Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Authentication to mobile services application using certificates issued by custom CA

former_member219027
Explorer
‎07-19-2018 10:03 PM
To access Mobile services applications using certificates issued by an enterprise CA that is not part of the Trusted Certificate Authorities for Client Certificate Authentication, there are two options.

  • Setup a custom domain and upload the desired CA certificates as trusted entries. Configure mobile services applications to use X.509 Certificate authentication.

  • Configure the mobile application to use SAML as the authentication mechanism. Setup a custom SAML IdP to require certificates to authenticate the user and issue a SAML response to the cloud platform. This is preferable if you wish to use such certificates for accessing multiple applications deployed in the cloud platform account and not just mobile services applications. Please note that the IdP configuration to require certificate authentication should be handled by the IdP administrator.


 

This blog focuses on the first alternative. To authenticate users to mobile services applications using certificates issued by custom CA, follow the steps below to configure the cloud platform account:

  1. Set up custom domain using Cloud Platform documentation on Configuring Custom Domains. In the step to “Add the custom domain”
    neo add-custom-domain --account mysubaccount --user mymail@example.com --host hana.ondemand.com
    
--custom-domain www.example.com --application-url mysubaccountmyapp.hana.ondemand.com --ssl-host mysslhostname

    application-url value should be “mobile-<account-id>. <landscape_identifier>.hana.ondemand.com”, where <landscape_identifier> is similar to us1, eu1, and so forth. For ex: mobile-abcd1234.hana.ondemand.com or mobile-abcd1234.eu1.hana.ondemand.com or mobile-abcd1234.ap1.hana.ondemand.com

  2. Upload the custom CA certificate(s) used for issuing the user certificates to the Big IP instance serving the custom domain as trusted CA(s) so that the user certificates can be validated successfully. Refer to Managing Client Certificate Authentication for Custom Domains for details.

  3. Follow mobile services documentation on the topic “Configuring X.509 Certificate Authentication” to create and upload a keystore with the above trusted CA certificate(s) to mobile services.

Labels in this area
Popular Blog Posts