Enable certificate based logon – 1 Prepare SAP NetWeaver ABAP system for user certificate based logon


One of the more secure ways to authenticate is to log on with a user certificate. A prerequisite for this is to have ICF running on HTTPS with a valid server-side certificate. How to do this was already discussed and shown here. The next prerequisite is, of course, a valid user certificate. Issuing one is the task of the CA. You then have to

  • enable certificate-based logon for an ICF service and
  • tell ABAP how to interpret the received certificate.

I am now taking a closer look at how to tell ABAP how to interpret the received certificate. This is done by configuring SAP NetWeaver ABAP to map the CN of the certificate to a user ID. The following steps demonstrate how to do this manually for each user. Yes, for each user. That is not something you can do in a PRD environment with thousands of users. There you'll have to write a report or use the rule-based wizard available as of SAP NetWeaver ABAP 7.4. But for now, let's do it manually for each user.

Transaction: SE11

Database table: VUSREXTID

Select Contents

For external ID type, give DN.

DN is the distinguished name of the certificate, also known as the subject. This is the part of the certificate that carries the common name (CN). For a server certificate, the CN is the FQDN of the server; for a user, it is normally the user ID.

Click OK

Select edit.

Select New Entries

Enter the data.

The external ID value is determined by the user certificate. In my case, the user certificate contains as subject only CN=tobias.

Save to persist the information.

Result

The certificate that contains CN=tobias is linked to the user ID tobias in the system. After the certificate has been validated, it is used to log on as this linked user ID. This also means that a simple form of user mapping can be realized.
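Because each entry decides which account a certificate logs on as, it helps to review the planned mappings before entering them for many users. The following Python code is an added example, not part of the original post and not SAP code: it derives the external ID type, external ID value and user from a list of certificate subjects and sets aside subjects that need a human decision. The rule "user ID = upper-cased CN", the whitespace check, the row keys and all sample subjects except CN=tobias are assumptions of this example.

```python
import re

MAX_USER_LEN = 12  # ABAP user names are at most 12 characters

def split_dn(dn):
    """Split a subject DN into (ATTRIBUTE, value) pairs; '\\,' is an escaped comma."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not (sep and attr.strip() and value.strip()):
            raise ValueError(f"malformed DN component {part.strip()!r}")
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs

def plan_mappings(subjects):
    """Return (rows, review): rows are ready to enter, review needs a human decision."""
    rows, review, user_to_dn = [], [], {}
    for dn in subjects:
        try:
            cns = [v for a, v in split_dn(dn) if a == "CN"]
        except ValueError as exc:
            review.append((dn, str(exc)))
            continue
        if len(cns) != 1:
            review.append((dn, "subject must contain exactly one CN"))
            continue
        user = cns[0].upper()  # ABAP stores user names in upper case
        if len(user) > MAX_USER_LEN or re.search(r"\s", user):
            review.append((dn, f"CN {cns[0]!r} is not usable as a user id"))
        elif user in user_to_dn:
            # Two different subjects would log on as the same user.
            review.append((dn, f"user {user} already mapped from {user_to_dn[user]!r}"))
        else:
            user_to_dn[user] = dn
            # External ID type DN, external ID value = full subject, as in the steps above.
            rows.append({"type": "DN", "external_id": dn, "user": user})
    return rows, review

# Constructed sample subjects; only CN=tobias comes from the article.
SAMPLE_SUBJECTS = [
    "CN=tobias",
    "CN=anna, OU=Sales, O=Example Corp, C=DE",
    "CN=tobias, OU=Contractors, O=Example Corp, C=DE",
    "OU=Sales, O=Example Corp, C=DE",
    "CN=a.very.long.common.name, O=Example Corp, C=DE",
]

if __name__ == "__main__":
    rows, review = plan_mappings(SAMPLE_SUBJECTS)
    for row in rows:
        print("ENTER ", row)
    for dn, reason in review:
        print("REVIEW", dn, "->", reason)
```

The second subject with CN=tobias lands in the review list instead of silently becoming a second way to log on as the same user.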
