Connect to sapstartsrv via sapcontrol -prot NI_HTTPS & SSO


I am trying to set up an HTTPS-based connection to the sapstartsrv service, including client certificate SSO. The server validation for SSL is done successfully on the client side. The sapcontrol program validates the server certificate (based on self-signed certificates issued by myself, as this is just for test purposes).

I can see the request for the client certificate in the trace information of the sapstartsrv.log

[Thr 139637867071232] ->> SapSSLSessionInit(&sssl_hdl=7efff976be18, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))

[Thr 139637867071232] <<- SapSSLSessionInit()==SAP_O_K

[Thr 139637867071232]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"


[Thr 139637867071232]   No Client Certificate

The sapcontrol program should now send a client certificate... but I run into an HTTP 401

sapcontrol -prot NI_HTTPS -host <remotehost> -nr <instancenumber> -function GetVersionInfo -debug

FAIL: HTTP error, HTTP/1.1 401 Unauthorized

If it is done via -queryuser the sapcontrol shows up with the requested information. But I want to do the authorization based on the certificate without providing user / pwd.

service/sso_admin_user_0 is defined in the profile of sapstartsrv (default.pfl), which enables the request for the client certificate.

The self-signed client certificate was added to SAPSSLC.pse on the sapcontrol side. The access is done from a Linux system to another Linux system. I read notes 1439348 and 1642340, and the sapcontrol / sapstartsrv is on kernel 7.21 PL 201.

Any ideas or suggestions on this issue?

Kind regards, Hinrich
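
To line up each TLS session with its outcome in a longer sapstartsrv.log, the following script (an added example, not part of the original post or of SAP's tooling) groups trace lines by thread and reports sessions where a client certificate was requested but the trace records none. It assumes only the line formats quoted above; the second session in the sample is constructed, with a hypothetical thread id and handle.

```python
import re

# Constructed sample: the four trace lines quoted in the question, followed by
# a constructed second session (hypothetical thread id and handle) for contrast.
SAMPLE_TRACE = """\
[Thr 139637867071232] ->> SapSSLSessionInit(&sssl_hdl=7efff976be18, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))
[Thr 139637867071232] <<- SapSSLSessionInit()==SAP_O_K
[Thr 139637867071232]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
[Thr 139637867071232]   No Client Certificate
[Thr 139637867071999] ->> SapSSLSessionInit(&sssl_hdl=7efff976be99, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))
[Thr 139637867071999] <<- SapSSLSessionInit()==SAP_O_K
"""

# "[Thr <id>] <message>" prefix as it appears in the quoted trace.
LINE_RE = re.compile(r"^\[Thr (\d+)\]\s*(.*)$")
# Session start: captures handle, role name and auth_type name.
INIT_RE = re.compile(
    r"->> SapSSLSessionInit\(&sssl_hdl=([0-9a-f]+), "
    r"role=\d+ \((\w+)\), auth_type=\d+ \((\w+)\)\)"
)

def summarize_sessions(trace):
    """Return one dict per SapSSLSessionInit call, in trace order."""
    sessions, latest = [], {}   # latest: thread id -> most recent session
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue            # blank or unrelated line
        thread, msg = m.groups()
        init = INIT_RE.search(msg)
        if init:
            handle, role, auth = init.groups()
            latest[thread] = {"thread": thread, "handle": handle, "role": role,
                              "auth_type": auth, "client_cert_missing": False}
            sessions.append(latest[thread])
        elif msg == "No Client Certificate" and thread in latest:
            latest[thread]["client_cert_missing"] = True
    return sessions

def missing_cert_sessions(trace):
    """Sessions where the server asked for a certificate and got none."""
    return [s for s in summarize_sessions(trace)
            if s["auth_type"] == "ASK_CLIENT_CERT" and s["client_cert_missing"]]

if __name__ == "__main__":
    for s in missing_cert_sessions(SAMPLE_TRACE):
        print(f"thread {s['thread']} handle {s['handle']}: "
              "certificate requested, none presented")
```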


1 Answer

  • Jan 10, 2015 at 01:40 PM

    • Hi

      I am trying to get SSO to work from SAP LVM to saphostagent with X509 and have received this information from SAP:

      please note that SSO only works with signed certificates,
      using self-signed certificates will not work.

      I saw you mention self-signed certificates.