ICM in NetWeaver ABAP is not reading the HTTP header and accepting the transmitted X.509 certificate simply like that. I’ll show here a picture that shows what an intermediate server is sending to NetWeaver. You can see that two certificates are transmitted to SAP: the user X.509 as well as Read more…
In many cases a proxy is placed between the end user and the SAP backend, like a Web Dispatcher. User –> Proxy (intermediate) –> SAP The proxy / intermediate receives the user certificate, extracts and adds it to HTTP header SSL_CLIENT_CERT. When a connection to the SAP backend is opened, Read more…
Certificates are based on trust. Trust is established by trusting a PKI and the CA that issues certificates. To establish the trust needed for X.509 based user logon, import the certificates of the issuing PKI. In my case, I do have a root CA and intermediate CA. I’ll have to Read more…
OK, now it will get complicated. Certificate based logons do not really like reverse proxies. First step is to ensure that the client has a certificate that is accepted by the SAP NetWeaver ABAP PSE. For this, the certificate must be signed by a CA that the ABAP PSE trusts. Read more…
In case your ICF will serve only as a HTTPS server, you do not need to do this. In case you want your ABAP server to connect to another web server, this may be of interest. In that case, your ABAP server acts as a client and will receive a Read more…
After the server certificate is installed, ICM should automatically make use of it. To see if SSL/TLS connections are now working, two tests should be executed: Check SSL port setup Access service using TLS 1. Making Sure the SSL Port is set up correctly This step checks that ICM is Read more…
After the CA issued the certificate, it must be imported into the PSE that issued the CSR. During the import step a verification of the private / public key will happen. This ensures that you import the right public key into the PSE. This also means that you cannot use Read more…
The certificate request created in the previous step must be send to a CA. The CA is responsible to create a valid server certificate based on the information provided by the CSR. Important: the certificate emitted by the CA must follow the PKCS#7 certificate chain format. The response file must Read more…
In the previous step a new PSE for SSL server was created, but the containing server certificate is self-signed. This means that no sane web browser will accept your certificate without showing a warning message to the user. To have a valid server certificate, it must be signed by a Read more…
SAP stores certificates in PSE files (for the Java guys: JKS). By default, there are several PSEs available, one for each use case (system, SSL, web service, etc). A PSE has a subject which stands for the name of the server. Changes are good that the subject value created by Read more…