Authentication Through X.509 Certificate
 
Another method for user authentication in Integration Server is client authentication as part of the SSL protocol. This requires that the corresponding HTTPS listener (port) requests a client certificate and that the client sends a trusted certificate that is mapped to an existing Integration Server user. A certificate is considered "trusted" if it has been issued by a CA (Certificate Authority) whose root certificate is listed in the local CA Certificate directory.
It is then possible to log on to the SAP system by means of this X.509 certificate. To do so, you need to install and configure a library that supports SAP's Secure Network Communication (SNC) standard. SNC works on top of the RFC protocol. The following instructions describe the setup of this authentication method.
See Using Adapter for SAP with the SAP Cryptographic Library for SNC for more information about SNC and adapters for SAP.
User Authentication via X.509 Certificate
Important:
To authenticate against an SAP system with certificates, you must enable SNC connections both for the RFC connection defined in Adapter for SAP and on the SAP system. These settings are listed in the section Configuring Adapter Connections. For detailed information on the SAP system and RFC client settings for SNC, see the corresponding SAP documentation.
Important:
The HTTPS port defined on Integration Server should have the Request Client Certificate option set for the Client Authentication field.
Important:
SNC connections opened with the X.509 certificate are locked to the HTTPS session and will remain open until the HTTPS session is closed.
Tip:
For more information on ports, see webMethods Integration Server Administrator’s Guide for your release.
If you want to log on to an SAP system via an Integration Server using any SAP user and a certificate, you can do so by providing a trusted certificate for Integration Server.
Important:
Before you can log on to Integration Server using a trusted certificate, you have to import the (personalized) client certificate for each user from a local directory to Integration Server and map it to an Integration Server user.
For validation purposes, you must also enter the path to the CA Certificate directory. The CA Certificate directory specifies the name of your local directory containing the root certificates of CAs that this server trusts. You may specify the directory using an absolute path or one that is relative to the Integration Server_directory directory.
When a user logs on (for example, from a Web client) using this certificate, Integration Server verifies the root certificate in the CA Certificate directory and then passes the client certificate, including the user name, to the SAP system. However, you must make sure that this user can access the services they want to execute in Integration Server. That is why you must map the client certificate to the corresponding Integration Server user, or alternatively to a (standard) Integration Server user, depending on the authorizations required. If you want to execute a protected service within Integration Server, the mapped user must be allowed in the corresponding ACLs (access control lists). For more information on ACLs, see webMethods Integration Server Administrator’s Guide for your release.
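The following pre-import check is an added example, not part of the product documentation: it confirms that a client certificate chains to a root in the CA Certificate directory before you import and map it. The function name `check_client_cert`, the PEM encoding, the file extensions and the use of OpenSSL 1.1.0 or later are assumptions.

```shell
#!/bin/sh
# Added example: pre-import trust check for a client certificate.
# Assumptions (not from the product documentation): certificates are PEM
# encoded, root files in the CA directory end in .pem, .crt or .cer, and
# OpenSSL 1.1.0 or later is on the PATH.

# check_client_cert CERT_FILE CA_DIR   (hypothetical helper name)
# Returns 0 when CERT_FILE chains to a root in CA_DIR, is usable for TLS
# client authentication and is inside its validity period; 1 otherwise.
check_client_cert() {
    cert=$1
    ca_dir=$2
    [ -r "$cert" ] || { echo "cannot read certificate: $cert" >&2; return 1; }
    [ -d "$ca_dir" ] || { echo "not a directory: $ca_dir" >&2; return 1; }

    # The directory holds plain root certificate files rather than an OpenSSL
    # hashed directory, so gather them into one temporary bundle.
    bundle=$(mktemp) || return 1
    for f in "$ca_dir"/*.pem "$ca_dir"/*.crt "$ca_dir"/*.cer; do
        if [ -f "$f" ]; then cat "$f" >> "$bundle"; fi
    done
    if [ ! -s "$bundle" ]; then
        echo "no CA root certificates found in $ca_dir" >&2
        rm -f "$bundle"
        return 1
    fi

    # -no-CAfile/-no-CApath keep the system trust store out of the decision,
    # so only roots from CA_DIR can make the certificate "trusted".
    if openssl verify -no-CAfile -no-CApath -CAfile "$bundle" \
            -purpose sslclient "$cert" >/dev/null 2>&1; then
        rc=0
    else
        echo "UNTRUSTED: $cert does not verify against roots in $ca_dir" >&2
        rc=1
    fi
    rm -f "$bundle"
    [ "$rc" -eq 0 ] || return 1

    # Print the subject and expiry so the operator maps the right user.
    openssl x509 -in "$cert" -noout -subject -enddate
}
```

A certificate that passes this check still grants nothing until it is mapped to an Integration Server user who is allowed in the relevant ACLs.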