Using Client Certificates via an Intermediary Server

Former Member
0 Kudos

Hi,

We are planning to use client certificates for authentication for connection to the Biller Direct application (web application running over NetWeaver J2EE). Biller Direct will be accessed from the internet by the customers.

As per our design, the customer will connect using HTTPS and SSL will terminate at the Intermediary Server, and from there we plan to use an HTTP connection to connect to the J2EE Server.

As per SAP documentation, the intermediary server passes the user's certificate to the J2EE Engine in a header variable and the J2EE Engine accepts this certificate based on its trust relationship to the intermediary server.

I have a question: if we use this mechanism, do we have to maintain the user's certificate in the user master, or is this not needed as we are accepting the connection from the intermediary server which is trusted by the J2EE engine?

Thanks,

Vikrant Sud

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

> I have a question, if we use this mechanism do we have to maintain User's certificate in user master or this is not needed as we are accepting the connection from the intermediary server which is trusted by the J2EE engine.

I think it depends on your Biller Direct application.

In my company we use RosettaNet B2B with SAP XI and have this setup:

Internet -- https --> Apache -- https --> Web dispatcher -- https --> SAP J2EE PI

The client certificate from the B2B partner is sent up to SAP PI and we did not have to set the certificate in the user master.

We did have to import the certificate into the J2EE keystore and configure the RosettaNet connector.

Regards,

Olivier

4 REPLIES 4

Former Member
0 Kudos

In our company users come in through our corporate portal (intermediary server using SSL) and we have set up SSO from the corporate portal to SAP Enterprise Portal using the HTTP header logon module.

You don't have to maintain the user certificate in the user master. You just have to configure the HTTP header logon module on the J2EE engine.

User logs on to the intermediary server > intermediary server directs the request to J2EE with the user name in the header > J2EE checks UME and, if the user ID exists, logs on the user.

0 Kudos

Hi,

Thanks for your reply.

Your reply does open a new way of authentication, which we did not explore till now. My question was more related to 'Using Client Certificates for User Authentication', any suggestions about user certificates in that area?

Thanks,

Vikrant Sud

0 Kudos

Sorry for not reading your question correctly. Hope I got it right this time.

The underlying concept is the same for all authentication schemes, whether uidpwdlogon or certlogon or header. In your case you need to configure the client logon module stack; you need to map the client certificate to a user ID on UME. There are 2 ways to do it; please check the link below for detailed information.

http://help.sap.com/saphelp_nw70/helpdata/EN/8a/8bc061dcf64638aa695f250ce7ca78/frameset.htm
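
The trust relationship discussed in this thread, sketched as an added example (not code from any poster or from SAP): the intermediary sets the certificate header only from the TLS handshake, and the backend honours it only from that intermediary and still needs a certificate-to-user mapping. The header name, the addresses, the placeholder certificate bytes and the fingerprint-based mapping are assumptions made for illustration.

```python
import base64
import hashlib

# Assumptions for this sketch (none come from the thread or from SAP):
# the header name, the intermediary's address and the fingerprint-to-user map.
CERT_HEADER = "ssl-client-cert"
TRUSTED_INTERMEDIARY = "10.0.0.5"
# Constructed placeholder bytes standing in for a certificate's DER encoding.
DER_A = b"constructed-der-bytes-for-customer-a"

def intermediary_forward(client_headers, verified_der):
    """Where TLS terminates: drop any client-supplied copy of the header,
    then set it only from the certificate verified in the TLS handshake."""
    out = {k: v for k, v in client_headers.items() if k.lower() != CERT_HEADER}
    if verified_der is not None:
        out[CERT_HEADER] = base64.b64encode(verified_der).decode("ascii")
    return out

def backend_logon(peer_addr, headers, user_map):
    """At the application server: honour the header only on requests from the
    trusted intermediary, then map the certificate to an existing user ID."""
    if peer_addr != TRUSTED_INTERMEDIARY:  # address check stands in for the trust relationship
        return None
    value = next((v for k, v in headers.items() if k.lower() == CERT_HEADER), None)
    if value is None:
        return None
    try:
        der = base64.b64decode(value, validate=True)
    except ValueError:
        return None
    return user_map.get(hashlib.sha256(der).hexdigest())

def demo():
    user_map = {hashlib.sha256(DER_A).hexdigest(): "CUSTOMER_A"}
    forged = {CERT_HEADER: base64.b64encode(DER_A).decode("ascii")}
    return {
        # Certificate presented in the TLS handshake and forwarded by the intermediary.
        "via_intermediary": backend_logon(
            TRUSTED_INTERMEDIARY, intermediary_forward({"host": "biller.example"}, DER_A), user_map),
        # No TLS client certificate; the header the client sent itself is stripped.
        "client_supplied_header": backend_logon(
            TRUSTED_INTERMEDIARY, intermediary_forward(forged, None), user_map),
        # Request that did not come through the intermediary.
        "direct_to_backend": backend_logon("203.0.113.9", forged, user_map),
        # Valid forwarding, but no mapping exists for this certificate.
        "unmapped_certificate": backend_logon(
            TRUSTED_INTERMEDIARY, intermediary_forward({}, b"constructed-other-der"), user_map),
    }
```

Only the first case returns a user ID. A source-address check is the weakest form of the trust relationship; a mutually authenticated connection between the intermediary and the backend is stronger.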