Assume that you use SAP WebIDE for developing an application and that you have to consume an OData service from an on-premise NetWeaver ABAP system. In SCP, the destination is configured, and SAP Cloud Connector is working. For principal propagation, X.509 is used. Problem When you select the OData service Read more…
SSO logon with an X.509 certificate offers some benefits. In this blog, I’ll cover the main benefits, problems and attention areas when using X.509 for SSO. As a practical example the X.509 logon with NetWeaver ABAP is shown. To access an ICM service on a NetWeaver ABAP system (NW ABAP), Read more…
ICM in NetWeaver ABAP is not reading the HTTP header and accepting the transmitted X.509 certificate simply like that. I’ll show here a picture that shows what an intermediate server is sending to NetWeaver. You can see that two certificates are transmitted to SAP: the user X.509 as well as Read more…
In many cases a proxy is placed between the end user and the SAP backend, like a Web Dispatcher. User –> Proxy (intermediate) –> SAP The proxy / intermediate receives the user certificate, extracts and adds it to HTTP header SSL_CLIENT_CERT. When a connection to the SAP backend is opened, Read more…
After configuring your NW ABAP instance to support user logons with X.509 certificates, it is time to test the correct setup. The test is simple: access a HTTP service like Web Gui and log on by sending a user certificate. Activate SAP Web Gui service Tx: SICF Select webgui and Read more…
For this configuration step, the same pre-requisites as for 4.2 apply. This option is like a technical user with X.509. The logon is done with a X.509 certificate, and a fix SAP user is assigned. That is, your user will always log on with the same user id in SAP, Read more…
Besides mapping a X.509 user to a given user ID in an SAP system, you can also map the user by an alias or to a specific user. In step 4.3 I’ll show the configuration for alias mapping, and in 4.4 for a specific user. Create alias for user Tx: Read more…
This configuration is about enabling the user to log on via X.509 and get a valid SAP user assigned by mapping a property from the certificate to an SAP user property. Mapping the user via a wizard is the recommended approach. For this to work, you need to enable certificate Read more…
This approach is considered legacy, deprecated and is not recommended any longer by SAP. I just include this here as a reference for those that cannot update. Tx: SM30 Table VUSREXTID External ID Type DN Add a new entry. Switch to edit mode. Click on new entries A new entry Read more…
The user needs to have a valid X.509 certificate to be able log on at the SAP System (via ICM service). This certificate is issued by the intermediate CA. Create a CSR for a user and let the intermediate CA sign it. Following my own blogs, I get a certificate Read more…