Configuring the System to Use the SAP Trust Center Service

When using X.509 client certificates for authentication in your system, you can simplify the task of distributing certificates to users by using the SAP Trust Center Service. With this feature, users receive their SAP Passport (X.509 client certificate) over the Internet directly from the SAP Trust Center Service. The following variants exist:

  • The user sends the certificate request from his or her browser (BSP application CERTREQ).

    This variant is backward-compatible and uses profile parameters as described under Prerequisites (more information: SAP Note 1276176).

  • The user sends the certificate request from his or her AS ABAP application server (BSP application CERTREQ2).

    This variant uses an RFC destination as described under Prerequisites.

Prerequisites

  • The system is configured for using the Secure Sockets Layer (SSL) protocol.

  • With the exception of the user mapping table USREXTID, the system is configured for using X.509 client certificates for authentication.

    Note: When the user receives his or her certificate, the AS ABAP also automatically maps the certificate to the user's account, eliminating the need to maintain the mapping table USREXTID manually.
  • Only for CERTREQ

    • The following profile parameters are set in the AS ABAP's default profile:

      Profile parameter: login/certificate_request_subject
      Default value: CN=&UNAME, OU=&WPOU, O=mySAP.com User, C=DE
      Comment: Subject template used by the SAP system acting as Registration Authority (RA). When the certificate is issued, the SAP Trust Center Service replaces &UNAME with the user's ID and &WPOU with the application server's Organizational Unit (OU) as specified in the Personal Security Environment (PSE) that is used for signing the certificate request.

      Profile parameter: login/certificate_request_ca_url
      Default value: https://tcs.mysap.com/invoke/tc/usercert
      Comment: URL of the SAP Trust Center Service

    • Users must have Internet access to the SAP Trust Center Service. Refer to the URL in the table above.

  • Only for CERTREQ2

    • In transaction SM59, create an RFC destination of type HTTP Connections to Ext. Server called SAP_TRUSTCENTER_SERVICE with the following values:

      Values on the Technical Settings tab:

      Target Host: tcs.mysap.com
      Service No.: 443
      Path Prefix: /invoke/tc/usercert

      Values on the Logon & Security tab:

      SSL: Active (select the checkbox)
      SSL Certificate: Anonymous

      The system automatically creates the cross-client RFC destination.

    • The SAP system must have Internet access to the SAP Trust Center Service.
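The subject template in the table above is what the SAP Trust Center Service fills in for an issued SAP Passport, and the CN it produces is what the AS ABAP relies on when it maps the certificate to the user's account. The following Python is added here as an illustration (it is not SAP code): it expands the template and checks an issued certificate's subject against it, returning the user ID only when every other RDN matches the configured template. The DN parser is a deliberately simplified assumption (comma-separated RDNs, backslash-escaped commas, not full RFC 4514), and the sample subjects in the tests are constructed.

```python
import re

# Default value of login/certificate_request_subject, taken from the table above.
SUBJECT_TEMPLATE = "CN=&UNAME, OU=&WPOU, O=mySAP.com User, C=DE"


def parse_dn(dn):
    """Split a DN string into an ordered list of (attribute, value) pairs.

    Simplified parser (assumption): RDNs are separated by commas, and a comma
    inside a value is escaped as '\\,'. Not a full RFC 4514 implementation.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def expand_template(template, uname, wpou):
    """Fill in &UNAME and &WPOU the way the Trust Center Service does for an
    issued SAP Passport; commas in substituted values are escaped."""
    return (template.replace("&UNAME", uname.replace(",", "\\,"))
                    .replace("&WPOU", wpou.replace(",", "\\,")))


def user_from_subject(subject, wpou, template=SUBJECT_TEMPLATE):
    """Return the user ID carried in the CN of a certificate subject, but only
    if every other RDN equals the RA template expanded with this server's OU.

    Returns None on any deviation (different OU, O or C, extra or missing
    RDNs, empty CN), so only certificates that match the configured template
    are candidates for the automatic USREXTID mapping.
    """
    expected = parse_dn(expand_template(template, "&UNAME", wpou))
    actual = parse_dn(subject)
    if len(actual) != len(expected):
        return None
    uname = None
    for (e_attr, e_val), (a_attr, a_val) in zip(expected, actual):
        if e_attr != a_attr:
            return None
        if e_val == "&UNAME":
            uname = a_val or None
        elif e_val != a_val:
            return None
    return uname
```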

Procedure

To configure the system for using the SAP Trust Center, you must:

  1. In the Trust Manager, create the PSE to use for signing the requests.

  2. Register the system with the SAP Trust Center Service.

    More information: http://service.sap.com/TCS under SAP Trust Center Services in Detail > SAP Passports in Your SAP Solution.

  3. Assign users the authorization to use the certificate request service.

These steps are described in detail below.

Setting up the Trust Manager

To use a separate PSE for signing the certificate requests, perform the following steps.

  1. Use a table maintenance transaction (SE16) to create an entry in table SSFAPPLIC for the certificate request application. Use the following information:

    APPLIC: CERTRQ
    B_TOOLKIT: X
    B_FORMAT: X
    B_PAB: X
    B_PROFID: X
    B_PROFILE: X
    B_DISTRIB: X

    Leave all other fields blank.

  2. Use transaction SSFA to create a Secure Store and Forward (SSF) application for the trust manager. Use the following information for the entry:

    SSF Application: CERTRQ
    Security Product: SAPSECULIB
    SSF Format: International standard PKCS#7
    Private Address Book: <filename>.pse (example: SAPCERTRQ000.pse)
    SSF Profile Name: <filename>.pse (example: SAPCERTRQ000.pse)
    SSF Profile ID (Opt): <blank>
    Distribute PSE (Only SAPSECULIB): Activation

    The file name should be the same for both the Private Address Book and the SSF Profile Name.

Creating the PSE to Use for Signing the Requests

Use the trust manager (transaction STRUST) to create a PSE. Depending on the option you want to use, either select the node for the entry you created above or select the system PSE. Note that:

  • Use the DSA algorithm with a 1024-bit key.

  • For the requirements on the Distinguished Name as well as additional information, see the documentation provided by the SAP TCS at http://service.sap.com/TCS.

    The information is provided in the document under SAP Trust Center Services in Detail > SAP Passports in Your SAP Solution > CP - RA Certificate for SAP Passport via Customer's Solution.

Registering the System with the SAP Trust Center Service

  1. Create a certificate request for the PSE that you created above:

    1. Select an application server node for the PSE with a double-click so that it appears in the Own Certificate section of the trust manager screen.

    2. Choose the symbol for Create Certificate Request.

      The certificate request appears in the Certificate Request dialog as a PEM-encoded block that begins with -----BEGIN CERTIFICATE REQUEST----- and ends with -----END CERTIFICATE REQUEST-----.

    3. Copy the certificate request's content to a customer message under the component BC-SEC.

      The SAP TCS will validate your information and send you a response, which contains the system's signed public-key certificate.

  2. Import the response into the PSE you created above:

    1. If the request is still displayed, then close the Certificate Request dialog.

    2. Make sure the PSE to use for signing certificate requests is displayed in the Own Certificate section.

    3. Choose the symbol for Import Cert. Response.

      The Certificate Response dialog appears.

    4. Open the response you received from the SAP Trust Center Service in a text editor.

    5. Copy the content of the response to the Certificate Response dialog and choose Enter.

      The response is imported into the PSE.

  3. Save the data.

Assigning Users the Authorizations to Use the Certificate Request Service

  1. Use role maintenance (transaction PFCG) to assign the following authorizations to a role:

    • S_USERCERT, activity 49

    • S_TABU_DIS, activity 02, authorization group SCUS

    There is no standard role available that contains these authorizations, so you either have to create a new role or add them to an existing role.

  2. Assign this role to users who will log on with the SAP Passport.

Result

When users access the certificate request service, they receive a client certificate from the SAP Trust Center Service that they can use for future access to the system.

More Information