When using X.509 client certificates for authentication in your system, you can simplify the task of distributing certificates to users by using the SAP Trust Center Service. When using this feature, users will receive their SAP Passport (X.509 client certificate) per Internet access directly from the SAP Trust Center Service.
● The system is configured for using the Secure Sockets Layer (SSL) protocol.
● With the exception of the user mapping table USREXTID, the system is configured for using X.509 client certificates for authentication.
When the user receives his or her certificate, the system also automatically maps the certificate to the user’s account, eliminating the need to maintain the mapping table USREXTID manually.
● The following profile parameters are set in the application server’s default profile:
Profile Parameter | Default | Comment
login/certificate_ | CN=&UNAME, OU=&WPOU, O=mySAP.com User, C=DE | The SAP system that is the Registration Authority (RA). When the certificate is issued, the SAP Trust Center Service replaces &UNAME with the user’s ID and &WPOU with the application server’s Organizational Unit (OU) as specified in the corresponding Personal Security Environment (PSE) that is used for signing the certificate request.
login/certificate_ | https://tcs.mysap.com/ | URL for the SAP Trust Center Service
● Users must have Internet access to the SAP Trust Center Service. See the URL in the table above.
To configure the system for using the SAP Trust Center, you must:
1. Decide which PSE to use. You can either use the system PSE or create a separate one that is used explicitly for signing certificate requests. Note the following:
¡ If you want to create a separate PSE to use for signing requests, then you must first set up the trust manager. See the description below.
¡ Otherwise the system uses the system PSE. In this case, you must create a new PSE with a Distinguished Name that complies with the naming convention specified by the SAP Trust Center Service.
If you replace an existing system PSE, then note the following:
● Export any certificates contained in the old system PSE’s certificate list and re-import them into the new system PSE’s certificate list.
● If the system has been set up as a ticket-issuing system for logon tickets, then also reconfigure any accepting systems. (Import the new certificate into each system’s corresponding certificate list and maintain the access control lists.)
2. Create the PSE to use for signing the requests.
3. Register the system with the SAP Trust Center Service. For details, see service.sap.com/TCS, under SAP Trust Center Services in Detail → SAP Passports in Your SAP Solution.
4. Assign users the authorization to use the certificate request service.
These steps are described in detail below.
Perform the following steps if you want to use a separate PSE for signing certificate requests.
1. Use a table maintenance transaction (SE16) to create an entry in table SSFAPPLIC for the certificate request application. Use the following information:
Field | Value
APPLIC | CERTRQ
B_TOOLKIT | X
B_FORMAT | X
B_PAB | X
B_PROFID | X
B_PROFILE | X
B_DISTRIB | X
Leave all other fields blank.
2. Use transaction SSFA to create a Secure Store and Forward (SSF) application for the trust manager. Use the following information for the entry:
Field | Value
SSF Application | CERTRQ
Security Product | SAPSECULIB
SSF Format | International standard PKCS#7
Private Address Book | <filename>.pse (Example: SAPCERTRQ000.pse)
SSF Profile Name | <filename>.pse (Example: SAPCERTRQ000.pse). The file name should be the same for both the Private Address Book and the SSF Profile Name.
SSF Profile ID (Opt) | <blank>
Distribute PSE (Only SAPSECULIB) | Activate
Use the trust manager (transaction STRUST) to create a PSE. Depending on the option you want to use, either select the node for the entry you created above or select the system PSE. Note the following:
● Use the DSA algorithm with a 1024-bit key.
● For the requirements on the Distinguished Name as well as additional information, see the documentation provided by the SAP TCS at service.sap.com/TCS.
The information is provided in the document under SAP Trust Center Services in Detail → SAP Passports in Your SAP Solution → CP – RA Certificate for SAP Passport via Customer’s Solution.
1. Create a certificate request for the PSE that you created above:
a. Select an application server node for the PSE with a double-click so that it appears in the Own Certificate section of the trust manager screen.
b. Choose the symbol for Create Certificate Request.
The certificate request appears in the Certificate Request dialog. See the example below.
-----BEGIN CERTIFICATE REQUEST-----
MIIBkzCCAVICAQAwWjELMAkGA1UEBhMCREUxHDAaBgNVBAoTE215U0FQLmNvbS
BXb3JrcGxhY2UxDzANBgNVBAsTBlNBUCBBRzEOMAwGA1UECxMFQmFzaXMxDDAK
BgNVBAMTA0JJTzCB7jCBpgYFKw4DAhswgZwCQQCSnauC/cAfQVrmOtWznQ9I+i
4twoPq8wCE0Fk5EAVjQnX2oMqBnyoi+ee/ZH2cLwyhp5mOOw70+exS7PHEWKiF
AhUAw9FSY1AsFV4U9fC9w+Bg5H4ISYcCQARcC+7q3UkM0TF0A5zRaq7viO3Wj2
MwYUNwFkc0hxzhloUQd21megZADoFiisdzkn/nF4eIxV9vq9XxcV63xTsDQwAC
QFher18UA8YkY4/zHe4mbupBXvDSucm2nbJuQ5PgDBvVaMmtpXIisyzuAFL+qC
zQ92mkNqUR9JLWpz09ghQdISCgADAJBgcqhkjOOAQDAzAAMC0CFA7qEluP/Kfi
+6HF/8I7j4NfF44xAhUAqkDgAeR3tzmNegKUTQ+JzeCXawE=
-----END CERTIFICATE REQUEST-----
c. Copy the content of the certificate request to a customer message under the component BC-SEC.
The SAP TCS will validate your information and send you a response, which contains the system’s signed public-key certificate.
2. Import the response into the PSE you created above:
a. If the request is still displayed, then close the Certificate Request dialog.
b. Make sure the PSE to use for signing certificate requests is displayed in the Own Certificate section.
c. Choose the symbol for Import Cert. Response.
The Certificate Response dialog appears.
d. Open the response you received from the SAP Trust Center Service in a text editor.
e. Copy the content of the response to the Certificate Response dialog and choose Enter.
The response is imported into the PSE.
3. Save the data.
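As an added example (it is not part of the SAP documentation and not SAP code), the following Python script decodes the certificate request shown in step 1 above and walks its DER structure with a small ASN.1 reader, so that you can confirm the subject Distinguished Name, the key algorithm and the key size of the request before you paste it into the customer message. It uses only the standard library; the OID name table, the check_request function and the 1024-bit minimum taken from the PSE requirements above are the script's own assumptions.

```python
"""Pre-submission check for an SAP Trust Center certificate request.

Added example (not SAP code): decodes the PEM-encoded PKCS#10 request that the
trust manager shows in the Certificate Request dialog and walks the DER
structure with a minimal ASN.1 reader to report the subject Distinguished Name,
the key algorithm, the DSA key size and the signature algorithm.
"""
import base64
import re

# Well-known object identifiers (X.520 attribute types, X9.57 and OIW DSA OIDs).
OID_NAMES = {
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "1.2.840.10040.4.1": "id-dsa",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.3.14.3.2.27": "dsaWithSHA1 (OIW)",
}

# The certificate request shown in the SAP documentation, pasted as-is.
SAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIIBkzCCAVICAQAwWjELMAkGA1UEBhMCREUxHDAaBgNVBAoTE215U0FQLmNvbS
BXb3JrcGxhY2UxDzANBgNVBAsTBlNBUCBBRzEOMAwGA1UECxMFQmFzaXMxDDAK
BgNVBAMTA0JJTzCB7jCBpgYFKw4DAhswgZwCQQCSnauC/cAfQVrmOtWznQ9I+i
4twoPq8wCE0Fk5EAVjQnX2oMqBnyoi+ee/ZH2cLwyhp5mOOw70+exS7PHEWKiF
AhUAw9FSY1AsFV4U9fC9w+Bg5H4ISYcCQARcC+7q3UkM0TF0A5zRaq7viO3Wj2
MwYUNwFkc0hxzhloUQd21megZADoFiisdzkn/nF4eIxV9vq9XxcV63xTsDQwAC
QFher18UA8YkY4/zHe4mbupBXvDSucm2nbJuQ5PgDBvVaMmtpXIisyzuAFL+qC
zQ92mkNqUR9JLWpz09ghQdISCgADAJBgcqhkjOOAQDAzAAMC0CFA7qEluP/Kfi
+6HF/8I7j4NfF44xAhUAqkDgAeR3tzmNegKUTQ+JzeCXawE=
-----END CERTIFICATE REQUEST-----"""


def read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a SEQUENCE or SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    """Turn DER OID content bytes into dotted notation, e.g. 2.5.4.3."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(text):
    """Extract and base64-decode the body between the BEGIN/END markers."""
    m = re.search(r"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END CERTIFICATE REQUEST-----",
                  text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def parse_csr(pem):
    """Return subject RDNs, key algorithm, key size and signature algorithm."""
    der = pem_to_der(pem)
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("request is not a single DER SEQUENCE")
    cri, sig_alg, _signature = children(body)            # CertificationRequest
    _version, subject, spki = children(cri[1])[:3]        # attributes [0] follows, not needed

    rdns = []
    for _, rdn_set in children(subject[1]):               # Name = SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn_set):
            (_, oid), (_, val) = children(atv)
            dotted = decode_oid(oid)
            rdns.append((OID_NAMES.get(dotted, dotted), val.decode("latin-1")))

    alg, _pubkey = children(spki[1])                      # SubjectPublicKeyInfo
    alg_oid, params = children(alg[1])
    key_bits = None
    if params[0] == 0x30:                                 # Dss-Parms ::= SEQUENCE { p, q, g }
        p = children(params[1])[0][1]
        key_bits = int.from_bytes(p, "big").bit_length()
    key_alg = decode_oid(alg_oid[1])
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    return {
        "subject": rdns,
        "dn": ", ".join(f"{k}={v}" for k, v in reversed(rdns)),
        "key_algorithm": OID_NAMES.get(key_alg, key_alg),
        "key_bits": key_bits,
        "signature_algorithm": OID_NAMES.get(sig_oid, sig_oid),
    }


def check_request(info, min_bits=1024, required=("CN", "OU", "O", "C")):
    """Findings to resolve before the request goes to the RA (assumed policy)."""
    findings = []
    if "dsa" not in info["key_algorithm"].lower():
        findings.append(f"key algorithm is {info['key_algorithm']}, expected DSA")
    if info["key_bits"] is None or info["key_bits"] < min_bits:
        findings.append(f"key size {info['key_bits']} bits is below {min_bits}")
    present = {k for k, _ in info["subject"]}
    for attr in required:
        if attr not in present:
            findings.append(f"subject lacks {attr}")
    return findings


if __name__ == "__main__":
    info = parse_csr(SAMPLE_CSR)
    print(info["dn"], info["key_algorithm"], info["key_bits"], info["signature_algorithm"])
    for finding in check_request(info):
        print("finding:", finding)
```

Paste the request from the trust manager into SAMPLE_CSR and run the script. For the request shown above it reports CN=BIO, OU=Basis, OU=SAP AG, O=mySAP.com Workplace, C=DE with a 512-bit DSA key, so check_request flags the key size against the 1024 bits required above; that kind of mismatch is cheaper to catch here than after the certificate has been issued and imported.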
Use role maintenance (transaction PFCG) to assign users the authorization S_USERCERT, Activity 49.
There is no standard role available that contains this authorization, so you either have to create a new role or add this authorization to an existing role.
When users access the certificate request service, they receive a client certificate from the SAP Trust Center Service that they can use for future access to the system.
See also:
● Overview of how requesting SAP Passports works in SAP systems: Using SAP Passports Provided by the SAP Trust Center Service
● Configuring SSL: Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP
● Configuring the Use of Client Certificates for Authentication: Configuring the System for Using X.509 Client Certificates
● Using transaction SSFA: Maintaining Application-Specific Information
● Using the trust manager: Trust Manager
● Role maintenance: Role Maintenance