In many cases a proxy is placed between the end user and the SAP backend, like a Web Dispatcher. User –> Proxy (intermediate) –> SAP The proxy / intermediate receives the user certificate, extracts and adds it to HTTP header SSL_CLIENT_CERT. When a connection to the SAP backend is opened, Read more…
After configuring your NW ABAP instance to support user logons with X.509 certificates, it is time to test the correct setup. The test is simple: access a HTTP service like Web Gui and log on by sending a user certificate. Activate SAP Web Gui service Tx: SICF Select webgui and Read more…
For this configuration step, the same pre-requisites as for 4.2 apply. This option is like a technical user with X.509. The logon is done with a X.509 certificate, and a fix SAP user is assigned. That is, your user will always log on with the same user id in SAP, Read more…
Besides mapping a X.509 user to a given user ID in an SAP system, you can also map the user by an alias or to a specific user. In step 4.3 I’ll show the configuration for alias mapping, and in 4.4 for a specific user. Create alias for user Tx: Read more…
This configuration is about enabling the user to log on via X.509 and get a valid SAP user assigned by mapping a property from the certificate to an SAP user property. Mapping the user via a wizard is the recommended approach. For this to work, you need to enable certificate Read more…
This approach is considered legacy, deprecated and is not recommended any longer by SAP. I just include this here as a reference for those that cannot update. Tx: SM30 Table VUSREXTID External ID Type DN Add a new entry. Switch to edit mode. Click on new entries A new entry Read more…
The user needs to have a valid X.509 certificate to be able log on at the SAP System (via ICM service). This certificate is issued by the intermediate CA. Create a CSR for a user and let the intermediate CA sign it. Following my own blogs, I get a certificate Read more…
Certificates are based on trust. Trust is established by trusting a PKI and the CA that issues certificates. To establish the trust needed for X.509 based user logon, import the certificates of the issuing PKI. In my case, I do have a root CA and intermediate CA. I’ll have to Read more…
SAP Help Configuring the SAP Web AS for Supporting SSLicm/HTTPS/verify_clientConfiguring the AS ABAP to Use X.509 Client Certificates A pre-requisite is to configure NW ABAP to support TLS / HTTPS. To be able to log on to NW ABAP using a X.509 user certificate, the ICM service must be configured Read more…
Problem After sending a request to the access token endpoint /sap/bc/sec/oauth2/token you get an internal server error 500. Investigation Tx: SA38 Program: SEC_TRACE_ANALYZER Run program. Select OAuth varian: click on Get Variants Click on Activate Trace is active. Reproduce the issue. The log trace for the user will show the Read more…