Administration When Using X.509 Client Certificates

Use

For access to SAP systems that use a Web-based frontend (for example, Web Dynpro or SAP GUI for HTML), you can use client certificates with the Secure Sockets Layer (SSL) protocol for client or user authentication. The authentication takes place in the underlying protocols and requires no user intervention, which also provides a Single Sign-On environment.

Tools

AS ABAP: Table maintenance (transaction SM30)

AS Java: Key Storage service

Prerequisites

The systems have been configured for the use of SSL and client certificates.

For more information, see:

Tasks on Demand

The tasks involved when using client certificates for user authentication are primarily configuration tasks. The table below lists the tasks.

Reason: Maintain the user's certificate information

Task:

AS ABAP: Maintain the mapping in the USREXTID table.

AS Java: There are several options:

  • The user maps his or her own certificate.

  • You import the certificate of the user into the key storage service.

  • The user's certificate is stored in an LDAP directory server and you use the corresponding attribute mapping.

More Information:

AS ABAP: Configuring the AS ABAP for Supporting SSL

AS Java: Maintaining the User's Certificate Information and Attribute Mapping for Client Certificates

Reason: Renewing a user's certificate

Task:

If the user's Distinguished Name changed, then you must adjust the mapping entry or reimport the user's certificate accordingly.

More Information:

See the policy provided by the Certification Authority (CA) that issued the user certificate.

Reason: Renewing a server certificate

Task:

AS ABAP:

  1. Generate a certificate request.

    For more information, see Generating Certificate Requests for the SSL Server PSEs.

  2. Send it to the CA.

    For more information, see Sending the Certificate Requests to a CA.

  3. Import the certificate request response.

    For more information, see Importing the Certificate Request Response.

AS Java:

  1. Generate a certificate request.

  2. Send it to the CA.

  3. Import the response.

    See step 4 in Configuring the SSL Key Pair and Trusted X.509 Certificates.

More Information:

See the policy provided by the CA that issued the server certificate.
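The check behind "Renewing a user's certificate", as an added example that is not SAP code: it compares each renewed certificate's subject Distinguished Name with the currently mapped one and reports which mapping entries need adjusting. The function names, status labels and sample data are constructed for illustration, and because this page does not say how the system compares Distinguished Names, entries that differ only in spelling (case, spacing) are reported separately rather than treated as unchanged.

```python
def split_rdns(dn):
    """Split a DN string on commas that are not backslash-escaped."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if ch == "," and not esc:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        esc = (ch == "\\") and not esc
    return parts + [cur]

def normalize_dn(dn):
    """Uppercase attribute types; collapse whitespace and case in values."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip().upper(), " ".join(value.split()).casefold()))
    return tuple(rdns)

def review_renewals(mappings, renewed):
    """Return {user: status} for each renewed certificate subject."""
    report = {}
    for user, cert_dn in renewed.items():
        mapped = mappings.get(user)
        if mapped is None:
            report[user] = "no-mapping"      # user has no mapping entry yet
        elif mapped == cert_dn:
            report[user] = "unchanged"       # identical string, nothing to do
        elif normalize_dn(mapped) == normalize_dn(cert_dn):
            report[user] = "format-differs"  # same name, different spelling
        else:
            report[user] = "changed"         # adjust mapping or reimport
    return report

# Constructed sample data (assumption): user -> DN pairs, not a real export.
MAPPINGS = {
    "JDOE": "CN=John Doe, OU=Sales, O=Example Corp, C=DE",
    "ASMITH": "CN=Alice Smith, OU=IT, O=Example Corp, C=DE",
    "BLEE": "CN=Lee\\, Bob, OU=HR, O=Example Corp, C=DE",
}
RENEWED = {
    "JDOE": "CN=John Doe, OU=Sales, O=Example Corp, C=DE",
    "ASMITH": "CN=Alice Smith, OU=Security, O=Example Corp, C=DE",
    "BLEE": "cn=Lee\\, Bob,OU=HR,O=Example Corp,C=DE",
    "CNEW": "CN=Chris New, OU=IT, O=Example Corp, C=DE",
}
```

Calling `review_renewals(MAPPINGS, RENEWED)` returns one status per renewed certificate; review "format-differs" entries by hand rather than assuming they still match.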

More Information