
Using X.509 client certificates Logon for SAPGUI

Former Member
0 Kudos

Hello,

In my company, we are currently investigating the possibility of using X.509 client certificates (on smartcards) for all authentication needs. I am in charge of the SAP software part.

I have already tested successfully the usage of X.509 client certificate HTTPS Logon on Netweaver 7.0 (ECC 6.0).

I am now investigating the possibility of SAPGUI authentication with X.509 certificates.

It seems that it is now possible when reading this page on help.sap.com:

[Client Certificate Logon for SAP GUI |http://help.sap.com/saphelp_nwpi71/helpdata/en/43/ce385e2dde0a98e10000000a1553f6/content.htm]

The only problem is that it is a help page for PI 7.1. I cannot find anything similar in Netweaver 7.0 or ECC 6.0 help.

Has anyone experimented with SAPGUI X.509 Logon? If yes, on which SAP software?

Do you think that it would be possible with ECC 6.0?

Is it possible only with Netweaver 7.1 based systems?

Thanks in advance for sharing your information on this subject!

Best Regards,

Olivier

6 REPLIES 6

Former Member
0 Kudos

I have done Single-Sign-On evaluations on 46C systems where you can use client certificates, so I don't think that release dependency or component (PI) is an issue in principle for 3rd party products.

I guess the big question is whether you already have a PKI in place or the hardware, and whether the costs of the certification service / server and software are acceptable to sign them for transparent (subsequent) authentication.

It is certainly useful to avoid long trust chains...

IMO, given the current choice between an investment in proprietary SAP protocol based SSO and SAP's trend towards standard protocols, I would recommend considering what the front ends for the "lion's share" of the users will be in 2 or 5 years time.

If much of it can be covered by portals, even ITS's, PI message exchange across systems, etc. to support the end users, then spending a lot of money on SAPGui support infrastructure is less attractive. But keeping the PKI is IMO worth it.

Just my opinion,

Julius

0 Kudos

Hi Julius,

Thanks for answering.

Yes, we will create a company PKI.

The goal is to give each employee a single smartcard for physical access to the company buildings and for all logical accesses (all software applications; ECC6 will be a pilot application and we need both sapgui access and BSP http access).

>It is certainly useful to avoid long trust chains...

What do you mean? Is a 3-level CA tree too much in your opinion?

It is already sure that we will have 2 levels at least at the company level, but people are now talking about whether or not to manage the Root CA at the Holding company level (Group level) or only at the company level.

I guess that sapgui will still be widely used in 2 or 5 years time even if nearly all specific applications are now BSP based.

Best Regards,

Olivier

0 Kudos

Hi Olivier,

I was not thinking about the CA tree. Not sure about that one actually. I guess a consideration would also be whether you already have communication partners (external?) using a product which might be different to the one you are wanting to use. I remember some discussions about this in the past, but am not sure whether customers have run into problems specifically with this later as a result of the CA tree.

Hopefully someone else can still comment on that.

But the simpler it is, the less certificate administration it will mean for you and make it re-usable...

What I meant by "long trust chains" was only that (re)authenticating the client user from the backend where possible is safer IMO than passing the trust along from one server to the next in the communication to avoid having to enter passwords all the time - like trusted RFC does for example or SAP Logon Tickets to some extent.

Cheers,

Julius

0 Kudos

Hi Julius,

Thanks for the explanation, I understand now what you meant and I agree with you.

One of the main goals of the project is to use "strong authentication" whenever possible.

Best Regards,

Olivier

Frank_Buchholz
Advisor
0 Kudos

Hi Oliver,

Well, the chapter [Client Certificate Logon for SAP GUI|http://help.sap.com/saphelp_nwpi71/helpdata/en/43/ce385e2dde0a98e10000000a1553f6/frameset.htm] lists some prerequisites:

To use SNC for authentication, the product you use must be certified by the SAP Partner Program. For more information, see [Secure Network Communications (SNC).|http://help.sap.com/saphelp_nwpi71/helpdata/en/e6/56f466e99a11d1a5b00000e835363f/frameset.htm]

You see, there is no change: Since release 3.1 you can use X.509 client certificates for the SAPGUI only if you use an SNC partner product which uses the certificate to establish the SNC secured connection.

Kind regards

Frank Buchholz

0 Kudos

Hi Frank,

Thanks for this confirmation. It was what I supposed but I was surprised to find the information only in PI 7.1 help.

OK, now I have to check the different external security SNC partners...

Best Regards,

Olivier