
SSL Scenario 2: Establishing Trust for Mutual Authentication

To establish trust for mutual authentication, first establish server-side authentication as described in SSL scenario 1. In addition, establish trust for the client side.

To do this:

  • Make sure the server trusts the client's public-key certificate. As with the server, the client can use either a self-signed certificate or one that has been issued by a CA. If the client's certificate is self-signed, then the server must have access to the client's certificate to verify its identity. If the client's certificate has been issued by a CA, then the server must have access to the CA's root certificate. By trusting the CA, the server can verify the identity of many clients without having access to each client certificate. This reduces administrative overhead.

  • The server must be able to determine the user ID that is to be used for the connection, for example, by using a user mapping table.

The figure below shows an example of establishing mutual authentication between a Web browser client and SAP NetWeaver Application Server for ABAP, using certificates that are signed by a CA. The root certificate of the CA that issued the certificate for SAP NetWeaver Application Server for ABAP is imported into the trusted root CA certificate store in the Web browser. The root certificate of the CA that issued the Web browser client's (or user's) certificate is imported into the certificate list in the SSL server PSE of SAP NetWeaver Application Server for ABAP.

Figure 1: Establishing Trust Between a Web Browser Client and SAP NetWeaver Application Server for ABAP (Mutual Authentication)
Note

The same process applies for SAP NetWeaver AS for Java except that the certificate list on SAP NetWeaver AS for Java is in the keystore view service_ssl in the entry ssl-credentials.

In addition, when a user accesses SAP NetWeaver Application Server, the server must be able to determine the user ID based on the user's Distinguished Name as contained in the certificate. For this mapping:

  • SAP NetWeaver Application Server for ABAP uses the mapping table USREXTID.

  • SAP NetWeaver AS for Java uses options set in the ClientCertLoginModule.
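The two server-side steps described above, trusting the client CA's root certificate and mapping the certificate's Distinguished Name to a user ID, as an added example in Python's standard ssl module; this is illustration code, not SAP's implementation, and the file paths, the sample certificate data and the mapping table are constructed for the example. The mapping is keyed on issuer DN and subject DN together, since a subject DN alone can be re-issued by a different CA.

```python
import ssl

# Abbreviations for the attribute-type names that getpeercert() returns.
_SHORT = {
    "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
    "organizationName": "O", "organizationalUnitName": "OU",
    "commonName": "CN", "emailAddress": "emailAddress",
}

def dn_string(name):
    """Render a 'subject' or 'issuer' value from ssl.SSLSocket.getpeercert()
    (a tuple of RDNs, each a tuple of (type, value) pairs, in certificate
    order) as an RFC 4514-style string, most specific RDN first."""
    rdns = []
    for rdn in reversed(name):
        rdns.append("+".join(f"{_SHORT.get(t, t)}={v.strip()}" for t, v in rdn))
    return ",".join(rdns)

# Constructed mapping table standing in for a user mapping table such as
# USREXTID: keyed by (issuer DN, subject DN) so that an identically named
# subject certified by a different CA does not map to the same user.
USER_MAPPING = {
    ("CN=Example Client CA,O=Example Org,C=DE",
     "CN=John Doe,OU=Sales,O=Example Org,C=DE"): "JDOE",
}

def user_id_for_peer(peercert, mapping=USER_MAPPING):
    """Return the user ID mapped to the client certificate, or None.
    peercert is the dict returned by sock.getpeercert(); it is only populated
    when the context required and verified a client certificate."""
    if not peercert:  # no client certificate presented or verified
        return None
    key = (dn_string(peercert["issuer"]), dn_string(peercert["subject"]))
    return mapping.get(key)

def server_context(server_cert, server_key, client_ca_file):
    """Server-side SSLContext for mutual authentication: the server's own
    certificate chain plus the trusted client CA root, with a client
    certificate required (the analogue of the certificate list in the SSL
    server PSE). The file paths are assumptions of this example."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_cert, server_key)
    ctx.load_verify_locations(cafile=client_ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

# Constructed sample in the shape getpeercert() returns (certificate order).
SAMPLE_PEERCERT = {
    "issuer": ((("countryName", "DE"),), (("organizationName", "Example Org"),),
               (("commonName", "Example Client CA"),)),
    "subject": ((("countryName", "DE"),), (("organizationName", "Example Org"),),
                (("organizationalUnitName", "Sales"),), (("commonName", "John Doe"),)),
}
```

A connection whose client certificate verifies but has no mapping entry returns None and should be rejected rather than given a default user.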