Additional Blogs by SAP
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Using SAP Passports (X.509 client certs) in the SAP Web AS ABAP

ChrisPS
Contributor
‎10-28-2011 5:10 AM
0 Kudos

<body><p>I wanted to allow my user’s logon to my ABAP server using X.509 client certificates. I knew of the SAP Passports option to enable this but could not find any guide outside the online help that detailed exactly how this could be done and how to resolve often encountered problems in this scenario. </p><p>In my case I configured this on the SAP netweaver 7.3 ABAP server. The customizing is well documented in the online help via the url </p><p>[http://help.sap.com/saphelp_nw73/helpdata/en/49/32de01e8945716e10000000a42189b/frameset.htm | http://help.sap.com/saphelp_nw73/helpdata/en/49/32de01e8945716e10000000a42189b/frameset.htm]</p><p>The main steps taken were</p><ul><li>Ensure https was configured (note 510007 detailed the config) on the system</li><li>Create the entry CERTRQ in table SSFAPPLIC and then create an entry in transaction SSFA with the same CERTRQ name. This will then show in transaction STRUST a new entry called CERTRQ with a red X. Highlighting this and right clicking the mouse will allow you to generate the required PSE file. Important here is that the algorithm is set to DSA and the key length is set to 1024 bits. The naming convention used for the PSE was CN=mycompany.com, OU=<installation number>-<Company Name>, O=SAP Trust Community, C=DE</li></ul><p> </p><ul><li>I Set the profile parameter <tt>login/certificate_request_subject to CN=&UNAME, OU=&WPOU, O=SAP Trust Community, C=DE</tt><tt> and</tt><tt> login/certificate_request_ca_url</tt><tt> to </tt><tt>https://tcs.mysap.com/invoke/tc/usercert</tt></li></ul><p><tt></tt></p><ul><li>Once the PSE was generated in STRUST a certificate request was sent via a support ticket to SAP to have it signed by the SAP Trust Services service. When the response was received this was imported into the CERTRQ PSE. Important here was that the signed response and the root CA was imported in the same step</li></ul><p> </p><p>I then tested the CERTREQ BSP in transaction SICF to see if it would work. This gave the error below <img  />//weblogs.sdn.sap.com/weblogs/images/26738/compressedx.509blog.jpg|height=202|alt=Error|width=350|src=https://weblogs.sdn.sap.com/weblogs/images/26738/compressedx.509blog.jpg! </p><p> </p><p> </p><p> </p><p> </p><p> </p><p> </p><p>I first checked that the certificate in STRUST was successfully signed i.e. if you see the text </p><p><img  /></body>

1 Comment
Popular Blog Posts
Top kudoed authors
View all