
Configuring the AS Java to Use Certificate Enrollment

Use

When using X.509 client certificates for authentication in your system, you can simplify the task of distributing certificates to users by using the SAP Trust Center Service. With this feature, users receive their SAP Passport (X.509 client certificate) over the Internet directly from the SAP Trust Center Service.

Prerequisites

·  The AS Java is configured to use the Secure Sockets Layer (SSL) protocol and X.509 client certificates for authentication.

·  You are familiar with the RA certificate policy. In particular, you must know the format to use for the server's Distinguished Name.

More information: See the document at http://service.sap.com/TCS → SAP Trust Center Services in Detail → SAP Passports in Your SAP Solution → CP - RA Certificate for SAP Passport via Customer's Solution, Section 8.2.

Procedure


1. Make sure the application properties are set correctly. You can find and modify these properties using the Config Tool under cluster_data → <template name> → instance <instance_number> (<host name>) → applications → sap.com → tc~sec~ra~app.

Note

You must change these properties using the Config Tool. You can only view them in the SAP NetWeaver Administrator.

The most important properties are shown in the table below.

Certificate Enrollment Application Properties

Property              | Description                                                                                          | Default Value
----------------------|------------------------------------------------------------------------------------------------------|----------------------
tcsra.RAKeystoreView  | Keystore view where the key pair is stored for signing the certificate requests.                     | DEFAULT
tcsra.RASigningKey    | Name of the entry in the keystore view that contains the key used to sign the certificate request.   | j2ee-ra
tcsra.myRAName        | Pattern to use to create the user's Distinguished Name.                                              | put_your_RA_name_here

If you keep the default value of tcsra.myRAName, the user's Distinguished Name uses the format provided in the AS Java's RA certificate.

Example

CN=<user ID>, OU=<Organization Unit>, O=SAP Trust Community, C=DE

Additional properties contain error messages.

2. Using the Key Storage service, create the key pair to use for signing. Note the following:

   - Create the key pair in the view specified by the property tcsra.RAKeystoreView, as indicated in the table above.

   - The entry for the key pair must have the name specified by the property tcsra.RASigningKey.

   - Specify DSA as the algorithm to use and 512 as the key length.

   - The elements of the Distinguished Name must follow the syntax specified in the SAP TCS certificate policy.

More information: Managing Key Storage Views and Managing Entries
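As an added illustration (not SAP code) of the Distinguished Name requirement in step 2 and of the tcsra.myRAName default described in the table above: a small Python helper that derives a user DN from the RA certificate's subject and checks a candidate DN against that format. The RA subject value, the RDN order, and the assumption that only CN (user ID) and OU vary between the RA certificate and a user certificate are constructed for this example.

```python
import re

# Constructed RA certificate subject in the format the page's example shows
# (assumption for this example, not a real SAP Trust Center Service value).
RA_CERT_SUBJECT = "CN=j2ee-ra, OU=Example Org Unit, O=SAP Trust Community, C=DE"

# Assumption: only CN and OU differ per user; O and C are fixed by the RA certificate.
VARIABLE_RDNS = ("CN", "OU")
ESCAPED_COMMA = "\\,"   # RFC 4514 escape for a comma inside an attribute value

def parse_dn(dn):
    """Split an RFC 4514 style DN into ordered (type, value) pairs; '\\,' escapes a comma."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):        # split only on unescaped commas
        attr_type, sep, value = part.strip().partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr_type.strip().upper(), value.strip().replace(ESCAPED_COMMA, ",")))
    return rdns

def format_dn(rdns):
    """Serialise (type, value) pairs back into the 'CN=..., OU=..., ...' form, re-escaping commas."""
    return ", ".join(f"{t}={v.replace(',', ESCAPED_COMMA)}" for t, v in rdns)

def build_user_dn(user_id, org_unit, ra_subject=RA_CERT_SUBJECT):
    """Derive a user's DN from the RA certificate's DN by substituting the per-user elements."""
    substitutions = {"CN": user_id, "OU": org_unit}
    return format_dn([(t, substitutions.get(t, v)) for t, v in parse_dn(ra_subject)])

def check_user_dn(user_dn, ra_subject=RA_CERT_SUBJECT):
    """Return policy violations as strings; an empty list means the DN matches the RA format."""
    user, ra = parse_dn(user_dn), parse_dn(ra_subject)
    user_types, ra_types = [t for t, _ in user], [t for t, _ in ra]
    if user_types != ra_types:
        # Same attribute types in the same order are required; stop here if they differ.
        return [f"RDN sequence {user_types} differs from RA certificate {ra_types}"]
    problems = []
    for (t, user_value), (_, ra_value) in zip(user, ra):
        if t not in VARIABLE_RDNS and user_value != ra_value:
            problems.append(f"{t}: expected {ra_value!r}, got {user_value!r}")
    return problems
```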

3. Create a certificate request for this key pair by choosing Generate CSR Request. Save the corresponding file as a PEM file.

4. Register the system with the SAP Trust Center Service according to the procedure specified in the SAP TCS certificate policy.

5. Send the request to the SAP Trust Center Services in a customer message under the component BC-SEC. The SAP TCS will verify the request and send a response.

6. Save this response to a local file and import it into the keystore entry used for the RA key pair. Choose Import CSR Response and follow the directions.

7. Set the UME property ume.logon.client_certificate_enroll to the appropriate value:

   - enforced

   - opt-in

   - opt-out

   - disabled

More information: Editing UME Properties

Result

The AS Java is able to sign certificate requests and send them to the SAP Trust Center Service. Users can therefore receive a client certificate to use for authentication directly at logon. If you set either opt-in or opt-out as the activation mode, the user sees a checkbox on the logon screen with which he or she can initiate the certificate request.
