
Connect to sapstartsrv via sapcontrol -prot NI_HTTPS & SSO

hinrich_benitt
Explorer
0 Kudos

Hello,

I am trying to set up an HTTPS-based connection to the sapstartsrv service, including client certificate SSO. The server validation for SSL is successfully done on the client side. The sapcontrol program validates the server certificate (based on self-signed certificates issued by myself, as this is just for test purposes).

I can see the request for the client certificate in the trace information of the sapstartsrv.log

[Thr 139637867071232] ->> SapSSLSessionInit(&sssl_hdl=7efff976be18, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))

[Thr 139637867071232] <<- SapSSLSessionInit()==SAP_O_K

[Thr 139637867071232]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"

...

[Thr 139637867071232]   No Client Certificate

The sapcontrol program should now send a client certificate... but I run into an HTTP 401:

sapcontrol -prot NI_HTTPS -host <remotehost> -nr <instancenumber> -function GetVersionInfo -debug

FAIL: HTTP error, HTTP/1.1 401 Unauthorized


If it is done via -queryuser the sapcontrol shows up with the requested information. But I want to do the authorization based on the certificate without providing user / pwd.


service/sso_admin_user_0 is defined in the profile of sapstartsrv (default.pfl), which enables the request for the client certificate.

The self-signed client certificate was added to SAPSSLC.pse on the sapcontrol side. The access is done from a Linux system to another Linux system. I read notes 1439348 and 1642340, and sapcontrol / sapstartsrv is on kernel 7.21 PL 201.


Any ideas or suggestions on this issue?


Kind regards, Hinrich
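
Added example, not part of the original post and not SAP tooling: a small Python triage of the trace lines quoted in the question, pairing each server-side SapSSLSessionInit with a later "No Client Certificate" line on the same thread. The sample trace is constructed from the lines in the question; the second thread id and handle are hypothetical, and only the two line patterns visible in the post are assumed.

```python
import re

# Constructed sample: the first thread repeats the lines quoted in the post,
# the second thread (hypothetical id and handle) has no verdict line.
SAMPLE_TRACE = """\
[Thr 139637867071232] ->> SapSSLSessionInit(&sssl_hdl=7efff976be18, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))
[Thr 139637867071232] <<- SapSSLSessionInit()==SAP_O_K
[Thr 139637867071232]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
...
[Thr 139637867071232]   No Client Certificate
[Thr 139637867071999] ->> SapSSLSessionInit(&sssl_hdl=7efff976c000, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))
[Thr 139637867071999] <<- SapSSLSessionInit()==SAP_O_K
"""

LINE = re.compile(r"^\[Thr (\d+)\]\s+(.*)$")
INIT = re.compile(
    r"->> SapSSLSessionInit\(.*role=\d+ \((\w+)\), auth_type=\d+ \((\w+)\)\)"
)


def triage(trace):
    """Return one record per SapSSLSessionInit call, in log order."""
    sessions, latest = [], {}          # latest: thread id -> most recent record
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:                      # elisions ("...") and other lines are skipped
            continue
        thread, msg = m.groups()
        init = INIT.search(msg)
        if init:
            rec = {"thread": thread, "role": init.group(1),
                   "auth_type": init.group(2), "client_cert": "not reported"}
            sessions.append(rec)
            latest[thread] = rec
        elif msg.strip() == "No Client Certificate" and thread in latest:
            latest[thread]["client_cert"] = "missing"
    return sessions


def cert_requested_but_missing(trace):
    """Threads where the server asked for a client certificate and logged none."""
    return [s["thread"] for s in triage(trace)
            if s["role"] == "SERVER" and s["auth_type"] == "ASK_CLIENT_CERT"
            and s["client_cert"] == "missing"]


if __name__ == "__main__":
    for s in triage(SAMPLE_TRACE):
        print(s)
```

A session reported as "not reported" only means no "No Client Certificate" line followed on that thread; it does not show that a certificate was accepted.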


Accepted Solutions (0)

Answers (2)

former_member324409
Discoverer

Hi Hinrich

I'm trying to do exactly what you did but using my own CA.

Can you please provide more details on the first steps? What did you do to get here?

  • "The server validation for SSL is successfully done at client side." How do you check that?
  • The sapcontrol program validates the server certificate (based on self signed certificates issued by myself as this is just for test purpose)

I tried to generate a certificate from a CSR of the SAPSSLC PSE and import the root certificate from my CA into this PSE.

I see nothing in sapstartsrv.log relating to certificates.

Thanks a lot!

Sriram2009
Active Contributor
0 Kudos

Hi

I am trying to get SSO to work from SAP LVM to saphostagent with X509 and have received this information from SAP:

please note that SSO only works with signed certificates,
using self-signed certificates will not work.

I saw you mention self-signed certificates.