X.509 Certificates

In this scenario you must first configure a working SSO account for the logged-on user (for example ASPNET, or whichever Windows user your application runs under). The SAP system examines the X.509 certificate to determine an external user ID, and this external user is logged on to the SAP system. As a result you only have to set up an SSO connection between the web server and the SAP system, and then use the certificate field to map from the X.509 certificate to the SAP user.
Alternatively, you can use Active Directory or IIS mapping and impersonate the user. This method is discussed in part in the section on Kerberos or NTLM SSO with impersonation above.
In the connector, the SAPLogonDestination X509Certificate property should contain the value of the X.509 certificate, Base64 encoded. Set it at runtime after reading the contents of the X.509 certificate from the user's browser.
| Certificate Field | Returns |
| --- | --- |
| Request.ClientCertificate.Subject | The subject that is mapped to the SAP external user ID in table VUSREXTID. For example: CN=SAPDotNet |
| Request.ClientCertificate.Certificate | A byte array containing the binary stream of the entire certificate content. You must use the Convert.ToBase64String function to format it for sending to the SAP system. |
The following example shows code for using the browser certificate in SapLogonDestination:

    // Request.ClientCertificate.Certificate is the raw (DER) byte array of the whole certificate;
    // the connector expects it Base64 encoded in the X509Certificate property.
    sapLogonDestination1.X509Certificate = Convert.ToBase64String(Request.ClientCertificate.Certificate, 0, Request.ClientCertificate.Certificate.Length);

Do not use the USER parameter in your Destination component with X.509 certificate logon.
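The following is an added example, not code from the SAP .NET Connector documentation or the connector itself. It shows an ASP.NET code-behind that takes the browser's client certificate, refuses it unless IIS and a local chain check both accept it, logs the Subject DN that VUSREXTID will be matched against, and hands the Base64-encoded certificate to the destination without setting a user name. It assumes .NET Framework 2.0 or later (for X509Certificate2 and X509Chain) and the connector's SAP.Connector namespace with a SAPLogonDestination class; the X509Certificate property is the one described on this page, while AppServerHost, SystemNumber, Client and Language, the host name and the revocation policy are assumptions to adapt to your landscape.

```csharp
// Added example, not part of the SAP .NET Connector documentation.
// Assumes .NET 2.0+ and the connector's SAP.Connector namespace (SAPLogonDestination).
using System;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using SAP.Connector;

public class SapX509LogonPage : System.Web.UI.Page
{
    // Returns the Base64-encoded DER certificate for the X509Certificate property,
    // or throws if the browser did not present a certificate this server accepts.
    // The SAP system trusts the web server (over SNC) to have authenticated the
    // user, so the server must not forward a certificate it has not validated.
    public static string GetCertificateForSap(HttpClientCertificate clientCert)
    {
        if (clientCert == null || !clientCert.IsPresent)
        {
            throw new InvalidOperationException(
                "No client certificate presented; IIS must run HTTPS and request client certificates.");
        }

        // IIS sets IsValid only when the certificate chained to a CA it trusts.
        if (!clientCert.IsValid)
        {
            throw new InvalidOperationException("Client certificate was rejected by IIS.");
        }

        X509Certificate2 cert = new X509Certificate2(clientCert.Certificate);

        // Re-check the chain here, including revocation (policy values are assumptions:
        // tighten or relax them to match the site's CA setup).
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        if (!chain.Build(cert))
        {
            throw new InvalidOperationException("Client certificate chain did not validate.");
        }

        // The Subject DN is what table VUSREXTID (External ID type DN) is matched against.
        // Logging it lets mapping problems be diagnosed without SM50 tracing.
        Trace.TraceInformation("Client certificate subject for VUSREXTID: {0}", cert.Subject);

        // The connector expects the entire DER-encoded certificate as one Base64 string.
        return Convert.ToBase64String(clientCert.Certificate);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        SAPLogonDestination destination = new SAPLogonDestination();
        destination.AppServerHost = "sapapp.example.local"; // placeholder host name
        destination.SystemNumber = 0;                         // assumed property and value
        destination.Client = "100";                           // assumed property and value
        destination.Language = "EN";                          // assumed property and value

        // X.509 logon: set only the certificate. Username and Password stay unset,
        // because the SAP system derives the user from VUSREXTID.
        destination.X509Certificate = GetCertificateForSap(Request.ClientCertificate);

        // The proxy objects are then created with this destination as usual.
    }
}
```

Keeping the validation in a static method makes it easy to exercise outside the page life cycle, and failing closed on any missing or invalid certificate is what prevents an unauthenticated request from ever reaching the SNC-trusted RFC path.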
Setting Up Certificate Mapping to SAP User in the SAP System
The procedure consists of the following steps:
· You enable an SNC connection between IIS and the SAP system with transaction SNC0.
· You map the certificate to the SAP user in table VUSREXTID.
Input for Setting Up Certificate

| Step | Option | Explanation |
| --- | --- | --- |
| Enable an SNC connection between IIS and the SAP system (transaction SNC0). | System ID | Enter your SAP system ID. |
| | SNC name | Enter the Secure Network Communications (SNC) user name. For example, for Kerberos enter: p:<SAPService_User>@<DOMAIN_NAME>. For more information on SNC names, refer to the SNC User Guide in the SAP Service Marketplace at service.sap.com |
| | Entry for RFC ... Entry for ext. ID | Activate all entries for RFC, CPIC, DIAG, certificate and ext. ID. |
| Map the certificate to the SAP user with transaction SM30. | External ID type | 1. Maintain table VUSREXTID. 2. Enter DN for External ID type. |
| | External ID | Enter the ID exactly as stated in the certificate, for example CN=SAPDotNet. The options for finding the Subject name (External ID) are listed below the table. |
| | User | Enter your SAP user name. |

To find out the Subject name (External ID) you have the following options:
· Using Internet Explorer:
  a. In Internet Explorer, choose Tools → Internet Options → Content → Certificates.
  b. Select the certificate and choose View.
  c. On the Certificate screen, choose Details.
  d. Go to Subject to see the name.
· Using SAP process tracing:
  a. Use transaction SM50.
  b. Turn on tracing for the component SECURITY and use trace level 2:
     § Choose Process → Trace → Display settings → Display Components and select SECURITY.
     § Choose Process → Trace → Dispatcher → Change Trace Level and enter 2 for the trace level.
     Now tracing is enabled on the SAP application server.
  c. Run the .NET Connector application that uses the X.509 certificate to connect to the SAP system.
  d. On the SAP application server, search for a file named dev_w<workprocess_number> (for example, dev_w0) that contains the text string CertGetInfo. The subject name is next to the text string.
Setting Up Certificates in IIS
For certificates to work you have to configure IIS to use HTTPS.
Here is an example of ASPX page code to test whether certificates are working in IIS:

    User (from Context): <%=Context.User.Identity.Name%> <P>
    User (from Thread): <%=System.Threading.Thread.CurrentPrincipal.Identity.Name%><P>
    Certificate: <%=Request.ClientCertificate.Subject%>
For more information about using X.509 certificates in Windows 2000, refer to the Step-by-Step Guide to Mapping Certificates to User Accounts at http://www.microsoft.com/windows2000/techninfo/planning/security/mappingcerts.asp