7.2 Use of Digital Certificates

The expression Single Sign-On (SSO) is often used to express different aspects. Of importance is first the aspect of digital certificates that can be used for an initial authentication against a server. In this case, digital certificates are an alternative authentication, instead of the more typical basic authentication or form-based authentication. The use of digital certificates for authentication has a high set of prerequisites; the most important prerequisites are as follows:

• Configuration and usage of HTTPS

• Installation of the digital certificates in the secure store on each client

The problem of initial authentication is the only one that single sign-on solves.

The second aspect after an initial authentication is that authentication is required for each application that is started.

How can the user-supplied authentication from the initial authentication cycle be reused when starting each application anew? In this case, the user also expects a single sign-on working mode, where applications can be started with a new authentication cycle. This aspect is handled with logon tickets ( MYSAPSSO2 cookies) or assertion tickets ( SAP_SESSIONID cookies). After the initial authentication, the server issues such a cookie that is effectively the user's name digitally signed so that whenever the cookie is presented again at the server, it is accepted as a form of authentication. For all subsequent requests, even when new applications are started, this ticket is part of the request to the server, therefore carrying the authenticated user name.

Within the Web context, digital certificates always refer to X.509 certificates. A digital certificate binds a public key to a distinguished name that is issued by a certificate authority. The important aspect here is that a certificate is constructed (digitally signed by a certificate authority) so that the receiving party can validate the distinguished name again. The distinguished name usually takes the form C=<country> O=<company> CN=<certificate_name> and can include other attributes that uniquely name a person. There are standard procedures whereby a company can obtain and issue such certificates to each employee. The first step is to import the certificate into the browser. By doing so, the browser now has the identity in a digital format that can be verified again by the server. The next step is to update the ABAP server to be able to map the distinguished name onto a user name. This mapping can be configured with transaction Call View Maintenance ( SM30), in the table VUSREXTID. The external ID is the distinguished name from the digital certificate and must be entered exactly the same into the table, including the preservation of case and spaces.

The browser must now send the certificate to the server. The moment the protocol is switched from HTTP to HTTPS, the certificate is automatically sent as part of the encryption layer that is used to secure the HTTPS connection. No further actions are required.

The switch from HTTP to HTTPS is triggered by the logon application that is configured within the ICF tree for the NWBC node. This logon application (in its default configuration and only if HTTPS is available on the server) performs a protocol switch as a first step in the authentication process. If then a digital certificate is provided that can be mapped onto a user, the authentication process is completed automatically.

The configuration of HTTPS, the use of digital certificates, and logon tickets are closely related. For more information, see 7.5 Configuring Authentication on the Server .

For more information about configuring SAP's servers to use digital certificates, see the referenced documentation. However, a few small topics that are relevant for NWBC when using digital certificates are explained here. These are the options of using SAP's Passport service to obtain digital certificates, the prerequisite to the Microsoft hotfix 919477 when using digital certificates and a description of how certificate mapping needs to be configured on the server.

Customers can use SAP Trust Center Services for issuing SAP Passports. Here the ABAP system functions as Registration Authority (RA) and SAP acts as Certification Authority (CA).

In this case, SAP Trust Center is used to obtain certificates for both the server and all clients. This is one way to set up a system landscape where digital certificates can be used for single sign-on. For more information, see Using SAP Passports Provided by the SAP Trust Center Service . For more information about SAP Trust Center Services and the certificate policy of the SAP Passport, see SAP Service Marketplace at http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000437021&SCENARIO=01100035870000000202& .

During the setup of an HTTPS connection, the server and the client optionally exchange digital certificates to identify the client to the server. The server has the option to request such a certificate and the client has the option to either send one or not to send one.

Specifically, the client needs to either select a certificate to send to the server or must inform the server that it has no acceptable certificate available that the server can validate. In these cases, the client signals its decision with an API call to the underlying Microsoft Windows HTTP stack. For using these API calls under Microsoft Windows Server 2003, service pack SP01 and SP02, an additional hotfix is required. Without this hotfix, it is not possible to use digital certificates.

When using Microsoft Windows Server 2003, request and install the Microsoft hotfix KB919479. When using other operating systems , the API calls already have the correct functions and no hotfix is required.

Another aspect that is resolved with this hotfix is that the NWBC Certificate Selection dialog is not displayed if not needed. If there is only one matching certificate, it is automatically used.

The following figure provides an example of the NWBC Certificate Selection dialog:

As an alternative solution you can disable the use of digital certificates with HTTPS traffic. This still results in the secure encrypted communication with HTTP, but requires the user to perform a manual authentication (logon) step. To configure this authentication step on AS Java, AS ABAP, or SAP Web Dispatcher, set the profile parameter icm/HTTPS/verify_client=0. With this setting, the server does not request any digital certificate from the client, enabling the client to use an HTTPS connection without using the certificate APIs.

For more information, see http://support.microsoft.com/kb/919479 and icm/HTTPS/verify_client .

There are standard procedures whereby a company can obtain and issue such certificates to each employee. It is outside the scope of this documentation to describe different companies that provide digital certificates. One idea is to use the SAP Passport service as described previously.

1. On the client, import the certificate into the browser, typically by choosing  Internet options  Certificates... .

   The browser now has the user's identity in a digital format that can be verified by the server.

2. For each user on the ABAP server, map the distinguished name onto a user name in transaction SM30.

   1. Start transaction SM30.

   2. In the Table/View field, enter VUSREXTID and choose Maintain .

   3. Select DN as Work Area and choose Enter .

      Ensure there is an entry for assignment of external IDs to user names. The external ID is the distinguished name from the X.509 certificate and must be entered into the table exactly as it is, including the preservation of case and spaces. The user name is the AS ABAP user name.

   4. Ensure that the Active checkbox is selected.

   5. Save your settings.

For more information, see Configuring the AS ABAP to Use X.509 Client Certificates .

To test single sign-on, check that there is no authentication step. In a browser, start any URL on the server and check that the application is started directly without authentication. Likewise, in NWBC, check that no authentication step is required.

Usually, you log on to NWBC using the client certificates, but for special cases you want to use a different user and an explicit logon screen. In the browser, open the security settings of the respective internet zone.

1. In Microsoft Internet Explorer, choose  Tools  Internet Options .

2. On the Security tab, choose Trusted sites and the Custom Level pushbutton.

3. Under Don't prompt for client certificate selection when no certificates or only one certificate exists , select the Disable option.

For more information, see SAP Note 1638715 .