Configuring the System to Use the SAP Trust Center Service

When using X.509 client certificates for authentication in your system, you can simplify the task of distributing certificates to users by using the SAP Trust Center Service. When using this feature, users receive their SAP Passport (X.509 client certificate) over the Internet directly from the SAP Trust Center Service.

Prerequisites

  • The system is configured for using the Secure Sockets Layer (SSL) protocol.

  • With the exception of the user mapping table USREXTID, the system is configured for using X.509 client certificates for authentication.

    Note

    When the user receives his or her certificate, the AS ABAP also automatically maps the certificate to the user's account, eliminating the need to maintain the mapping table USREXTID manually.

    End of the note.
  • The following profile parameters are set in the AS ABAP's default profile:

    Profile parameter: login/certificate_request_subject
    Default value: CN=&UNAME, OU=&WPOU, O=mySAP.com User, C=DE
    Additional notes: This is the naming pattern to use for the users' Distinguished Names. When the certificate is issued, the SAP Trust Center Service replaces &UNAME with the user's ID and &WPOU with the application server's Organizational Unit (OU) as specified in the corresponding Personal Security Environment (PSE) that is used for signing the certificate request.

    Profile parameter: login/certificate_request_ca_url
    Default value: https://tcs.mysap.com/invoke/tc/usercert
    Additional notes: URL for the SAP Trust Center Service.
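As an added example that is not part of the SAP documentation, the following Python expands the login/certificate_request_subject pattern the way the page describes (&UNAME becomes the user ID, &WPOU the OU of the signing PSE) and recovers the user ID from a certificate subject, returning nothing when the OU, O or C of the subject deviates from the pattern. The DN parser (RFC 2253-style backslash escaping is assumed) and all sample subjects are constructed here.

```python
# Added example, not from the SAP documentation: expand the page's
# login/certificate_request_subject pattern (&UNAME -> user ID, &WPOU -> OU of
# the signing PSE) and recover the user ID from a certificate subject.
DEFAULT_PATTERN = "CN=&UNAME, OU=&WPOU, O=mySAP.com User, C=DE"
_SPECIAL = ',+"\\<>;'  # DN specials to escape (parser here is constructed, not SAP code)

def _escape(value):
    return "".join(("\\" + c) if c in _SPECIAL else c for c in value)

def expected_subject(uname, wpou, pattern=DEFAULT_PATTERN):
    """Distinguished Name the Trust Center Service would issue for this user."""
    return pattern.replace("&UNAME", _escape(uname)).replace("&WPOU", _escape(wpou))

def parse_dn(dn):
    """Split a DN into [(TYPE, value), ...] honouring backslash escapes; types
    are upper-cased and whitespace around '=' and ',' is ignored."""
    rdns, buf, key, escaped = [], [], None, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key, buf = "".join(buf).strip().upper(), []
        elif ch == "," and key is not None:
            rdns.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(ch)
    if key is None or escaped:
        raise ValueError("malformed DN: " + dn)
    rdns.append((key, "".join(buf).strip()))
    return rdns

def user_from_subject(cert_subject, wpou, pattern=DEFAULT_PATTERN):
    """User ID carried in cert_subject, or None when the RDN count or any
    other RDN (OU, O, C) deviates, so a foreign certificate is never mapped."""
    got, want = parse_dn(cert_subject), parse_dn(pattern)
    if len(got) != len(want):
        return None
    uname = None
    for (gtype, gval), (wtype, wval) in zip(got, want):
        if gtype != wtype:
            return None
        if wval == "&UNAME":
            uname = gval
        elif gval != (wpou if wval == "&WPOU" else wval):
            return None
    return uname
```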

Procedure

To configure the system for using the SAP Trust Center, you must:

  1. Decide which PSE to use. You can either use the system PSE or create a separate one that is used explicitly for signing certificate requests. Note that:

    • If you want to create a separate PSE to use for signing requests, then you must first set up the trust manager. See the description below.

    • Otherwise the system uses the system PSE. In this case, you must create a new system PSE and use a Distinguished Name that complies with the naming convention specified by the SAP Trust Center Service.

    Note

    If you replace an existing system PSE, then note the following:

    • Export any certificates contained in the old system PSE's certificate list and re-import them into the new system PSE's certificate list.

    • If the system has been set up as a ticket-issuing system for logon tickets, then also reconfigure any accepting systems. (Import the new certificate into each system's corresponding certificate list and maintain the access control lists.)

    End of the note.
  2. Create the PSE to use for signing the requests.

  3. Register the system with the SAP Trust Center Service. For further information, see http://service.sap.com/TCS.

    See SAP Trust Center Services in Detail, SAP Passports in Your SAP Solution.

  4. Assign users the authorization to use the certificate request service.

These steps are described in detail below.

Setting up the Trust Manager

Perform the following steps if you want to use a separate PSE for signing certificate requests.

  1. Use a table maintenance transaction (SE16) to create an entry in table SSFAPPLIC for the certificate request application. Use the following information:

    Field        Value
    APPLIC       CERTRQ
    B_TOOLKIT    X
    B_FORMAT     X
    B_PAB        X
    B_PROFID     X
    B_PROFILE    X
    B_DISTRIB    X

    Leave all other fields blank.

  2. Use transaction SSFA to create a Secure Store and Forward (SSF) application for the trust manager. Use the following information for the entry:

    Field                              Value
    SSF Application                    CERTRQ
    Security Product                   SAPSECULIB
    SSF Format                         International standard PKCS#7
    Private Address Book               <filename>.pse (example: SAPCERTRQ000.pse)
    SSF Profile Name                   <filename>.pse (example: SAPCERTRQ000.pse)
    SSF Profile ID (Opt)               <blank>
    Distribute PSE (Only SAPSECULIB)   Activation

    The file name should be the same for both the Private Address Book and the SSF Profile Name.

Creating the PSE to Use for Signing the Requests

Use the trust manager (transaction STRUST) to create a PSE. Depending on the option you want to use, either select the node for the entry you created above or select the system PSE. Note that:

  • Use the DSA algorithm with a 1024-bit key.

  • For the requirements on the Distinguished Name as well as additional information, see the documentation provided by the SAP TCS at http://service.sap.com/TCS.

    The information is provided in the document under SAP Trust Center Services in Detail, SAP Passports in Your SAP Solution, CP - RA Certificate for SAP Passport via Customer's Solution.

Registering the System with the SAP Trust Center Service

  1. Create a certificate request for the PSE that you created above:

    1. Select an application server node for the PSE with a double-click so that it appears in the Own Certificate section of the trust manager screen.

    2. Choose the symbol for Create Certificate Request.

      The certificate request appears in the Certificate Request dialog. See the example below.

      Example

      -----BEGIN CERTIFICATE REQUEST-----
      MIIBkzCCAVICAQAwWjELMAkGA1UEBhMCREUxHDAaBgNVBAoTE215U0FQLmNvbS
      BXb3JrcGxhY2UxDzANBgNVBAsTBlNBUCBBRzEOMAwGA1UECxMFQmFzaXMxDDAK
      BgNVBAMTA0JJTzCB7jCBpgYFKw4DAhswgZwCQQCSnauC/cAfQVrmOtWznQ9I+i
      4twoPq8wCE0Fk5EAVjQnX2oMqBnyoi+ee/ZH2cLwyhp5mOOw70+exS7PHEWKiF
      AhUAw9FSY1AsFV4U9fC9w+Bg5H4ISYcCQARcC+7q3UkM0TF0A5zRaq7viO3Wj2
      MwYUNwFkc0hxzhloUQd21megZADoFiisdzkn/nF4eIxV9vq9XxcV63xTsDQwAC
      QFher18UA8YkY4/zHe4mbupBXvDSucm2nbJuQ5PgDBvVaMmtpXIisyzuAFL+qC
      zQ92mkNqUR9JLWpz09ghQdISCgADAJBgcqhkjOOAQDAzAAMC0CFA7qEluP/Kfi
      +6HF/8I7j4NfF44xAhUAqkDgAeR3tzmNegKUTQ+JzeCXawE=
      -----END CERTIFICATE REQUEST-----

      End of the example.
    3. Copy the certificate request's content to a customer message under the component BC-SEC.

      The SAP TCS will validate your information and send you a response, which contains the system's signed public-key certificate.

  2. Import the response into the PSE you created above:

    1. If the request is still displayed, then close the Certificate Request dialog.

    2. Make sure the PSE to use for signing certificate requests is displayed in the Own Certificate section.

    3. Choose the symbol for Import Cert. Response.

      The Certificate Response dialog appears.

    4. Open the response you received from the SAP Trust Center Service in a text editor.

    5. Copy the content of the response to the Certificate Response dialog and choose Enter.

      The response is imported into the PSE.

  3. Save the data.

Assigning Users the Authorizations to Use the Certificate Request Service

  1. Use role maintenance (transaction PFCG) to assign the following authorizations to a role:

    • S_USERCERT, Activity 49

    • S_TABU_DIS, Activity 02, Authorization Group SCUS

    There is no standard role available that contains these authorizations, so you either have to create a new role or add them to an existing role.

  2. Assign this role to users who will log on with the SAP Passport.

Result

When users access the certificate request service, they receive a client certificate from the SAP Trust Center Service that they can use for future access to the system.

More Information

Overview of how requesting SAP Passports works in SAP systems: Using SAP Passports Provided by the SAP Trust Center Service

Configuring SSL: Configuring the AS ABAP for Supporting SSL

Configuring the Use of Client Certificates for Authentication: Configuring the System for Using X.509 Client Certificates

Using transaction SSFA: Maintaining Application-Specific Information

Using the Trust Manager: Trust Manager

Role maintenance: Role Administration