Using Client Certificates via an Intermediary Server

Use

If users connect to the J2EE Engine via an intermediary server that terminates the connection, for example, a Web proxy, then the user’s SSL client certificate cannot be directly used for authentication on the J2EE Engine. In this case, the intermediary server passes the user’s certificate to the J2EE Engine in a header variable and the J2EE Engine accepts this certificate based on its trust relationship to the intermediary server.

Recommendation

Although you do have the option to use HTTP for the connection between the intermediary server and the J2EE Engine, we recommend using HTTPS for this connection also.

Note

Access via the ICM

If the J2EE Engine is accessed via the ICM, then the user’s certificate is passed using the protocol between the ICM and the J2EE Engine. If this connection also uses SSL, then the certificate is automatically passed to the J2EE Engine. Otherwise, set the parameter AcceptClientCertWithoutSSL to true. For more information, see Communication Between the ICM and J2EE Engine.

Caution

If you set the AcceptClientCertWithoutSSL property to true, then J2EE Engine will always accept the client certificate forwarded via HTTP, as it is not able to verify the certificate’s origin in this case.

Access via the SAP Web Dispatcher

The Web dispatcher supports certificate forwarding in HTTP header fields. Set the parameter icm/HTTPS/forward_ccert_as_header = true for the Web dispatcher before proceeding with the procedure below. For more information, see X.509-Based Logon to Web AS from SAP Web Dispatcher.

Prerequisites

- To use HTTPS for the connection between the intermediary server and the J2EE Engine, the J2EE Engine must be configured to support SSL.

- To use SSL with mutual authentication between the intermediary server and the J2EE Engine, the intermediary server must possess a public-key certificate to use for SSL.

- The intermediary server is configured to pass the user’s client certificate to the J2EE Engine.

- You know the name of the header variable that contains the user’s certificate.

Procedure


1. Using the HTTP Provider service, enter the corresponding information in the following property keys.

Property Keys and Their Values

Key: AcceptClientCertWithoutSSL
Value: <true, false>
Comment: Enter true if you want to accept HTTP without using SSL for the connection between the intermediary server and the J2EE Engine. Default=false.

Key: ProxyServersCertificates
Value: {{<Proxy_Cert_1>}, {<Proxy_Cert_2>}, ...}
Comment: List containing the Distinguished Name for the trusted proxy server(s).

Syntax

Use the following syntax for the list of proxy Distinguished Names:

{{Distinguished_Name_1},{Distinguished_Name_2},..., {Distinguished_Name_n}}

Example

Example of a list with one element:

{{CN=proxy, O=MyCompany, C=US}}

Example of a list with several elements:

{{CN=proxy_1, O=MyCompany, C=US},{CN=proxy_2, O=MyCompany, C=US},{CN=proxy_3, O=MyCompany, C=US}}

2. Maintain the user’s certificate information in his or her user account on the J2EE Engine.
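The following is an added example, not code from SAP or from this page, that models the trust decision the procedure configures: it parses the ProxyServersCertificates list syntax shown above, compares the DN of the intermediary's SSL client certificate on the proxy-to-engine hop against that list, and shows why AcceptClientCertWithoutSSL=true makes the forwarded header usable regardless of who sent it. The property and header names are taken from the page; the HttpProviderConfig class, the request dictionary layout and the helper functions are assumptions of this example.

```python
"""Added example (not SAP code): a model of the trust decision this page
describes. Property names (AcceptClientCertWithoutSSL,
ProxyServersCertificates, ClientCertificateHeaderName) and the header
name SSL_CLIENT_CERT come from the page; the HttpProviderConfig class,
the request dict layout and parse_dn_list() are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


def parse_dn_list(value: str) -> list:
    """Parse the {{DN_1},{DN_2},...,{DN_n}} syntax of ProxyServersCertificates."""
    value = value.strip()
    if not (value.startswith("{{") and value.endswith("}}")):
        raise ValueError("expected a list of the form {{DN_1},{DN_2},...}")
    inner = value[1:-1]  # drop the outer braces, leaving {DN_1},{DN_2},...
    return [m.group(1).strip() for m in re.finditer(r"\{([^{}]*)\}", inner)]


def normalize_dn(dn: str) -> str:
    """Canonical form so 'CN=proxy, O=MyCompany' and 'CN=proxy,O=MyCompany' compare equal."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        rdns.append(f"{attr.strip().upper()}={val.strip()}")
    return ",".join(rdns)


@dataclass
class HttpProviderConfig:
    """Subset of the HTTP Provider property keys that matter for this decision."""
    accept_client_cert_without_ssl: bool = False                     # AcceptClientCertWithoutSSL
    proxy_servers_certificates: list = field(default_factory=list)   # ProxyServersCertificates (parsed)
    client_certificate_header_name: str = "SSL_CLIENT_CERT"          # ClientCertificateHeaderName


def forwarded_client_cert(cfg: HttpProviderConfig, request: dict) -> Optional[str]:
    """Return the forwarded certificate if it may be used for authentication, else None.

    request is a constructed model of one hop from the intermediary:
      "tls"     - whether that hop used SSL
      "peer_dn" - DN of the intermediary's SSL client certificate on that hop
                  (None without mutual authentication)
      "headers" - the HTTP header fields received
    """
    cert = request["headers"].get(cfg.client_certificate_header_name)
    if cert is None:
        return None
    if not request["tls"]:
        # Plain HTTP: the engine cannot tell who inserted the header, so the
        # certificate is usable only when the operator opted in explicitly.
        return cert if cfg.accept_client_cert_without_ssl else None
    trusted = {normalize_dn(dn) for dn in cfg.proxy_servers_certificates}
    peer = request.get("peer_dn")
    if peer is not None and normalize_dn(peer) in trusted:
        return cert
    return None


# Constructed sample values for a stand-alone run.
USER_CERT = "<PEM of the user's certificate, constructed placeholder>"
CONFIG = HttpProviderConfig(
    proxy_servers_certificates=parse_dn_list(
        "{{CN=proxy_1, O=MyCompany, C=US},{CN=proxy_2, O=MyCompany, C=US}}"),
)
FROM_TRUSTED_PROXY = {"tls": True, "peer_dn": "CN=proxy_1,O=MyCompany,C=US",
                      "headers": {"SSL_CLIENT_CERT": USER_CERT}}
FROM_UNKNOWN_PEER = {"tls": True, "peer_dn": "CN=other-host, O=MyCompany, C=US",
                     "headers": {"SSL_CLIENT_CERT": USER_CERT}}
OVER_PLAIN_HTTP = {"tls": False, "peer_dn": None,
                   "headers": {"SSL_CLIENT_CERT": USER_CERT}}

if __name__ == "__main__":
    for name, req in [("trusted proxy", FROM_TRUSTED_PROXY),
                      ("unknown peer", FROM_UNKNOWN_PEER),
                      ("plain HTTP", OVER_PLAIN_HTTP)]:
        accepted = forwarded_client_cert(CONFIG, req) is not None
        print(f"{name:14s} -> accepted: {accepted}")
```

With the defaults, the header is honoured only on an SSL hop whose peer DN is in the list; switching AcceptClientCertWithoutSSL to true makes the plain-HTTP case succeed without any check of the sender, which is the situation the Caution above warns about.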

Result

The intermediary server passes the user’s client certificate to the J2EE Engine to use for authentication.

Additional Property Keys

By default, the additional property keys are set to the names of the HTTP header variables that contain information about the user’s certificate. If your proxy server uses other header names, adjust these parameters accordingly.

Additional Property Keys

Key: ClientCertificateChainHeaderPrefix
Comment: Prefix of the names of the header variables that contain the CA certificate chain. The chain is numbered from 1 to n; certificate n+1 is the CA root certificate, which is not sent to the server.
Default: SSL_CLIENT_CERT_CHAIN_
The server then finds the chained CA certificates in the variables SSL_CLIENT_CERT_CHAIN_1, SSL_CLIENT_CERT_CHAIN_2, etc.

Note

The CA root certificate, which is the last certificate in the chain, is not sent to the server in a header variable. It must exist as a trusted CA in the SSL Provider server.

Key: ClientCertificateHeaderName
Comment: Name of the header variable that contains the user’s certificate.
Default: SSL_CLIENT_CERT

Key: ClientCipherSuiteHeaderName
Comment: Name of the header variable that contains the cipher suite used.
Default: SSL_CIPHER_SUITE

Key: ClientKeySizeHeaderName
Comment: Name of the header variable that contains the key size used.
Default: SSL_CIPHER_USEKEYSIZE
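As an added example (not SAP code and not taken from this page), the block below collects the chain from the indexed header variables listed above, stopping at the first missing index, and walks the names from the user's certificate through SSL_CLIENT_CERT_CHAIN_1 .. _n to require that the last forwarded CA was issued by a root the engine already holds, since the root itself never arrives in a header. The header names and defaults come from the page; the CertInfo class, the constructed "subject=...;issuer=..." encoding that stands in for a real PEM certificate, and the functions are this example's own, and it performs no signature verification (that remains the SSL Provider's job).

```python
"""Added example (not SAP code): collecting the forwarded CA chain from the
indexed header variables this page lists and checking that it ends at a CA
the engine already trusts. Header names come from the page; CertInfo, the
'subject=...;issuer=...' header encoding (a constructed stand-in for a real
PEM certificate) and the functions are this example's own. No signatures
are verified here.
"""
from dataclasses import dataclass

DEFAULT_CERT_HEADER = "SSL_CLIENT_CERT"          # ClientCertificateHeaderName default
DEFAULT_CHAIN_PREFIX = "SSL_CLIENT_CERT_CHAIN_"  # ClientCertificateChainHeaderPrefix default


@dataclass(frozen=True)
class CertInfo:
    subject: str
    issuer: str


def parse_cert_header(value: str) -> CertInfo:
    """Decode the constructed 'subject=<DN>;issuer=<DN>' encoding used in this example."""
    fields = dict(part.split("=", 1) for part in value.split(";"))
    return CertInfo(fields["subject"], fields["issuer"])


def collect_chain(headers: dict, prefix: str = DEFAULT_CHAIN_PREFIX) -> list:
    """Return [<prefix>1, <prefix>2, ..., <prefix>n] in order, stopping at the first
    missing index so a gap in the numbering ends the chain instead of skipping it."""
    chain = []
    i = 1
    while f"{prefix}{i}" in headers:
        chain.append(headers[f"{prefix}{i}"])
        i += 1
    return chain


def chain_ends_at_trusted_root(headers: dict, trusted_roots: set,
                               cert_header: str = DEFAULT_CERT_HEADER,
                               prefix: str = DEFAULT_CHAIN_PREFIX) -> bool:
    """Name-chain user cert -> CHAIN_1 -> ... -> CHAIN_n and require CHAIN_n's issuer
    to be a root held locally: certificate n+1 (the root) is never sent in a header."""
    if cert_header not in headers:
        return False
    certs = [parse_cert_header(headers[cert_header])]
    certs += [parse_cert_header(h) for h in collect_chain(headers, prefix)]
    for child, parent in zip(certs, certs[1:]):
        if child.issuer != parent.subject:
            return False
    return certs[-1].issuer in trusted_roots


# Constructed sample: a user certificate issued under two intermediate CAs.
TRUSTED_ROOTS = {"CN=MyCompany Root CA, O=MyCompany, C=US"}
GOOD_HEADERS = {
    "SSL_CLIENT_CERT": "subject=CN=jdoe, O=MyCompany, C=US;issuer=CN=Users CA, O=MyCompany, C=US",
    "SSL_CLIENT_CERT_CHAIN_1": "subject=CN=Users CA, O=MyCompany, C=US;issuer=CN=Intermediate CA, O=MyCompany, C=US",
    "SSL_CLIENT_CERT_CHAIN_2": "subject=CN=Intermediate CA, O=MyCompany, C=US;issuer=CN=MyCompany Root CA, O=MyCompany, C=US",
    "SSL_CIPHER_SUITE": "TLS_RSA_WITH_AES_128_CBC_SHA",  # other variables from the page,
    "SSL_CIPHER_USEKEYSIZE": "128",                      # not used by this check
}
# Same chain with a gap: CHAIN_2 is missing, so the walk stops after CHAIN_1.
GAPPED_HEADERS = {k: v for k, v in GOOD_HEADERS.items() if k != "SSL_CLIENT_CERT_CHAIN_2"}
GAPPED_HEADERS["SSL_CLIENT_CERT_CHAIN_3"] = GOOD_HEADERS["SSL_CLIENT_CERT_CHAIN_2"]
# A proxy that uses its own prefix; ClientCertificateChainHeaderPrefix must then be adjusted.
CUSTOM_PREFIX = "X-Client-Chain-"
RENAMED_HEADERS = {
    (CUSTOM_PREFIX + k[len(DEFAULT_CHAIN_PREFIX):] if k.startswith(DEFAULT_CHAIN_PREFIX) else k): v
    for k, v in GOOD_HEADERS.items()
}

if __name__ == "__main__":
    print("complete chain :", chain_ends_at_trusted_root(GOOD_HEADERS, TRUSTED_ROOTS))
    print("gapped chain   :", chain_ends_at_trusted_root(GAPPED_HEADERS, TRUSTED_ROOTS))
    print("custom prefix  :", chain_ends_at_trusted_root(RENAMED_HEADERS, TRUSTED_ROOTS, prefix=CUSTOM_PREFIX))
```

A mismatch between the configured prefix and the proxy's header names is silent: the chain simply collects as empty and the user's certificate then has to be issued directly by a trusted root, which is why the prefix must be adjusted whenever the proxy is configured differently from the defaults.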
