1633696 - X.509 client authentication via SAP Web Dispatcher

X.509 client certificate authentication via SAP Web Dispatcher with End-to-End SSL and ICM - Configuration Overview

The configuration of X.509 client certificate authentication for the Netweaver AS Java increases in complexity when the communication first goes through intermediary servers such as the SAP Web Dispatcher and ICM. 

This Knowledge Based Article is intended to provide an overview of the configurations steps required to implement client certificate authentication on the Application Server Java for a very specific case where: 

• The SAP Web Dispatcher is installed in front of a Netweaver Application Server with ABAP and Java and all https requests to the Netweaver Application Server with ABAP and Java go through the Web Dispatcher.
• The SAP Web Dispatcher is configured to not terminate incoming SSL connections but to tunnel the SSL connection to the Application Server with ABAP and Java where ICM terminates the SSL connection.
• If ICM determines that an initial https request was intended for the Application Server Java, ICM establishes a new SSL connection to the Application Server Java and forwards the request to it, where the end users client certificate is used for authentication

Netweaver AS Java 6.40

Netweaver AS Java 7.00

Netweaver AS Java 7.01

Netweaver AS Java 7.02

SSL Java ICM Web Dispatcher End-to-End SSL AcceptClientCertWithoutSSL ProxyServersCertificates PROT=ROUTER , KBA , BC-JAS-SEC-LGN , Logon, SSO , BC-CST-IC , Internet Communication Manager , BC-CST-WDP , Web Dispatcher , BC-SEC-SSL , Secure Sockets Layer Protocol , How To