Using the Web Administration Interface with X.509 Certificate
You can set up the administration for the ICM and the SAP Web dispatcher from the browser. SAP recommends you use the Web administration with X.509 client certificates (with SSL). This is much more secure and the logon popup is omitted when the Web administration is first called up.
The configuration of the ICM and Web dispatcher must fulfill the following conditions.
SSL
-
ICM or Web Dispatcher have configured SSL and have openend an HTTPS port.
-
For the HTTPS port the value of icm/HTTPS/verify_client must be 1 or 2 (server must ask for the client certificate).
-
The user has a client certificate that the server accepts; the CA which has issued the client certificate must be trusted.
Web Administration Interface
You have set up the Web administration interface as described in Setting Up the Web Administration Interface.
Enter the client certificate belonging to the user in the authentication file (standard name icmauth.txt). In the file there is an optional column at the end for this.
More information: icm/HTTP/auth_<xx>.
binadm:$apr1$/iTOQ...$s9FZ5iYn7KA4f6HhCjHJu/:user
icmadm:$apr1$zO.S6/..$D6cx7JNx102MDmYeFKSSL1:admin:CN=Muster , *
In this column enter the distinguished name (DN) as it stands in the client certificate. In the browser this is often entered as the “subject” of the client certificate. As you can see in the example, the wildcards ? and * are used to specify the certificate.
For instance, the distinguished name of the client certificate could have the following value in full: CN=Muster, O=SAP AG, C=DE
When you set icmon -a or wdispmon -a in the authentication file, you can change the DN of the client certificate as well as the password and group of an existing user.
If you want a user to be able to log on only with the X.509 client certificate, you can enter an x as the password (for queries), which makes the following entry (in the example) in file:
icmadm:x:admin:CN=muster,*