Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
bpasynkov
Product and Topic Expert
Product and Topic Expert
8,578

Introduction


Hello SAP Community,

As this is my first SAP-blog, I would like to briefly introduce the main idea and my goal for the next post, as it will be the same for all future ones.

Without a huge technical background in network or PKI areas, sometimes my comments may seem too obvious for someone. However, my main idea was to save your time configuring new (or relatively new, or too complex that they always look like a new one) features. Let's assume you could save one or two days hours trying to figure out why your newly configured scenario doesn't work, so you could spend these couple of hours enjoying your cup of coffee with colleagues. Sounds good, right?

I have only one wish from my side. Please, in case of mistakes, missed details, or, oh no, mistakes, feel free to point them out in the comments. Otherwise, let's get started!

Feature overview


Just a couple of weeks ago, a new SAP Cloud Connector release was introduced by SAP: Next release of the Cloud Connector is available: 2.16.0 | SAP Blogs. One of the main features is the option to configure certificate-based authentication for the Cloud Connector administrator: Logon to the Cloud Connector via Client Certificate | SAP Help Portal.

  • From an end user perspective, I liked this feature for the possibility of being smoothly authenticated with no need to remember another password.

  • As a security specialist, I'm more than happy that my users won't need to keep their another user/password pair on a sticker under their keyboard.


How-to steps


1. Change the Admin name.

Let's briefly summarize the idea of the Cloud Connector's user management approach. Here, you have two options to store your users:

  1. Local store

  2. LDAP


If you have LDAP configured, it means you have an excellent understanding of user maintenance already. Our main goal here is to make it possible for the Cloud Connector to map username from the client certificate to the actual user from the Cloud Connector user store. By default, the Cloud Connector admin has the name Administrator. If you have the option to create and sign the certificate with this name by your corporate Certificate Authority (CA), you may leave it as it is. Otherwise, you could change it by clicking on the Edit button. I will switch it to my I-user.


Local User Store and default authentication method: User/Password


After this Cloud Connector will ask you to be restarted. Type your new username and password on the login screen and continue with the next steps.

2. Find your correct Root CA certificate.

Now it's necessary to understand the basic certificate rule. You will always have a similar certificate chain:

  1. Root CA certificate

  2. Intermediary's certificate (optional)

  3. Your client certificate (I-user in my case)



Usual certificates chain


For certificate-based authentication, the Cloud Connector will ask you for your client certificate, which is stored in your local OS store and provided by your browser. To check the certificate's validity, the Cloud Connector needs the Root CA certificate that was used to sign (or issue) your client certificate. So, you can simply ask your corporate CA to provide you with the Root certificate or copy it to a DER file via the View Certificate button.


Saving the Root CA certificate


3. Choose the required user mapping rule.

For now, you need to have the following prerequisites:

  • Configured User Name in the User Store, which should be equal to the corresponding certificate field

  • Root CA certificate (X.509) from your Certificate Authority

  • Client certificate signed by the root CA certificate


3.1 To enable certificate-based authentication, click on the Switch to... button. The Edit Authentication window will appear.

3.2 Choose the required certificate field from your client certificate, which allows the Cloud Connector to perform user mapping based on the value:

  • In my case, it's CN = I-user from the certificate is equal to the User Name from the certificate store.


3.3 Import the Root CA X.509-certificate in the Authentication Allowlist:

 


Edit Authentication


After all the described steps, your User Administration and Authentication parts should look like:


Final configuration


Now, all client certificates of the end users signed by this particular Root CA certificate will be accepted by the Cloud Connector. If the user with the corresponding field (CN in my case) is found and mapped, such an end user will be successfully authenticated based on their certificate.

4. Restart everything and enjoy the smooth authentication.

If everything has been configured correctly, after the restart, you will get a pop-up to choose a required client certificate.


Select a certificate for authentication


…and you are authenticated (hopefully). Well done!

Conclusion


Instead of a conclusion.

It may happen that, for some reason, your certificate-based authentication will not work due to an incorrectly configured certificate chain or allowlist or whatever, and you won't be able to log into the Cloud Connector administrator console. In that case, just open the console and run the bat-file useBasicAuthentication.bat (the Cloud Connector installation folder) to reset the authentication method to user/password again.

I hope this short guide was helpful, and I will be glad to know if it could save a couple of hours for some of you.