Logon Failed using SSL Client Certificate

former_member343107, Participant

Dear all,

I enabled the HTTPS service on an NW700 ABAP system. The certificate of the CA that signed the client certificate is imported into the "SSL Server" entry in transaction STRUST. The view VUSREXTID is also changed: an item is added to map the DN of the client to a user with the SAP_ALL profile. The instance profile parameters are:

icm/HTTPS/verify_client = 1

snc/extid_login_rfc = 1

snc/extid_login_diag = 1

On the client side, the client certificate was imported into the IE browser. But when I tried to access the URL "https://.....", the web page shows "Call of URL xxx terminated due to error in logon data". And the error code is "ICF-LE-https-c:100-l:E-T:5-C:5-U:-P:-L:5".

Does anybody have an idea what the possible reason is? And how can I tell whether this problem is caused by the mapping of the certificate to the user name?

Thanks + Best Regards

Jerome

1 ACCEPTED SOLUTION

WolfgangJanzen, Product and Topic Expert

I'd recommend referring to SAP Note 495911 (https://service.sap.com/sap/support/notes/495911) for instructions on how to analyse such problems.

In addition you might consider activating the ICM trace (using ABAP transaction SMICM -> Goto -> Trace ...). Please note: after you have imported the CA certificate into the certificate list of the SSL server PSE (using STRUST) you might still have to restart the ICM (using SMICM -> Administration -> ICM -> Exit Soft); this is required since the ICM caches the PSE file. In future releases this is automated (by triggering a PSE cache invalidation; no ICM restart required).

Cheers, Wolfgang

8 REPLIES


Hi Janzen,

Thanks a lot for the help. The problem was found. In the view VUSREXTID, I specified the DN to be

"E = email@client.com

CN = ClientCompanyClient

OU = ClientCompanyOrgUnit

O = ClientCompany

S = CA

C = US", which is retrieved from IE Browser -> Internet Options -> Content -> Certificates.

But in the ICM log, the DN is recorded as "EMAIL=email@client.com, CN=ClientCompanyClient, OU=ClientCompanyOrgUnit, O=ClientCompany, SP=CA, C=US". So I changed the DB view accordingly. It works.

But I still have a question: where should I find the correct DN of the client so that I can write it to the DB view VUSREXTID? It doesn't sound so good to check the ICM trace each time :-(

Best Regards

Jerome


Hi Jerome,

Well, unfortunately the mapping is performed based on the printable name (and not on the ASN.1 notation). Since the printable name is not canonical there are various different versions / results (even different versions of Windows show different visualizations of certificates).

For the ABAP system it is important that the same printable name is used when maintaining the mapping that is also used when performing the logon. Therefore I'd recommend visualizing the certificate in the ABAP system itself, using transaction STRUST: just use any PSE (preferably: the SSL server PSE) to import the certificate you want to analyse (notice: you do not need to add the certificate to the PSE, nor do you need to save the PSE afterwards - so don't worry).

As of NetWeaver 7.1, ABAP transaction SM30 / EXTID_DN allows you to upload an X.509 certificate. Then all the parsing is done automatically; all you need is to assign a user. That feature might be downported to NW 7.0 (aka NW 2004s) - notice: "might" (it's not an announcement).

Cheers, Wolfgang
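The failure Jerome hit and the point Wolfgang makes above (the VUSREXTID mapping is a literal match on a non-canonical printable name) can be made concrete with a small script. This is an added example for this thread, not SAP code: it takes the two renderings quoted above (the IE display and the ICM trace line), folds the attribute-type spellings that differ, and checks whether they denote the same subject. The E/EMAIL and S/SP pairs come straight from the thread; the EMAILADDRESS and ST spellings, the quoting and backslash-escape handling, and the reversed-order acceptance (RFC 2253 renderers such as `openssl x509 -nameopt RFC2253` list RDNs back to front) are assumptions drawn from common OpenSSL / RFC 4514 conventions and are not something the page states.

```python
"""Compare two 'printable name' renderings of the same X.509 subject DN.

Added example for this thread, not SAP code.  IE_DN and ICM_DN are the two
strings Jerome quoted; the alias table beyond E/EMAIL and S/SP, the escaping
rules and the reversed-order handling are assumptions (OpenSSL / RFC 4514
conventions), not something the ABAP system is documented to do.
"""

# Attribute-type aliases.  E<->EMAIL and S<->SP are taken from the thread;
# EMAILADDRESS and ST are the OpenSSL spellings (assumption, not from the page).
_ALIASES = {
    "E": "EMAIL", "EMAIL": "EMAIL", "EMAILADDRESS": "EMAIL",
    "S": "SP", "SP": "SP", "ST": "SP",
}

# Constructed sample input: the DN as IE displays it (one RDN per line,
# spaces around '=').
IE_DN = """E = email@client.com
CN = ClientCompanyClient
OU = ClientCompanyOrgUnit
O = ClientCompany
S = CA
C = US"""

# Constructed sample input: the same subject as the ICM trace logged it.
ICM_DN = ("EMAIL=email@client.com, CN=ClientCompanyClient, "
          "OU=ClientCompanyOrgUnit, O=ClientCompany, SP=CA, C=US")


def _split_rdns(text):
    """Split a printable DN into RDN strings.

    Separators are newlines or unquoted, unescaped commas, so a value such as
    'Acme, Inc.' survives when it is quoted or the comma is backslash-escaped.
    """
    rdns, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # backslash escape: keep next char literally
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == '"':                          # quotes delimit a value; they are not part of it
            quoted = not quoted
        elif ch in ",\n" and not quoted:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return [r.strip() for r in rdns if r.strip()]


def canonical_dn(text):
    """Return the DN as a tuple of (TYPE, value) with alias types folded.

    Attribute types are compared case-insensitively; values are kept verbatim
    apart from surrounding whitespace, because the ABAP mapping is a string
    match on the printable name, not an ASN.1 comparison.
    """
    out = []
    for rdn in _split_rdns(text):
        typ, sep, val = rdn.partition("=")
        typ = typ.strip().upper()
        if not sep or not typ:
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((_ALIASES.get(typ, typ), val.strip()))
    return tuple(out)


def sap_printable(dn):
    """Render a canonical DN in the one-line form the ICM trace used."""
    return ", ".join(f"{t}={v}" for t, v in dn)


def same_subject(a, b):
    """True if two renderings describe the same subject.

    RFC 2253-style renderers list the RDNs in reverse order relative to the
    ASN.1 sequence, so the reversed order is accepted as well (assumption).
    """
    ca, cb = canonical_dn(a), canonical_dn(b)
    return ca == cb or ca == tuple(reversed(cb))


if __name__ == "__main__":
    print("raw strings equal:  ", IE_DN == ICM_DN)             # False: the mapping fails
    print("same subject:       ", same_subject(IE_DN, ICM_DN))   # True
    print("value for VUSREXTID:", sap_printable(canonical_dn(IE_DN)))
```

The script only tells you that two renderings refer to the same certificate subject; it does not tell you which string the ABAP system will compare against. For the value you actually enter in VUSREXTID, the rendering produced by the ABAP system itself (STRUST, or the ICM trace line) remains the authority, which is exactly Wolfgang's advice; `sap_printable` merely reproduces the one ICM form seen in this thread.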


Thanks a lot for the suggestion!

Best Regards

Jerome


Hi both,

The post is old but, may be you could help me...

I'm investigating all the tools for digital signature, single sign-on, secure access... but I think I don't understand the STRUST transaction very well... I've installed CRYPTOLIB but no external product. Otherwise, I have a certificate on a card and a reader for it...

Could you please give me a hand?

Thanks in advance.

Regards.

Urtzi.


Hi Urtzi,

So, what actually do you intend to achieve? Do you want to use the X.509 client certificate (which needs to be present in the user's browser) for Single Sign-On? Or do you need to use the (X.509) certificate to perform digital signature operations (-> SSF, Secure Store and Forward) at the user agent (browser / SAPGUI)?

Yes, it is possible to use SmartCards which store the X.509 client certificate (and the corresponding private key) at the client side - provided that you have installed the proper hardware (and corresponding drivers). The SSL server (here: the SAP NetWeaver Application Server) will not be aware of that - whether the X.509 client certificate is stored in the keystore file (respectively Windows registry) or on a SmartCard; it's fully transparent to the SSL peer.

Best regards, Wolfgang

PS: the "import certificate (by file upload)" feature (in transaction EXTID_DN) was downported to NW 7.0 (aka NW 2004s); it will come with SP 14 (by the end of this year).


Hi Wolfgang,

Thanks for your quick response...

I'm not very clear on what I want to use or which is the best way... I'm still in the research stage... :-) and the customer hasn't already specified what he wants...

We want to research and learn as much as we can to offer the customer the best alternative...

All I know is that customer would need:

- Single sign-on to the system, including SAP systems and Portal

- Digital signing documents.

They work with a local CA called Izenpe (www.izenpe.com) and it gives you a SmartCard with your key...

I've found program SSFSDEMO and it works OK: it calls Izenpe's libraries and signs the document OK. But I find the problem that the moment I call the SSFS_CALL_CONTROL function I lose program control... I would prefer to customize SAP using the SIGNO, SIGNA, ELSIG00, ELSIG01... transactions to allow the SAP user to sign or not, but sign with my certificate...

I don't have any external security product to configure... as far as I know the customer is against paying for any other product...

What do you think?

Thank you very much for your help!

Regards.


I'd suggest that you create a new thread to discuss this topic.