on 04-06-2016 3:54 AM
We are activating SLS 2 SP06 to generate X.509 certificates for our iPad users.
The certificates will have a long lifetime so we need to be able to revoke them if an iPad is lost.
Is there a solution for this?
Thank you for your help.
Russ
Hi Colin
We had a similar function with longer lifetime certificates before rolling out the SAP authenticator app. Before then we placed rewrite rules within the web dispatcher to block client certificates for a device that was lost. i.e. SSL_CLIENT_CERT_SUBJECT as per SAP Note 1612828.
This was in addition to the recommendation that Stephan has made, i.e. locking associated accounts.
Rgrds
Craig
Dear Colin,
If you and your team would like to find more about the future direction and plans for improvement of the SAP Single Sign-On product, you can simply Join the SAP Single Sign-On Customer Engagement Initiative.
Regards,
Donka Dimitrova
Secure Login Server is designed to issue short-lived certificates in a short-term way. One of the reasons for such approach is to eliminate the need for revocation management of certificates.
However, SLS also allows you to configure longer lifetimes. The recommendation here is to revoke or lock at the account and permission level. If your iPad was stolen, there will be more risks to be handled than this certificate.
But we are also planning the integration of third-party enterprise PKIs like ADCS, allowing them to issue certificates with CRL DPs or OCSP AIAs. SLS then acts as a Registration Authority with the full bundle of user authentication and user name mapping capabilities.
-- Stephan
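The two controls discussed in this thread, Craig's deny-list on the client certificate subject at the gateway and Stephan's point that short-lived certificates shrink the exposure window after a device is lost, can be modelled in a few lines. The following is an added example written for this page, not SAP code and not the Web Dispatcher rewrite-rule syntax from SAP Note 1612828: the `ClientCert` model, the `CertGate` class and the sample distinguished names are all constructed here to illustrate the logic, with a validity check (the short-lived model) and a subject deny-list (the compensating control for long-lived certificates).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ClientCert:
    """Minimal model of the fields a gateway needs from an X.509 client certificate.

    In a real deployment these come from the parsed certificate; here they are
    constructed for the example.
    """
    subject: str          # distinguished name as a string, e.g. "CN=jdoe,OU=iPad,O=Example"
    not_before: datetime
    not_after: datetime


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN string so spacing or attribute-type case cannot defeat a match.

    "cn=jdoe, ou=iPad" and "CN=jdoe,OU=iPad" must refer to the same certificate
    holder, otherwise a deny-list entry is silently bypassed.
    """
    parts = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parts.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(parts)


class CertGate:
    """Hypothetical gateway check: validity window first, then a subject deny-list."""

    def __init__(self, blocked_subjects=()):
        self._blocked = {normalize_dn(s) for s in blocked_subjects}

    def block_subject(self, dn: str) -> None:
        """Add the subject of a lost device's certificate to the deny-list."""
        self._blocked.add(normalize_dn(dn))

    def check(self, cert: ClientCert, now: datetime):
        """Return (allowed, reason) for a presented certificate at time `now`."""
        if now < cert.not_before:
            return False, "not yet valid"
        if now > cert.not_after:
            return False, "expired"
        if normalize_dn(cert.subject) in self._blocked:
            return False, "subject blocked"
        return True, "ok"


def remaining_exposure(cert: ClientCert, lost_at: datetime) -> timedelta:
    """How long a lost device's certificate stays usable if nothing else is done.

    With a short-lived certificate this is bounded by the lifetime itself, which is
    why a short-term issuance model can do without revocation; with a long-lived
    certificate it is the deny-list (or account lock) that closes the window.
    """
    return max(cert.not_after - lost_at, timedelta(0))


# Constructed sample data: an 8-hour certificate and a one-year certificate.
T0 = datetime(2016, 4, 6, 8, 0, tzinfo=timezone.utc)
SHORT_LIVED = ClientCert("CN=jdoe,OU=iPad,O=Example", T0, T0 + timedelta(hours=8))
LONG_LIVED = ClientCert("CN=asmith,OU=iPad,O=Example", T0, T0 + timedelta(days=365))


if __name__ == "__main__":
    gate = CertGate()
    lost_at = T0 + timedelta(hours=2)
    print("short-lived exposure after loss:", remaining_exposure(SHORT_LIVED, lost_at))
    print("long-lived exposure after loss: ", remaining_exposure(LONG_LIVED, lost_at))
    # Compensating control for the long-lived certificate: block its subject.
    gate.block_subject("cn=asmith, ou=iPad, o=Example")
    print("long-lived after block:", gate.check(LONG_LIVED, lost_at + timedelta(hours=1)))
    print("short-lived unaffected:", gate.check(SHORT_LIVED, lost_at + timedelta(hours=1)))
```

The deny-list is keyed on the subject DN rather than on a serial number because that is what a gateway sees in a header such as `SSL_CLIENT_CERT_SUBJECT`; if the user later receives a replacement certificate with the same subject, the entry has to be removed or keyed more narrowly, which is one of the costs Stephan's short-lived model avoids.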
Hi Colin,
Since SLS is designed to issue short-term X.509 certificates, it does not need to generate CRLs for X.509 certificates. The concept is based on the short-term validity of X.509 certificates, and therefore there is no need for a CRL feature on the SLS.
Regards,
Marcus