Configuring X.509 Certificates for SAP Single Sign-on

Import, export, and generate the X.509 certificates that secure communication paths between SAP Mobile Server and the SAP enterprise information system (EIS), and for client authentication, including single sign-on (SSO) with X.509 or SSO2 tokens.

Creating, Importing, and Exporting Certificates

Use Java keytool commands to import these certificates into the SAP Mobile Server truststore and keystore. For additional information, see Using Keytool to Generate Self-Signed Certificates and Keys.

  1. Import SAP CA certificates into the SAP Mobile Server truststore, including:
    • The standard SAP/DOE server root certificate (.crt or .cer) required to establish a trusted relationship between SAP Mobile Server and the SAP EIS.
    • Any CA certificate used to sign .pse certificates used for JCo/SNC communications.
    • For Gateway deployments where SAP Mobile Server is the Online Data Proxy (ODP), import the Gateway server's CA into the truststore of SAP Mobile Platform.

      The ODP requires two certificate files: one that contains the certificate and private key for use by the server, and another that contains only the certificate for use by clients. The certificates should be in the form of a PKCS#10 file using an RSA key pair (key lengths in the range of 512–16384 are supported), in PEM or DER format. The key usage should be set to Key Encipherment, Data Encipherment, Key Agreement (38).

    • Any other required SAP CA certificate. For example, any CA certificate used to sign a client certificate that is to be authenticated by SAP Mobile Server must be imported if you are implementing SSO with X.509.
      Note: If SAP Mobile Server is communicating with a server that is hosting a Web service that is bound to SAP function modules, import that server's CA certificate into the SAP Mobile Server truststore.

    For example:

    keytool -import -keystore SMP_HOME/Servers/UnwiredServer/Repository/Security/truststore.jks -file <CertificateFile>
    
Enter keystore password:  changeit
Trust this certificate? [no]:  yes
  
  2. Create a keystore on the SAP Mobile Server host into which you can import the certificate and private key (PKCS #12) issued by the SAP system administrator, then import the certificate into the SAP Mobile Server keystore. This certificate secures communications for packages and is used when a user uses an X.509 certificate rather than a user name and password. For example:

    keytool -importkeystore -srckeystore SUPAUTH.p12 -srcstoretype pkcs12 -srcstorepass <techuserpass> -srcalias CERTALIAS -destkeystore SMP_HOME/Servers/UnwiredServer/Repository/Security/keystore.jks -deststoretype jks -deststorepass changeit -destkeypass changeit

    Even if the EIS administrator is using the native SAP public-key infrastructure (PKI) to generate certificates, you must still import them into the SAP Mobile Server keystore. The certificate name, SUPAUTH and alias, CERTALIAS represent the type of package/client to be authenticated, for example:
    • TechnicalUser certificate with doectech alias – a DOE-C package client.
    • SAPUser certificate with SAPClient alias – a SAP or Web service MBO package client.
  3. Create and import the SUPServer certificate into the SAP Mobile Server keystore. For example:

    keytool -importkeystore -srckeystore <source>.p12 -srcstoretype pkcs12 -srcstorepass <techuserpass> -srcalias <tech user alias> -destkeystore l:/SAP/MobilePlatform/Servers/UnwiredServer/Repository/Security/keystore.jks -deststoretype jks -deststorepass changeit -destkeypass changeit

    Note: (3a)Use the following command to find the srcalias: 
    keytool -list -v -storetype pkcs12 -keystore <source>.p12 -storepass <source.password>
    Note: (3b) You can create the SUPServer certificate using Java keytool commands, a third-party tool such as OPENSSL, or the signing authority used to create all SAP server certificates, in which case you need not import any other CA signing authority certificate into the SAP Mobile Server truststore. However, if you create the SUPServer certificate with another CA signing authority, you must import that CA certificate into both the SAP Mobile Server truststore, and into the SAP Server using the STRUST transaction.
  4. Import the SUPServer certificate into SAP/DOE server using the STRUST transaction.

You can now configure your environment for mutual authentication and SSO, in which any client connecting to SAP Mobile Server presents credentials, and a server certificate (SUPAUTH) is selected for SAP Mobile Server to present to clients.

Parent topic: Single Sign-on for SAP