
Configuring the System to Use the SAP Trust Center Service

Use

When using X.509 client certificates for authentication in your system, you can simplify the task of distributing certificates to users by using the SAP Trust Center Service. With this feature, users receive their SAP Passport (X.509 client certificate) directly from the SAP Trust Center Service over the Internet.

Prerequisites

· The system is configured for using the Secure Sockets Layer (SSL) protocol.

· With the exception of the user mapping table USREXTID, the system is configured for using X.509 client certificates for authentication.

Note

When the user receives his or her certificate, the system also automatically maps the certificate to the user’s account, eliminating the need to maintain the mapping table USREXTID manually.

· The following profile parameters are set in the application server's default profile:

Profile parameter: login/certificate_request_subject
Default: CN=&UNAME, OU=&WPOU, O=mySAP.com User, C=DE
Comment: The SAP system acts as the Registration Authority (RA). When the certificate is issued, the SAP Trust Center Service replaces &UNAME with the user's ID and &WPOU with the application server's Organizational Unit (OU) as specified in the corresponding Personal Security Environment (PSE) that is used for signing the certificate request.

Profile parameter: login/certificate_request_ca_url
Default: https://tcs.mysap.com/invoke/tc/usercert
Comment: URL for the SAP Trust Center Service

· Users must have Internet access to the SAP Trust Center Service (see the URL above).

Procedure

To configure the system for using the SAP Trust Center, you must:

1. Decide which PSE to use. You can either use the system PSE or create a separate one that is used explicitly for signing certificate requests. Note the following:

   - If you want to create a separate PSE to use for signing requests, then you must first set up the trust manager. See the description below.

   - Otherwise, the system uses the system PSE. In this case, you must create a new system PSE and use a Distinguished Name that complies with the naming convention specified by the SAP Trust Center Service.

Caution

If you replace an existing system PSE, then note the following:

   - Export any certificates contained in the old system PSE's certificate list and re-import them into the new system PSE's certificate list.

   - If the system has been set up as a ticket-issuing system for logon tickets, then also reconfigure any accepting systems. (Import the new certificate into each system's corresponding certificate list and maintain the access control lists.)

2. Create the PSE to use for signing the requests.

3. Register the system with the SAP Trust Center Service. For details, see service.sap.com/TCS under SAP Trust Center Services in Detail → SAP Passports in Your SAP Solution.

4. Assign users the authorization to use the certificate request service.

These steps are described in detail below.

Setting up the Trust Manager

Perform the following steps if you want to use a separate PSE for signing certificate requests.

1. Use a table maintenance transaction (SE16) to create an entry in table SSFAPPLIC for the certificate request application. Use the following information:

   Field       Value
   APPLIC      CERTRQ
   B_TOOLKIT   X
   B_FORMAT    X
   B_PAB       X
   B_PROFID    X
   B_PROFILE   X
   B_DISTRIB   X

   Leave all other fields blank.

2. Use transaction SSFA to create a Secure Store and Forward (SSF) application for the trust manager. Use the following information for the entry:

   Field                              Value
   SSF Application                    CERTRQ
   Security Product                   SAPSECULIB
   SSF Format                         International standard PKCS#7
   Private Address Book               <filename>.pse (example: SAPCERTRQ000.pse)
   SSF Profile Name                   <filename>.pse (example: SAPCERTRQ000.pse)
   SSF Profile ID (Opt)               <blank>
   Distribute PSE (Only SAPSECULIB)   Activate

   The file name should be the same for both the Private Address Book and the SSF Profile Name.

Creating the PSE to Use for Signing the Requests

Use the trust manager (transaction STRUST) to create a PSE. Depending on the option you want to use, either select the node for the entry you created above or select the system PSE. Note the following:

· Use the DSA algorithm with a 1024-bit key.

· For the requirements on the Distinguished Name as well as additional information, see the documentation provided by the SAP TCS at service.sap.com/TCS. The information is provided in the document under SAP Trust Center Services in Detail → SAP Passports in Your SAP Solution → CP – RA Certificate for SAP Passport via Customer's Solution.

Registering the System with the SAP Trust Center Service

1. Create a certificate request for the PSE that you created above:

   a. Select an application server node for the PSE with a double-click so that it appears in the Own Certificate section of the trust manager screen.

   b. Choose the symbol for Create Certificate Request.

   The certificate request appears in the Certificate Request dialog. See the example below.

Example

-----BEGIN CERTIFICATE REQUEST-----
MIIBkzCCAVICAQAwWjELMAkGA1UEBhMCREUxHDAaBgNVBAoTE215U0FQLmNvbS
BXb3JrcGxhY2UxDzANBgNVBAsTBlNBUCBBRzEOMAwGA1UECxMFQmFzaXMxDDAK
BgNVBAMTA0JJTzCB7jCBpgYFKw4DAhswgZwCQQCSnauC/cAfQVrmOtWznQ9I+i
4twoPq8wCE0Fk5EAVjQnX2oMqBnyoi+ee/ZH2cLwyhp5mOOw70+exS7PHEWKiF
AhUAw9FSY1AsFV4U9fC9w+Bg5H4ISYcCQARcC+7q3UkM0TF0A5zRaq7viO3Wj2
MwYUNwFkc0hxzhloUQd21megZADoFiisdzkn/nF4eIxV9vq9XxcV63xTsDQwAC
QFher18UA8YkY4/zHe4mbupBXvDSucm2nbJuQ5PgDBvVaMmtpXIisyzuAFL+qC
zQ92mkNqUR9JLWpz09ghQdISCgADAJBgcqhkjOOAQDAzAAMC0CFA7qEluP/Kfi
+6HF/8I7j4NfF44xAhUAqkDgAeR3tzmNegKUTQ+JzeCXawE=
-----END CERTIFICATE REQUEST-----

   c. Copy the content of the certificate request to a customer message under the component BC-SEC.

   The SAP TCS will validate your information and send you a response, which contains the system's signed public-key certificate.

2. Import the response into the PSE you created above:

   a. If the request is still displayed, then close the Certificate Request dialog.

   b. Make sure the PSE to use for signing certificate requests is displayed in the Own Certificate section.

   c. Choose the symbol for Import Cert. Response. The Certificate Response dialog appears.

   d. Open the response you received from the SAP Trust Center Service in a text editor.

   e. Copy the content of the response to the Certificate Response dialog and choose Enter. The response is imported into the PSE.

3. Save the data.

Assigning Users the Authorization to Use the Certificate Request Service

Use role maintenance (transaction PFCG) to assign users the authorization S_USERCERT, Activity 49.

There is no standard role available that contains this authorization, so you either have to create a new role or add this authorization to an existing role.

Result

When users access the certificate request service, they receive a client certificate from the SAP Trust Center Service that they can use for future access to the system.

See also:

· Overview of how requesting SAP Passports works in SAP systems: Using SAP Passports Provided by the SAP Trust Center Service

· Configuring SSL: Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP

· Configuring the Use of Client Certificates for Authentication: Configuring the System for Using X.509 Client Certificates

· Using transaction SSFA: Maintaining Application-Specific Information

· Using the trust manager: Trust Manager

· Role maintenance: Role Maintenance

 

 
