cancel
Showing results for 
Search instead for 
Did you mean: 

GSS-API(maj) : No credential were supplied , Unable to establish security context

Former Member
0 Kudos

I want to Configure SAP Abap (standalone) to use X509 Authentication.

I followed the following steps.

  1. Created the profile parameter
  • ssf/name= SAPSECULIB
  • ssl/ssl_lib =  C:\usr\sap\XYZ\SYS\exe\uc\NTAMD64\sapcrypto.dll
  • sec/libsapsecu = C:\usr\sap\XYZ\SYS\exe\uc\NTAMD64\sapcrypto.dll
  • ssf/ssfapi_lib = C:\usr\sap\XYZ\SYS\exe\uc\NTAMD64\sapcrypto.dll
  • snc/gssapi_lib = C:\usr\sap\xyz\SYS\exe\uc\NTAMD64\sapcrypto.dll
  • snc/identity/as = p:CN=sr3, OU=I0020217358, O=Mycompany Inc, C=US
  • Restart the server .

  2.  Created pse for server

  • Transaction strust
  • created sapcryptolib pse
  • SNC ID which is taken from the instance parameter "snc/identity/as."
  • Assign Password

  3. Create PSE for the Client

  • Set the Environment variable SECUDIR to sec folder
  • Executed the command : sapgenpse gen_pse -v -p SR3.pse
  • Created pse with DN : CN=sr3, OU=I0020217358, O=XYZ Enterprise Solutions Holdings Inc, C=US
  • signed that certificate from ca authority and get sr3.crt ,
  • sapgenpse export_own_cert -v -p SR3.pse -o SR3.crt

4. Imported the Client Certificate to Server PSE.

  • Open the Node SNC (SAPCryptolib) again
  • Enter the SAPCryptolib password.
  • Import certificate button.
  • Set the file format to Base64 and choose the file
  • Added to Certificate List

  5.     Exported the Server Certificate.

  • At node SNC (SAPCryptolib),
  • Export certificate.
  • From the File tab, choose Base64 for the File format and provide a name for the file.

6.   Imported the Server Certificate to the Client PSE

  • sapgenpse maintain_pk -v -a SR3.crt -p SR3.pse

7. Created the cred_v2 file

  • sapgenpse seclogin  -p SR3.pse -x 123456 -O [<Windows_Domain>\]<sidadm>
  • runned sucessfully.

8.  Allowed SNC RFC Connection.

  • Start Transaction SM30 and enter the view VSNCSYSACL.
  • Choose "E" for the Type of ACL entry.
  • Enter System ID and SNC name.
  • Save the entry.

9. Map the X.509 Certificate to the User.

The X.509 Certificate must be accepted for a successful Login.

  • Start Transaction SM30.
  • Enter VUSREXTID and click Maintain.
  • Using the view VUSREXTID, you can setup a mapping between the Distinguished Name provided by a X.509 Certificate and an ABAP User.
  • Choose the Distinguished Name for the External ID type.
  • Create a new entry and activate it.

10. set the Environment variable : snc_lib: C:\Program Files (x86)\SAP\FrontEnd\SAPgui\Encryption\secgss.dll .on th host where sap gui is installed.

I followed all this step successfully.

but when i am using sap gui with SCN enabled  DN : p:CN=sr3, OU=I0020217358, O=Infor Enterprise Solutions Holdings Inc, C=US

i am receiving error.


GSS-API(maj) : No credential were supplied , Unable to establish security context.


Is there any thing  I did wrong or missed in this steps?

Does Out of box pki is necessery for sap gui to use x509 certificate?




Accepted Solutions (0)

Answers (3)

Answers (3)

Former Member
0 Kudos

Hi Nick,

This document has created  confusion in my mind about compatibility of SAP Gui with x509 Certificates  .

Client Certificate Logon for SAP GUI - User Authentication and Single Sign-On - SAP Library

can you help.

Former Member
0 Kudos

Sanket,

Yeah, I see the "help" doc.  SAP Help is one thing, but finding clear documentation that backs up what that "help" says is another.

Your best bet is to buy the SAP NW SSO license, and enable SSO to sapgui via SNC.  It's easy, and a lot of people do it.

I've done X.509 too for WEBGUI and CRM WEBCLIENT.  It's technically "free" in the sense of if you already have an internal CA and the ability to push out certs to all your users.  But again, I don't see how this would work for the PC SAPGUI, regardless of what the help documentation states.

If you don't have the infrastructure in place, the SAP NW SSO license also comes with features to push out X.509 as well.

NICK

Former Member
0 Kudos

Hey Sanket,

for sure if you are trying to enable X.509 for SAPGUI, you are barking up the wrong tree.

All the stuff you have done so far is for SNC, not X.509.

X.509 is only an option if you were trying to get to the WEBGUI SSO, like in a browser to the "webgui" webdynpro.

can you tell us exactly what you want to accomplish in terms of the SAP PC SAPGUI and/or the HTML browser "webgui"?

NICK

behlau_carlos
Contributor
0 Kudos

Hello Sanket,

if I am correct informed, you can't use X.509 Certifcates for SAP GUI.

You would use them for your SAP ITS Server (GUI for browser).

Best regards

Carlos Behlau

Former Member
0 Kudos

According to this post/document  I was planning to configure it.

Former Member
0 Kudos

Hi Sanket,

Have you gone through all the steps as per the below link

http://help.sap.com/saphelp_nw73/helpdata/en/4e/125e0a1e3d2287e10000000a15822b/content.htm Thanks, Jagadish

Former Member
0 Kudos

YES