Secure Login Server 3.0 - Remote CA Configuration

Sep 09, 2017 at 08:44 AM



Hi guys,

After upgrading SLS to SP02, my Remote CA setup is no longer working. I removed all configurations and started from scratch to figure out what could be the issue.

I followed the latest manual and SAP Note 2375797.

Created the destination with https://<URL> and WITHOUT the "/certsrv" in the NWA. Ping is successful.

Tried with Basic Auth or a PFX with specified Java keystore - tried also with 1024 bit key size - no difference, the Remote CA test fails and I can't enable the Remote CA in the SLAC.

In the logs I was able to find the following:

Looks as if the requested resource does not exist, which is true. The "/certsrv" is missing here. It does not help to append this to the destination configuration.

What else could be wrong in the setup? Please note I just upgraded to SP02 and it worked before.



3 Answers

Best Answer
Carsten Olt Sep 17, 2017 at 04:31 PM

Update (to myself and others having this issue): now resolved!

I was able to figure out in the ADCS event log that my user has no permission on the template. Instead of Autoenrollment (as mentioned in the doc), you need to assign "Enroll" as well for your SLS user requesting the certificates. Now everything works and the SLS user is authenticating against the ADCS using a client certificate as well!
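
The fix in the answer above comes down to the template ACL granting Enroll, not only Autoenroll, to the requesting account. As an added example (not part of the original thread, and not SAP or Microsoft tooling), this Python sketch parses a certificate template's security descriptor in SDDL form and lists trustees that hold Autoenroll without Enroll. The SDDL string and the SID standing in for the SLS user are constructed sample values, and group membership is not resolved.

```python
import re

# Extended-right GUIDs used on AD certificate template objects.
RIGHTS = {
    "Enroll": "0e10c968-78fb-11d2-90d4-00c04f79dc55",
    "Autoenroll": "a05b8cc2-17bc-4802-a710-e7c15ab866a2",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS ("CR" in SDDL)

def has_control_access(rights):
    """True if the ACE rights field includes extended-right access."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CONTROL_ACCESS)
    # SDDL rights are two-letter codes; split in pairs so "LCRP" is not read as "CR".
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & {"CR", "GA"})

def template_rights(sddl):
    """Return {trustee: {'Enroll', 'Autoenroll'}} from allow ACEs, minus explicit denies."""
    allow, deny = {}, {}
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        f = ace.split(";")
        if len(f) != 6 or f[0] not in ("A", "OA", "D", "OD"):
            continue  # audit ACEs and anything unexpected are ignored
        if not has_control_access(f[2]):
            continue
        guid = f[3].lower()
        # An empty object GUID means the ACE covers every extended right.
        names = {n for n, g in RIGHTS.items() if not guid or g == guid}
        (allow if f[0] in ("A", "OA") else deny).setdefault(f[5], set()).update(names)
    result = {t: r - deny.get(t, set()) for t, r in allow.items()}
    return {t: r for t, r in result.items() if r}

def autoenroll_without_enroll(sddl):
    """Trustees in the state the answer describes: Autoenroll granted, Enroll missing."""
    return sorted(t for t, r in template_rights(sddl).items() if r == {"Autoenroll"})

# Constructed sample: the -1105 SID stands in for the SLS service user.
SLS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    f"(OA;;CR;{RIGHTS['Autoenroll']};;{SLS_SID})"
    f"(OA;;RPWPCR;{RIGHTS['Enroll']};;DA)"
    "(A;;LCRPLORC;;;AU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
)

if __name__ == "__main__":
    print(autoenroll_without_enroll(SAMPLE_SDDL))
```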

Carsten Olt Sep 17, 2017 at 04:23 PM

Update: Changed the URL and appended /certsrv to the URL, e.g. https://adcs.domain.local/certsrv

Was able to ping the destination.

Now I got the following error in the traces: iaik.asn1.DerInputException: Next ASN.1 object is no SEQUENCE!

Any idea?



Former Member Mar 11 at 06:28 PM

Hello Carsten,

You seem to be one of the few configuring the scenario of Remote CA. Can you please clarify for me whether this scenario lets the Secure Login Server populate the table USREXTID in the SAP AS once the certificate is expired?

If not, what is the purpose of Remote CA?

Thank you.



Dear Bruno,

"A Secure Login Server Remote CA is a Web service of an existing enterprise PKI solution that allows client certification requests to be signed by the PKI instance instead of Secure Login Server. Secure Login Server only forwards the client request, and cares for proper authentication and name mapping." [Source: SAP Note 2375797]

The SLS Remote CA eliminates the need to operate and secure a key pair (CA) on the SLS itself. Instead, the clients (users) requesting certificates for SSO are forwarded to the original CA operated behind the SLS and connected via Web service. This has to be seen independently of a user mapping in any table of the AS ABAP backend system and has nothing to do with it.

Cheers, Carsten