SSL - How to create a certificate for a service user?

Former Member
0 Kudos

I have an SAP (PI) system to which a third party system (Siebel) needs to connect. I want that system to connect as an authenticated user and I need SSL security over the link. I don't want "&userid=xxxx,&password=yyy" in the URL for fairly obvious reasons.

I have called transaction STRUST and created server, anon client, standard client and an application client certificate. All certificates are signed using our internal PKI and corporate root certificate.

The Siebel team have provided me with both client and server certificate requests which I have signed using our internal PKI infrastructure and returned. These certificates, and the internal certifying authority root certificate chains have been installed in Siebel.

Now I want Siebel to launch an https session to access my PI system. PI should require client authentication in the SSL exchange and receive a certificate in response. Once the certificate is verified and the connection is thereby authenticated I need to assign an SAP service user to the connection.

How do I map an SAP NetWeaver userid to a certificate presented by a web client?

Does this mapping happen in the Java stack or the ABAP stack?

Accepted Solutions (1)

Former Member
0 Kudos

Answers (2)

Former Member
0 Kudos

Olivier, Mamba

Thank you. I think these tips will give me a fighting chance of finding the solution I need.

I'm still trying to get a clear statement of the exact connection points from my two third party consultants, but I'm pretty sure that Siebel is trying to log on to a URL in the Java stack. It's probable, therefore, that I'll need to chase down Mamba's link and work from there.

I did look into my ABAP stack in the VUSREXTID view and found that I have a certificate mapping to my userid! It uses the properties:

CN=my_PI_UME_userid, OU=TEST, O=mySAP.com User, C=DE

It was apparently created by me 27 days ago. I did experiment with STRUST but I thought I'd deleted the earliest attempts as soon as I was granted certificate signing authority in our internal PKI certificate authority.

Off to do some more reading...

Former Member
0 Kudos

Hi Nicholas,

>but I'm pretty sure that Siebel is trying to log on to a URL in the Java stack

One possible solution (I use it on my PI 7.0 system) for that is to call the java URL on the ABAP port.

In that case the abap ICM acts as a sort of reverse proxy and redirects the java URLs to the J2EE engine.

The potential trouble would be with the SSO between the abap authentication and the java authentication.

Regards,

Olivier

Former Member
0 Kudos

Finally extracted some URLs from the development team.

A couple of interesting points:

I insist that the network team create an alias out of the system id for every SAP system installed and that alias points to the message server so users always logon to "sid.mycompany.com" instead of "somehost.mycompany.com". This allows me to move SAP instances without having to redeploy SAPGUI or retrain users. The developers were well trained and used "https://sid.mycompany.com:javasslport/path" but the server certificate was issued to the computer's machine host name, not the system id alias - certificate rejected!

And the penny dropped eventually that I'm never going to get a successful certificate based logon unless I configure the logon stack to include a certificate check before a basic (userid and password) logon check!

So:

I need to organise that there is a hostname based server certificate and an alias based server certificate (until I can get all my SAP systems installed using virtual hostnames).

I need to reconfigure the logon stack for the Java SOAP adapter (or probably for the whole J2EE engine) to look for certificates before userid/passwords.
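The "certificate rejected" outcome above is the standard hostname check: the client compares the name in the URL against the names the server certificate actually covers, and a certificate issued only to the physical host name cannot cover the system-id alias. The following is an added example, not code from the thread or from SAP; it implements that check over constructed certificate data laid out the way Python's `ssl.SSLSocket.getpeercert()` returns it, and uses the thread's `sid.mycompany.com` / `somehost.mycompany.com` names with an assumed port of 50001. Subject alternative names take precedence over the subject CN, and a wildcard is honoured only in the leftmost label.

```python
"""Check whether a TLS server certificate covers the hostname used in a URL.

Added example (not from the original thread).  Certificates are dicts in the
layout returned by ssl.SSLSocket.getpeercert(); all certificate contents
below are constructed sample data.
"""
from urllib.parse import urlsplit


def covered_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    # No SAN extension: fall back to commonName (legacy behaviour).
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]


def name_matches(pattern, hostname):
    """Exact match, or a single-label wildcard in the leftmost position only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def hostname_matches(cert, hostname):
    return any(name_matches(p, hostname) for p in covered_names(cert))


def check_url(url, cert):
    """Return (ok, hostname_from_url, names_the_cert_covers) for diagnosis."""
    host = urlsplit(url).hostname
    return hostname_matches(cert, host), host, covered_names(cert)


# Constructed: certificate issued to the machine host name only.
HOST_CERT = {
    "subject": ((("countryName", "DE"),), (("organizationName", "mycompany"),),
                (("commonName", "somehost.mycompany.com"),)),
    "subjectAltName": (("DNS", "somehost.mycompany.com"),),
}

# Constructed: certificate that also lists the system-id alias in its SAN.
ALIAS_CERT = {
    "subject": ((("commonName", "somehost.mycompany.com"),),),
    "subjectAltName": (("DNS", "somehost.mycompany.com"), ("DNS", "sid.mycompany.com")),
}

if __name__ == "__main__":
    # 50001 is an assumed Java SSL port, standing in for "javasslport" in the thread.
    for cert in (HOST_CERT, ALIAS_CERT):
        print(check_url("https://sid.mycompany.com:50001/path", cert))
```

Running the check with `HOST_CERT` reproduces the rejection (the URL host `sid.mycompany.com` is not among the covered names), while `ALIAS_CERT` passes; the same function shows that a CN is ignored as soon as a SAN extension is present, which is why adding the alias to the subject alone does not help.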

Former Member
0 Kudos

Hi,

If you want your Siebel system to authenticate on the ABAP stack of your PI system, then you do the mapping between the SSL client certificate and the abap user in view VUSREXTID "Assignment of External ID to Users".

You can choose the DN External ID Type (DN of Certificate X500).

Regards,

Olivier