Client Certificate Logon for SAP GUI
The SAP GUI enables you to use X.509 client certificates for user logon to AS ABAP systems. You can use X.509 client certificates to enable secure authentication instead of using the traditional user ID and password-based authentication.
X.509 client certificate authentication enables you to protect access to the AS ABAP with a standards-based authentication mechanism that facilitates bulk administration of access protection. When using client certificates for authentication, SAP GUI users are logged on to the AS ABAP transparently, without the need to interactively enter a user ID and a password for system access. In addition, the authentication credentials are protected during their transport over the network due to the use of public-key technology in X.509 client certificates.
-
To use client certificates for authentication, the AS ABAP system must be enabled to use Secure Network Communications (SNC). SNC provides a Generic Security Services API (GSS API) to use SAP NetWeaver Single Sign-On or an external security product to perform the authentication between the communication partners, for example between the SAP GUI for Windows and the AS ABAP.
To use SNC for authentication, you must use SAP NetWeaver Single Sign-On or an external security product certified by the SAP Partner Program.
For more information, see Secure Network Communications (SNC).
-
Users need to receive their client certificates from a Certification Authority (CA), using a Public Key Infrastructure (PKI). If you do not have an established PKI then you can use a Trust Center Service to obtain certificates.
For more information about client certificates and PKI, see Public-Key Technology.
Security Considerations
The security measures you need to take depend on the security product that you use and the type of infrastructure that it supports. For example, if the security product uses public-key technology, then you need a public-key infrastructure (PKI).
You need to define procedures for generating and distributing the key pairs for the users and system components and you need to make sure their private keys are stored in a secure location.
Protecting Private Keys
To prevent misuse of the private keys, you must ensure that they are stored in a secure place. There are two methods of storing private keys. They are:
-
Hardware solutions (for example, smart cards or crypto boxes)
-
Software solutions (for example, Personal Security Environments or PKCS#12 format)
Hardware Solutions
A solution that offers a high degree of protection for the private keys of AS ABAP users is to use smart cards that you issue to each individual user. The keys are saved on the card, and the card is designed to never reveal the private key. Users have to authenticate themselves to their cards, either using biometrics (for example, a fingerprint) or knowledge (for example, a PIN, password or pass phrase entry) and can then use the card to create digital signatures or to encrypt documents. In this case, each user needs to protect his or her smart card from theft or loss.
We recommend that you do not allow your users to share smart cards or give them to others to use.
On the server, you can use a cryptographic secure storage instead of a smart card for higher performance.
Software Solutions
As an alternative, you can also use a software solution to store the private keys of users. The software solution is not as safe as the use of hardware solutions, however, it is less expensive to implement. If you use files to store the users' information and private keys, then you need to take extra care in protecting the files from unauthorized access. For example, you can require that the user enters a password for each access request to the private key.
For more information about configuring the use of client certificates for SAP GUI authentication, see Single Sign-On with Client Certificates.