Skip to Content

<body><p>I wanted to allow my user’s logon to my ABAP server using X.509 client certificates. I knew of the SAP Passports option to enable this but could not find any guide outside the online help that detailed exactly how this could be done and how to resolve often encountered problems in this scenario. </p><p>In my case I configured this on the SAP netweaver 7.3 ABAP server. The customizing is well documented in the online help via the url </p><p>[http://help.sap.com/saphelp_nw73/helpdata/en/49/32de01e8945716e10000000a42189b/frameset.htm | http://help.sap.com/saphelp_nw73/helpdata/en/49/32de01e8945716e10000000a42189b/frameset.htm]</p><p>The main steps taken were</p><ul><li>Ensure https was configured (note 510007 detailed the config) on the system</li><li>Create the entry CERTRQ in table SSFAPPLIC and then create an entry in transaction SSFA with the same CERTRQ name. This will then show in transaction STRUST a new entry called CERTRQ with a red X. Highlighting this and right clicking the mouse will allow you to generate the required PSE file. Important here is that the algorithm is set to DSA and the key length is set to 1024 bits. The naming convention used for the PSE was CN=mycompany.com, OU=<installation number>-<Company Name>, O=SAP Trust Community, C=DE</li></ul><p> </p><ul><li>I Set the profile parameter <tt>login/certificate_request_subject to CN=&UNAME, OU=&WPOU, O=SAP Trust Community, C=DE</tt><tt> and</tt><tt> login/certificate_request_ca_url</tt><tt> to </tt><tt>https://tcs.mysap.com/invoke/tc/usercert</tt></li></ul><p><tt></tt></p><ul><li>Once the PSE was generated in STRUST a certificate request was sent via a support ticket to SAP to have it signed by the SAP Trust Services service. When the response was received this was imported into the CERTRQ PSE. Important here was that the signed response and the root CA was imported in the same step</li></ul><p> </p><p>I then tested the CERTREQ BSP in transaction SICF to see if it would work. This gave the error below <img  />//weblogs.sdn.sap.com/weblogs/images/26738/compressedx.509blog.jpg|height=202|alt=Error|width=350|src=https://weblogs.sdn.sap.com/weblogs/images/26738/compressedx.509blog.jpg! </p><p> </p><p> </p><p> </p><p> </p><p> </p><p> </p><p>I first checked that the certificate in STRUST was successfully signed i.e. if you see the text </p><p><img  /></body>

To report this post you need to login first.

1 Comment

You must be Logged on to comment or reply to a post.

  1. Micha Altmeyer

    Hey Christopher,

    I am facing exactly the same problems which you describe in your blog post. How did you solve the problem?

    Best regards and many thanks for every hint!

    Micha

    (0) 

Leave a Reply