
Question about X.509 certificates and NetWeaver SSO

blair_towe2
Participant
0 Kudos

Good afternoon - Today, we currently can use X.509 certificates that exist in each user's internet browser to perform single sign-on to web-based SAP applications. Can NetWeaver Single Sign-On use the same certificates that have been generated using our internal Microsoft Certificate Server to perform single sign-on to AS ABAP via SAPGui? Or would we have to generate new certificates using Secure Login Server component of NW SSO and have these be the certificates that are used for both SAPGui logons and web-based SAP applications?

I'm trying to understand which way will be the easiest to manage the administrative tasks. The existing X.509 certificates are maintained automatically by our Windows server group, while the Secure Login Server will likely be maintained by the Basis team.

Any information would be appreciated!

Regards,

Blair Towe

Accepted Solutions (1)

Former Member
0 Kudos

Hey Blair,

Yes, for sure, SAP can re-use the X.509 that are already on the user's PC. You just have to make sure you have everything correct in STRUSTSSO2. By that, I mean the SMICM must have the HTTPS port and in STRUST, you must have the cert signed by the same CA, or at least have that CA listed in STRUST. There are also a bunch of profile params you can put in to restrict further the signed CA name. Also you must update the VUSREXTID table in SM30 to map the SAP ID to the "CN=xxxx" for each user.

NICK

Answers (3)

Former Member
0 Kudos

Nick - you responded to an extremely old posting which the poster never updated.

Blair - This is documented in the Secure Login Client manuals.  You can use both existing Kerberos and x.509 certificates if your users and configuration are maintained properly.  If you have not hidden them through profile settings, they will show in the Secure Login Client and can be selected for Login to SAP.

Check out video 5 on this link: http://scn.sap.com/docs/DOC-40179

frane_milicevic
Active Participant
0 Kudos

Hi Blair,

yes this is possible (if the certificates are available in Microsoft Certificate Store).

But keep in mind to create the "matched" certificates in SAP AS ABAP Backend (SNC).

The proposed solution from Samuli is of course also possible, because maybe it is also a question of cost for certificates.

Another advantage of using short lived certificates (provided by Secure Login Server) is that there is no need for implementing CRL/OCSP.

Best regards,

Frane

Former Member
0 Kudos

NWSSO generates temporary X.509 certificates, so you would end up with two certificates for users. There should be no problem having both certificates in the browser. You may have to flag the MSC one as default however, otherwise users would have to choose which certificate is used. NWSSO uses only the certificates it creates (especially in the case of SAP GUI) but the SAP systems will accept any valid certificate installed in the browser. In the long run I would look at migrating to a NWSSO only solution for SAP.

See the attached presentation to shed some light on the certificate generation process.

http://scn.sap.com/docs/DOC-32787