Using X.509 Client Certificates

Use

An X.509 client certificate, also known as a public-key certificate, is a digital "identification card" for use on the Internet.

A user who accesses the SAP Web Application Server and presents a valid certificate is authenticated on the server using the SSL protocol. The information contained in the certificate is passed to the server and the user is logged on to the server based on this information. User authentication takes place in the underlying protocols and no user ID and password entries are necessary.

Integration

Public-Key Infrastructure / Trust Center Services

Users need to receive their X.509 client certificates as part of a public-key infrastructure (PKI). The role of the PKI is to verify the identity of certificate owners and to issue, validate, renew, and revoke certificates. If you use X.509 client certificates for authentication, then you need access to a PKI. You can either establish your own PKI or you can rely on a Trust Center for these tasks.

Using SSL for Client Authentication

When using X.509 client certificates, users are authenticated on the SAP Web Application Server using the SSL protocol. Therefore, HTTPS connections are necessary for the communication between the users' Web browsers and the SAP Web Application Server.

Prerequisites

Features

Activities

  1. The user accesses a service on the SAP Web Application Server.

    Note: The corresponding URL must use HTTPS.

  2. The SAP Web Application Server uses the SSL protocol to authenticate the user based on the information contained in the certificate.
  3. If the authentication was successful, the server searches for a valid SAP System user ID that corresponds to the user's Distinguished Name in the certificate.

Result

If the SSL authentication was successful and the user can be mapped to a SAP System user ID, then the user is logged on to the system. No user ID or password entries are necessary.

If, however, the system cannot correctly map the user ID, or the SSL authentication fails, then the system checks for a logon ticket. If no ticket exists, then the system prompts the user for a user ID and password using the HTTP basic authentication prompt.

 
