
Client Certificate Authentication with Self-signed Certificates

Former Member
0 Kudos

Hi Experts.

I am working with a client who wants to allow access to its AS2 services (SAP B2B Addon) ONLY through X.509 Client Certificate Authentication.

Fig 1.  Just an example of how partners will configure our services.

We've been arguing about whether this option can be used with self-signed certificates (OPTION 1) or if we can ONLY use certificates issued by a Certification Authority (CA) as part of a public-key infrastructure (PKI) or a Trust Center Service (like VeriSign) (OPTION 2).

The following SAP documentation explains that this can be done with OPTION 2:

https://help.sap.com/saphelp_nw70ehp1/helpdata/en/62/881e3e3986f701e10000000a114084/content.htm?fram...

https://help.sap.com/saphelp_nw73/helpdata/en/4f/991d85b10c16c7e10000000a42189d/content.htm

There are some SAP consultants who said that this can be done with self-signed certificates, but none of them have explained how this can be achieved. We run the authentication with TrustedCAs certs and it runs OK! With a self-signed cert it doesn't run (see both logs in the following picture).

I need an official stance from SAP about self-signed certs and certificate authentication, or I need a way to configure this scenario with self-signed certs. Any comments will be appreciated.

Regards
Henry

Accepted Solutions (1)

Former Member
0 Kudos

Hi Guys

Thanks for all of your replies.

Andrew, the self-signed cert is imported into the ICM_SSL_XXXX and TrustedCAs keystores and also on the user's Certificate tab. Even so, the problem persists. Have you done this type of configuration successfully before?

I am going to test Steven's idea. It sounds like a way to pass the cert chain... I don't know if this could be a viable approach in a productive scenario.

I'll let you know how it turns out.

Regards

Henry

andrew_purgert
Explorer
0 Kudos

Hey Henry,

Great news, I have a partner that runs exactly this way!  There are a few more things to check.

1. Is the certificate a wildcard (e.g. "*.abc123.com")? I have never been able to get a wildcard to work for client authentication.

2. Is the self-signed certificate actually able to be used for client authentication? It needs to be explicitly defined if you built it in OpenSSL, for example.

To check, you can open it in Windows and it should say "Proves your identity to a remote computer." If it doesn't say that, you can also check whether Enhanced Key Usage on the Details tab contains "Client Authentication (1.3.6.1.5.5.7.3.2)". Note: "All issuance policies" or "All application policies" does not necessarily mean that it has client authentication.

I have seen certificates that do not contain that information because of how they were designed. This command should be able to tell you for sure:

openssl x509 -in <certificate to check> -purpose -noout -text

I grabbed it from "openssl - how to read the keyusage of a X509 V3 certificate?" on Stack Overflow.

3. Finally, the certificate could be corrupt. If you're testing internally, you can build a new certificate. These are the commands that I wrote for the partner to create a self-signed certificate that they use for client authentication. You may need to retype the commands; sometimes copy/paste messes up the dashes.

Create the cert:

openssl req -x509 -newkey rsa:2048 -keyout <certkey>.pem -out <certname>.pem -days 730

Add client authentication:

openssl x509 -in <certname>.pem -addtrust clientAuth -out <certname>.pem

Export the private key (keep this safe!):

openssl pkcs12 -export -out <certificate1>.pfx -inkey <certkey>.pem -in <certname>.pem

Get the public key:

openssl pkcs12 -in <certificate1>.pfx -clcerts -nokeys -out <public_cert>.pem

Let me know how that goes for you.

Andrew
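As an added example (not code from the thread or from Andrew), the script below builds a self-signed client certificate with the clientAuth extended key usage carried as an X.509 extension inside the certificate, then runs the two checks Andrew describes (the `-purpose` output and the Extended Key Usage in `-text`) and confirms that the certificate verifies with itself as the only trust anchor, which is why a self-signed certificate has to be imported as both a Trusted CA and the user certificate. It assumes the openssl CLI is on PATH; the subject names and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: self-signed client-auth certificate with
# extendedKeyUsage=clientAuth inside the certificate, plus the checks to prove it.
# Assumes the openssl CLI is on PATH. Names and subjects below are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/selfsigned-clientauth.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# req config: prompt-free subject and an extension section that carries the EKU.
cat > "$WORK/client.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = client_ext

[ dn ]
CN = partner-as2-client.example
O = Example Partner

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF

# Key and self-signed certificate in one step (unencrypted key, demo only).
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
    -config "$WORK/client.cnf" \
    -keyout "$WORK/client-key.pem" -out "$WORK/client-cert.pem" 2>/dev/null
}

# 0 if the EKU extension lists TLS client authentication (OID 1.3.6.1.5.5.7.3.2).
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Client Authentication'
}

# 0 if openssl's purpose checker reports "SSL client : Yes" for the file.
purpose_allows_ssl_client() {
  openssl x509 -in "$1" -noout -purpose | grep -q '^SSL client : Yes'
}

# 0 if the certificate verifies with itself as the only trust anchor
# (a self-signed cert has no chain, so it must be trusted directly).
verify_self_trusted() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

make_selfsigned
CERT="$WORK/client-cert.pem"
has_client_auth_eku "$CERT"
purpose_allows_ssl_client "$CERT"
verify_self_trusted "$CERT"
echo "client-cert.pem: EKU clientAuth present, purpose SSL client = Yes, self-verify OK"
```

Note that `-addtrust clientAuth` writes OpenSSL-specific trust settings into the PEM envelope (a "TRUSTED CERTIFICATE" block) rather than adding an extendedKeyUsage extension to the certificate itself, so a server inspecting the EKU will not see it; putting the extension into the request config, as above, is what makes the `-purpose` check report `SSL client : Yes`.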

Answers (4)

jaehoo
Discoverer
0 Kudos

Hi everyone,

I've successfully configured certificate authentication in the SOAP sender adapter using my self-signed certificate issued by my own CA on SAP PO 7.5.

But there are a few additional steps that I want to share to complete this post; you can find all the steps in my blog.

https://jaehoo.wordpress.com/2023/02/28/sap-pi-po-soap-sender-adapter-enable-https-with-client-authe...

Thanks.

Former Member
0 Kudos

Hi Henry ,

We can make this scenario work. We have had trouble with it and it took a long time to figure out.

Can you please follow the steps below?

1. /nwa – configuration – security – SSL: change the client authentication mode to "request" & restart ICM

2. /nwa – configuration – security – authentication and single sign-on: select client_cert and edit it:

CertLoginModule: SUFFICIENT

3. sap.com/com.sap.aii.adapter.as2.app*AS2 : client_cert

4. In NWA, add the certificate to the partner user profile


Thanks,

Dhanish

Former Member
0 Kudos

Joseph

Thank you for your reply.

I checked points 1 and 2 and they are configured as you mentioned.

I have a question on point 3 "sap.com/com.sap.aii.adapter.as2.app*AS2 : client_cert".
Where do I set this?

And when you say "In NWA add the certificate to the partner user profile", you mean to import the certificate in useradmin on the Certificate tab, right?

Thanks
Henry

Former Member
0 Kudos

Hi Henry

I will just recap the steps we did:

  1. /nwa – configuration – security – SSL: change the client authentication mode to "request" & restart ICM
  2. /nwa – configuration – security – authentication and single sign-on: select client_cert and edit it:

         CertLoginModule: SUFFICIENT

         BasicPasswordLoginModule: Optional

         Now, to find AS2 you need to delete the TYPE – Template and press Enter to see all options

         Search for as2 (sap.com/com.sap.aii.adapter.as2.app*AS2) & edit and change to Client Cert and save

  3. Go to /nwa – configuration – security – certificates and keys

         Go to the ICM_SSL_* view and add in the partner certificate

  4. Go to identity management and find the trading partner user id -> add the partner certificate there too

Thanks,

Dhanish

andrew_purgert
Explorer
0 Kudos

Hi Henry,

There should not be a problem using a self-signed certificate. The biggest thing that is normally missed is adding the self-signed certificate as both a Trusted CA as well as the user certificate itself. Being that there is no chain, essentially, you need to trust the certificate as both a CA and a user certificate.

For ease of use, I keep my Trusted CAs the same as my ICM CAs so I can both send and receive to the same certificates.

As all systems are slightly different, there may be something configured in your system that is blocking this (or you may have business saying that you are not allowed to use self-signed). I have never experienced a setting that would block self-signed.

Hopefully that sheds some light on it.

Andrew

Steven_UM
Contributor
0 Kudos

Hi Andrew,

Interesting ... I recall trying that as well - putting the certificate in the Trusted CAs - and it still didn't work, as it seemed the code was really trying to find a 'chain' in the certificate and hence failed ... (kinda like Henry's log is showing ...).

Might be depending on the version though ... I think I had this issue on 7.1 ...

Let us know how this goes Henry ... I am kinda interested to find out ...

Cheerio,

Steven

Steven_UM
Contributor
0 Kudos

Hi Henry,

As far as I am aware it will not work with self-signed certificates ... having said that ...

It will work with your own created certificates which are signed by your own root CA certificate ...

So company X creates its own root CA certificate (e.g. with the OpenSSL toolset), which is used to issue its own signed certificate (again with OpenSSL) ... The root certificate needs to be added to your Trusted CA keystore ... and you should be good to go ...

Steven
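As an added example (not code from the thread or from Steven), the script below carries out the approach Steven describes: it creates a private root CA, issues the partner's client certificate signed by that root, and then runs chain verification twice, once with the root in the trust store (succeeds) and once with only the partner certificate in the trust store (fails, because there is no chain to build, which is the failure the thread associates with a bare certificate). It assumes the openssl CLI is on PATH; all file names and subjects are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a private root CA that issues the
# partner's client certificate, with chain verification shown both with and
# without the root in the trust store. Assumes the openssl CLI is on PATH.
# All file names and subjects are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/own-ca-clientauth.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Root CA request config: self-signed, marked CA:TRUE with keyCertSign.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext

[ dn ]
CN = Company X Private Root CA
O = Company X

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Partner CSR config (subject only; end-entity extensions are applied at signing).
cat > "$WORK/client.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = partner-as2-client.example
O = Partner Y
EOF

# Extensions the CA stamps onto the client certificate.
cat > "$WORK/client-ext.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
}

# CSR from the partner, then a certificate signed by the root CA key.
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/client.cnf" \
    -keyout "$WORK/client-key.pem" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -sha256 -days 730 \
    -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -extfile "$WORK/client-ext.cnf" -out "$WORK/client-cert.pem" 2>/dev/null
}

# 0 if the client certificate chains to the trust anchor(s) in file $1.
chains_to() {
  openssl verify -CAfile "$1" "$WORK/client-cert.pem" >/dev/null 2>&1
}

# 0 if the client certificate's issuer name is the root CA's subject name.
issued_by_root() {
  [ "$(openssl x509 -in "$WORK/client-cert.pem" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$WORK/ca-cert.pem" -noout -subject_hash)" ]
}

make_root_ca
issue_client_cert
issued_by_root
chains_to "$WORK/ca-cert.pem"
echo "root CA in trust store: client certificate verifies OK"
# Only the partner cert and no root: there is no chain to build, so this
# must fail; a non-self-signed cert is not a trust anchor on its own.
if chains_to "$WORK/client-cert.pem"; then
  echo "unexpected: verified without the root CA"; exit 1
fi
echo "only the partner cert in trust store: verification fails (expected)"
```

The second verify is the counterpart of what the thread observes: when the server only has the partner's CA-issued certificate but not the root that signed it, chain building stops at the leaf and the login is rejected, so the root CA certificate (not the partner certificate) is what belongs in the Trusted CAs keystore for this variant.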