Show TOC Start of Content Area

Function documentation Using X.509 Client Certificates  Locate the document in its SAP Library structure


An X.509 client certificate is a digital "identification card" for use in the Internet, also known as a public-key certificate.

A user who accesses the SAP Web Application Server and presents a valid certificate is authenticated on the server using the SSL protocol. The information contained in the certificate is passed to the server and the user is logged on to the server based on this information. User authentication takes place in the underlying protocols and no user ID and password entries are necessary.


Public-Key Infrastructure / Trust Center Services

Users need to receive their X.509 client certificates as part of a public-key infrastructure (PKI). The role of the PKI is to verify the identity of certificate owners and to issue, validate, renew, and revoke certificates. If you use X.509 client certificates for authentication, then you need access to a PKI. You can either establish your own PKI or you can rely on a Trust Center for these tasks.

Using SSL for Client Authentication

When using X.509 client certificates, users are authenticated on the SAP Web Application Server using the SSL protocol. Therefore, HTTPS connections are necessary for the communication between the users' Web browsers and the SAP Web Application Server.


      Users possess valid X.509 client certificates and have imported them into their Web browsers.

      The SAP Web Application Server is configured to support HTTPS connections and SSL. (For more information, see Configuring the AS ABAP for Supporting SSL.)

      The user's identification, the Distinguished Name, that is specified in his or her certificate must map to a valid user ID on the SAP Web Application Server


      Strong authentication is provided using the SSL protocol and PKI technology.

      Users can also produce digital signatures using the client certificates. There, higher levels of trust and non-repudiation for business transactions are also possible.

      Passwords are no longer used for authentication purposes.

      Users can also use their certificates for access to other intranet or Internet services.



       1.      The user accesses a service on the SAP Web Application Server.


The corresponding URL must use HTTPS.

       2.      The SAP Web Application Server uses the SSL protocol to authenticate the user based on the information contained in the certificate.

       3.      If the authentication was successful, the server searches for a valid SAP System ID that corresponds to the user's Distinguished Name in the certificate.


If the SSL authentication was successful and the user can be mapped to a SAP System user ID, then the user is logged on to the system. No user ID or password entries are necessary.

If however, the system cannot correctly map the user ID, or the SSL authentication failed, then the system checks for a logon ticket. If no ticket exists, then the system prompts the user for user ID and password using the HTTP basic authentication prompt.



End of Content Area