Administration When Using X.509 Client Certificates 
For access to SAP systems that use a Web-based frontend (for example, Web Dynpro or SAP GUI for HTML) you can use the Secure Sockets Layer (SSL) protocol client certificates for client or user authentication. The authentication takes place using the underlying protocols and no user intervention is necessary, which also provides for a Single Sign-On environment.
Tools
AS ABAP: Table maintenance (transaction SM30)
AS Java: Key Storage service
Prerequisites
The use of SSL and client certificates is configured on the systems. For more information, see:
Tasks on Demand
The tasks involved when using client certificates for user authentication are also primarily configuration tasks. The tasks that are occasionally necessary are shown in the table below.
Administrative Tasks when Using Client Certificates
Reason |
Task |
More Information |
Maintain the user's certificate information |
AS ABAP: Maintain the mapping in table USREXTID AS Java: There are several options:
|
AS ABAP: None AS Java: Maintaining the User's Certificate Information and Attribute Mapping for Client Certificates |
Renewing a user's certificate |
If the user's Distinguished Name changed, then you must adjust the mapping entry or re-import the user's certificate accordingly. |
See the policy provided by the Certification Authority (CA) that issued the user certificate. |
Renewing a server certificate |
AS ABAP: Generate a certificate request, send it to the CA, import the certificate request response. AS Java: Generate a certificate request, send it to the CA, and import the response. See step 4 in Creating the Server's Key Pair to Use for SSL. |
See the policy provided by the CA that issued the server certificate. |
See also: