifies the mechanism to use to determine the mapping between the certificate matching this restriction and the user ID for the authenticating user.

You can configure the use of the following mechanisms to establish the user ID associated with a client certificate during the logon process:

  • The AS Java can match the provided certificate to a client certificate stored for the user ID in the AS Java user data store.

  • The AS Java can determine the user ID directly from the fields in the client certificate.


  1. Using the Key Storage management functions of the SAP NetWeaver Administrator, place the root certificates for each of the client certificates CAs as a CERTIFICATE entry in the ICM_SSL_ < instance_ID > view.

    If the certificate already exists in another Key Storage view on the AS Java, you can copy the existing certificate entry to the corresponding view. Alternatively, if the certificate exists as a file in your file system, you can import it to the AS Java Key Storage. For more information, see Using the AS Java Key Storage .

  2. Using the VCLIENT profile parameter of ICM for the AS Java, select whether the AS Java should:

    • Request (but not require) that the user presents a client certificate for authentication.

    • Require that client certificates are to be used for authentication.

    For more information, see icm/server_port_<xx> and Maintaining ICM parameters for Using SSL .

  3. Configure the ClientCertLoginModule for establishing the AS Java user ID from the client certificate and filtering provided certificates.

    For more information, see Modifying Client Certificate Authentication Options .

  4. Adjust the login module stacks and configure the login modules for those applications that accept client certificates as the authentication mechanism.


The selected applications accept client certificates for user authentication.