Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

Questions regarding client authentication with x.509 certificates

Former Member
0 Kudos

Dear experts,

we run a SAP NetWeaver Portal (NW 7.0 SP11) and would like to implement client authentication with x.509 certificates. In SAP Library I found the following [section|http://help.sap.com/saphelp_nw70/helpdata/EN/62/881e3e3986f701e10000000a114084/frameset.htm] describing how to configure SAP NW AS Java for client authentication with x.509 certificates. We configured our test system and everything works like a charm. However, before we go ahead and implement this in production, our security experts would like to know the following information:

1) From official SAP documentation we see that SAP NW AS Java supports Certificate Revocation Lists (CRL). But does SAP NW AS Java support Online Certificate Status Protocol as well?

2) Our client certificates will contain an attribute called Certificate Policy. This is a numeric value (OID) which maps to a specific level of assurance for which the certificate can be used. For example one OID could map to Medium Assurance Level Software and another OID could map to Medium Assurance Level Hardware. Is it possible to create some kind of filter based on this assurance level?

3) Does SAP NW AS Java support path validation? With PV correctly enabled it means we only need to put the Root CA certificate into the certificate store (trusted CAs) of the SAP NW AS Java and not the whole certificate chain.

I would be happy if you could shed some light onto this.

Best regards,

Martin

16 REPLIES

Former Member
0 Kudos

Hello Martin,

Please use the following link to know about using x.509 certificates.

http://help.sap.com/saphelp_nwpi71/helpdata/en/43/85496b532f2673e10000000a1553f7/frameset.htm

Hope it helps,

Cheers,

Satish.

0 Kudos

Hi Satish,

thank you for your answer. Unfortunately, the SAP Library section you recommended did not contain any answer to my questions.

Do you know where else I could get answers to my questions?

Best regards,

Martin

0 Kudos

> thank you for your answer. Unfortunately, the SAP Library section you recommended did not contain any answer to my questions.

Hi Satish,

This is not the first time in the past days that a link of yours has turned out to be unnecessary.

Please do not do quick-searches and randomly paste links in the hope of... a shrubbery.

Thanks,

Julius

WolfgangJanzen
Product and Topic Expert
0 Kudos

> 3) Does SAP NW AS Java support path validation? With PV correctly enabled it means we only need to put the Root CA certificate into the certificate store (trusted CAs) of the SAP NW AS Java and not the whole certificate chain.

According to my colleagues:

> yes, we do support path validation and only the end point CA must be included into TrustedCAs.

Your other two questions I have to postpone.

The colleague who could answer them straight (and reliably) is currently on vacation.

But most likely it will be:

1) OCSP support: yes (for NWAS Java).

2) Certificate Policy support: no

0 Kudos

IIRC, the NWAS Java does not support OCSP but it will be implemented in a future version. The SAP Crypto Lib (for NWAS ABAP) does not support OCSP either and never will. You'll need a third party product for that.

0 Kudos

"Never say never"

0 Kudos

Hi Wolfgang,

thank you very much for your answer. Do you know where I could get an official statement of SAP regarding this question? Preferably, somewhere in [SAP Library|http://help.sap.com/saphelp_nw70/helpdata/en/e1/8e51341a06084de10000009b38f83b/frameset.htm].

Otherwise, I guess I will have to test it on my local test system. Do you know if the following test setup would work?

- user with x.509 client certificate issued by CA2

- root certificate of CA1 which issued CA2's server certificate in the portal's keystore

Do I need to have a connection from my portal server to the CA servers?

Best regards,

Martin

0 Kudos

Hi Sietze,

thank you too for your answer. But again, I will have to have some kind of official documentation/vendor statement before I can use the information provided by you. Do you know where I could get this?

Because I am on the Java stack, I do not care what ABAP can or cannot do :-). Do you know in which version of the SAP NW AS Java OCSP will be implemented?

Best regards,

Martin

0 Kudos

> Do you know where I could get an official statement of SAP regarding this question? Preferably, somewhere in [SAP Library|http://help.sap.com/saphelp_nw70/helpdata/en/e1/8e51341a06084de10000009b38f83b/frameset.htm].

I doubt that you'll find answers to your very concrete questions in the SAP Help Portal.

I advise you to get in contact with the SAP Security Product Management via mail: security(at)sap.com.

0 Kudos

> Do you know in which version of the SAP NW AS Java OCSP will be implemented?

This is a portfolio planning question - Sietze will not be able to answer it.

I've checked the specification document and can confirm: OCSP was only planned to be implemented "later".

I don't know whether the portfolio planning is finalized and which part of it is ready to be announced publicly. So, I repeat my advice: contact the Security Product Management (either by mail or on the next TechEd).

0 Kudos

Because this is one of the things that differentiate the Secude library from the SAP Crypto Lib. But we're getting off topic here...

0 Kudos

Well, unfortunately there's only one SSL library which you can use with an ABAP system ...

But anyway: certificate revocation (OCSP, CRLs, ...) is a feature which should be controlled by the application. Some applications have a higher demand than others regarding such a security check - and we have to keep in mind that this check (especially the online check via OCSP) has some negative performance impact.

It's like with using EC cards: it might depend on the payment amount (or the store policy) when to request an online verification (via PIN code) and when not.

Keeping in mind that certificates are not only used for mutual SSL authentication but could also be used for digital signatures or message encryption (e.g. XML Encryption), it should be clear that certificate revocation checks have to be requested / controlled by the application (framework).

Whether the actual check is implemented in the library or somewhere else is a second issue.

Cheers, Wolfgang
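A worked example for the three questions in the opening post (path validation with only the root in the trust store, filtering on the certificate policy OID, and CRL-based revocation) and for Wolfgang's point above that how strictly revocation is checked is the application's decision. This is added example code in Go; it is not SAP's code, not the poster's, and says nothing about how NW AS Java implements these checks internally. It builds a throwaway in-memory PKI (Root CA1 signs Issuing CA2, which signs the client certificate), uses two hypothetical policy OIDs under 1.3.6.1.4.1.9999999 in place of the real assurance-level OIDs, and issues its own CRLs; all of that is constructed for the example. It needs Go 1.21 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Hypothetical policy OIDs for the two assurance levels; real values come from the CA's policy document.
var (
	oidMediumSoftware = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 9999999, 1, 1} // assumed
	oidMediumHardware = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 9999999, 1, 2} // assumed
)
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// issue creates a certificate signed by parent (a self-signed root when parent is nil). certificatePolicies
// (RFC 5280 4.2.1.4) is DER-encoded by hand so the output does not depend on the Go release's Policies handling.
func issue(cn string, serial int64, ca bool, policy asn1.ObjectIdentifier, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if policy != nil { // certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }
		der := must(asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{policy}}))
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: der}}
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signer := parentKey
	if parent == nil { // self-signed root
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}
// crlFor issues a CRL signed by ca; revoked is the one serial to list, or nil for a clean CRL.
func crlFor(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked *big.Int) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	if revoked != nil {
		tmpl.RevokedCertificateEntries = []x509.RevocationListEntry{{SerialNumber: revoked, RevocationTime: tmpl.ThisUpdate}}
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
}
// authorize is the server-side check: build a path from the chain the client presented to the single trusted
// root, enforce the assurance-level policy OID (PolicyIdentifiers is filled from the extension when the
// certificate is parsed), then consult the issuing CA's CRL, failing closed on any doubt.
func authorize(client *x509.Certificate, presented []*x509.Certificate, root *x509.Certificate, crlDER []byte, acceptable []asn1.ObjectIdentifier) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented {
		inters.AddCert(c)
	}
	chains, err := client.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return fmt.Errorf("path validation: %w", err)
	}
	if !slices.ContainsFunc(client.PolicyIdentifiers, func(have asn1.ObjectIdentifier) bool { return slices.ContainsFunc(acceptable, have.Equal) }) {
		return errors.New("certificate policy not acceptable for this application")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the CA that issued the leaf
		return fmt.Errorf("CRL signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is stale; refuse rather than assume good standing")
	}
	if slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool { return e.SerialNumber.Cmp(client.SerialNumber) == 0 }) {
		return errors.New("certificate revoked")
	}
	return nil
}
// Demo exercises the cases the thread discusses and reports which were accepted.
func Demo() map[string]bool {
	root, rootKey := issue("Root CA1", 1, true, nil, nil, nil)
	ca2, ca2Key := issue("Issuing CA2", 2, true, nil, root, rootKey)
	user, _ := issue("martin", 3, false, oidMediumHardware, ca2, ca2Key)
	chain, hwOnly, swOnly := []*x509.Certificate{ca2}, []asn1.ObjectIdentifier{oidMediumHardware}, []asn1.ObjectIdentifier{oidMediumSoftware}
	clean, revoked := crlFor(ca2, ca2Key, nil), crlFor(ca2, ca2Key, user.SerialNumber)
	return map[string]bool{
		"root only in trust store, chain presented":   authorize(user, chain, root, clean, hwOnly) == nil,
		"root only, intermediate not presented":       authorize(user, nil, root, clean, hwOnly) == nil,
		"hardware cert, filter accepts software only": authorize(user, chain, root, clean, swOnly) == nil,
		"serial listed in CA2's CRL":                  authorize(user, chain, root, revoked, hwOnly) == nil,
	}
}
func main() { fmt.Println(Demo()) }
```

The first scenario is the setup the colleague described: only Root CA1 in the trust store, with CA2 supplied by the client as part of its chain at handshake time. The second shows why that works only if the intermediate is actually presented (or also stored server-side); the third is the assurance-level filter from question 2; the fourth is a CRL hit. A production check would also match the CRL's issuer name against the issuing CA, fetch the CRL from the certificate's distribution point instead of taking it as a parameter, and decide per application, as Wolfgang argues, whether the cost of an online check is justified.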

0 Kudos

Hi Wolfgang,

thank you very much for your advice. I contacted SAP Security Product Management and will wait for an answer. I'll post the answers here.

Best regards,

Martin

0 Kudos

> Well, unfortunately there's only one SSL library which you can use with an ABAP system ...

Well, this is most definitely untrue. This used to be the case but has been remedied some years ago.

0 Kudos

> > Well, unfortunately there's only one SSL library which you can use with an ABAP system ...
>
> Well, this is most definitely untrue. This used to be the case but has been remedied some years ago.

I'm referring to (already) officially supported / certified solutions.

0 Kudos

Hello Martin,

Did you finally get an official answer from SAP Security Product Management ?

Regards,

Olivier