
X.509 Certificate and SAP Server certificate

Former Member

Hi Team,

We have configured SAP NetWeaver SSO 1.0 (using X.509 certificate) on our SAP system. We have used only Secure Login Library and Secure Login Client (without Secure Login Server). We are about to complete the configuration but are stuck with the X.509 certificate. SNC is activated on the SAP system.

As of now, we have completed below steps:

Install Secure login library:

1. Installed SLL on SAP application server

2. Environment variable SECUDIR is set properly

3. Test: Secure Login Library is working fine. Output of snc is shown below.

Product version     : Secure Login Library 1.0 SP 4 Patch 3
                    : CryptoLib            8.3.7.11
                    :                      aix-6.1-ppc-64
GSS library         : available
GSS library name    : libsecgss.so
PSE directory       : (existing) /usr/sap/GO0/DVEBMGS00/sec
PSE file            : (existing) /usr/sap/GO0/DVEBMGS00/sec/pse.zip
STRUST cred file    : (existing) /usr/sap/GO0/DVEBMGS00/sec/cred_v2
SNC config file     : (existing) /usr/sap/GO0/DVEBMGS00/SLL/gss.xml
PSE accessible      : yes
PSE logged in       : yes
PSE credentials     : MasterPassword SystemDefault
Kerberos keyTab     : Not existing
------------------------------------------------------------------------------
SNC keys registered :  1 entries
1: STRUST  certificate  CN=GO0, OU=SAP Security, O=SAP Trust Community
Trusted certificates:
from STRUST       :
1: CN=GO0, OU=SAP Security, O=SAP Trust Community

4. SAP Parameter configuration

5. Import X.509 Certificate

We have the SAP server certificate response signed by the CA, so we have exported the SAP server certificate in PSE format and imported it into the system PSE. Is this the correct way of importing an X.509 certificate into the SAP system?

Install secure login client:

1. Installed SLC

2. Configured X.509 Certificate SNC Name in SAP GUI

3. User mapping in SU01 - X.509 Certificate

I assume that the X.509 certificate has to be available on all user stations and should be visible in Secure Login Client. Do I need to provide the SAP server certificate (.cer) to the CA team to publish to all user stations, i.e. the Microsoft Certificate Store?

Are the SAP server certificate signed by the CA and the X.509 certificate the same?

While importing the X.509 certificate into the SAP system, I have followed the steps below. Is it correct?


We have the SAP server certificate response signed by the CA, so we have exported the SAP server certificate in PSE format and imported it into the system PSE.

Please advise.

Thanks !

Accepted Solutions (0)

Answers (2)


srinivaas
Participant
0 Kudos

Hi All,

We are also going to configure SSO with X.509 certificates, from Windows IIS to an SAP Portal system.

Could you please share your knowledge or documents?

Thanks

Srini T.

Former Member
0 Kudos

I think there are some terminology issues here. CAs sign certificate requests, not responses. A certificate response is already signed by the CA. Yes, you will have to find a way to distribute the X.509 certificates on the clients since you are not using the Secure Login Server to create the certificates. Notice that the certificates you distribute on the clients have to be trusted by the SAP system, meaning the root CA used to sign them must exist in the SAP system.

Former Member
0 Kudos

Hi Samuli,

Thanks for the information !

Can you please advise whether the SAP server certificate is the same as the X.509 certificate?

Note: The SAP server certificate is signed by the CA.

Thanks !

Former Member
0 Kudos

Provide a screenshot to clarify your question. By default there is no certificate called "SAP server certificate". If you refer to the System PSE, an X.509 certificate is contained in it and it identifies the AS ABAP. The X.509 certificates stored in clients are referred to as X.509 client certificates and they are not the same as the certificate in the System PSE. You use X.509 client certificates to identify users on AS ABAP. See the attached link for details on how to use X.509 client certificates on AS ABAP.

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4e/125e0a1e3d2287e10000000a15822b/frameset.htm
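
The trust requirement described in the answers above, as an added example that is not part of the original thread and is not SAP tooling: it uses OpenSSL to show that a user's client certificate is accepted only once its issuing root CA is in the server's trust list, and that the server's own certificate is a separate certificate. The root CA name, user name and file names are constructed; only the server subject is taken from the status output in the question.

```shell
#!/usr/bin/env bash
# Constructed demo: every key and certificate is generated here as a sample.
# OpenSSL stands in for the SAP trust store purely for illustration.
set -eu
WORK=$(mktemp -d)

# Create a self-signed certificate (sample root CA, and the server's own cert).
make_self_signed() {  # $1=basename  $2=subject
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a user (client) certificate signed by the sample root CA.
issue_client() {  # $1=basename  $2=subject
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/rootca.pem" \
    -CAkey "$WORK/rootca.key" -CAcreateserial -days 30 \
    -out "$WORK/$1.pem" 2>/dev/null
}

# Print "trusted" or "untrusted" for certificate $2 against trust list $1.
check_trust() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_self_signed server "/O=SAP Trust Community/OU=SAP Security/CN=GO0"
make_self_signed rootca "/CN=Constructed Example Root CA"
issue_client user1 "/O=Constructed Example Org/CN=USER1"

# Trust list holding only the server's own self-signed certificate.
cp "$WORK/server.pem" "$WORK/trust_before.pem"
# Trust list after the issuing root CA has been added.
cat "$WORK/server.pem" "$WORK/rootca.pem" > "$WORK/trust_after.pem"

echo "client cert, root CA missing: $(check_trust "$WORK/trust_before.pem" "$WORK/user1.pem")"
echo "client cert, root CA present: $(check_trust "$WORK/trust_after.pem" "$WORK/user1.pem")"
```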