We run an SAP NetWeaver Portal (NW 7.0 SP11) and would like to implement client authentication with X.509 certificates. In the SAP Library I found the following [section|http://help.sap.com/saphelp_nw70/helpdata/EN/62/881e3e3986f701e10000000a114084/frameset.htm] describing how to configure SAP NW AS Java for client authentication with X.509 certificates. We configured our test system and everything works like a charm. However, before we implement this in production, our security experts would like to know the following:
1) From official SAP documentation we see that SAP NW AS Java supports Certificate Revocation Lists (CRL). But does SAP NW AS Java support Online Certificate Status Protocol as well?
2) Our client certificates will contain an attribute called Certificate Policy. This is a numeric value (OID) which maps to a specific level of assurance for which the certificate can be used. For example, one OID could map to Medium Assurance Level Software and another OID could map to Medium Assurance Level Hardware. Is it possible to create some kind of filter based on this assurance level?
3) Does SAP NW AS Java support path validation? With PV correctly enabled, we would only need to put the Root CA certificate into the certificate store (trusted CAs) of the SAP NW AS Java and not the whole certificate chain.
I would be happy if you could shed some light on this.
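Added example (not part of the original question, and not SAP's own tooling or configuration): a small OpenSSL script that builds a throw-away test PKI (root CA, issuing CA, two client certificates) and then performs the two checks points 2 and 3 ask about, namely path validation with only the root in the trust store and a filter on the certificatePolicies OID. The policy OIDs, CA names, user names and file names are made up for the example; it does not cover OCSP (point 1).

```sh
#!/bin/sh
# Added example (not from the original post): a three-tier test PKI built with
# OpenSSL, used to show (a) path validation with ONLY the root CA in the trust
# store and (b) filtering client certificates by certificatePolicies OID.
# The policy OIDs, CA names and user names below are made up for this example.
set -eu

POLICY_MED_SW="1.2.3.4.5.1"   # hypothetical "Medium Assurance, software token"
POLICY_MED_HW="1.2.3.4.5.2"   # hypothetical "Medium Assurance, hardware token"

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Builds root CA -> issuing CA -> two client certificates that differ only in
# the certificate policy they carry.
build_chain() {
  cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_client_sw]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
certificatePolicies = $POLICY_MED_SW
[v3_client_hw]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
certificatePolicies = $POLICY_MED_HW
EOF
  cd "$WORK"
  # Self-signed root: the only certificate the server's trust store will hold.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -days 365 -subj "/CN=Example Root CA" -config pki.cnf -extensions v3_ca >/dev/null 2>&1
  # Issuing (intermediate) CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout issuing.key -out issuing.csr \
    -subj "/CN=Example Issuing CA" -config pki.cnf >/dev/null 2>&1
  openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -set_serial 1000 \
    -days 365 -extfile pki.cnf -extensions v3_ca -out issuing.crt >/dev/null 2>&1
  # End-entity client certificates, signed by the issuing CA.
  n=2000
  for who in sw hw; do
    n=$((n + 1))
    openssl req -new -newkey rsa:2048 -nodes -keyout "client_$who.key" \
      -out "client_$who.csr" -subj "/CN=alice-$who" -config pki.cnf >/dev/null 2>&1
    openssl x509 -req -in "client_$who.csr" -CA issuing.crt -CAkey issuing.key \
      -set_serial "$n" -days 365 -extfile pki.cnf -extensions "v3_client_$who" \
      -out "client_$who.crt" >/dev/null 2>&1
  done
}

# Path validation the way the server does it: the trust store (-CAfile) holds
# ONLY the root; the issuing CA is offered as untrusted chain material, as a
# TLS client would send it in its Certificate message. Prints OK or FAIL.
verify_client() {   # usage: verify_client CERT [UNTRUSTED_CHAIN]
  if [ -n "${2:-}" ]; then
    openssl verify -purpose sslclient -CAfile "$WORK/root.crt" -untrusted "$2" "$1" \
      >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -purpose sslclient -CAfile "$WORK/root.crt" "$1" \
      >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# Prints the certificatePolicies OIDs of a certificate, one per line.
cert_policies() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Policy: *//p'
}

# The assurance-level filter: succeeds only if the certificate carries the
# required policy OID exactly.
has_policy() {   # usage: has_policy CERT REQUIRED_OID
  cert_policies "$1" | grep -qx "$2"
}

build_chain
for who in sw hw; do
  c="$WORK/client_$who.crt"
  printf 'client_%s: policies=%s root-only+chain=%s root-only,no-chain=%s hw-policy=%s\n' \
    "$who" "$(cert_policies "$c" | tr '\n' ' ')" \
    "$(verify_client "$c" "$WORK/issuing.crt")" "$(verify_client "$c")" \
    "$(has_policy "$c" "$POLICY_MED_HW" && echo yes || echo no)"
done
```

Two things the run makes visible. First, with the root alone in -CAfile the client certificate verifies only when the issuing CA is supplied as untrusted chain material; without it OpenSSL cannot build the path and reports a missing issuer. That is exactly the situation of point 3: a server that does path building needs only the root in its trusted store, provided the client presents its intermediate(s) during the handshake. Second, the policy OID is just another extension in the certificate, so a filter of the kind asked for in point 2 reduces to parsing certificatePolicies and comparing it against the OID that stands for the required assurance level; the script does this with a plain string match, whereas an RFC 5280 policy check would also require every CA in the chain to assert that policy (or anyPolicy).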