X.509 Certificates

If you have implemented a public-key infrastructure (PKI) for user authentication in your organization, you can use X.509 certificates by configuring the required back-end systems (ABAP or SAP HANA) to accept X.509 certificates.

Authentication with X.509 certificates provides the following advantages:

It does not require an issuing system during logon, which means that it works well in internet-facing scenarios.
It is also supported for logon to the SAP GUI. Using X.509 certificates for both SAP GUI and HTTP access simplifies the Single Sign-On setup within your system landscape.

X.509 certificates must be distributed to the workstations and devices that are used to access SAP Fiori apps. For mobile devices, this distribution can be performed centrally by a mobile device management software, for example SAP Afaria.

Recommendation

As X.509 certificates remain valid for a relatively long time, we recommend that you minimize the security risk by implementing a method to revoke the certificates, for example if a mobile device is lost.

End of the recommendation.

Configuration

For information about the configuration that is required for X.509 certificates, see:

For SAP NetWeaver 7.31: http://help.sap.com/nw731 Application Help Function-Oriented View Security User Authentication and Single Sign-On Integration in Single Sign-On (SSO) Environments Single Sign-On for Web-Based Access Using X.509 Client Certificates Using X.509 Client Certificates on the AS ABAP Configuring the AS ABAP to use X.509 Client Certificates .
For SAP NetWeaver 7.4: http://help.sap.com/nw74 Application Help Function-Oriented View Security User Authentication and Single Sign-On Integration in Single Sign-On (SSO) Environments Single Sign-On for Web-Based Access Using X.509 Client Certificates Using X.509 Client Certificates on the AS ABAP Configuring the AS ABAP to use X.509 Client Certificates .