Former Member

Client Certificate Authentication with Self-signed Certificates

Hi Experts.

I am working with a client who wants to allow access to its AS2 services (SAP B2B Addon) ONLY through X.509 Client Certificate Authentication.

Fig 1. Just an example of how partners will configure our services.

We've been arguing about whether this option can be used with self-signed certificates (OPTION 1) or if we can ONLY use certificates issued by a Certification Authority (CA) as part of a public-key infrastructure (PKI) or a Trust Center Service (like VeriSign) (OPTION 2).

The following SAP documentation explains that this can be done with OPTION 2:

https://help.sap.com/saphelp_nw70ehp1/helpdata/en/62/881e3e3986f701e10000000a114084/content.htm?frameset=/en/b0/881e3e3986f701e10000000a114084/frameset.htm&current_toc=/en/1c/ad1640033ae569e10000000a155106/plain.htm&node_id=36&show_children=false

https://help.sap.com/saphelp_nw73/helpdata/en/4f/991d85b10c16c7e10000000a42189d/content.htm

There are some SAP consultants who say that this can be done with self-signed certificates, but none of them have explained how this can be achieved. We ran the authentication with TrustedCAs certs and it runs OK! With a self-signed cert it doesn't run (see both logs in the following picture).

I need an official stance from SAP about self-signed certs and certificate authentication. Or I need a way to configure this scenario with self-signed certs. Any comments will be appreciated.

Regards
Henry


4 Answers

  • Best Answer
    Former Member
    Oct 22, 2015 at 04:15 PM

    Hi Guys

    Thanks for all of your replies.

    Andrew, the self-signed cert is imported in the ICM_SSL_XXXX and TrustedCAs keystores and also on the user's Certificate tab. Even so, the problem persists. Have you done this type of configuration successfully before?

    I am going to test Steven's idea. It sounds like a way to pass the cert chain... I don't know if this could be a viable approach in a productive scenario.

    I'll let you know how it turns out.

    Regards

    Henry


    • Hey Henry,

      Great news, I have a partner that runs exactly this way! There are a few more things to check.

      1. Is the certificate a wildcard (e.g. "*.abc123.com")? I have never been able to get a wildcard to work for client authentication.

      2. Is the self-signed certificate actually able to be used for client authentication? It needs to be explicitly defined if you built it in OpenSSL, for example.

      To check, you can open it in Windows and it should say "Proves your identity to a remote computer." If it doesn't say that, you can also see if Enhanced Key Usage on the Details tab contains "Client Authentication (1.3.6.1.5.5.7.3.2)". Note: "All issuance policies" or "All application policies" does not necessarily mean that it has client authentication.

      I have seen certificates that do not contain that information because of how they were designed. This command should be able to tell you for sure:

      openssl x509 -in <certificate to check> -purpose -noout -text

      I grabbed it from "openssl - how to read the keyusage of a X509 V3 certificate?" on Stack Overflow.

      3. Finally, the certificate could be corrupt. If you're testing internally, you can build a new certificate. These are the commands that I wrote for the partner to create a self-signed certificate that they use for client authentication. You may need to retype the commands; sometimes copy/paste messes up the dashes.

      Create the cert:

      openssl req -x509 -newkey rsa:2048 -keyout <certkey>.pem -out <certname>.pem -days 730

      Add client authentication:

      openssl x509 -in <certname>.pem -addtrust clientAuth -out <certname>_trusted.pem

      Export the private key (keep this safe!):

      openssl pkcs12 -export -out <certificate1>.pfx -inkey <certkey>.pem -in <certname>.pem

      Get the public key:

      openssl pkcs12 -in <certificate1>.pfx -clcerts -nokeys -out <public_cert>.pem

      Let me know how that goes for you.

      Andrew

  • Oct 21, 2015 at 03:18 PM

    Hi Henry,

    As far as I am aware it will not work with self-signed certificates ... having said that ...

    It will work with own created certificates which are authored by your own root CA certificate ...

    So company X creates its own root CA certificate (e.g. with the OpenSSL toolset), which is used to obtain its own signed certificate (again with OpenSSL) ... The root certificate needs to be added in your Trusted CA keystore ... and you should be good to go ...

    Steven
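Both setups discussed in the answers above, as an added shell example that is not code from the thread: Steven's private root CA issuing a client certificate, and the self-signed certificate with an explicit Client Authentication EKU that Andrew's comment describes. File names and subjects are constructed; it assumes openssl 1.1.1 or newer on PATH. The two check functions reproduce the "-purpose" check from Andrew's comment and the chain check a server performs against its Trusted CAs keystore.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the two certificate setups the
# answers discuss and provides the checks a partner can run before handing a
# certificate over. Assumes openssl 1.1.1+ on PATH; file names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Private root CA plus a client cert signed by it (the "own root CA" approach).
# EKU clientAuth is set explicitly so "-purpose" reports "SSL client : Yes".
make_private_ca_client_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Private Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=as2-partner-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' \
        > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 730 \
        -extfile "$WORK/client.ext" -out "$WORK/client.pem" 2>/dev/null
}

# Self-signed client cert: there is no chain, so the same file must later be
# trusted both as a CA and as the user certificate. -addext needs 1.1.1+.
make_self_signed_client_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
        -subj "/CN=as2-partner-selfsigned" \
        -addext "extendedKeyUsage=clientAuth" \
        -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# The check from Andrew's comment: may this cert be used as a TLS client?
cert_allows_client_auth() {
    openssl x509 -in "$1" -purpose -noout | grep -q '^SSL client : Yes'
}

# The check the server effectively performs: does cert $2 chain to something
# in trust store $1? For the self-signed case $1 and $2 are the same file.
cert_chains_to_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

If cert_allows_client_auth fails on a certificate a partner sent, the certificate was built without the Client Authentication EKU and needs to be reissued rather than imported.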


  • Oct 22, 2015 at 01:06 AM

    Hi Henry,

    There should not be a problem using a self-signed certificate. The biggest thing that is normally missed is adding the self-signed certificate as both a Trusted CA as well as the user certificate itself. Being that there is no chain, essentially, you need to trust the certificate as both a CA and a user certificate.

    For ease of use, I keep my Trusted CAs the same as my ICM CAs so I can both send and receive to the same certificates.

    As all systems are slightly different, there may be something configured in your system that is blocking this (or you may have business saying that you are not allowed to use self-signed). I have never experienced a setting that would block self-signed.

    Hopefully that sheds some light on it.

    Andrew


    • Hi Andrew,

      Interesting ... I recall trying that as well - putting the certificate in the Trusted CA - and it still didn't work as it seemed the code was really trying to find a 'chain' in the certificate and hence failed ... ( kinda like Henry's log is showing ... ).

      Might be depending on the version though ... I think I had this issue on 7.1 ...

      Let us know how this goes Henry ... I am kinda interested to find out ...

      Cheerio,

      Steven

  • Former Member
    Oct 22, 2015 at 05:27 PM

    Hi Henry,

    We can make this scenario work. We have had trouble with it and it took a long time to figure out.

    Can you please follow the steps below?

    1. /nwa – configuration – security – ssl: change the client authentication mode to "request" & restart ICM

    2. /nwa – configuration – security – authentication and single sign on: select client_cert and edit it:

       CertloginModule: SUFFICIENT

    3. sap.com/com.sap.aii.adapter.as2.app*AS2: client_cert

    4. In NWA add the certificate to the partner user profile


    Thanks,

    Dhanish


    • Former Member

      Hi Henry

      I will just recap the steps we did:

      1. /nwa – configuration – security – ssl: change the client authentication mode to "request" & restart ICM

      2. /nwa – configuration – security – authentication and single sign on: select client_cert and edit it:

         CertloginModule: SUFFICIENT

         BasicPasswordLoginModule: Optional

         Now to find AS2 you need to delete the TYPE – Template and press enter to see all options.

         Search for as2 (sap.com/com.sap.aii.adapter.as2.app*AS2) & edit and change to Client Cert and save.

      3. Go to /nwa – configuration – security – certificates and keys.

         Go to the ICM_SSL_* view and add in the partner certificate.

      4. Go to identity management and find the trading partner user id -> add the partner certificate there too.

      Thanks,

      Dhanish
