In addition to using SSL for encrypting connections, you can use SSL and X.509 client certificates to authenticate client or user access requests for SAP NetWeaver AS for Java applications.
Users possess valid X.509 client certificates issued by a trusted CA.
The users' client certificates are imported into the Web browsers on their client systems.
SAP NetWeaver AS for Java is configured to support HTTPS connections and SSL.
For more information, see Configuring the Use of SSL on the AS Java.
When using client certificates, authentication takes place transparently for the user with the underlying SSL security protocol. Therefore, you can use authentication with client certificates to integrate SAP NetWeaver AS for Java into a Single Sign-On environment.
Integration
Public-Key Infrastructure / Trust Center Services
Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI). If you do not have an established PKI, you can use a Trust Center Service to obtain certificates.
For more information about PKI, see Public-Key Technology.
SSL
When using client certificates, users are authenticated at the communication protocol level using the SSL protocol. Therefore, you need to configure the use of SSL for the connections where user authentication takes place. SAP NetWeaver AS for Java enables you to use SSL, or user authentication with certificates, when users access the AS Java applications with or without an intermediary gateway proxy server.
For more information, see Using SSL With an Intermediary Server.
Features
SAP NetWeaver AS for Java enables you to authenticate users with client certificates using the following configuration scenarios:
You can store client certificates for users from the Identity Management functions of SAP NetWeaver AS for Java and authenticate access based on the user-certificate mapping in the UME data source of SAP NetWeaver AS for Java.
Alternatively, you can configure rules for login with client certificates and authenticate user access directly from the certificate information. For this scenario, you do not need to store the certificate information for users.
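The two scenarios above differ in what the server trusts: a stored per-user certificate, or a rule applied to the certificate's contents. The following sketch is an added example, not SAP code and not the AS Java implementation; the fingerprint-keyed store, the issuer check, the method names and all sample values are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CertLoginModes {
    // Hypothetical helper: SHA-256 fingerprint of the encoded certificate, as lowercase hex.
    static String fingerprint(byte[] certDer) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(certDer);
        return String.format("%064x", new BigInteger(1, digest));
    }

    // Scenario 1 (assumed storage model): the certificate must already be stored for a user.
    static Optional<String> byStoredMapping(Map<String, String> store, byte[] certDer)
            throws NoSuchAlgorithmException {
        return Optional.ofNullable(store.get(fingerprint(certDer)));
    }

    // Scenario 2 (assumed rule): nothing is stored, so the rule pins the issuer
    // and derives the user ID from one subject attribute (first attribute of each RDN).
    static Optional<String> byRule(String subjectDn, String issuerDn, String trustedIssuerDn,
                                   String attr) throws InvalidNameException {
        if (!new LdapName(issuerDn).equals(new LdapName(trustedIssuerDn))) return Optional.empty();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if (rdn.getType().equalsIgnoreCase(attr)) return Optional.of(rdn.getValue().toString());
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; a real server takes these from the SSL-verified client certificate.
        byte[] certDer = "constructed stand-in for DER bytes".getBytes(StandardCharsets.UTF_8);
        String subject = "CN=jdoe,OU=Sales,O=Example Corp,C=DE";
        String issuer = "CN=Example Issuing CA,O=Example Corp,C=DE";
        Map<String, String> store = new HashMap<>();
        store.put(fingerprint(certDer), "JDOE");

        System.out.println(byStoredMapping(store, certDer));       // certificate stored for a user
        System.out.println(byStoredMapping(store, new byte[]{1})); // unknown certificate
        System.out.println(byRule(subject, issuer, issuer, "CN")); // issuer matches the rule
        System.out.println(byRule(subject, "CN=Other CA,O=Example Corp,C=DE", issuer, "CN"));
    }
}
```

In the rule-based variant no per-user record exists to compare against, so the outcome depends entirely on which issuers the rule accepts and which subject attribute it reads.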
The integrity and confidentiality of the authentication credentials are provided using the SSL protocol and PKI technology. In addition, users can produce digital signatures using the client certificates to establish higher levels of trust and non-repudiation for business transactions.
Once users receive their client certificates from the CA, they can use them to access applications, and passwords are no longer used for authentication purposes. Users can also use their certificates for secure access to other Intranet or Internet services.
For more information about the configuration activities for using X.509 client certificates for SAP NetWeaver AS for Java authentication, see the following sections:
Configuring the Use of Client Certificates for Authentication
Information about configuring client certificate authentication in scenarios where users access SAP NetWeaver AS for Java directly or through an intermediary proxy server that tunnels the connection without terminating it.
Information about scenarios where users access SAP NetWeaver AS for Java through an intermediary server that terminates the connection.
Information about how to use certificate revocation lists (CRLs) on SAP NetWeaver AS for Java to make sure that a given certificate has not been revoked by the issuing Certification Authority (CA).
If you are using authentication with client certificates in the portal, you can configure what happens when users log off from the portal. By default, they are redirected to the default logon screen after they log off. If the portal is set up to use client certificates, they are automatically logged on again, so it is impossible for them to log off the portal. To prevent this, you can redirect them to a screen other than the default logon screen after they log off the portal. For more information, see SAP Note 696294.