Technical Articles
How to configure X.509 certificate Logon to Netweaver AS ABAP from SAP Web Dispatcher
In this blog we will discuss about steps required to configure the X.509 certificate logon from web dispatcher. We have to configure few parameters and SSL certificates
1) icm/HTTPS/verify_client
SSL clients do not automatically send their certificate. The server has to ask for the certificate. On the application server you can control this behavior by using profile parameter.
Profile parameter icm/HTTPS/verify_client.has to be configured in Web dispatcher and ICM
This dynamically changeable parameter has three options:`
0 : SAP Web Dispatcher does not ask for client certificates
1 (default): SAP Web Dispatcher asks for client to transfer a certificate. If the client does not send a certificate, authentication is carried out by another method, for example, basic authentication (default setting.
2: SAP Web Dispatcher requires a client certificate. The connection is terminated if the client does not send a certificate.
if authentication is mandatory with certificate you can set the parameter to ‘2’ to ensure that clients send their certificates.
2) Backend system is only allowed to accept client certificates that have been forwarded by a trusted intermediary .Check trusted intermediaries are properly configured in the backend system to have the trusted intermediate, the following parameters must be set in the ICM profile:
“icm/HTTPS/trust_client_with_issuer” and “icm/HTTPS/trust_client_with_subject” or icm/trusted_reverse_proxy_<xx> = SUBJECT=”<subject of wd client certificate>”, ISSUER=”<issuer of wd client certificate>” If <subject> and <issuer> of the Web Dispatcher client certificate are the same ICM accepts the SSL header fields. Each character including spaces should match. If they are not the same, the ICM deletes them.
3) icm/HTTPS/forward_ccert_as_header
In SAP Web Dispatcher profile, parameter icm/HTTPS/forward_ccert_as_header has to be set to TRUE, which is the default value. There is no action required unless the value is set to FALSE
By default, the original client certificate is included in the HTTP request header SSL_CLIENT_CERT. However, you can configure the name of this field (and all other header fields containing information about the forwarded certificate) by using a profile parameter.
4) Establish trust between client and server. SSL connection the client has to trust the server. The client checks whether the server can be trusted by comparing the server’s SSL certificate and the certificates in its certificate chain to a list of configured certificates that can be trusted. If the server offers a certificate that is not in this list and whose root CA’s and intermediary CA’s certificate are not in this list, the client will not trust the server and will abort the SSL handshake following below points to be checked for trust. It is recommended to use the CA Signed certificate only.
Import the required certificates
a Web Dispatcher server (SAPSSLS.pse) file, the required certificates are:
Web Dispatcher server certificate a CA signed certificate. It is also required to import the Root and all Intermediate CA certificates certificate chain of the CA that signed the certificate. Certificate chain of the CA that signed the end users client certificates;
b. Web Dispatcher client (SAPSSLC.pse) file, the required certificates are:
Web Dispatcher client certificate a CA signed certificate and also required to import the certificate chain of the CA that signed the certificate. Certificate chain of the CA that signed the backend server certificate.
c. Backend server (SAPSSLS.pse) file, the required certificates are:
Its own server certificate CA signed certificate and also import the certificate chain of the CA that signed the certificate.
Certificate chain of the CA that signed the end user client certificates;
Certificate chain of the CA that signed the Web Dispatcher client certificate.
5) If cipher suites are configured check whether proper cipher suites are used and there should not be mismatch between TLS protocol versions and cipher suites and also check Common CryptoLib supported version . Check whether the browser has proper client certificate and users have valid certificate. It is recommended to use CA signed certificate.
Test X.509 certificate Logon on AS ABAP via the Web Dispatcher
Once the configuration of client authentication from web dispatcher is completed. By using below URL then access should be granted to application without being asked to enter a userid and password. For example:
https://<webdispatcher_host>:<web_dispatcher_https_port>/sap/bc/weddynpro/service-name
This is a bit confusing. When we set the ICM parameters :
“icm/HTTPS/trust_client_with_issuer” and
“icm/HTTPS/trust_client_with_subject"
this are the ones in client certificate or the cert values from WD itself ?
I would appreciate an example for this setup