Author: Cristiano Hansen

How to enable SSO using X.509 client certificates in ABAP app server?

Instead of using the user ID and password to access a service from the Web Application Server ABAP via HTTPS, it is possible to use a client certificate for authentication purposes.


Import the CA certificate into the SSL server Standard

Because the user's certificate is issued by a trusted CA, that CA's certificate must be imported into the SSL Server Standard PSE in transaction STRUST. Click the button highlighted by the red rectangle:

SSO-X509a.png


Once the certificate is loaded, click the “Add to Certificate List” button (see “1” in red); the certificate is then displayed in the “Certificate List” section (see “2” in red):

SSO-X509b.png


Maintain the client certificate

The client certificate must be mapped to the actual user ID in the ABAP system. Use transaction code SM30 to load maintenance view “VUSREXTID”:

SSO-X509c.png


The “External ID type” is “DN”:

SSO-X509d.png


Click the “New Entries” button to add the client certificate (its DN) and map it to the existing user ID on the ABAP side:

SSO-X509e.png


Enter the External ID (the DN field of the client certificate) and the user ID (as created in transaction code SU01), then mark the “Activated” checkbox and save the entry. The information presented is:

SSO-X509f.png


There are cases where the length of the user's DN exceeds the length of column EXTID in table USREXTID. This is not a problem: use the button highlighted above (red square) to load the actual certificate. The system then either stores the entire subject name in the database table or calculates a hash value (and stores the original subject name in a second database table).

Last but not least, profile parameter icm/HTTPS/verify_client must be set to 1 (the system accepts client certificates) or 2 (the use of client certificates is mandatory).
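Two details in the steps above are where this setup usually fails: the External ID entered in VUSREXTID must match the client certificate's subject DN exactly, and the CA certificate placed in the SSL Server Standard PSE must be the one that actually issued the client certificate. The script below is an added example, not part of the original post, that reads both values from a certificate with the openssl command line and checks the chain before anything is typed into SM30. It assumes the openssl CLI is installed; the CA, client certificate, file names and DNs it creates are constructed test data, and the DN it prints is in RFC 2253 order (CN first), the same CN=...,OU=... form used in the post.

```shell
#!/bin/sh
# Added example (not from the post): inspect a client certificate the way a
# Basis admin would before filling VUSREXTID, and check that the CA certificate
# imported into the SSL Server Standard PSE really issued it.
# Requires the openssl CLI. All file names and DNs below are constructed test data.

# Subject DN of a PEM certificate, printed in CN=...,OU=...,O=... order.
# sed strips the "subject=" prefix (older openssl prints "subject= ").
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Issuer DN of a PEM certificate; it must equal the CA certificate's subject DN.
issuer_dn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Returns 0 if the CA in $2 signed the client certificate in $1, non-zero otherwise.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build a throwaway CA, a client certificate signed by it, and an unrelated CA,
# so the checks can be exercised offline. $1 is the working directory.
make_demo_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/O=Example/CN=myCA.com" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/other.key" -out "$dir/other.pem" \
        -subj "/O=Example/CN=otherCA.com" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/O=Example/OU=Basis/CN=cristiano.hansen" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" >/dev/null 2>&1
}

# Print what goes into VUSREXTID and whether the chosen CA really signed the
# client certificate. $1 = client certificate, $2 = CA certificate from STRUST.
report() {
    client="$1"; ca="$2"
    echo "External ID to enter in VUSREXTID: $(subject_dn "$client")"
    echo "Client certificate issuer:         $(issuer_dn "$client")"
    echo "CA certificate subject (STRUST):   $(subject_dn "$ca")"
    if chain_ok "$client" "$ca"; then
        echo "Chain check: OK, this CA signed the client certificate"
    else
        echo "Chain check: FAILED, import the CA that actually issued the client certificate"
    fi
}

# Stand-alone demo: run as "sh check_x509_sso.sh demo"
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_demo_certs "$tmp"
    report "$tmp/client.pem" "$tmp/ca.pem"      # matching CA: chain check OK
    report "$tmp/client.pem" "$tmp/other.pem"   # wrong CA: chain check FAILED
    rm -rf "$tmp"
fi
```

Compare the printed External ID character by character with what SM30 shows, or simply load the certificate file through the button the post describes, which avoids the comparison altogether. When the chain check fails, the certificate in the SSL Server Standard list is not the issuer, and the SM50 logon trace will keep reporting an untrusted certificate until the correct CA is imported.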


Test if the SSO is working

For testing purposes, I used the WEBGUI internet service over HTTPS to check whether the SSO works (assuming the WEBGUI is correctly set up in the system): https://<FQDN>:<HTTPS port>/sap/bc/gui/sap/its/webgui

The SM50 logon trace (SAP Note 495911) shows the following:

SSO-X509g.png


You can read more about the use of X.509 certificates in AS ABAP in the SAP Help page.


      11 Comments

      Ashutosh Chaturvedi

      Hi Cristiano,

      Very helpful information.

      With Regards

      Ashutosh Chaturvedi

      Juan Lee

      Christiano.

      I followed your steps but I am not having any success. I am using a .cer file that I import from my browser, but I do not believe this is the right CA certificate.

      How can I get the CA certificate? Should I be asking our Active Directory person to create the CA certificate from Active Directory so I can load it into STRUST?

      thanks

      Cristiano Hansen
      Blog Post Author

      Hello Juan,

      You need to import into the certificate list of STRUST the certificate from that CA that signs the X.509 client certificates you intend to use.

      Example: I have a certificate with DN CN=cristiano.hansen,OU=... and it is signed by a CA. This CA has a certificate with DN CN=myCA.com,OU=...

      The certificate from the CA needs to appear in the certificate list of your SSL server Standard PSE.

      An SM50 logon trace should help you find more information about what might be missing.

      Kind regards,

      Cris

      Juan Lee

      Thanks for the reply.

      Today, I was given an X.509 (DigiCert) from my security team. They said they added this DigiCert into my AD account.

      Below is the X.509 in STRUST. Is this the correct .cer file I need? I don't see any reference to my account name.

      thanks

      strust.JPG

      Cristiano Hansen
      Blog Post Author

      Hello Juan,

      Is this certificate the one used to sign your X.509 client certificate? Have you already mapped (SM30) your client certificate with your user ID?

      Regards,

      Cris

      Juan Lee

      I got it to work.

      The problem was that the root certificate and user certificate were a little different, so it wasn't communicating.

      Once I uploaded the correct Root certificate into STRUST, everything worked well.

      Graham Day

      Hi Cris,

      I'm very new to using certificates, but what I am trying to do is set up a certificate in STRUST that I have generated from my Anaplan user ID (this has come as a .cer file).

      I'm not sure where exactly this should be set up within STRUST.

      Within STRUST I have folders for

      System PSE

      SSL Server Standard

      SSL Client Anonymous

      SSL Client Standard

      Any help would be much appreciated.

      Kind regards

      Graham Day

      Cristiano Hansen
      Blog Post Author

      Hi Graham,

      In the SSL Server Standard, you should put, in the certificate list, the certificate from the CA that signed your client certificate (section "Import the CA certificate into the SSL server Standard" above).
      The next step is to follow section "Maintain the client certificate".

      Then test the SSO and see whether it works. You can use the logon trace from SAP Note 495911 to check the results (the obvious result would be to successfully access a service without the need of username/password).

      Let me know whether you have more questions.

      Kind regards,
      Cris

      Graham Day

      Hi Cris,

      Thanks for the response. I have applied the user certificate from Anaplan.

      What I would like to do is use this certificate in an SM59 connection so that I can call Anaplan API Web Services via CL_HTTP_CLIENT. I'm not sure if I have the correct setup.

      I have attached the certificate in STRUST and also the SM59 setup.

      This is the ANAPLAN certificate

      Here is my SM59 setup

      Any help would be much appreciated.

      Thanks

      Graham

      Cristiano Hansen
      Blog Post Author

      Hi Graham,

      I suggest using the logon trace from SAP Note 495911 to see what might be going wrong.

      Kind regards,

      Cris

      Graham Day

      Hi Cristiano,

      I managed to get connectivity by writing my own REST APIs, which avoided using HTTPS. I would much prefer to use the STRUST certificate and HTTPS. If you have some time, this is what I have set up so far.

      I have created my own SSL Client Identity and loaded the certificates against it (PKCS#12, so it should contain both public and private keys). What I’m not clear on is how I populate the HTTP request; this needs the Authorisation header to contain the public key. How do I retrieve this from STRUST?

      Also, the body of the request requires 2 strings of data: the first string is a random string of characters encoded in Base64 and the second string is the first string signed by the private key. How do I get SAP to sign this data with the private key in STRUST?

      I have looked at a few of the standard classes such as CL_SMIME / CL_ST_CRYPTO_X509 – my thinking is that I could create an instance based on the SSL Client Identity I have created.

      Any help or guidance would be much appreciated.

      Kind regards
      Graham