X.509 Client Certificate Authentication Method

You can decide to use only the X.509 client certificate authentication method and disable other methods.

In this context, every Internet Communication Framework (ICF) service should be configured individually in order to allow only authentication through X.509 client certificates over SSL.

Proceed as follows:

  1. Use transaction SICF, and press F8.

    For more information, see ICF Services.

  2. On the Logon Data tab, right-click the ICF node and choose Display Service, and then choose Required with SSL Certificate as the logon option.

    Using this option, only X.509 client certificates will be used for authentication to the ICF service.

  3. Save your settings.

Use the following steps to configure X.509 client certificates over SSL on SAP NetWeaver:

  1. Set up SSL for the system according to SAP Note 510007.

  2. Enable X.509 client certificate settings as follows:

    1. In transaction SMICM, set the AS ABAP profile parameter icm/HTTPS/verify_client to the value 1 (accept certificates) via Goto > Parameters > Change. For more information on this profile parameter, see the documentation about icm/HTTPS/verify_client.

    2. Restart the Internet Communication Manager (ICM) in transaction SMICM via Administration > ICM > Restart > Yes.

      For more information, see the documentation about ICM Administration.

    3. Use the Trust Manager (transaction STRUST) and import the root certificate of the connectivity provider's issuing certificate authority (CA) into the certificate list of the SSL Server Standard PSE.

      • Select the node SSL Server Standard in the tree on the left-hand side, choose Certificate > Import, and enter a path to the certificate location on the file system.

      • Certificate details should be uploaded into the Certificate List. Choose Add to Certificate List and save your settings.

    4. In the Trust Manager, export SAP Gateway’s SSL server certificate from the SSL Server Standard PSE and import it into the certificate store at the connectivity provider.

      • Select node SSL Server Standard in the tree on the left-hand side.

      • Select the SSL certificate under Own Certificate and choose Certificate > Export.

      • Select a proper location of the certificate in the file system.

      • Import it into the Trusted Certificate Store at the target connectivity provider’s system.

User Mapping and X.509 Certificates

If user names on the SAP Gateway system and the connectivity provider systems are identical, SAP Gateway should use the subject name on the X.509 client certificate sent as part of the SSL request, and map it to the local user name. When using X.509 certificates, all users must be mapped to the internal SAP user names. You can use table USREXTID for this. You can maintain table USREXTID in two different ways:

  • Via view VUSREXTID.

    Usually you use this option if you have only a few users and your users have user names which differ from the local SAP user names.

    Maintain the user mapping by means of using the table maintenance transaction SM30.

  • Via report RSUSREXTID.

    Usually you use this option for mass user maintenance.

    Since the SAP Gateway user name is part of the distinguished name in the certificate subject, an administrator could use report RSUSREXTID for batch user provisioning.

    You can make your settings for different kinds of users:

    • Individual user names

    • Alias names, which you can assign via transaction SU01 on the Logon Data tab.

    • Group names

      The SAP Gateway user mapping could be provisioned in a batch, in case the users are grouped together (that is, assigned to a user group).

Maintain the user mapping in the table USREXTID by means of using the table maintenance transaction SM30, view VUSREXTID.

Enter the following information in the corresponding fields:




  • User Group

    User group’s name containing a list of mobile application users, for example.

  • Extern.ID Type

    DN is used for X.509 certificates.

    The external ID is the distinguished name from the digital certificate and must be entered exactly the same into the table, including the preservation of case and spaces.

    For example, CN=testuser, O=SAP-AG, C=DE

  • Prefix of External Name

    Prefix preceding the SAP user name in the user’s certificate

    For example, CN=

    CN is the external user name.

  • Suffix of External Name

    Suffix succeeding the user name in X.509 client certificate

    For example, O=1234567890-Demo, C=DE
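
The prefix/suffix composition and the exact-match requirement described above can be checked before a batch run. The following is an added example, not SAP code and not part of the original page; it assumes the external ID is simply prefix + SAP user name + suffix, that the ", " separator belongs to the suffix, and all user names and subjects are constructed sample data.

```python
# Added example: models the prefix + user name + suffix rule described above.
# It is not SAP code; all names and sample data here are constructed.
import re

PREFIX = "CN="                          # "Prefix of External Name" from the page
SUFFIX = ", O=1234567890-Demo, C=DE"    # suffix; leading ", " is an assumption

def external_id(sap_user, prefix=PREFIX, suffix=SUFFIX):
    """External ID that a batch mapping would store for one SAP user."""
    return f"{prefix}{sap_user}{suffix}"

def _loose(dn):
    """Case- and whitespace-insensitive form, used only to explain near misses."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).casefold()

def check_subjects(sap_users, cert_subjects):
    """Classify each certificate subject against the expected external IDs.

    Returns {subject: (status, sap_user_or_None)} where status is
    'match' (character-for-character equal), 'near-miss' (differs only in
    case or spacing, so the exact comparison fails) or 'unmapped'.
    """
    exact = {external_id(u): u for u in sap_users}
    loose = {_loose(dn): u for dn, u in exact.items()}
    result = {}
    for subject in cert_subjects:
        if subject in exact:
            result[subject] = ("match", exact[subject])
        elif _loose(subject) in loose:
            result[subject] = ("near-miss", loose[_loose(subject)])
        else:
            result[subject] = ("unmapped", None)
    return result

# Constructed sample data: user group members and subjects seen in certificates.
USERS = ["TESTUSER", "JDOE"]
SUBJECTS = [
    "CN=TESTUSER, O=1234567890-Demo, C=DE",   # identical to the stored entry
    "CN=jdoe,O=1234567890-Demo,C=DE",         # case and spacing differ
    "CN=MALLORY, O=Other-Org, C=DE",          # no user maps to this subject
]

if __name__ == "__main__":
    for subject, (status, user) in check_subjects(USERS, SUBJECTS).items():
        print(f"{status:9}  {subject!r} -> {user}")
```

A near-miss result points to a certificate subject or table entry that needs correcting; the comparison itself stays exact.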


If users identified in the connectivity provider and SAP Gateway are different, then the user mapping should be maintained in a different way:

  1. Use table USREXTID by means of the table maintenance transaction SM30, view VUSREXTID.

  2. Create a new entry and provide the following information in the corresponding fields:




    Type of External Id


    Distinguished name of certificate (X.500)


    Distinguished name as found in the user's certificate.

    For example,, , O=Company, C=US


    SAP system user ID

    For example, O=SAP-AG, C=DE

  3. Select the option Activated to activate the client certificate logon for the user.

  4. Save your settings.