Using Web Administration Interface with X.509 Certificate (SAP Library

Using Web Administration Interface with X.509 Certificate

Use

You can set up the administration for the ICM and the SAP Web dispatcher from the browser. SAP recommends you use the Web administration with X.509 client certificates (with SSL). This is much more secure and the logon popup is omitted when the Web administration is first called up.

Prerequisites

The configuration of the ICM and Web dispatcher must fulfill the following conditions.

SSL

● SSL is configured in the ICM or Web dispatcher and a TTPS port has been opened (see Structure link Configuring SAP Web Dispatcher to Support SSL).

● For the HTTPS port the value of Structure link icm/HTTPS/verify_client must be 1 or 2 (server must ask for the client certificate).

● The user has a client certificate that the server accepts (the CA which has issued the client certificate must be trusted); see Structure link Using X.509 Client Certificates.

Web Administration Interface

You have set up the Web administration interface as described in Setting Up the Web Administration Interface.

Procedure

Enter the client certificate belonging to the user in the authentication file (standard name icmauth.txt). You enter the certificate in an optional column at the end of the file (see Structure link icm/HTTP/auth_<xx>).

Example

binadm:$apr1$/iTOQ...$s9FZ5iYn7KA4f6HhCjHJu/:user

icmadm:$apr1$zO.S6/..$D6cx7JNx102MDmYeFKSSL1:admin:CN=muster,*

In this column enter the distinguished name (DN) as it stands in the client certificate. In the browser this is often entered as the subject of the client certificate. As you can see in the example, the wildcards '?'and '*' are used to specify the certificate.

Example

For instance, the distinguished name of the client certificate could have the following value in full: CN=muster, O=SAP-AG, C=DE

When you set icmon -a in the authentication file, you can change the DN of the client certificate as well as the password and group of an existing user.

If you want a user to be able to log on only with the X.509 client certificate, you can enter an x as the password (for queries), which makes the following entry (in the example) in file:

icmadm:x:admin:CN=muster,*