x509 login to sap netweaver using the netscaler for ssl termination.

There are multiple ways to setup the netscaler to pass a client certificate to a backend server.
You can use the ssl bridge setup pass all traffic directly to the sap server. This setup however creates a direct connection to the SAP server in the LAN which could be comprimised.

By checking the client certificate on the netscaler we do not directly expose the sap server to the Internet.

To do:

Netscaler:
– Create a service group the sap netweaver server as a member.
– Create a LB vserver with a trusted ssl certificate setup.
– Create a SSL policy which passes through the client certificate.
Forward the following information

Client certificate headerfield: SSL_CLIENT_CERT
Client certificate issuer: enabled
Client certificate subject: enabled

– Edit the lb vserver set the client certificate as mandatory
– Add the root ca for the client certificate on both the service group and lb vserver.

Sap NetWeaver:

• ICM Configuration

In the ICM profile set the following parameters to specify the Web Dispatcher as the “trusted intermediate”:
icm/HTTPS/trust_client_with_issuer =
icm/HTTPS/trust_client_with_subject =

If and of the Web Dispatcher client certificate are the same as these values, the ICM accepts the SSL header fields. If they are not the same, the ICM deletes them. If the SSL header fields are not set, the HTTPS request carries its own certificate and this is used to log on to the application server (direct connection from the browser to the application server, or end-to-end SSL).

The parameter must contain the whole character string of the certificate. If the certificate also contains the issuer CN=SAP CA, O=SAP CA INT, C=DE and the subject CN=sapwebdisp, O=SAP-AG, C=DE, the parameters must be set exactly in this way.

Each character, including spaces, must match exactly.

When you are running into issues you should enable extensive logging on the sap server. This should give a pretty indication in the problem cause.

Sources
http://help.sap.com/saphelp_nw73/helpdata/en/48/9ab5d73e6d062be10000000a42189d/content.htm
http://www.antonvanpelt.com/user-certificate-authorization-citrix-netscaler/

Special thanks to Rick Roetenberg for help creating the netscaler policies.

adminx509 login to sap netweaver using the netscaler for ssl termination.

Leave a Reply

Your email address will not be published. Required fields are marked *