
Authentication with Certificates and Microsoft Hotfix 909425

X.509 certificates are optional in HTTPS mode, but it is standard practice to use them. The client can have one or more certificates, or no certificate at all. If the server requests a certificate, the following points are relevant:

      The client reads the relevant certificate from the set of certificates (either one certificate exists or none at all).

      If no certificate is found, the server must be informed that no certificate is available.

If you use Windows XP, refer to the hotfix described under http://support.microsoft.com/kb/909425. Without this hotfix, the search for available certificates in the system cannot be repeated, and an error occurs when the server has to be informed that no relevant certificate is available.

Even though we generally recommend using HTTPS, in a few special cases with specific networks HTTP is sufficiently secure, for example with switched Ethernet connections. When HTTPS is used and is configured correctly on the server, the client finds precisely one certificate and everything works correctly. A problem occurs only if the server has a type of signed certificate or the wrong certificate (for instance in cloned internal systems), so that the server requests a certificate and no relevant one is available.

Temporary Solution

Use HTTP instead of HTTPS if the network infrastructure allows this.

Alternatively, you can use the Microsoft hotfix, which must be installed on all clients.

The most frequent case is that the client finds precisely one certificate. You can make the relevant settings on the server using the parameter icm/HTTPS/verify_client in transaction RZ11. With icm/HTTPS/verify_client = 1, the available certificate is simply dispatched without further checks. If the system landscape is configured correctly, particularly with respect to server and client certificates, this certificate will function without errors.

As a last-resort temporary solution, you can configure the server so that it does not need any certificates from the client (icm/HTTPS/verify_client = 0). The disadvantage of this configuration is that logon with certificates is not possible, which means users have to enter user names and passwords. SSL can still be used (for encrypted data transfer).
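
Because these solutions are meant to be temporary, it helps to be able to list the instances on which one of them is still configured. The following script is an added example, not part of the SAP documentation: it scans instance profile text for icm/HTTPS/verify_client = 0 and for ICM ports that serve plain HTTP. It assumes the usual "name = value" profile syntax with "#" comment lines and that a later assignment overrides an earlier one; the profile contents, instance names and ports are constructed.

```python
import re

PARAM = "icm/HTTPS/verify_client"
_LINE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")  # lines starting with '#' never match

# Constructed sample profiles (instance names and ports are made up).
PROFILES = {
    "PRD_D00": "icm/server_port_1 = PROT=HTTPS,PORT=8443\nicm/HTTPS/verify_client = 1\n",
    "QAS_D01": "# until hotfix rollout\nicm/HTTPS/verify_client = 1\nicm/HTTPS/verify_client=0\n",
    "DEV_D02": "#icm/HTTPS/verify_client = 0\nicm/server_port_0 = PROT=HTTP,PORT=8000\n",
}

def parse_profile(text):
    """Return {parameter: value}; assumption: a later assignment overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def audit(profiles):
    """Return (instance, status, detail) tuples for settings that need a follow-up."""
    findings = []
    for inst in sorted(profiles):
        params = parse_profile(profiles[inst])
        value = params.get(PARAM)
        if value is None:
            findings.append((inst, "INFO", f"{PARAM} not set in profile; kernel default applies"))
        elif value == "0":
            # Meaning taken from the page: no client certificate is requested.
            findings.append((inst, "WORKAROUND", f"{PARAM} = 0: certificate logon off, password logon only"))
        elif value != "1":
            findings.append((inst, "REVIEW", f"{PARAM} = {value}: value not described on this page"))
        for name, val in sorted(params.items()):
            # PROT=HTTP followed by a word boundary, so PROT=HTTPS is not matched.
            if name.startswith("icm/server_port_") and re.search(r"\bPROT=HTTP\b", val):
                findings.append((inst, "WORKAROUND", f"{name} serves plain HTTP ({val})"))
    return findings

if __name__ == "__main__":
    for finding in audit(PROFILES):
        print(" | ".join(finding))
```

A commented-out assignment is ignored, so DEV_D02 is reported as "not set" rather than as 0, and QAS_D01 is reported because its last assignment is 0.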

More information:

Configuring the SAP Web AS for Supporting SSL
