Show TOC

7.2 Use of Digital Certificates Locate this document in the navigation structure

 

Under the expression “Single Sign-On” (SSO), there are often different aspects that are used interwoven. Of importance is first the aspect of digital certificates that can be used for an initial authentication against a server. In this case digital certificates are just an alternative authentication, instead of the more typical basic authentication or form-based authentication. The use of digital certificates for authentication has a very high set of prerequisites, the most important being (a) the configuration and usage of HTTPS and (b) installing the digital certificates into the secure store on each client. The single sign-on problem that digital certificates solve is only that of the initial authentication.

The second aspect after an initial authentication, is that authentication is required for each application that is started. How can the user-supplied authentication from the initial authentication cycle be reused when starting each new application? In this case, the user also expects a single sign-on working mode, where applications can be started with a new authentication cycle. This aspect is handled with logon tickets (MYSAPSSO2 cookies). After the initial authentication, the server will issue such a cookie, which is effectively just the user’s name digitally signed in such a way that whenever the cookie is presented again at the server, it will be accepted as a form of authentication. For all subsequent requests, also when new applications are started, this logon ticket is part of the request to the server, thus carrying the authenticated user name.

Within the web context, digital certificates always refer to X.509 certificates. A digital certificate binds a public key to a distinguished name that is issued by a certificate authority. The important aspect here is that a certificate is so constructed (digitally signed by a certificate authority) that the receiving party can again validate the distinguished name. The distinguished name itself is usually of the form C=<country> O=<company> CN=<certificate_name> and can include other attributes that uniquely name a person. There are standard procedures whereby a company can obtain and issue such certificates to each employee. The first step is to import the certificate into the browser. With this, the browser now has our identity in a digital format that can be verified again by the server. The next step is to update the ABAP server be able to map the distinguished name onto a user name. This mapping can be configured with transaction SM30, in the table VUSREXTID. The external ID is the distinguished name from the digital certificate and must be entered exactly the same into the table, including the preservation of case and spaces.

The browser must now send the certificate to the server: The moment the protocol is switched from HTTP to HTTPS, the certificate is automatically sent as part of the encryption layer used to secure the HTTPS connection. No further work is required.

The switching from HTTP to HTTPS is triggered by the logon application that is configured within the ICF tree for the NWBC node. This logon application will (in its default configuration) as a first step in the authentication process do a protocol switch (only if HTTPS is available on the server). If then a digital certificate is provided that can be mapped onto a user, the authentication process is completed automatically.

As the configuration of HTTPS, the use of digital certificates and logon tickets are very closely related, all relevant documentation links to the security documentation will be provided in Configuring Authentication on the Server.

For detailed information in configuring SAP’s servers to use digital certificates, refer to referenced documentation. However, a few small topics that are very relevant for NWBC when using digital certificates we wish to highlight here. These are the option of using SAP’s Passport service to obtain digital certificates, the prerequisite to Microsoft hotfix 919477 when using digital certificates and a highlight of how certificate mapping needs to be configured on the server.

Using SAP as Supplier of Digital Certificates

Customers can use SAP Trust Center Services for issuing SAP Passports. Here the ABAP system functions as Registration Authority (RA) and SAP acts as Certification Authority (CA).

In this case, the SAP Trust Center is used to obtain certificates for both the server and all the clients. This is one way to set up a system landscape where digital certificates can be used to achieve single sign-on. For more information, see Using SAP Passports Provided by the SAP Trust Center Service. You can find more information on SAP Trust Center Services and the certificate policy of the SAP Passport under http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000437021&SCENARIO=01100035870000000202& .

Prerequisite Microsoft Hotfix 919477

During the setup of an HTTPS connection, the server and the client will optionally exchange digital certificates to identify the client to the server. The server has the option to request such a certificate and the client has the option to either send one or not to send one.

Specifically, the client needs to either select a certificate to send to the server or must inform the server that it has no acceptable certificate available which the server can validate. In these cases, the client will signal its decision with an API call to the underlying Microsoft Window’s HTTP stack. For using these API calls under Windows XP, service pack SP01 and SP02, an additional hotfix is required and mandatory. Without this hotfix, it is not possible to use digital certificates.

When using Microsoft Windows XP, request and install Microsoft hotfix KB919477. When using Microsoft Vista, the API calls already have the correct functionality and no hotfix is required.

Another aspect that is resolved with this hotfix, is that the certificate selection dialog is not displayed if not needed. If there is only one matching certificate, it will automatically be used.

Example of certificate selection dialog without hotfix (Example of certificate selection dialog without hotfix)

An alternative solution would be to disable the usage of digital certificates with HTTPS traffic. This will still result in the secure encrypted communication with HTTP, but will require the user to do a manual authentication (logon) step. This can be configured on AS Java, AS ABAP, or SAP Web Dispatcher by setting the profile parameter icm/HTTPS/verify_client=0. With this setting, the server will not request any digital certificate from the client, enabling the client to use a HTTPS connection without using the certificate APIs.

For more information, see http://support.microsoft.com/kb/919477 and icm/HTTPS/verify_client.

Certificate Mapping

There are standard procedures whereby a company can obtain and issue such certificates to each employee. It is outside the scope of this documentation to describe different companies that provide digital certificates. One idea could be to use SAP’s Passport service as described previously.

  1. On the client, Import the certificate into the browser, typically via   Internet options   Certificates...  .

    With this, the browser now has the user's identity in a digital format that can be verified by the server.

  2. For each user on the ABAP server, map the distinguished name onto a user name via transaction SM30.

    1. Start transaction SM30.

    2. In Table/View enter VUSREXTID and choose Maintain.

    3. Select DN as Work Area and choose Enter.

      Ensure there is an entry for assignment of external IDs to user names. The external ID is the distinguished name from the X.509 certificate and must be entered exactly the same into the table, including the preservation of case and spaces. The user name is the AS ABAP user name.

    4. Ensure that the checkbox Active is checked.

    5. Save your settings.

For more information, see Configuring the System for Using X.509 Client Certificates.

Testing Single Sign-On

Testing single sign-on is relatively easy, in that you must test just that there is no authentication step. In a browser, just start any URL against the server and validate that the application is started directly without authentication. Similarly in NWBC, verify that no authentication step is required.