
Using X.509 Client Certificates on SAP NetWeaver AS for Java

In addition to using SSL for encrypting connections, you can use SSL and X.509 client certificates to authenticate client or user access requests for SAP NetWeaver AS for Java applications.

Prerequisites

  • Users possess valid X.509 client certificates issued by a trusted CA.

  • The user's client certificates are imported into their client system's Web browsers.

  • SAP NetWeaver AS for Java is configured to support HTTPS connections and SSL.

    For more information, see Configuring the Use of SSL on the AS Java.

Context

When using client certificates, authentication takes place transparently for the user within the underlying SSL security protocol. Therefore, you can use authentication with client certificates to integrate SAP NetWeaver AS for Java into a Single Sign-On environment.

Integration

Public-Key Infrastructure / Trust Center Services

Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI). If you do not have an established PKI, you can use a Trust Center Service to obtain certificates.

For more information about PKI, see Public-Key Technology.

SSL

When using client certificates, users are authenticated at the communication protocol level using the SSL protocol. Therefore, you need to configure the use of SSL for the connections where user authentication takes place. SAP NetWeaver AS for Java enables you to use SSL, or user authentication with certificates, when users access the AS Java applications with or without an intermediary gateway proxy server.

For more information, see Using SSL With an Intermediary Server.

Features

SAP NetWeaver AS for Java enables you to authenticate users with client certificates using the following configuration scenarios:

  • You can store client certificates for users from the Identity Management functions of SAP NetWeaver AS for Java and authenticate access based on the user-certificate mapping in the UME data source of SAP NetWeaver AS for Java.

  • Alternatively, you can configure rules for login with client certificates and authenticate user access directly from the certificate information. For this scenario, you do not need to store the certificate information for users.

The integrity and confidentiality of the authentication credentials are provided by the SSL protocol and PKI technology. In addition, users can produce digital signatures with their client certificates to establish higher levels of trust and non-repudiation for business transactions.

Once users receive their client certificates from the CA, they can use them to access applications, and passwords are no longer used for authentication. Users can also use their certificates for secure access to other Intranet or Internet services.

Procedure

  1. Allow use of the certificate

    To allow use of the certificate for proper authentication, you have to configure the property ume.logon.allow_cert. This property is used when an HTTP logon page contains a link to an HTTPS page that permits certificate authentication. To modify this property, choose SAP NetWeaver Administrator > Authentication and Single Sign-On > Properties. When this property is selected, the certificate logon URL link is displayed on the logon page. On the certificate logon page, users can map their certificates to their user IDs. As a result, authentication is performed using the user certificate instead of user name and password.

  2. Configure SSL so that X.509 user certificates are in a trusted relationship with the SSL server certificates.
    • For the configuration of a port, you need to define whether the system merely requests a client certificate or requires one.

      To perform this configuration, choose SAP NetWeaver Administrator > Configuration Management > SSL. You can make these settings in the Client Authentication Mode column of the SSL Access Points table.

    • You have to configure the CA certificates for the respective port so that the system can accept user certificates issued by specific CAs.

      That means the user certificates must be signed by one of the CAs configured for that port.

    • The root CA certificate must be present in the table on the Trusted CAs tab.

  3. Configure appropriate user mapping using the ClientCertLoginModule options.

    For more information about configuring user mappings, see Modifying Client Certificate Authentication Options.

  4. Add the ClientCertLoginModule to the authentication stack.

    To add the login module, follow these steps:

    1. Choose SAP NetWeaver Administrator > Authentication and Single Sign-On > Components.
    2. Select the Policy Configuration Name.
    3. Choose the Edit button.
    4. On the Authentication Stack tab, add ClientCertLoginModule with a Necessary flag.
      Note

      The selection of a flag depends on the specific scenario. For example, if you set ClientCertLoginModule with the flag SUFFICIENT and BasicPasswordLoginModule with the flag REQUIRED, the system first tries to authenticate the user with the ClientCertLoginModule. If authentication with this module is not successful, the system continues with the next module, BasicPasswordLoginModule.

      For more information about the use of the flags, see Policy Configurations and Authentication Stacks.
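The stack behaviour described in the note (ClientCertLoginModule as SUFFICIENT before BasicPasswordLoginModule as REQUIRED) and the certificate-subject-to-user mapping of step 3, as an added simulation; this is not SAP code and calls no SAP API. The two login modules are stand-ins, the CN mapping rule and the user store are constructed, and the flag semantics are those of JAAS (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL), on which the AS Java login modules are based.

```python
# Added example (not SAP code, no SAP API): how an authentication stack like the
# one configured above evaluates its login modules under JAAS flag semantics.

def user_from_subject(subject_dn, attribute="CN"):
    """Step 3 stand-in: take the user ID from one subject attribute, e.g. the CN
    of 'CN=jdoe,OU=Sales,O=ACME'. Hypothetical mapping rule, not an SAP option."""
    for part in subject_dn.split(","):
        name, _, value = part.strip().partition("=")
        if name.strip().upper() == attribute.upper() and value.strip():
            return value.strip()
    return None

def client_cert_login(ctx):
    """ClientCertLoginModule stand-in: succeeds only if the SSL layer delivered a
    client certificate whose subject maps to a user ID."""
    subject = ctx.get("client_cert_subject")
    return user_from_subject(subject) if subject else None

def basic_password_login(ctx):
    """BasicPasswordLoginModule stand-in backed by a constructed user store."""
    users = {"jdoe": "s3cret"}  # constructed sample credentials
    user = ctx.get("user")
    return user if user and users.get(user) == ctx.get("password") else None

def run_stack(stack, ctx):
    """Evaluate (name, flag, module) triples top-down with JAAS flag semantics:
    REQUIRED must succeed but evaluation continues; REQUISITE must succeed or
    evaluation stops; SUFFICIENT success ends evaluation unless a REQUIRED module
    already failed. Returns (authenticated, user ID, modules actually invoked)."""
    invoked, user, required_failed, any_ok = [], None, False, False
    for name, flag, module in stack:
        invoked.append(name)
        result = module(ctx)
        ok = result is not None
        any_ok, user = any_ok or ok, user or result
        if flag == "REQUISITE" and not ok:
            return False, None, invoked
        if flag == "REQUIRED" and not ok:
            required_failed = True
        if flag == "SUFFICIENT" and ok and not required_failed:
            return True, user, invoked  # later modules (the password prompt) never run
    success = any_ok and not required_failed
    return success, (user if success else None), invoked

# The stack from the note above: certificate first, password only as fallback.
CERT_THEN_PASSWORD = [
    ("ClientCertLoginModule", "SUFFICIENT", client_cert_login),
    ("BasicPasswordLoginModule", "REQUIRED", basic_password_login),
]
```

Swapping the ClientCertLoginModule flag to REQUIRED makes a certificate mandatory: a correct password alone then no longer authenticates the user.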

Results

For more information about the configuration activities for using X.509 client certificates for SAP NetWeaver AS for Java authentication, see the following sections:

  • Configuring the Use of Client Certificates for Authentication

    Information about configuring client certificate authentication in scenarios where users access SAP NetWeaver AS for Java directly or through an intermediary proxy server that tunnels the connection without terminating it.

  • Using Client Certificates via an Intermediary Server

    Information about scenarios where users access SAP NetWeaver AS for Java through an intermediary server that terminates the connection.

  • Enabling Certificate Revocation

    Information about how to use certificate revocation lists (CRLs) on SAP NetWeaver AS for Java to make sure that a given certificate has not been revoked by the issuing Certification Authority (CA).

    Note

    If you are using authentication with client certificates in the portal, you can configure what happens when users log off from the portal. By default, they are redirected to the default logon screen after they log off. If the portal is set up to use client certificates, they are automatically logged on again, so it is impossible for them to log off the portal. To prevent this, you can redirect them to a screen other than the default logon screen after they log off the portal. For more information, see SAP Note 696294.