Configuring HTTPS at Transport Level with X.509 Certificate Authentication

The AS ABAP and AS Java technology stacks of SAP NetWeaver also enable you to configure Web service (WS) access authentication at the HTTP transport level using X.509 client certificates. For this access scenario, the AS ABAP or AS Java authenticate the WS access with the underlying SSL security protocol.

You use the SAP NetWeaver Administrator (NWA) tool to configure both the AS ABAP and AS Java systems for using transport level authentication with X.509 client certificates.

Prerequisites

To use X.509 client certificates for WS consumer authentication on the AS Java you also have to enable the use of SSL on the AS Java and the AS ABAP. More information: Using SSL on the AS Java and Using the Secure Socket Layer Protocol with the AS ABAP.

Procedure

1. Configure a WS Service Endpoint for Providing a Web Service

In NetWeaver Administrator, choose SOA Management Application and Scenario Communication Single Service Administration Service Definitions .
Find the service for the service endpoint that you want to configure, and select it.
On the Configumation tab page, select the service endpoint to be configured.
Choose the Security tab page and switch to change mode.
Under Transport Protocol, select the HTTPS option.
Under HTTP Authentication, check the X.509 Client Certificate checkbox to permit Single Sign-On with X.509 client certificates for WS consumers.

2. Configure a WS Port for Consuming a Web Service

In NetWeaver Administrator, choose SOA Management Application and Scenario Communication Single Service Administration Consumer Proxies .
Find the service for the service endpoint for which you want to configure a logical port, and select it.
On the Configumation tab page, select the logical port to be configured.
Choose the Security tab page and switch to change mode.
Under Authentication, choose the HTTP Authentication option, and the X.509 Client Certificate radio button.
Use the Details button to
- For an AS Java:
  - choose the PSE and the private key corresponding to the X.509 client certificate to use for consuming the WS.
  - Configure mutual authentication using SSL with the SSL server certificate options
- For an AS ABAP:
  - choose the PSE and the private key corresponding to the X.509 client certificate to use for consuming the WS.