
Using SAP Passports Provided by the SAP Trust Center Service

Use

When using X.509 client certificates for authentication on the AS Java, you can simplify the task of distributing certificates to users by using the SAP Trust Center Service (TCS).

When using this feature, users can get their client certificates automatically from the SAP TCS by calling the certificate request service. The AS Java then acts as a Registration Authority (RA) that approves the users’ certificate requests and sends them to the SAP TCS.

Integration

The certificate request service is integrated into the logon application on the AS Java. Depending on the configuration, the user can either choose to use the service at logon to get a certificate, or it can be enforced for all users.

The activation modes are defined as follows:

·        opt-in

By default, the AS Java will not request a certificate for a user at logon; however, the user can activate certificate enrollment on the logon page.

·        opt-out

By default, the AS Java requests a certificate for a user at logon (if it is not already available); however, the user can deactivate certificate enrollment on the logon page.

·        enforced

Certificate enrollment is enforced for all users. The user cannot deactivate it manually.

·        disabled

The user cannot receive a certificate from the SAP Trust Center Service. This is the default setting.

Prerequisites

Users have access to the Internet, and in particular, to the SAP Trust Center Service. The corresponding URL is https://tcs.mysap.com/invoke/tc/usercert.

Activities

Once this feature is activated, the process to obtain a certificate works as follows:

       1.      When the user logs on to the AS Java, he or she is authenticated using the authentication mechanism that is set up on the AS Java, for example, user ID and password.

       2.      Upon successful authentication of the user, the AS Java triggers the generation of the user’s public and private key pair by the Web browser.

       3.      The Web browser generates the user’s public and private key pair and the request for the SAP Passport.

       4.      The Web browser sends the certificate request to the AS Java.

       5.      The AS Java checks and approves the request by digitally signing it.

       6.      The AS Java then redirects the certificate request over the Web browser to the SAP Trust Center Service using the Internet.

       7.      The SAP Trust Center Service verifies the request, generates the SAP Passport and issues it to the user. The SAP Passport is stored in the user’s Web browser.

       8.      The AS Java maps the certificate to the user’s account, based on the configuration for using X.509 client certificates for authentication.

The user can then use his or her SAP Passport for subsequent logons to the AS Java (or other systems that accept it as the authentication mechanism).
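
The approval chain in steps 3 to 7, as an added Go example that is not SAP code: the registration authority signs a request only if its subject is the user who just authenticated, and the issuing side accepts only requests that carry that approval. The page does not describe the message format used between the AS Java and the SAP TCS, so the detached ECDSA signature over the PKCS#10 request, the function names and the user `jdoe` are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// newKey returns a P-256 key pair; it stands in for the browser's and the RA's keys.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// browserRequest (step 3): PKCS#10 request for cn, signed with the user's private key.
func browserRequest(key *ecdsa.PrivateKey, cn string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// raApprove (step 5): sign only a valid request whose subject is the logged-on user.
func raApprove(ra *ecdsa.PrivateKey, csrDER []byte, authUser string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil {
		return nil, fmt.Errorf("malformed request or failed proof of possession")
	}
	if csr.Subject.CommonName != authUser {
		return nil, fmt.Errorf("subject %q is not the authenticated user", csr.Subject.CommonName)
	}
	h := sha256.Sum256(csrDER)
	return ecdsa.SignASN1(rand.Reader, ra, h[:])
}

// caAccepts (step 7): the detached approval signature is an assumed format, not SAP's.
func caAccepts(raPub *ecdsa.PublicKey, csrDER, approval []byte) bool {
	h := sha256.Sum256(csrDER)
	return ecdsa.VerifyASN1(raPub, h[:], approval)
}

func main() {
	ra, _ := newKey()
	user, _ := newKey()
	csr, _ := browserRequest(user, "jdoe") // constructed sample user
	sig, err := raApprove(ra, csr, "jdoe")
	fmt.Println("approved:", err == nil, "accepted:", caAccepts(&ra.PublicKey, csr, sig))
}
```

The subject check in `raApprove` is what ties the issued certificate to the account that authenticated in step 1; without it, a logged-on user could obtain approval for a request naming another user.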

See also:

For the configuration steps necessary to activate this feature, see Configuring the AS Java to Use Certificate Enrollment. 

 

 
