
CC 7.0.7 - Client connection w/o certificate

Former Member

Hi together!

I have set up a SAP CC 7.0.7 system by following the Installation and Configuration guides.

Now I've noticed that I am able to log in to the CDT Client without having imported the client certificate to the client PC.

I don't use SSO (single sign-on) but want to restrict access to the system to clients that have the certificate only.

Any suggestions about a missing checkbox or something else?

Which settings should I validate?

Thanks,

Robert


Answers (1)

Former Member

Hello Robert,

You must have the trusted root certificate installed on the client workstation to connect to the BCM system. If the client computers "can see" the certificate server, you do not need a client certificate to be installed on it.

BR,

Anton.

Former Member

Hi Anton,

Using a completely newly installed PC, I can't connect to BCM 6 because of a certificate error (CERT_AUTH_ERR, certificate is not installed).

After uninstalling BCM 6 and installing the CC 7.0.7 workstation components, I can connect to CC 7 without any problems. I haven't installed any other certificate.

The certificate issuer is "thawte". It is a public certificate issuer, so I am not able to "see" the certificate server as it might be possible for a company-internal certificate server.

regards,
Robert

former_member250653
Participant

Hi Robert,

If you installed an official server certificate from Thawte on your BCM server, then you don't need to install any certificate on the clients, because this certification authority is by default in the list of Trusted Root Certification Authorities. Therefore the client will trust your BCM server, too.

As long as the certification authority used by the BCM server is in the list of Trusted Root Certification Authorities, you are able to log in to CDT.

It was the same at BCM6.

BR,

Thomas

Former Member

Hi Thomas,

I am a little bit confused about who has to trust.

I thought that the BCM server has to trust the connecting clients and therefore the clients need a client certificate. So only clients with the right client certificate are able to login to the BCM server.

It doesn't make any sense to me that the clients have to trust the BCM server. This trust can be achieved by using the HTTPS login address.

How can it be achieved to deny client connections which are not allowed?

Only by username and password? This is a really low security level...

Thanks,

Robert

former_member187604
Contributor

Hello

With the soft phone, HTTPS is only used for loading the UI framework. All data is transmitted over the secure TLS connection between client and CoS (Terminal <--> Connection Server). So there you could theoretically already have two different certificates on the server side (IIS, CoS), and to keep things simple, their issuer needs to be trusted by your workstation. An unencrypted connection to CoS is not supported.

For authenticating the user, you can use client certificates instead of userid and password. See Connection Server Variables, especially variables Use Client Certificate (CoS) for Client Authentication, Client Certificate Is Mandatory and Client Certificate's Attribute Used for Authentication.

In case you need to resort to uid+pw based login, please review your Authentication Policy settings.

Also the Security Guide might be worth a look.

BR
-Lasse

Former Member

Hi Lasse,

thanks for your answer, but I would like to achieve a two-level authentication:

  1. I would like to authorize the PC to connect to the CC by a client certificate
  2. I would like to authenticate the user by username and password

This way only PCs with the requested client certificate can establish a TLS connection encrypted with the private key of the client certificate. The CC only accepts TLS-encrypted traffic which can be decrypted by the client certificate that resides at the CC server, too.

AND

Users have to authenticate themselves by username and password.

This way we can be sure that a connection can only be established from PCs where we installed the client certificate. Under BCM 6 I got a CERT_AUTH error on every PC that didn't have the client certificate. With BCM 7 I can log in from these PCs as well.

I wouldn't like to authenticate the users with user certificates. This would increase the cost dramatically as we have to pay for every created user certificate.

Any further suggestions?


Thanks,
Robert

former_member250653
Participant

Hi Robert,

you could install your own certification authority on your BCM server and use this self-signed server certificate for your BCM installation.

Now your clients need to have the root certificate of this certification authority installed in "Trusted Root Certification Authorities". So you don't have costs for a certificate, and you have to install a certificate on the clients.

With this certification authority you could even create user certificates without any costs.

BR,

Thomas

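Added example, not code from SAP Contact Center or from any poster in this thread: it models with Go's crypto/tls the two trust directions discussed above, the workstation trusting the CoS issuer (Lasse's post) and the CoS verifying a mandatory client certificate issued by an own self-signed server certificate (Thomas's suggestion). The whole PKI, the host name cos.example.invalid and the CN pc-0815 are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent (self-signed when parent is nil); constructed demo PKI, errors ignored.
func issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(len(cn))), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// connect runs one loopback handshake against a CoS-like server on which a verified client certificate is
// mandatory and returns the client CN the server would authenticate; withClientCert=false is a PC without one.
func connect(withClientCert bool) (string, error) {
	srv, srvCert, srvKey := issue("cos.example.invalid", true, nil, nil) // self-signed server cert that also acts as CA
	cli, _, _ := issue("pc-0815", false, srvCert, srvKey)               // workstation certificate issued by it
	pool := x509.NewCertPool()
	pool.AddCert(srvCert)
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}) // the server decides who may connect
	defer ln.Close()
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "cos.example.invalid"} // the PC only has to trust the issuer
	if withClientCert {
		cliCfg.Certificates = []tls.Certificate{cli}
	}
	go tls.Dial("tcp", ln.Addr().String(), cliCfg) // client side; its connection is simply dropped afterwards
	c, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer c.Close()
	if err := c.(*tls.Conn).Handshake(); err != nil {
		return "", err // missing or unverifiable client certificate: the handshake is refused
	}
	return c.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

Note that the client config only carries the issuer in RootCAs; holding that public certificate alone never gets a PC past the server, only the private key behind a certificate the server's ClientCAs can verify does.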
Former Member

Hi Thomas,

that would be great if it were possible, but... within our organisation it is no longer allowed to set up/run our own CA. We can use external CAs only.

Regards,

Robert

alexander_kupke
Participant

Hi Robert,

It seems what you say is conflicting.

You say:

  1. I would like to authorize the PC to connect to the CC by a client certificate
  2. I would like to authenticate the user by username and password

And then you add:

I wouldn't like to authenticate the users with user certificates. This would increase the cost dramatically as we have to pay for every created user certificate.

The problem is, you cannot authenticate the PC to the Contact Center, only the user; this is the Single Sign-On (SSO) function mentioned earlier.

But actually it depends on what Certificate the PC itself has and if there is a strict binding between PC and User.

If the PC's certificate is about the same as the user's certificate for SSO needs to be, you could enter the user's PC certificate in the user's certificate configuration.

Otherwise I see only the possibility to achieve this on the network level, e.g. have a firewall allow only certified client workstations to even access the Contact Center servers. But this solution would not be discussed here.

Maybe an htaccess list on the web servers could achieve something like this as well, but I am not sure about certificates here, and maintaining those files would be a nightmare.

Regards,

Alexander

Former Member

Hi Alexander,

thanks for your answer.

It seems that it is not possible anymore to allow incoming connection requests only from clients with a client certificate.

BR,

Robert

former_member187604
Contributor

Hi Robert

It seems that you might be trying to achieve something that is not supported in the product: a shared client certificate (+ respective private key) for multiple clients to use and for SAP CCtr to verify, and only after that to request a user id and password.

So we have to get back to what was already said.

The confusion can partly be caused by the use of the term "client certificate" in the SAP Contact Center (BCM) documentation when talking about the server certificate of COS.

Possession of the certificate (chain) of the issuer of the COS certificate is not a secure way of authorizing users/PCs to connect to COS. With proper tools, it could be possible to grab the issuer's certificate from network communications between PC and COS.

BCM6 shouldn't have behaved differently in this respect, unless there was erroneous COS certificate validation in the terminal in certain scenarios.

Kind Regards,
-Lasse