
After you install your SAP NetWeaver Portal, you will probably access it using regular HTTP. So, you’ll use a URL that looks like: http://theportal.mycompany.com:50000/irj. If you use a logon form where you enter your portal username and password, those details will be sent to the portal server unencrypted, which means that a malicious person could in theory capture that combination.

But did you know that you can use secure sockets to access the portal? By default, the portal is installed with SSL enabled. This means that you can change your URL slightly so that instead of typing “http”, you use “https”, but you also need to add 1 to the port number (the number after the colon), so that the URL for the above example becomes https://theportal.mycompany.com:50001/irj.

However, there are a few problems with this. Depending on your browser, you will probably get a certificate warning screen. [Screenshots of the warning in two browsers omitted.]

This is because by default the portal’s standard SSL certificate has a few problems. These are:

  • it’s self signed, which means your browser doesn’t trust it;
  • it’s expired; and 
  • it’s been issued for an unexpected web site, localhost, not the one in the URL you entered.

This can be seen by opening up the certificate details in the browser. [Screenshot of the certificate details omitted.]
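The three problems above can be checked mechanically. The following Python script is an added example, not code from the original post or from SAP. It takes a certificate in the dictionary form that the standard-library ssl module’s getpeercert() returns and reports whether it is self-signed, expired (or not yet valid), or issued for a name other than the hostname in the URL. Both sample certificates in the script are constructed: the “localhost” one mirrors the defaults described above, but its dates and the issuer names are made up. The host-matching rule follows the single-label wildcard of RFC 6125.

```python
"""Check a server certificate for the three defects described above:
self-signed, expired, and issued for the wrong host.

Added example, not code from the original post or from SAP.  Certificates are
taken in the dictionary shape that ssl.SSLSocket.getpeercert() returns; the two
samples at the bottom are constructed for illustration.
"""
import ssl
import time


def _name_to_dict(rdns):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) tuples into a dict."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def host_matches(pattern, hostname):
    """Match one DNS name from the certificate against the hostname in the URL.

    Case-insensitive.  A leading '*' label matches exactly one label, as in
    RFC 6125: '*.mycompany.com' matches 'theportal.mycompany.com' but neither
    'mycompany.com' nor 'a.b.mycompany.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # '.mycompany.com'
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[:-len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_names(cert):
    """Names the certificate claims: the SAN dNSName entries, else the subject CN."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    cn = _name_to_dict(cert.get("subject", ())).get("commonName")
    return [cn] if cn else []


def check_certificate(cert, hostname, now=None):
    """Return a list of problem descriptions; an empty list means no defect found."""
    now = time.time() if now is None else now
    problems = []

    # Self-signed: subject and issuer are the same distinguished name.  (A full
    # check would also verify the signature with the subject's own public key.)
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    if subject == issuer:
        problems.append("self-signed: issuer is the same as the subject")

    # Validity period, parsed with the stdlib helper for getpeercert() date strings.
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired on " + cert["notAfter"])
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not valid before " + cert["notBefore"])

    # Hostname: the name in the URL must match a name the certificate was issued for.
    names = cert_names(cert)
    if not any(host_matches(name, hostname) for name in names):
        problems.append("hostname mismatch: certificate is for %s, URL uses %s"
                        % (", ".join(names) or "<no name>", hostname))
    return problems


# Constructed sample resembling the portal's default certificate (values made up).
DEFAULT_PORTAL_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "notBefore": "Jan  1 00:00:00 2003 GMT",
    "notAfter": "Jan  1 00:00:00 2004 GMT",
}

# Constructed sample of a CA-signed certificate for the real hostname (values made up).
CA_SIGNED_PORTAL_CERT = {
    "subject": ((("commonName", "theportal.mycompany.com"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA Server CA"),)),
    "notBefore": "Jan  1 00:00:00 2005 GMT",
    "notAfter": "Jan  1 00:00:00 2006 GMT",
    "subjectAltName": (("DNS", "theportal.mycompany.com"),),
}

# Evaluation time pinned so the constructed samples give the same report every run;
# pass now=None to check_certificate() for a certificate fetched from a live server.
FIXED_NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2005 GMT")

if __name__ == "__main__":
    for label, cert in (("default", DEFAULT_PORTAL_CERT), ("CA-signed", CA_SIGNED_PORTAL_CERT)):
        found = check_certificate(cert, "theportal.mycompany.com", now=FIXED_NOW)
        print("%s certificate: %s" % (label, "; ".join(found) or "no problems found"))
```

Run the script directly to see the report for both samples. To check a live portal, pass the dictionary from a verified connection’s getpeercert() (with verification disabled, getpeercert() returns an empty dictionary, so a DER parser would be needed instead). A matching subject and issuer is the usual sign of a self-signed certificate; a complete check would also verify the signature with the subject’s own public key.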

So, why has this happened?

First some certificate basics. They are a way to certify an identity to help set up a trusting relationship. For SSL access, they identify the system you are connecting to, so that you don’t end up at a phishing site. You as a user can also have a certificate, which then means the system you connect to knows who you are. An example of this user certificate is the SAP Passport which you can get from the SAP Service Marketplace. Once set up, this allows you to connect to the SAP Service Marketplace without having to enter your S-number and password. In effect, the SAP Marketplace web sites trust your passport.

The server certificates for the portal are managed in the Key Store service of the Visual Administrator.

In the service_ssl view you can see the standard self signed certificate. [Screenshots of the Key Store service omitted.]

If you want to generate a certificate request for your real hostname instead of “localhost”, use the “Create” option and enter appropriate values. The most important is the common name, which must be the hostname from the URL that you use to access the portal.


After generating the certificate request, you need to send it to a Certification Authority (CA), which will sign it and return the signed certificate to you. This normally involves a fee of some sort. SAP provides limited lifetime certificates for testing purposes. Details can be found at http://service.sap.com/ssltest.

The same service also lists the certification authorities (Trusted CAs) that the portal trusts. This matters if we are going to use client certificates, such as an SAP Passport. Note that CA certificates also have an expiration date.


The SSL provider service is where we specify which server identity (certificate) to use and, optionally, which client CAs we will trust. For example, if we decide to use SAP Passports to access the portal, then we need to trust the SAPPassportCA.


If we decide to request or require client certificates, this is where we specify the CAs to trust.


11 Comments


  1. Rahul Urs
    Good Job Michael !!
    A lot of companies use some of the noted SSL providers’ certificates, and if you can give us more info on the comparison of various CA providers with SAP, that would be great info!!

    Also, when you say the statement below, can you guide us with more info, as I couldn’t find these limited certificates you are talking about.

    “SAP provides limited lifetime certificates for testing purposes”

    1. Michael Nicholls Post author
      Glad you like it!
      SAP’s Trust Center Services (http://service.sap.com/tcs) offers a range of functions, including issuing of SAP Passports and issuing of SSL server certificates. In relation to the certificates, they can be purchased for a cost of 260 EUR (plus taxes) for the first year and 130 EUR (plus taxes) for the second year. These prices are from the web site. I don’t know how these compare to other CAs. I expect most other CAs will also have a pricing structure in place.

      SAP also offers SSL test server certificates for 8 weeks for free. http://service.sap.com/ssltest has the details.

      Both types of certificate are “real” certificates. If installed correctly they should remove the annoying certificate errors I mentioned in the blog.

      Hope this helps.

      1. Santiago Ruiz Ramos
        Yes, of course, we can access http…, we want to change our way of accessing the portal, changing username and password by certificates.
        Our EP level is 7.01 sp03.
        I can access at https… too, but I must write user-password each time; it seems that the portal doesn’t recognize the certificate. I don’t get any error message when I access it, but I always must write user-password.
        Let me ask you another question, because until now I have only theoretical knowledge about certificate topics. With your guide I have installed a certificate in our server, and I have installed it in my browser (is it necessary?), but I was looking for more information and I read something about user certificates. Must I install another user certificate (with my user id) in my browser?
        Thanks a lot, for your help.
        1. Michael Nicholls Post author
          The certificate loaded on the server is not the same as the one you load in your browser. You need to get a client certificate for your browser. This needs to be obtained from your client certificate provider, or you could try to use the SAP Passport from the SAP service marketplace.
          1. Santiago Ruiz Ramos
            Thanks Michael, please confirm whether my idea is right: I got a certificate for servers with a trust sign from a CA (SAP server CA), and can our users get a user certificate with a trust sign from our servers? (Can our servers be a CA?) Is it possible? Or must user certificates be signed by another CA (SAP for example)?
            I’m using for the server certificate the SAP limited lifetime certificate for testing purposes (“Server CA”). Is this certificate good for a server? Because you talk about SAP Passports, can we use them as user certificates?

            I’m sorry if there are too many questions, but I need help. Thanks again.

            1. Michael Nicholls Post author
              You can think of certificates a bit like regular passports.

              When I travel I use a passport issued by the Australian government. The document has been signed by them and says that they believe the person holding the passport is really me. When I arrive in Europe, each passport control looks at the passport and decides that because they trust passports issued by the Australian government, then I am that person.

              The person at passport control has a nice badge of some sort which tells me they really work for the government where I am arriving. As such I am going to let them hold my passport while they look at it. Their badge has been issued by their government, who I trust to only give that badge to someone who works for them.

              Let’s compare this to secure communication on the web.

              When I communicate with a web site over SSL, I am saying that I only want to talk to a web site that is really who I think it is. In other words if I go to https://sdn.sap.com, I know I won’t end up at fakewatches.com pretending to be sdn.sap.com. My browser looks at the server side certificate at the site I am looking at and looks at who signed its certificate. If it is in the browser’s list of certificate issuers I trust, then I know I am at the real sdn.sap.com.

              That’s what you have done so far by getting a temporary server side certificate from https://service.sap.com/ssltest.

              It is the same as turning up at passport control for a country and giving them a letter from your mother saying that you really are who you say you are. Will the passport control trust your mother? Probably not. They will only trust you if you have a passport issued by a country whose issuing process they trust.

              In relation to our use of secure communication with a web site, that’s where client side certificates come in. They are a way for you to tell the web site’s server who you are without entering any details. They must be issued by a known certification authority or the server that you give them to is not going to trust them. The “known list of certification authorities” must be maintained by the server administrator. In the case of the SAP portal, this is done through the Java Visual Administrator tool.

              So, if you want to use client side certificates you need to do a few things.

              The first is you need to have a server side certificate which has been signed by someone that your browser trusts. Setting up this trust involves loading the server side certificate’s certification authority file into your browser.

              Then you need to find someone to issue client side certificates. There are some sites who charge for this, others do it for free. They need to be loaded into your browser before they can be used to access a web site. They also need to be issued by someone that your server trusts.

              Then you need to tell the portal how to match a client side certificate to a username. This is a once off process for each user and their certificate. It is either done by the portal user administrator using the /useradmin tool, or it might be able to be done by the end user.

              In relation to your question, you can get an SAP Passport for your Service Marketplace S-number by going to https://service.sap.com/certreq. This is an example of a client side certificate. However, before you can use this to connect to the portal you need to make sure the portal trusts the SAP Passport CA and you need to map the S-number details to your portal username.

              1. Santiago Ruiz Ramos
                Thanks a lot for your clear help, but I would like you to confirm two ideas for me.
                1st. Our first idea was that …
                “our users get a user certificate with a trust sign from our servers”. Can our trusted servers be a CA for ourselves? Or must user certificates be signed by another CA (SAP for example)? …
                2nd. …and in this case how can we associate a user certificate with an SAP Passport (for test) to access our portal (not the SAP marketplace)?
                Again, thanks in advance.
                1. Michael Nicholls Post author
                  Answer 1: A user certificate can be signed by any CA, but you must be able to get the CA certificate to install in the portal server. If your non-portal servers have their own signing mechanism that is probably for encryption, not for authentication, so that won’t help.

                  Answer 2: The SAP passport can only be used for authentication if you can get a copy of the SAP Passport CA loaded into your portal server. I don’t know if this is available from SMP.
