Configuring X.509 Client Certificates for BPM-UWL Communication

You can configure your system so that the tasks generated in Business Process Management (BPM), both on local and remote systems, are displayed in the Universal Worklist (UWL) together with the tasks pertaining to other SAP NetWeaver Portal work areas. For more information, see Configuring Business Process Management with the UWL.

You can configure the BPM UWL connector, which provides the tasks from the BPM system to the UWL, to use X.509 certificates for authentication in its internal communication.

Prerequisites

  • You have configured the use of SSL/HTTPS in both the consumer (UWL) and the provider (BPM) systems. For more information, see Configuring the Use of SSL on the AS Java.

  • You have imported the certificate of a trusted Certification Authority (CA), which is used to verify incoming SSL requests. Make sure that the trusted CA list of each system contains the certificate of the CA that issued the other system's certificate.

Procedure

1. Generate a Key Pair Entry on the Consumer System
  1. Log in as an administrator to SAP NetWeaver Administrator through http://<host>:<port>/nwa and navigate to Configuration Management → Security → Certificates and Keys.

  2. On the Key Storage Content tab, create a key store view with name BPMUWLKeyStore.

    For more information about creating a key store view, see Managing Key Storage Views.

  3. In this key store view, create a new entry with name UWLSSLClientIdentity and with a common name equal to the fully qualified domain name of the consumer system.

    For more information, see Creating a Key Pair and Public-Key Certificate.

  4. Generate a certificate signing request (CSR) for this entry and have it signed by the CA defined in the prerequisites section. Import the signed certificate (the CSR response) that you receive.

  5. Export the entry's own certificate. To do that, choose the Export To File pushbutton, select PKCS#8 Key Pair format, select the first X.509 Certificate file entry with file name containing “cert1” and choose Download to store it in the file system.
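Before the exported cert1 file is uploaded to the provider (section 3 below), it is worth checking that its common name is the consumer's fully qualified domain name and that it chains to the CA the provider trusts; the following script is an added example, not part of the SAP documentation, and assumes the openssl command-line tool. The CA name, file names and the FQDN uwl.consumer.example.com are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sanity checks on the certificate exported from the
# UWLSSLClientIdentity entry before it is attached to the uwl_service user.
set -eu

# check_client_cert CERT CA_CERT EXPECTED_CN
# Returns 0 only if CERT's subject CN equals EXPECTED_CN (the consumer FQDN)
# and CERT validates against CA_CERT (the CA trusted on the provider side).
check_client_cert() {
    cert=$1; ca=$2; expected_cn=$3
    # sep_multiline prints one RDN per line, so the CN can be extracted cleanly
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline \
         | sed -n 's/^ *CN=//p')
    if [ "$cn" != "$expected_cn" ]; then
        echo "CN mismatch: got '$cn', expected '$expected_cn'" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "certificate does not chain to the trusted CA in $ca" >&2
        return 1
    fi
    return 0
}

# make_demo_certs: builds a constructed CA and a CA-signed client certificate
# in a temporary directory (stands in for the NWA key store export) and
# prints the directory path.
make_demo_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Corporate CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=uwl.consumer.example.com" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.crt" >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone demonstration with the constructed certificates.
demo_dir=$(make_demo_certs)
check_client_cert "$demo_dir/client.crt" "$demo_dir/ca.crt" "uwl.consumer.example.com" \
    && echo "client certificate check passed for uwl.consumer.example.com"
```

For a real export, call check_client_cert with the downloaded cert1 file, the CA certificate imported on the provider, and the consumer's FQDN.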

2. Configure the Consumer to use X.509 Certificate for the Requests to the Provider

In case the connection between the consumer and the provider systems has already been configured and you want to make it work with X.509 certificate, follow the steps below.

  1. Log in as an administrator to the portal through http://<host>:<port>/irj and navigate to System Administration → System Configuration → System Landscape Overview.

  2. Find the BPM system that is created to represent the provider in the consumer portal and choose the Open Object pushbutton to edit it.

  3. On the Properties tab page, find User Management and change the logon method to X509CERT in the dropdown menu. Choose the Save pushbutton.

    Note

    If you are using a local connection, that is, both BPM and UWL are running on the same system, and you want to work with X.509 certificates, keep in mind that SAP_LocalSystem cannot work with X.509 certificates. You need to deactivate the SAP_LocalSystem BPEMUWLConnector system and configure a new connection between BPM and UWL as a remote one.

In case the connection between the consumer and the provider systems has to be made from scratch, follow the steps below.

  1. Configure your provider and consumer systems. For more information, see Configuring Business Process Management with the UWL, section Remote Connection.

  2. After you have done the necessary configurations for the consumer system, open the Properties tab page, find User Management and change the logon method to X509CERT in the dropdown menu. Choose the Save pushbutton.

  3. Register the system alias as the item provider for UWL as described in the document mentioned in step 1.

3. Enable Authentication with X.509 Certificate on the Provider System
  1. Log in as an administrator to the user management engine (UME) of the provider system through http://<host>:<port>/useradmin.

  2. Choose the User Management Configuration pushbutton and then choose Open Expert Mode pushbutton.

  3. In the dialog that appears, search for ume.logon.allow_cert property.

  4. Choose the Modify pushbutton and set the property to true if it is false. Choose the Save pushbutton.

  5. In UME, choose the Identity Management pushbutton and search for user uwl_service.

  6. Select the uwl_service user and on the Certificates tab page choose Modify → Browse to upload the exported certificate described in the Generate a Key Pair Entry on the Consumer System section above.

  7. Log in as an administrator to SAP NetWeaver Administrator through http://<host>:<port>/nwa and navigate to Configuration Management → Security → Authentication and Single Sign-On.

  8. On the Authentication tab page, enter web in the Type column filter and sap.com/tc~bpem~him~uwlconn~provider~ear*sap.com~tc~bpem~him~uwlconn~provider~web in the Policy Configuration Name column filter.

  9. Select the application and, under Login Modules on the Authentication Stack tab page, add the ClientCertLoginModule login module with the appropriate control flag.

    If you need authentication with X.509 certificates only, delete all the other login modules for this application. In this case there is no need to add the consumer system to the trusted systems on the provider side.