Certificate-based authentication in the SAP Cloud Connector
Hello SAP Community,
As this is my first SAP-blog, I would like to briefly introduce the main idea and my goal for the next post, as it will be the same for all future ones.
Without a strong technical background in the network or PKI areas, some of my comments may seem too obvious to some readers. However, my main idea is to save you time when configuring new features (or relatively new ones, or ones so complex that they always look new). Let’s assume you could save one or two hours trying to figure out why your newly configured scenario doesn’t work, so you could spend those couple of hours enjoying a cup of coffee with colleagues. Sounds good, right?
I have only one wish from my side. Please, in case of mistakes, missed details, or, oh no, more mistakes, feel free to point them out in the comments. Otherwise, let’s get started!
Just a couple of weeks ago, SAP introduced a new Cloud Connector release: Next release of the Cloud Connector is available: 2.16.0 | SAP Blogs. One of the main features is the option to configure certificate-based authentication for the Cloud Connector administrator: Logon to the Cloud Connector via Client Certificate | SAP Help Portal.
- From an end user perspective, I like this feature for the possibility of being authenticated smoothly, with no need to remember yet another password.
- As a security specialist, I’m more than happy that my users won’t need to keep yet another user/password pair on a sticker under their keyboard.
1. Change the Admin name.
Let’s briefly summarize the Cloud Connector’s user management approach. You have two options for storing your users:
- Local store
- LDAP
If you have LDAP configured, you already have an excellent understanding of user maintenance. Our main goal here is to make it possible for the Cloud Connector to map the user name from the client certificate to the actual user in the Cloud Connector user store. By default, the Cloud Connector admin is named Administrator. If your corporate Certificate Authority (CA) can create and sign a certificate with this name, you may leave it as it is. Otherwise, you can change it by clicking the Edit button. I will switch it to my I-user.
After this, the Cloud Connector will ask you to restart it. Type your new user name and password on the login screen and continue with the next steps.
2. Find your correct Root CA certificate.
Now it’s necessary to understand the basic structure of a certificate chain. You will always have a chain similar to this:
- Root CA certificate
- Intermediate CA certificate (optional)
- Your client certificate (my I-user in my case)
For certificate-based authentication, the Cloud Connector will ask you for your client certificate, which is stored in your local OS certificate store and presented by your browser. To check the certificate’s validity, the Cloud Connector needs the Root CA certificate at the top of the chain that issued (signed) your client certificate. So you can simply ask your corporate CA to provide you with the Root certificate, or export it to a DER file via the View Certificate button.
3. Choose the required user mapping rule.
At this point, you need the following prerequisites:
- A User Name configured in the User Store that is equal to the corresponding certificate field
- The Root CA certificate (X.509) from your Certificate Authority
- A client certificate issued under that Root CA certificate
3.1 To enable certificate-based authentication, click on the Switch to… button. The Edit Authentication window will appear.
3.2 Choose the certificate field from your client certificate whose value the Cloud Connector will use for user mapping:
- In my case, it’s the CN field: CN = I-user in the certificate must be equal to the User Name in the user store.
3.3 Import the Root CA X.509-certificate in the Authentication Allowlist:
After all the described steps, your User Administration and Authentication sections should look like this:
Now, all client certificates of end users that are issued under this particular Root CA certificate will be accepted by the Cloud Connector. If a user with the corresponding field value (CN in my case) is found and mapped, that end user will be successfully authenticated based on their certificate.
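To make the two checks from steps 2 and 3 concrete, here is an added, stand-alone Go example (it is not the Cloud Connector’s code and does not talk to it). It assumes a user store modelled as a map keyed by User Name, a constructed corporate Root CA with an optional intermediate, a constructed client certificate with CN = I123456, and a second, unrelated CA. It verifies that the client certificate chains to an allowlisted Root CA and then maps its CN to the user store, rejecting a certificate from a foreign CA and a certificate whose CN has no matching user.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// userStore stands in for the Cloud Connector's local user store: the key is the
// User Name that must equal the chosen certificate field (CN here). Constructed sample.
var userStore = map[string]bool{"I123456": true}

// mapClientCert checks that the first certificate in clientPEM chains to a Root CA in
// allowlistPEM (any further certificates in clientPEM are treated as intermediates)
// and then maps its CN to a user in store. It returns the user name or an error.
func mapClientCert(clientPEM, allowlistPEM []byte, store map[string]bool) (string, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(allowlistPEM) {
		return "", errors.New("allowlist contains no parsable Root CA certificate")
	}
	var leaf *x509.Certificate
	intermediates := x509.NewCertPool()
	for rest := clientPEM; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return "", err
		}
		if leaf == nil {
			leaf = c // the end user's certificate comes first
		} else {
			intermediates.AddCert(c) // optional intermediate CA certificates
		}
	}
	if leaf == nil {
		return "", errors.New("no client certificate found")
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("chain check failed (Root CA not in allowlist?): %w", err)
	}
	cn := leaf.Subject.CommonName
	if !store[cn] {
		return "", fmt.Errorf("no user named %q in the user store", cn)
	}
	return cn, nil
}

// issue signs tmpl under parent with parentKey; a nil parent gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// demoPKI is constructed material: a corporate root with an intermediate and two
// client certificates, plus an unrelated root with its own client certificate.
type demoPKI struct{ CorporateRoot, ForeignRoot, ValidClient, UnknownClient, ForeignClient []byte }

func buildDemoPKI() demoPKI {
	root, rootKey, rootPEM := issue(template("Example Corporate Root CA", 1, true), nil, nil)
	inter, interKey, interPEM := issue(template("Example Issuing CA", 2, true), root, rootKey)
	_, _, valid := issue(template("I123456", 3, false), inter, interKey)   // CN is in the store
	_, _, unknown := issue(template("I999999", 4, false), inter, interKey) // CN is not in the store
	other, otherKey, otherPEM := issue(template("Some Other Root CA", 5, true), nil, nil)
	_, _, foreign := issue(template("I123456", 6, false), other, otherKey) // right CN, wrong CA
	return demoPKI{rootPEM, otherPEM, append(valid, interPEM...), append(unknown, interPEM...), foreign}
}

func main() {
	p := buildDemoPKI()
	for name, c := range map[string][]byte{"valid": p.ValidClient, "unknown CN": p.UnknownClient, "foreign CA": p.ForeignClient} {
		user, err := mapClientCert(c, p.CorporateRoot, userStore)
		fmt.Printf("%-10s -> user=%q err=%v\n", name, user, err)
	}
}
```

Note that the foreign certificate carries the right CN but still fails, because the allowlist is checked before any mapping happens; that is the behaviour to expect from the Cloud Connector as well, and the reason the Root CA in the Authentication Allowlist must be the one that actually issued your users’ certificates.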
4. Restart everything and enjoy the smooth authentication.
If everything has been configured correctly, after the restart you will get a pop-up to choose the required client certificate.
…and you are authenticated (hopefully). Well done!
Instead of a conclusion.
It may happen that, for some reason, your certificate-based authentication does not work due to an incorrectly configured certificate chain, allowlist, or something else, and you won’t be able to log into the Cloud Connector administrator console. In that case, just open a console and run the batch file useBasicAuthentication.bat from the Cloud Connector installation folder to reset the authentication method to user/password again.
I hope this short guide was helpful, and I will be glad to know if it could save a couple of hours for some of you.