Overview
Nov 29, 2017 The file contains the public certificate for the private key. To download the root certificate select Download Root Certificate from the actions button in the line of the private Key Pair. Download Root Certificate for a Key Pair will create a file with the name rootCA.cer in the download directory. The file contains the root certificate for the private key. SAP Process Integration Add comment 10 10000 characters needed characters left characters exceeded.
of the authentication and several login modules can be combined to make a login module authentication stack) in this regard are the ClientCertLoginModule and the CertPersisterLoginModule.
Authentication can also be done to non-SAP Systems that support SSL. No user intervention is needed and this authentication mechanism can be used for both the Internet and the Intranet.
1) Configure SSL on the SAP Application Server JAVA
This is needed cause when using the client certificate, authentication takes places transparently for the user with the underlying SSL security protocol. There are two ways by which SSL configuration can be achieved:
Manually, by configuring the ICM and the AS Java keystore separately.
or
By using the SSL configuration tool in the SAP NetWeaver Administrator.
Short summary of the steps involved:
Cisco asa pre shared key generator. Maintain the required ICM (Internet Communications manager) parameters in the instance profile including the HTTPS port.
Generate a key pair for SSL using the ICM and have it signed by the Certification Authority.
Import the signed Certificate response to /nwa service_ssl and to the instance-specific views ICM_SSL_<ID>.
Generate / Update PSE
More info:
http://help.sap.com/saphelp_nw73/helpdata/en/4a/015cc68d863132e10000000a421937/frameset.htm
2) Set the UME parameter: ume.logon.allow_cert to true.
The default value of the parameter is FALSE.
When set to TRUE, users will have the option of mapping their client certificates to their user ID in the logon screen and administrators can map client certificates to users in the UME administration console. This change can be done using the User management expert console:
For more info, check: https://help.sap.com/saphelp_nw73/helpdata/en/4a/864d94a016203be10000000a42189b/frameset.htm
Restart the SAP Application Server JAVA for the changes to take effect.
3) Place the root certificates for each of the client certificates CAs as a CERTIFICATE entry in the ICM_SSL_<instance_ID> view.
If the certificate exists as a file in your file system, you can import it to the AS Java Key Storage. If needed, export the certificate from the Internet Explorer certificate tab and then import it to the ICM view:
If the certificate already exists in another Key Storage view on the AS Java, you can copy the existing certificate entry to the corresponding view. The final configuration:
On older servers (release 6.40 and 7.00), navigate to the Visual Admin → server →services → ssl Provider and in the tab 'Client Authentication', choose the option 'Request client certificate' and apply the Trusted Root Certificate using the button Add:
4) Set the VCLIENT profile parameter of ICM
Configure the VCLIENT profile parameter of ICM as below:
• Request (but not require) that the user presents a client certificate for authentication.
• Require that client certificates are to be used for authentication.
For more info, check :
An ICM restart is needed for the changes to take effect.
4) Configure the ClientCertLoginModule and Adjust the login module stack
This is needed for establishing the AS Java user ID from the client certificate and filtering the provided certificates. Also the applications that accept client certificates are configured with this step.
Navigate to /nwa → configuration → security → Authentication and Single Sign-On: Authentication and configure the 'ticket' authentication stack:
On SAP Application Server JAVA release 6.40 and 7.00, add the ClientCertLoginModule using the Visual admin → server → services → security provider → ticket as shown below:
Once the logon module is added, click on 'modify' to add the rules:
Using Stored Certificate Mappings
For more help, check:
and
Using Rules Based on Client Certificate Subject Names
For more help, check:
and Openssl generate rsa key pair windows.
https://help.sap.com/saphelp_nw73/helpdata/en/4a/48baeaba4b044ee10000000a421937/content.htm
6) OPTIONAL: Adjust the login module stacks and configure the login modules for those applications that accept Client Certificates as the authentication mechanism.
For example in the below picture, the application sap.com/portletbrowser*portletbrowser authentication has been changed from Basic (using user name and password) to Ticket (which now has the client certificate logon module details configured).
If all the configurations are done correctly, the next time the SAP Application Server JAVA URL, say : http://<hostname>: port/useradmin is called, the logon screen should not appear and the user should get logged in using the client certificate.If the authentication is traced using the Troubleshooting Wizard (for SAP AS Java 7.20, see SAP Note No. 1332726 and for releases prior to 7.1, check SAP Note No. 1045019) the whole logon sequence can be seen.
Below are some excerpts from the logs when the login using client certificates was successful:
From the traces, the matched user details can be seen:
Using X.509 Client Certificates on SAP NetWeaver AS for Java
REQUESTING S USER ID:
SAP Trust Center Service's root certificates
https://support.sap.com/support-programs-services/services/trust-center/download/root-certificates.html
SAP AS JAVA WIKI
Related Posts