SAP SSO between SAP Systems with X.509 Certificate

andreas_zigann
Active Participant
0 Kudos

Hello,

I am looking for a way to use an SAP NW SSO X.509 certificate instead of an assertion ticket for SSO from one SAP ABAP system web service to the next SAP ABAP system web service (no J2EEs involved).

The users get SAP NW SSO client certificates at the moment and are asked to choose the right certificate any time they switch the system.

For security reasons we would like to use X.509 and the DN of the users instead of assertion tickets, especially because we cannot guarantee the identical identity of SAP user accounts with the same name.

Can I use the X.509 certificate instead of the assertion ticket?

Perhaps it would be better to suppress the question to select the right client X.509 certificate. But I have no idea how.

Best Regards

Andreas

Accepted Solutions (0)

Answers (2)

sankar_27
Active Participant
0 Kudos

Dear Andreas,

1. Map the X.509 certificate (chronological name) to the ABAP user in the view VUSREXTID

2. Create a trust between the ABAP systems and deactivate the password in the front-end system

3. Ensure to grant authorizations (S_RFC, S_RFCACL, S_SERVICE) in both systems

Another approach is rule-based certificate mapping.

Thanks, Sankar

cris_hansen
Advisor
0 Kudos

Hi Andreas,

As long as you have the certificate mapped to an ABAP user, it should work.

Keep in mind that you also need to change the "Logon Data" tab in SICF for the service you want, changing to alternative logon procedure and having only the "Logon Using SSL Certificate" on the list (or, at least, have it as the first option).

You can use the SM50 logon trace (SAP Note 495911) to verify whether it works.

Regards,

Cris