There are multiple ways to set up the NetScaler to pass a client certificate to a backend server.
You can use an SSL bridge setup to pass all traffic directly to the SAP server. This setup, however, creates a direct connection to the SAP server in the LAN, which could then be compromised.
By checking the client certificate on the NetScaler we do not directly expose the SAP server to the Internet.
– Create a service group with the SAP NetWeaver server as a member.
– Create an LB vserver with a trusted SSL certificate.
– Create an SSL policy which passes through the client certificate.
Forward the following information:
Client certificate headerfield: SSL_CLIENT_CERT
Client certificate issuer: enabled
Client certificate subject: enabled
– Edit the LB vserver and set the client certificate as mandatory.
– Add the root CA for the client certificate on both the service group and the LB vserver.
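The steps above, written out as NetScaler CLI commands. This is an added example, not configuration from the original post; the object names, IP addresses, certificate file names and the issuer/subject header names are placeholders, and the certkey bound to the service group without `-CA` is the assumed certificate the NetScaler presents to SAP as the "trusted intermediate" (see the ICM section below).

```text
# Constructed example: NetScaler CLI for the steps above. Names, IPs and file names are placeholders.

# Certificates: the public server cert for the vserver, the root CA that issued the client
# certificates, and the cert the NetScaler itself presents to SAP on the backend connection.
add ssl certKey ck_vs_sap -cert vs_sap.pem -key vs_sap.key
add ssl certKey ck_client_rootca -cert client_rootca.pem
add ssl certKey ck_ns_intermediate -cert ns_to_sap.pem -key ns_to_sap.key

# Service group with the SAP NetWeaver server as member (ICM HTTPS port is a placeholder).
add serviceGroup sg_sap SSL
bind serviceGroup sg_sap 10.0.0.20 443
bind ssl serviceGroup sg_sap -certkeyName ck_client_rootca -CA
bind ssl serviceGroup sg_sap -certkeyName ck_ns_intermediate

# LB vserver with the trusted server certificate; client certificate mandatory,
# validated against the client root CA.
add lb vserver vs_sap SSL 192.0.2.10 443
bind lb vserver vs_sap sg_sap
bind ssl vserver vs_sap -certkeyName ck_vs_sap
bind ssl vserver vs_sap -certkeyName ck_client_rootca -CA
set ssl vserver vs_sap -clientAuth ENABLED -clientCert Mandatory

# SSL action/policy that forwards the client certificate, its issuer and its subject
# to the backend as HTTP headers; bound to the vserver.
add ssl action act_fwd_clientcert -clientCert ENABLED -certHeader "SSL_CLIENT_CERT" -clientCertIssuer ENABLED -certIssuerHeader "SSL_CLIENT_CERT_ISSUER" -clientCertSubject ENABLED -certSubjectHeader "SSL_CLIENT_CERT_SUBJECT"
add ssl policy pol_fwd_clientcert -rule true -action act_fwd_clientcert
bind ssl vserver vs_sap -policyName pol_fwd_clientcert -priority 100
```

Because the client certificate now travels to SAP as a plain HTTP header, the backend must only accept that header from the NetScaler; the `ck_ns_intermediate` certificate is what lets the ICM tie the header to a known peer rather than to whoever can reach the SAP port.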
• ICM Configuration
In the ICM profile, set the following parameters to specify the Web Dispatcher as the “trusted intermediate”:
The parameters must contain the whole character string of the certificate. If the certificate contains the issuer CN=SAP CA, O=SAP CA INT, C=DE and the subject CN=sapwebdisp, O=SAP-AG, C=DE, the parameters must be set exactly in this way.
Each character, including spaces, must match exactly.
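As an added example (not from the original post), an ICM profile fragment using the issuer and subject strings quoted above. The parameter names are the standard SAP ICM trust parameters for the intermediary's client certificate, which the post itself does not list; the DN values are the post's example values and must be replaced with the exact subject and issuer of the certificate the NetScaler presents to SAP.

```text
# Constructed example: ICM profile fragment. Parameter names are SAP ICM profile
# parameters; the DN values are the example strings from the text above.
# Each character, including spaces, must match the certificate exactly.
icm/HTTPS/trust_client_with_issuer = CN=SAP CA, O=SAP CA INT, C=DE
icm/HTTPS/trust_client_with_subject = CN=sapwebdisp, O=SAP-AG, C=DE
```

A single deviation (for example `O=SAP AG` instead of `O=SAP-AG`) means the ICM does not recognise the NetScaler as the trusted intermediate and ignores the forwarded SSL_CLIENT_CERT header, which typically shows up as a logon failure on the SAP side even though the client certificate was accepted by the NetScaler.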
When you run into issues, enable extensive logging on the SAP server. This should give a good indication of the cause of the problem.
Special thanks to Rick Roetenberg for help creating the netscaler policies.