Configuring Client Certificate Authentication (mutual https) on SAP Gateway


Introduction

Using user certificates (X.509 certificates) for authentication is often a secure and convenient option. When using the browser, there is no need for the user to enter credentials, because the browser can retrieve the corresponding user certificate from the system's keystore.

Certificate Database in STRUST

When you want to use client certificates (X.509 certificates) for authentication against NetWeaver, you first need to import the CA and intermediate CA certificates that were used to sign these user certificates.

Before importing root certificates, the internal certificate database should be maintained.

In STRUST, click Certificate > Database, which opens a screen where table VSTRUSTCERT can be maintained.


Import the CA certificate (the file extension should be .cer, DER encoded) and choose the custom created trust center Z_CA in the "Database" tab.


After that the CA certificate is shown and can be imported by clicking "Add to Certificate List".


The CA certificate should now appear in the certificate list.


Click on Save!

Certificate/User Mapping

There are mainly two ways to map user certificates to SAP internal users. The recommended (and newer) approach is rule-based certificate mapping. The old approach uses the table view USREXTID, where each user and certificate has to be mapped manually. I will only describe the new, recommended way using rule-based certificate mapping.

Rule-Based Certificate Mapping

If you do not want to map each single user certificate and also do not want to use batch processing, you need to define a general rule-based certificate mapping so that NetWeaver can map user certificates automatically. This is also SAP best practice!

Rule-based certificate mapping (transaction CERTRULE) enables the mapping of users from parts of the subject or the subject alternative name of an X.509 certificate for a given issuer to the user ID or alias of a user master record. With a few rules, you can enable logon with X.509 certificates for all your users. The tool also enables you to load an X.509 certificate and check if a rule applies to the certificate and if the certificate maps to a user. For individual users that do not map to the rules you can create exceptions.

Once enabled, rule-based mapping replaces manual mapping in the table USREXTID. If you currently use table USREXTID for certificate mapping, use transaction CERTRULE_MIG to create a set of rules based on your current entries.

Your administration user needs the authorization objects S_RZL_ADM and S_USER_GRP.

Make sure profile parameter login/certificate_mapping_rulebased is set to 1 (careful: after that, table USREXTID is not used any longer).

Check first whether rule-based certificate mapping is really activated. For that you can, for example, open transaction SM30 and maintain table view VUSREXTID. You should get a warning that you cannot use this manual mapping anymore because certificate logon is rule-based. (If you do not get this warning, check your profile parameter again.)


Go to transaction CERTRULE and click the "Import" button.


After that, the certificate information is imported. Additionally, under "Certificate Status based on Persistence" you can see whether an already existing mapping rule could be used to map this certificate (in our case not yet).

Activate edit mode and add a new rule.


In my case the certificate's subject contains the user name, so I choose CN.


The subject filter can be adjusted according to the attributes available in the certificate's subject (in my case, for example, the attributes of the imported certificate):


Save changes!

After that, the mapping status (and the user status) should be green, and the rule has been added.


You can test other user certificates. The DN has to match the rule's pattern exactly (including the order and number of attributes).

If you test with a user certificate that matches the rule, but whose associated user is not available in the user store, this is shown as follows:


Explicit Mappings

If you want to add specific certificates that are not covered by a rule, you can use the "Explicit Mapping" functionality. When importing the certificate into CERTRULE, choose "Explicit Mapping".

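To make the matching behaviour of rule-based mapping and explicit mappings concrete, here is an added example (not code from the post or from SAP) that models the decision in plain Python: a rule is bound to one issuer and to an exact list of subject attribute types, the login attribute supplies the user ID, and an explicit mapping for a specific certificate takes precedence over the rules. Issuer, subject and user names are constructed sample values, and the status labels are my own.

```python
# Added example, not from the post or SAP's own code: a small model of how
# rule-based certificate mapping (CERTRULE) resolves a client certificate to
# a user, plus an explicit mapping that takes precedence over the rules.
# Issuer, subject and user names below are constructed sample values.
from dataclasses import dataclass


def parse_dn(dn):
    """Split 'CN=MARVIN, O=ACME, C=DE' into an ordered list of (type, value).
    Simplified: attribute values containing commas are not supported."""
    parts = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        parts.append((attr_type.strip().upper(), value.strip()))
    return parts


def dn_key(issuer, subject):
    """Normalised (issuer, subject) key used for explicit mappings."""
    return (tuple(parse_dn(issuer)), tuple(parse_dn(subject)))


@dataclass
class Rule:
    issuer: str           # the rule applies only to certificates from this CA
    subject_attrs: tuple  # expected subject attribute types, in order
    login_attr: str       # subject attribute that carries the user ID


def rule_matches(rule, cert):
    """Issuer must be identical and the subject must carry exactly the rule's
    attribute types, in the same order and number (as the post points out)."""
    if parse_dn(cert["issuer"]) != parse_dn(rule.issuer):
        return False
    subject_types = tuple(t for t, _ in parse_dn(cert["subject"]))
    return subject_types == rule.subject_attrs


def map_certificate(cert, rules, explicit, user_store):
    """Return (mapping_status, user): status is 'explicit', 'rule' or 'none';
    user is None when the mapped user ID does not exist in the user store."""
    key = dn_key(cert["issuer"], cert["subject"])
    if key in explicit:                          # explicit mappings win
        user = explicit[key]
        return ("explicit", user if user in user_store else None)
    for rule in rules:
        if rule_matches(rule, cert):
            user = dict(parse_dn(cert["subject"]))[rule.login_attr].upper()
            return ("rule", user if user in user_store else None)
    return ("none", None)


CA = "CN=Z_CA, O=Example Corp, C=DE"             # constructed issuer DN
RULES = [Rule(issuer=CA, subject_attrs=("CN", "O", "C"), login_attr="CN")]
EXPLICIT = {dn_key(CA, "CN=Service Account 7, OU=Batch, O=Example Corp, C=DE"): "BATCHUSR"}
USERS = {"MARVIN", "BATCHUSR"}                    # constructed user store
```

A certificate with an extra OU attribute in its subject does not match the rule even though the CN is present, which is exactly the "order and number of attributes" caveat from the post.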

For more information check http://help.sap.com/saphelp_nw74/helpdata/en/8f/1aa732c9614eae91b52b836c1fb885/content.htm

Testing Client Certificate Authentication

For testing purposes you can install your user certificate into the personal certificate store of your Windows user. You can do this, or verify it, by calling certmgr.msc and checking the folder Personal > Certificates.


If you now call the ping service https://<gateway server>:<https port>/sap/bc/ping again, you should be logged in directly (without having to enter user name and password).

Depending on your browser settings, a popup may be displayed instead where you can choose the matching client certificate.


SAP Gateway is now prepared for client certificate authentication. That means you can now also establish mutual HTTPS connections between SMP and SAP Gateway…


1 Comment


Oliver Hütköper

    Hi Marvin,

    Thanks for this nice introduction to Client Certificate Authentication.

    When the user gets the popup to select a certificate, all certificates are shown that match the CAs accepted by our SAP system. Is it possible to further filter this list?

    Our users have multiple certificates from the same CA. But only one can be used to authenticate on our SAP system. Therefore we would like to limit the list of certificates to this single certificate. Is this possible?

    Thanks and best regards,
    Oliver

