on 10-29-2007 11:51 AM
Hello!
I am trying to configure my NW ABAP to work with certificates. I have followed the instructions in SAP help for <a href="http://help.sap.com/saphelp_nw04/helpdata/en/65/6a563cef658a06e10000000a11405a/content.htm">Configuring the SAP Web AS for Supporting SSL</a> and <a href="http://help.sap.com/saphelp_nw70/helpdata/en/a8/d9d53a9aa9e933e10000000a114084/content.htm">Configuring the System for Using X.509 Client Certificates</a>. I configured the PSEs, set the profile parameters, imported certificates into my browser from service.sap.com, and set values in the USREXTID table.
Now I can use the services from SICF via HTTPS with no problem by providing username and password when prompted by web browser. However, I can't make the browser prompt me for a certificate. I tried to play with service parameters in SICF. No matter what I do, my browser never asks me for a certificate. What am I missing?
Thanks for your hints!
Regards,
Igor
Here are my profile parameters:
[code]ssf/name = SAPSECULIB
ssf/ssfapi_lib = $(DIR_CT_RUN)\sapcrypto.dll
sec/libsapsecu = $(DIR_CT_RUN)\sapcrypto.dll
ssl/ssl_lib = $(DIR_CT_RUN)\sapcrypto.dll
icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=10
icm/server_port_1 = PROT=HTTP, PORT=8000, TIMEOUT=10
icm/HTTPS/verify_client = 1
snc/extid_login_diag = 1
snc/extid_login_rfc = 1
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticket_only_to_host = 1[/code]
Hi Igor,
The browser will not prompt you to send the certificate, it just does it.
The certificate just authenticates the HTTPS connection.
If you want to connect an abap user with a client certificate, you have to do a mapping between the DN of the certificate and an abap user.
This is done in view VUSREXTID. You can update it with SM30.
Choose "External ID Type" = DN (DN of Certificate (X500)).
Hope this helps.
Olivier
Hi, Olivier!
Thanks for your reply!
But sending the default cert or selecting one is a browser setting, isn't it (e.g. in Firefox there are option buttons "Select one automatically" and "Ask me every time")? Then the browser prompts me to select which one I want to use (for instance, if I try to log on to SDN this happens every time). The browser should know somehow that the server expects a certificate. To me it seems that my server is failing to send such a request and I don't know how to correct this. Am I right? Why would logging on to an SAP WAS service be different?
Or is there something specific with SAP WAS?
Thanks!
Regards,
Igor
Igor,
You are right that it is the SSL server which asks for a certificate from the client browser. It is part of the SSL handshake.
The server can be configured to either:
not ask for the certificate
ask for the certificate and, if no certificate, ask for basic authentication
require the client certificate
With IE 6, I am asked to validate the sending of my client certificate (S user) when connecting to service.sap.com
But when I use this client certificate to connect to a test R/3 system, I don't have to validate anything. The client certificate is sent automatically.
I made the correspondence between my S user and my abap user in VUSREXTID.
icm/HTTPS/verify_client = 1
This parameter means that your server asks for a certificate but it is not mandatory.
Try to use
icm/HTTPS/verify_client = 2
The certificate will be mandatory.
To see exactly what's going on, increase the trace level of the ICM and you will see if your server actually asks for a client certificate.
Regards,
Olivier
Hello, Olivier!
I examined the trace - too big to quote, but I tried to find occurrences of the "cert" word. It seems to me that the server requests a certificate, but the browser does not return one.
The log is full of lines like:
[Thr 3120] ->> SapSSLSessionInit(&sssl_hdl=010521B8, role=0 (SERVER), auth_type=1 (ASK_CLIENT_CERT))
I believe this means that the server is asking for the certificate. But then
comes (after a few tens of trace lines):
[Thr 2216] No Client Certificate
or
[Thr 2216] status = "new SSL session, NO client cert".
And now comes the strange one. The last one containing the "cert" word:
[Thr 792] ->> SapSSLGetPeerInfo(sssl_hdl=085D0CB0, &cert=07D4FE90, &cert_len=07D4FE88, &subject_dn=07D4FE80, &issuer_dn=07D4FE84, &cipher=07D4FE60)
Is this how it should look? I created the USREXTID entry by importing the cert from my browser to STRUST,
and then copy-pasting the name to avoid typos. But I don't know what to do with
these hex values. Do you have an idea what now?
Thanks!
Regards,
Igor
Hello Igor,
Here is an extract of the ICM log for a successful HTTPS connection authenticated with a client X.509 certificate. This comes from an R/3 4.7 with a 6.40 kernel.
[Thr 2944] IcmExternalLogin: Connection request from Client received
[Thr 2944] IcmServIncrRefCount: bt1fsapltb02:1422 - serv_ref_count: 2
[Thr 2944] IcmConnIntegrateServer: accepted connection from 172.xx.xx.xx on service 1422
My ICM is configured to ask for a certificate
[Thr 2428] <<- SapSSLSessionInit()==SAP_O_K
[Thr 2428] in: args = "role=0 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
[Thr 2428] out: sssl_hdl = 00000000002CA9E0
The certificate from the browser is received:
[Thr 4536] <<- SapSSLSessionStart(sssl_hdl=00000000002CAB40)==SAP_O_K
[Thr 4536] status = "new SSL session, received client cert"
[Thr 4536] Client DN = "CN=S0000xxxxxx, OU=SAP Service Marketplace, O=SAP Trust Community, C=DE"
The DN is extracted from the client certificate:
[Thr 5424] <<- SapSSLGetPeerInfo(sssl_hdl=00000000002CAB40)==SAP_O_K
[Thr 5424] HttpLogHandler: cert issued for "S0000xxxxxx"
In view VUSREXTID, I have this mapping :
External ID type : DN
External ID : CN=S0000xxxxxx, OU=SAP Service Marketplace, O=SAP Trust Community, C=DE
Seq No : 000
User : OCHRETIE ( my abap user)
Activated : X
The result is :
In the ICM HTTP logs, I'm authenticated with the CN from the certificate:
172.xx.xx.xx - S0000xxxxxx [30/Oct/2007:09:15:56 +0100] "GET /sap/bc/bsp/sap/it00/misc_echo.htm HTTP/1.1" 302 25
In the abap stack (STAD), I'm authenticated with my abap user:
09:15:55 bt1fsapltb02_TLG misc_echo.htm T 0 OCHRETIE 377
Simple, no?
It seems that you have a problem with your certificate...
Regards,
Olivier
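Olivier's working trace and Igor's failing one differ in exactly two lines: the auth_type reported by SapSSLSessionInit (was the client asked at all?) and the status reported by SapSSLSessionStart (did it send anything?). The Python script below is an added example, not code from the thread or from SAP. It reads trace excerpts modelled on the lines quoted above and reports which of the three situations applies: the server never asked, it asked and received nothing, or it received a certificate whose DN is then looked up in a stand-in for the VUSREXTID mapping. The trace lines, the S-user DN and the mapping table are constructed placeholders, and the whitespace-insensitive DN comparison is an assumption of this example, not the ABAP stack's documented matching rule.

```python
import re
from typing import Dict, Optional

# Constructed ICM trace excerpts, modelled on the lines quoted in this thread.
# Thread ids, handles and the S-user DN are placeholders, not real data.
TRACE_WORKING = """\
[Thr 2428] <<- SapSSLSessionInit()==SAP_O_K
[Thr 2428]      in: args = "role=0 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
[Thr 4536] <<- SapSSLSessionStart(sssl_hdl=00000000002CAB40)==SAP_O_K
[Thr 4536]      status = "new SSL session, received client cert"
[Thr 4536]      Client DN = "CN=S0000xxxxxx, OU=SAP Service Marketplace, O=SAP Trust Community, C=DE"
"""

TRACE_ASKED_NOT_SENT = """\
[Thr 3120] ->> SapSSLSessionInit(&sssl_hdl=010521B8, role=0 (SERVER), auth_type=1 (ASK_CLIENT_CERT))
[Thr 2216] No Client Certificate
[Thr 2216]      status = "new SSL session, NO client cert".
"""

TRACE_NEVER_ASKED = """\
[Thr 1086949728] ->> SapSSLSessionInit(&sssl_hdl=0x2aaeea7ae8, role=0 (SERVER), auth_type=0 (NO_CLIENT_CERT))
[Thr 2216]      status = "new SSL session, NO client cert"
"""

# Constructed stand-in for the VUSREXTID rows (External ID type DN -> ABAP user).
USREXTID = {
    "CN=S0000xxxxxx, OU=SAP Service Marketplace, O=SAP Trust Community, C=DE": "OCHRETIE",
}

AUTH_TYPE_RE = re.compile(r"auth_type=(\d+) \((\w+)\)")
STATUS_RE = re.compile(r'status = "new SSL session, (received client cert|NO client cert)"')
CLIENT_DN_RE = re.compile(r'Client DN = "([^"]+)"')


def normalize_dn(dn: str) -> str:
    """Assumption of this example: compare RDNs with surrounding whitespace
    stripped, so a copy-paste that drops the space after a comma still matches."""
    return ",".join(part.strip() for part in dn.split(","))


def analyse_ssl_trace(trace: str, mapping: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Reduce one SSL session's trace lines to: did the server ask for a
    certificate, did the client send one, and does its DN map to an ABAP user."""
    result: Dict[str, Optional[str]] = {
        "auth_type": None,      # "0".."2" as printed by SapSSLSessionInit
        "cert_received": None,  # "yes" / "no" from the SapSSLSessionStart status
        "client_dn": None,
        "abap_user": None,
        "diagnosis": None,
    }
    for line in trace.splitlines():
        m = AUTH_TYPE_RE.search(line)
        if m:
            result["auth_type"] = m.group(1)
        m = STATUS_RE.search(line)
        if m:
            result["cert_received"] = "yes" if m.group(1).startswith("received") else "no"
        m = CLIENT_DN_RE.search(line)
        if m:
            result["client_dn"] = m.group(1)

    if result["auth_type"] == "0":
        result["diagnosis"] = ("server never requested a client certificate: "
                               "check icm/HTTPS/verify_client and the VCLIENT value of the HTTPS port")
    elif result["cert_received"] is None:
        result["diagnosis"] = "no SapSSLSessionStart status line in this excerpt"
    elif result["cert_received"] == "no":
        result["diagnosis"] = ("server requested a certificate but the browser sent none: "
                               "check that the issuing CA is in the SSL server PSE certificate "
                               "list and that the ICM was restarted afterwards")
    elif result["client_dn"] is None:
        result["diagnosis"] = "certificate received but no Client DN line found in this excerpt"
    else:
        wanted = normalize_dn(result["client_dn"])
        for dn, user in mapping.items():
            if normalize_dn(dn) == wanted:
                result["abap_user"] = user
                result["diagnosis"] = f"certificate mapped to ABAP user {user}"
                break
        else:
            result["diagnosis"] = "certificate received but its DN has no VUSREXTID entry"
    return result


if __name__ == "__main__":
    for name, trace in [("working", TRACE_WORKING),
                        ("asked, not sent", TRACE_ASKED_NOT_SENT),
                        ("never asked", TRACE_NEVER_ASKED)]:
        print(f"{name}: {analyse_ssl_trace(trace, USREXTID)['diagnosis']}")
```

Run it against a real SMICM trace by passing the relevant [Thr ...] lines of one connection as the trace string; the three branches correspond to the three configurations Olivier lists (not asked, asked but optional, required) and to the CA-in-PSE and VUSREXTID checks made further down in the thread.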
Thanks a lot, Olivier!
This is very valuable - now I know what to expect in the trace. My server seems to request the certificate just as yours does:
[Thr 3496] in: args = "role=0 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
... but doesn't get one:
[Thr 3496] status = "new SSL session, NO client cert"
I tried both with IE and Firefox, imported all SAP TCS root certificates... With the same result. I even tried deleting all personal certificates from IE except one.
Maybe my server is set to ask client cert, but for some reason doesn't do that? Do you have an idea what else to try?
Could you give me your SSL-related profile parameters setting to compare?
Can you remember something special about SSL Server certificate requests / responses?
If you feel any bells ringing, please shout!
Thanks!
Regards,
Igor
Hi Igor,
I don't really understand your problem as my browser never had a problem to send the certificate.
Maybe, instead of a browser, you can try to use an abap system as the https client. This could help you understand if the problem is really on the browser side.
Here are my R/3 4.7 ICM SSL settings:
icm/server_port_1 = PROT=HTTPS,PORT=1422
icm/HTTPS/verify_client = 1
ssf/name = SAPSECULIB
ssf/ssfapi_lib = D:\usr\sap\TLG\SYS\exe\run\sapcrypto.dll
sec/libsapsecu = D:\usr\sap\TLG\SYS\exe\run\sapcrypto.dll
ssl/ssl_lib = D:\usr\sap\TLG\SYS\exe\run\sapcrypto.dll
In STRUST the SSL Server PSE is defined. The SSL server certificate is self signed (test system).
The CA certificate from the client certificate is entered in the certificate list.
After entering this CA certificate in the certificate list, did you restart the ICM?
It is mandatory.
Regards,
Olivier
Igor,
Do you have a reverse proxy like the SAP Web Dispatcher or Apache between your browser and the ICM?
If yes, it has to be configured to transmit the client certificate.
I would advise trying first without a reverse proxy.
Just a thought, as I'm currently dealing a lot with https and reverse proxies on my current project...
Olivier
Just a simple question for all using x.509 and SSO: which 3rd party provider are you guys (and gals) using for SSO?
Just a follow-up - I was able to solve the problem by reviewing the profile parameter:
icm/server_port_2 = PROT=HTTPS,PORT=8405,TIMEOUT=900,VCLIENT=2
I had VCLIENT=0, and while the online help for 640 suggested that VCLIENT was not evaluated on 640, the 700 online help suggested that VCLIENT=0 would override
icm/HTTPS/verify_client = 2
Which was in fact the case...!
I would surmise the Basis 7.00 functionality was brought into Basis 6.40 at some point with a SP...
thanks
-JB
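The override JB describes can be checked mechanically instead of being discovered after the fact. The Python script below is an added example, not from the thread or from SAP: it parses a constructed instance-profile excerpt and reports, for each HTTPS port, which client-verification mode is actually in effect, treating a VCLIENT value on the icm/server_port_N entry as taking precedence over icm/HTTPS/verify_client, exactly as JB found. The parameter names and the meaning of the modes 0/1/2 come from this thread; the port numbers and the profile text are constructed, and no default is assumed when neither parameter is set.

```python
from typing import Dict, List

# Constructed instance-profile excerpt reproducing JB's situation: the
# instance-wide parameter demands a certificate, but one HTTPS port says VCLIENT=0.
PROFILE = """\
# constructed profile excerpt, not a real system
icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=10
icm/server_port_1 = PROT=HTTP, PORT=8000, TIMEOUT=10
icm/server_port_2 = PROT=HTTPS,PORT=8405,TIMEOUT=900,VCLIENT=0
icm/HTTPS/verify_client = 2
"""

# Meaning of the three modes as Olivier describes them earlier in the thread.
MODE_NAMES = {
    "0": "no client certificate requested",
    "1": "certificate requested; basic authentication if none is sent",
    "2": "client certificate required",
}


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' profile lines; lines starting with '#' are comments."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_port_entry(value: str) -> Dict[str, str]:
    """Split 'PROT=HTTPS, PORT=443, TIMEOUT=10' into a dict with upper-case keys."""
    entry: Dict[str, str] = {}
    for item in value.split(","):
        if "=" in item:
            key, val = item.split("=", 1)
            entry[key.strip().upper()] = val.strip()
    return entry


def check_https_ports(profile_text: str) -> List[Dict[str, object]]:
    """Report the effective verification mode of every HTTPS port. VCLIENT on the
    port entry wins over icm/HTTPS/verify_client; without VCLIENT the global
    parameter applies; if neither is present the mode is reported as unset."""
    params = parse_profile(profile_text)
    global_mode = params.get("icm/HTTPS/verify_client")
    report: List[Dict[str, object]] = []
    for name in sorted(n for n in params if n.startswith("icm/server_port_")):
        port = parse_port_entry(params[name])
        if port.get("PROT", "").upper() != "HTTPS":
            continue
        vclient = port.get("VCLIENT")
        effective = vclient if vclient is not None else global_mode
        findings: List[str] = []
        if vclient is not None and global_mode is not None and vclient != global_mode:
            findings.append(f"VCLIENT={vclient} overrides icm/HTTPS/verify_client={global_mode} on this port")
        if effective is None:
            findings.append("neither VCLIENT nor icm/HTTPS/verify_client is set")
        elif effective == "0":
            findings.append("the browser will never be asked for a certificate on this port")
        report.append({
            "parameter": name,
            "port": port.get("PORT"),
            "effective_mode": effective,
            "meaning": MODE_NAMES.get(effective, "unset/unknown"),
            "findings": findings,
        })
    return report


if __name__ == "__main__":
    for row in check_https_ports(PROFILE):
        print(f"{row['parameter']} PORT={row['port']}: mode {row['effective_mode']} ({row['meaning']})")
        for finding in row["findings"]:
            print("   !", finding)
```

Feed it the output of the instance profile (or the values shown in RZ11) and look for any HTTPS port whose effective mode is 0 while the trace shows auth_type=0: that is the combination JB and Justin ran into.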
I am trying to implement SSO through the web-based GUI, using a digital certificate for user authentication. I have done the following:
1- I have configured my SAP ECC AS ABAP Server for SSO / HTTPS.
2- My server is signed with SAP AG test root Server certificate.
3- I am using x.509 free generator to generate Client certificate
4- I have mapped this client certificate in table USREXTID
5- I have also installed the above client certificate in my browser.
Now, when I am accessing the server through the HTTPS web link, I am getting this window:
See the screenshot from the link.
http://www.zshare.net/image/812282264b4e0cc2/
It's accepted as the SAP Service / TCS certificate is not a known CA for the world.
On clicking Continue, the System asks for the User ID and Password:
See the screenshot from the link.
http://www.zshare.net/image/81228268eda10f1c/
I believe it shouldn't ask for the user ID and password as I have installed the digital certificate and have maintained it under VUSREXTID.
Some part of my SMICM is below:
[Thr 5920] CONNECTION (id=2/11092):
used: 1, type: 1, role: 1, stateful: 0
NI_HDL: 52, protocol: HTTPS(2)
local host: 172.16.0.56:1443 ()
remote host: 172.19.65.2:52123 ()
status: NOP
connect time: 08.10.2010 08:52:32
MPI request: <0> MPI response: <0>
request_buf_size: 0 response_buf_size: 0
request_buf_used: 0 response_buf_used: 0
request_buf_offset: 0 response_buf_offset: 0
[Thr 5920] MPI:6 create pipe 0000000004A00AE0 1
[Thr 5920] MPI<1749>6#1 Open( ANONYMOUS 6 1 ) -> 6
[Thr 5920] MPI<1749>6#2 Open( ANONYMOUS 6 0 ) -> 6
[Thr 5920] MPI:9 create pipe 0000000004A00F60 1
[Thr 5920] MPI<174a>9#1 Open( ANONYMOUS 9 0 ) -> 9
[Thr 5920] MPI<174a>9#2 Open( ANONYMOUS 9 1 ) -> 9
[Thr 5920] <<- SapSSLSessionInit()==SAP_O_K
[Thr 5920] in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
[Thr 5920] out: sssl_hdl = 0000000009E15130
[Thr 5920] NiIBlockMode: set blockmode for hdl 52 TRUE
[Thr 5920] SSL NI-sock: local=172.16.0.56:1443 peer=172.19.65.2:52123
[Thr 5920] <<- SapSSLSetNiHdl(sssl_hdl=0000000009E15130, ni_hdl=52)==SAP_O_K
[Thr 5920] <<- SapSSLSessionStart(sssl_hdl=0000000009E15130)==SAP_O_K
[Thr 5920] status = "new SSL session, NO client cert"
[Thr 5920] IcmPlCheckRetVal: Next status: READ_REQUEST(1)
[Thr 5920] IcmReadFromConn(id=2/11092): request new MPI (0/0)
[Thr 5920] MPI<1749>6#3 GetOutbuf -1 1771d0 65536 (0) -> 0000000004B77240 0
[Thr 5920] <<- SapSSLReadPending(sssl_hdl=0000000009E15130)==SAP_O_K
[Thr 5920] out: pendlen = 0
[Thr 5920] <<- SapSSLRead(sssl_hdl=0000000009E15130)==SAP_O_K
[Thr 5920] result = "max=65463, received=430"
[Thr 5920] IcmReadFromConn(id=2/11092): read 430 bytes(timeout 500)
[Thr 5920] BINDUMP of content denied
[Thr 5920] PlugInHandleNetData(rqid=2/11092/1): role: 1, status: 1
#content-length: 0/0, buf_len: 430, buf_offset: 0, buf_status: 0
Olivier,
Thanks for replying!
Igor
Hi,
Suffering from similar situation as described in this thread.
On one hand, I'm encouraged that I've been following pretty much all the same steps described in this thread, but disheartened that Igor's ultimate fix (importing CA cert) hasn't helped us here -
There was one big 'eureka' moment in this thread however - thanks Olivier for putting up an icm trace on a working system -
Whereas y'all are seeing
[Thr 3120] ->> SapSSLSessionInit(&sssl_hdl=010521B8, role=0 (SERVER), auth_type=1 (ASK_CLIENT_CERT))
[Thr 2216] No Client Certificate
[Thr 2216] status = "new SSL session, NO client cert".
I am seeing
[Thr 1086949728] ->> SapSSLSessionInit(&sssl_hdl=0x2aaeea7ae8, role=0 (SERVER), auth_type=0 (NO_CLIENT_CERT))
[Thr 2216] No Client Certificate
[Thr 2216] status = "new SSL session, NO client cert".
Odd that auth_type=0 consistently through all my troubleshooting machinations, even though I've set
icm/HTTPS/verify_client = 1
and tried also
icm/HTTPS/verify_client = 2
Any ideas here? Guess it's time to track down the latest icman patch for 640 kernel...
thanks
-Justin Burmeister
Hello,
I have a similar issue and am going crazy...
I would like to have SSL reencryption between the webdisp and an EP 7 but I don't know why the portal wants to map the webdispatcher certificate to the first user which logs into the system (then all users who have a x509 client certificate installed on their browser will log in as the first user)
Basically the ssl termination at the webdispatcher works fine but with ssl encryption between the webdisp and the portal the client certificate is lost somewhere
I followed these links
http://help.sap.com/saphelp_nw70/helpdata/EN/62/881e3e3986f701e10000000a114084/frameset.htm
http://help.sap.com/saphelp_nw70/helpdata/EN/bc/2ee9a2d023d64eac961745ea2cb503/frameset.htm
http://help.sap.com/saphelp_nw70/helpdata/EN/14/29236de1864c6e8d46e77192adaa95/content.htm
http://help.sap.com/saphelp_nw70/helpdata/EN/43/c38e0001581bbce10000000a1553f7/content.htm
http://help.sap.com/saphelp_nw70/helpdata/EN/44/200cb204a75cfbe10000000a155369/content.htm
http://help.sap.com/saphelp_nw70/helpdata/EN/ea/301e3e6217b40be10000000a114084/frameset.htm
http://help.sap.com/saphelp_nw70/helpdata/EN/76/6d4fa247d0d647b5bd40745400d873/frameset.htm
Do you have any idea?
many thanks and regards,
Michele
Further to my above post, when I thoroughly checked my SMICM logs against Olivier CHRETIEN's logs, I found the following differences.
in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
in my trace "role=2 (SERVER)"
while the value from Olivier CHRETIEN's log is
"role=0 (SERVER)"
Does it make any difference?
Secondly, when I am trying to access the Web GUI with IE 8, my trace says this:
SapSSLSessionStart(sssl_hdl=0000000009E15130)==SSSLERR_CONN_CLOSED
And when I tried to access the site with firefox I am getting the following!
<<- SapSSLSessionInit()==SAP_O_K
in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
out: sssl_hdl = 0000000009E15130
NiIBlockMode: set blockmode for hdl 49 TRUE
SSL NI-sock: local=172.16.0.56:1443 peer=172.19.65.2:52385
<<- SapSSLSetNiHdl(sssl_hdl=0000000009E15130, ni_hdl=49)==SAP_O_K
<<- SapSSLSessionStart(sssl_hdl=0000000009E15130)==SAP_O_K
status = "new SSL session, NO client cert"
I believe it's strange behavior between the two browsers: Firefox has been able to transmit my client certificate and IE not, but even with Firefox my issue still persists, and the system asks for the user ID and password.
Hi, Igor
I have the same problem and I can't resolve it. Could you help me?
I have NW2004s ABAP and want to configure SSL and X.509.
And now I want to ask some questions.
1. You said that you imported certificates into your browser from service.sap.com.
Did you import the S-user certificate?
2. Distinguished Name as found in the user's certificate.
CN=S-User, OU=SAP Service and etc ....
3. Do I need to configure the SSL Server and SSL Client PSE?
Hi,
>>1. You said that You imported certificates into Your browser from >>service.sap.com.
>>Did You import S-user certificate ?
Yes, I did that: I use it to connect to service.sap.com and SDN, and I configured my test R/3 system to accept it for authentication. It means I did a mapping between my S user and my abap user.
>>2. Distinguished Name as found in the user's certificate.
>>CN=S-User, OU=SAP Service and etc ....
Yes, that is the look of the Client certificate from service.sap.com.
>>3.Do i need configure SSL Server and SSL Client PSE
If you want to try client certificate authentication, you need to configure the ICM as an SSL server and so to create an SSL server PSE in STRUST.
There is no need for a SSL client PSE.
Regards,
Olivier