Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

expiration of x.509 certificates

Former Member
475

I followed the SAP documentation to setup authentication using x.509 certificates


http://help.sap.com/saphelp_nw04s/helpdata/en/b1/07dd3aeedb7445e10000000a114084/frameset.htm

which worked....

The user certificate imported into SAP (table USREXTID) has subsequently expired.


A new user certificate was acquired and imported into the users

browser, but NOT into SAP.


The issue is that, without having to update SAP, the user can

successfully authenticate to SAP again using the new certificate.


Therefore SAP is not distinguishing between the old expired certificate

and the new certificate.


This creates a huge security issue. If the device containing the

certificate is lost (for example) the certificate would be revoked.

However once the user has a new device and is issued with a new

certificate the old device would also be able to successfully logon to

SAP.

The steps in short are;

1. Issue certificate to user

2. Load into USREXTID using SM31

3. Expire/revoke the certificate

4. Issue user with new certificate

5. test logon - logon SUCCEEDS, the logon should FAIL (because the new

certificate is not loaded into USREXTID)

We need to be able to ensure that only the current, valid certificate

allows access to SAP. Can this be achieved?


The way that this is currently working means that we would have to

change the users DN every time a new certificate is issued, surely this can't be the case?

2 REPLIES 2

mvoros
Active Contributor
0 Kudos
205

Hi,

Here I assume that you have records in table USREXTID with type DN. The way how it works is that if a user presents a certificate that is trusted by system (signed by trusted certificate) than the system tries to map distinguished name (DN) stored in certificate to SAP account. If this is successful then user gets authenticated against the system. So you can have multiple certificates issued for same ID. It's basically same as having two passports. Standard way of preventing usage of stolen certificate (passport) in this scenario is to have a list of revoked certificates (CRL). I don't think that this is supported by ABAP AS.

What you could try to do is to use records in table USREXTID with type HX. In this case a link is created for SAP account and hash value of one particular certificate. So you can easily revoke stolen certificate by changing hash value in this table. The issue is that it will require significantly more maintainable. I've never tested this but it should work,.

Cheers

matthias_buehl
Advisor
Advisor
0 Kudos
205

Hi,

the old expired certificate will already be rejected during the SSL Handshake when it is sent to the server because the SSL implementation checks the validity of the  SSL client certificate. (Validity/Trust/CRL)

Then there is a second step where the (accepted) client certificate is mapped to a user. There only the mapping is checked.

Try to connect wich the old vertificate. It should fail 😉

AS ABAP is able to check CRLs as of 7.03

Best regards

Matthias