
SSL and X.509: browser doesn't prompt for a certificate

former_member185943
Participant
0 Kudos

Hello!

I am trying to configure my NW ABAP to work with certificates. I have followed the instructions in SAP help for <a href="http://help.sap.com/saphelp_nw04/helpdata/en/65/6a563cef658a06e10000000a11405a/content.htm">Configuring the SAP Web AS for Supporting SSL</a> and <a href="http://help.sap.com/saphelp_nw70/helpdata/en/a8/d9d53a9aa9e933e10000000a114084/content.htm">Configuring the System for Using X.509 Client Certificates</a>. I configured the PSEs, set the profile parameters, imported certificates into my browser from service.sap.com, set values in USREXTID table.

Now I can use the services from SICF via HTTPS with no problem by providing username and password when prompted by web browser. However, I can't make the browser prompt me for a certificate. I tried to play with service parameters in SICF. No matter what I do, my browser never asks me for a certificate. What am I missing?

Thanks for your hints!

Regards,

Igor

Here are my profile parameters:

[code]ssf/name = SAPSECULIB
ssf/ssfapi_lib = $(DIR_CT_RUN)\sapcrypto.dll
sec/libsapsecu = $(DIR_CT_RUN)\sapcrypto.dll
ssl/ssl_lib = $(DIR_CT_RUN)\sapcrypto.dll
icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=10
icm/server_port_1 = PROT=HTTP, PORT=8000, TIMEOUT=10
icm/HTTPS/verify_client = 1
snc/extid_login_diag = 1
snc/extid_login_rfc = 1
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticket_only_to_host = 1[/code]

Accepted Solutions (1)

Former Member
0 Kudos

Hi Igor,

The browser will not prompt you to send the certificate, it just does it.

The certificate just authenticates the HTTPS connection.

If you want to connect an abap user with a client certificate, you have to do a mapping between the DN of the certificate and an abap user.

This is done in view VUSREXTID. You can update it with SM30.

Choose "External ID Type" = DN (DN of Certificate (X500)).

Hope this helps.

Olivier

former_member185943
Participant
0 Kudos

Hi, Olivier!

Thanks for your reply!

But sending default cert or selecting one is a browser setting, isn't it (e.g. in Firefox there are option buttons "Select one automatically" and "Ask me every time")? Then the browser prompts me to select which one I want to use (for instance, if I try to logon to SDN this happens every time). The browser should know somehow that the server expects a certificate. To me it seems that my server is failing to send such request and I don't know how to correct this. Am I right? Why would logging to SAP WAS service be different?

Or is there something specific with SAP WAS?

Thanks!

Regards,

Igor

Former Member
0 Kudos

Igor,

You are right that it is the SSL server which asks for a certificate from the client browser. It is part of the SSL handshake.

The server can be configured to either :

  • not ask for the certificate

  • ask for the certificate and if no certificate ask for basic authentication

  • require the client certificate

With IE 6, I am asked to validate the sending of my client certificate (S user) when connecting to service.sap.com

But when I use this client certificate to connect to a test R/3 system, I don't have to validate anything. The client certificate is sent automatically.

I made the correspondence between my S user and my abap user in VUSREXTID.

icm/HTTPS/verify_client = 1

this parameter means that your server asks for a certificate but it is not mandatory.

Try to use

icm/HTTPS/verify_client = 2

The certificate will be mandatory.

To see exactly what's going on, increase the trace level of the ICM and you will see if your server actually asks for a client certificate.

Regards,

Olivier

former_member185943
Participant
0 Kudos

Thanks, Olivier!

This is not such a good solution, because I can't set a default certificate in the browser. I suppose the first one (or even worse: a random one) is sent. Anyway, I'll try and let you know.

Igor

Former Member
0 Kudos

It seems to me that all client certificates are sent until one is OK....

The order seems random.

I agree that this behaviour is strange !

Olivier

former_member185943
Participant
0 Kudos

Hello, Olivier!

I examined the trace - too big to quote, but I tried to find occurrences of the "cert" word. It seems to me that the server requests a certificate, but the browser does not return one.

The log is full of lines like:

[Thr 3120] ->> SapSSLSessionInit(&sssl_hdl=010521B8, role=0 (SERVER), auth_type=1 (ASK_CLIENT_CERT))

I believe this means that the server is asking for the certificate. But then comes (after a few tens of trace lines):

[Thr 2216]   No Client Certificate

or

[Thr 2216]          status = "new SSL session, NO client cert".

And now comes the strange one. The last one containing the "cert" word:

[Thr 792] ->> SapSSLGetPeerInfo(sssl_hdl=085D0CB0, &cert=07D4FE90, &cert_len=07D4FE88, &subject_dn=07D4FE80, &issuer_dn=07D4FE84, &cipher=07D4FE60)

Is this how it should look? I created the USREXTID entry by importing the cert from my browser to STRUST, and then copy-pasting the name to avoid typos. But I don't know what to do with these hex values. Do you have an idea what now?

Thanks!

Regards,

Igor

Former Member
0 Kudos

Hello Igor,

Here is an extract of the ICM log for a successful HTTPS connection authenticated with a client X.509 certificate. This comes from an R/3 4.7 with a 6.40 kernel.

[Thr 2944] IcmExternalLogin: Connection request from Client received

[Thr 2944] IcmServIncrRefCount: bt1fsapltb02:1422 - serv_ref_count: 2

[Thr 2944] IcmConnIntegrateServer: accepted connection from 172.xx.xx.xx on service 1422

My ICM is configured to ask for a certificate

[Thr 2428] <<- SapSSLSessionInit()==SAP_O_K

[Thr 2428] in: args = "role=0 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"

[Thr 2428] out: sssl_hdl = 00000000002CA9E0

The certificate from the browser is received :

[Thr 4536] <<- SapSSLSessionStart(sssl_hdl=00000000002CAB40)==SAP_O_K

[Thr 4536] status = "new SSL session, received client cert"

[Thr 4536] Client DN = "CN=S0000xxxxxx, OU=SAP Service Marketplace, O=SAP Trust Community, C=DE"

The DN is extracted from the client certificate

[Thr 5424] <<- SapSSLGetPeerInfo(sssl_hdl=00000000002CAB40)==SAP_O_K

[Thr 5424] HttpLogHandler: cert issued for "S0000xxxxxx"

In view VUSREXTID, I have this mapping :

External ID type : DN

External ID : CN=S0000xxxxxx, OU=SAP Service Marketplace, O=SAP Trust Community, C=DE

Seq No : 000

User : OCHRETIE ( my abap user)

Activated : X

The result is :

In the ICM HTTP logs, I'm authenticated with the CN from the certificate :

172.xx.xx.xx - S0000xxxxxx [30/Oct/2007:09:15:56 +0100] "GET /sap/bc/bsp/sap/it00/misc_echo.htm HTTP/1.1" 302 25

In the abap stack (STAD), I'm authenticated with my abap user :

09:15:55 bt1fsapltb02_TLG misc_echo.htm T 0 OCHRETIE 377

Simple, no ?

It seems that you have a problem with your certificate...

Regards,

Olivier
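To turn Olivier's working trace and Igor's failing one into a repeatable check, here is an added example (not code from the thread or from SAP) that scans an ICM trace excerpt for the SapSSLSessionInit auth_type, the SapSSLSessionStart status and the Client DN, then reports which stage of client-certificate logon broke; the sample trace and the DN-to-user table are constructed to mirror the lines quoted above.

```python
import re

# Constructed ICM trace excerpt, modelled on the lines quoted in this thread (not a real capture).
SAMPLE_TRACE = """\
[Thr 2428] <<- SapSSLSessionInit()==SAP_O_K
[Thr 2428] in: args = "role=0 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
[Thr 2428] out: sssl_hdl = 00000000002CA9E0
[Thr 4536] <<- SapSSLSessionStart(sssl_hdl=00000000002CAB40)==SAP_O_K
[Thr 4536] status = "new SSL session, received client cert"
[Thr 4536] Client DN = "CN=S0000xxxxxx, OU=SAP Service Marketplace, O=SAP Trust Community, C=DE"
"""

# Constructed stand-in for the VUSREXTID mapping (External ID type DN -> ABAP user); hypothetical values.
DN_MAPPING = {
    "CN=S0000xxxxxx, OU=SAP Service Marketplace, O=SAP Trust Community, C=DE": "OCHRETIE",
}

AUTH_RE = re.compile(r'auth_type=(\d+) \((\w+)\)')
STATUS_RE = re.compile(r'status = "new SSL session, (received client cert|NO client cert)"')
DN_RE = re.compile(r'Client DN = "([^"]+)"')


def diagnose(trace, mapping=DN_MAPPING):
    """Return (verdict, detail) for the SSL session in a trace excerpt.

    The excerpt is assumed to cover one session; later lines win if it covers several.
    """
    auth_type = status = client_dn = None
    for line in trace.splitlines():
        if m := AUTH_RE.search(line):
            auth_type = int(m.group(1))          # 0 = NO_CLIENT_CERT, 1 = ASK_CLIENT_CERT
        elif m := STATUS_RE.search(line):
            status = m.group(1)                  # outcome of the handshake
        elif m := DN_RE.search(line):
            client_dn = m.group(1)               # subject DN the ICM extracted from the cert
    if auth_type is None:
        return ("no_ssl_session", "no SapSSLSessionInit args found; raise the ICM trace level")
    if auth_type == 0:
        return ("server_not_asking", "auth_type=0 (NO_CLIENT_CERT): check icm/HTTPS/verify_client "
                "and any VCLIENT= override on icm/server_port_N (RZ11 / RSPARAM)")
    if status == "NO client cert":
        return ("no_cert_received", "server asked but the browser sent nothing: check that the issuing "
                "CA is in the SSL server PSE certificate list, restart the ICM, bypass any reverse proxy")
    if status == "received client cert" and client_dn:
        user = mapping.get(client_dn)
        if user is None:
            return ("dn_unmapped", "cert received but DN has no VUSREXTID entry: " + client_dn)
        return ("ok", client_dn + " -> ABAP user " + user)
    return ("incomplete", "session initialised but no status/DN lines in this excerpt")
```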

former_member185943
Participant
0 Kudos

Thanks a lot, Olivier!

This is very valuable - now I know what to expect in trace. My server (seems to) requests the certificate just as yours does:

[Thr 3496]      in: args = "role=0 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"

... but doesn't get one:

[Thr 3496]          status = "new SSL session, NO client cert"

I tried both with IE and Firefox, imported all SAP TCS root certificates... With the same result. I even tried deleting all personal certificates from IE except one.

Maybe my server is set to ask client cert, but for some reason doesn't do that? Do you have an idea what else to try?

Could you give me your SSL-related profile parameters setting to compare?

Can you remember something special about SSL Server certificate requests / responses?

If you feel any bells ringing, please shout!

Thanks!

Regards,

Igor

Former Member
0 Kudos

Hi Igor,

I don't really understand your problem as my browser never had a problem sending the certificate.

Maybe instead of a browser, you can try to use an abap system as the https client. This could help you understand if the problem is really on the browser side.

Here are my R/3 4.7 ICM SSL settings:

icm/server_port_1 = PROT=HTTPS,PORT=1422

icm/HTTPS/verify_client = 1

ssf/name = SAPSECULIB

ssf/ssfapi_lib = D:\usr\sap\TLG\SYS\exe\run\sapcrypto.dll

sec/libsapsecu = D:\usr\sap\TLG\SYS\exe\run\sapcrypto.dll

ssl/ssl_lib = D:\usr\sap\TLG\SYS\exe\run\sapcrypto.dll

In STRUST the SSL Server PSE is defined. The SSL server certificate is self signed (test system).

The CA certificate from the client certificate is entered in the certificate list.

After entering this CA certificate in the certificate list, did you restart the ICM ?

It is mandatory.

Regards,

Olivier

Former Member
0 Kudos

Igor,

Do you have a reverse proxy like the SAP Web Dispatcher or Apache between your browser and the ICM ?

If yes, it has to be configured to transmit the client certificate.

I would advise trying first without a reverse proxy.

Just a thought, as I'm currently dealing a lot with https and reverse proxies on my current project...

Olivier

former_member185943
Participant
0 Kudos

Hi, Olivier!

I didn't have the CA cert in my server's list - that was the problem. I imported it and now it works - Firefox even prompts me for certificate!

Thanks!

You deserved your harvest of points.

Regards,

Igor

Former Member
0 Kudos

Hi Igor,

I'm glad it worked out for you !

Regards,

Olivier

Answers (4)

Former Member
0 Kudos

Just a simple question for all using x.509 and SSO: which 3rd party provider are you guys (and gals) using for SSO?

Former Member
0 Kudos

Just a follow-up - was able to solve the problem by reviewing profile parameter:

icm/server_port_2 = PROT=HTTPS,PORT=8405,TIMEOUT=900,VCLIENT=2

I had VCLIENT=0, and while the online help for 640 suggested that VCLIENT was not evaluated on 640, the 700 online help suggested that VCLIENT=0 would override

icm/HTTPS/verify_client = 2

Which was in fact the case...!

I would surmise the Basis 7.00 functionality was brought into Basis 6.40 at some point with a SP...

thanks

-JB
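JB's finding is that a VCLIENT= option on an icm/server_port_N entry overrides the global icm/HTTPS/verify_client. As an added example (not code from the thread or from SAP), this script parses a profile excerpt modelled on the parameters quoted in this thread and reports the effective verify level per HTTPS port and where it came from; the default of 1 when icm/HTTPS/verify_client is absent is an assumption.

```python
import re

# Constructed profile excerpt; the values are illustrative, not a real instance profile.
SAMPLE_PROFILE = """\
icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=10
icm/server_port_1 = PROT=HTTP, PORT=8000, TIMEOUT=10
icm/server_port_2 = PROT=HTTPS,PORT=8405,TIMEOUT=900,VCLIENT=0
icm/HTTPS/verify_client = 2
"""

# Meaning of the three levels as described earlier in the thread.
VERIFY_MEANING = {
    0: "do not ask for a client certificate",
    1: "ask for a certificate, fall back to other logon",
    2: "require a client certificate",
}


def parse_profile(text):
    """Return {parameter: raw value}, ignoring blank and comment lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def port_options(value):
    """Split 'PROT=HTTPS, PORT=443, TIMEOUT=10' into {'PROT': 'HTTPS', 'PORT': '443', ...}."""
    opts = {}
    for item in value.split(","):
        key, _, val = item.strip().partition("=")
        opts[key.strip().upper()] = val.strip()
    return opts


def effective_verify_client(text):
    """Map each HTTPS port to (level, source, meaning); VCLIENT on the port overrides the global."""
    params = parse_profile(text)
    global_level = int(params.get("icm/HTTPS/verify_client", "1"))  # assumed default: 1
    result = {}
    for name, value in params.items():
        if not re.fullmatch(r"icm/server_port_\d+", name):
            continue
        opts = port_options(value)
        if opts.get("PROT", "").upper() != "HTTPS":
            continue  # VCLIENT only matters on HTTPS ports
        if "VCLIENT" in opts:
            level, source = int(opts["VCLIENT"]), "VCLIENT"
        else:
            level, source = global_level, "icm/HTTPS/verify_client"
        result[int(opts["PORT"])] = (level, source, VERIFY_MEANING[level])
    return result
```

Running it on the sample shows port 443 requiring a certificate (level 2 from the global parameter) while port 8405 never asks for one, because its VCLIENT=0 wins.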

sohail_rana
Explorer
0 Kudos

I am trying to implement SSO thru Web Based Gui and using Digital Certificate for the user authentication. I have done the following

1- I have configured my SAP ECC AS ABAP Server for SSO / HTTPS.

2- My server is signed with SAP AG test root Server certificate.

3- I am using x.509 free generator to generate Client certificate

4- I have mapped this client certificate in table USREXTID

5- I have also installed the above client certificate in my browser.

Now, when I am accessing the Server thru HTTPS web link, I am getting this window:

See the screenshot from the link.

http://www.zshare.net/image/812282264b4e0cc2/

It's accepted as SAP Service / TCS certificate is not a known CA for the world.

On clicking Continue, the System asks for the User ID and Password:

See the screenshot from the link.

http://www.zshare.net/image/81228268eda10f1c/

I believe it shouldn't ask for the user ID and password as I have installed the digital certificate and have maintained it under VUSREXTID

Some part of my SMICM is below:

[Thr 5920] CONNECTION (id=2/11092):

used: 1, type: 1, role: 1, stateful: 0

NI_HDL: 52, protocol: HTTPS(2)

local host: 172.16.0.56:1443 ()

remote host: 172.19.65.2:52123 ()

status: NOP

connect time: 08.10.2010 08:52:32

MPI request: <0> MPI response: <0>

request_buf_size: 0 response_buf_size: 0

request_buf_used: 0 response_buf_used: 0

request_buf_offset: 0 response_buf_offset: 0

[Thr 5920] MPI:6 create pipe 0000000004A00AE0 1

[Thr 5920] MPI<1749>6#1 Open( ANONYMOUS 6 1 ) -> 6

[Thr 5920] MPI<1749>6#2 Open( ANONYMOUS 6 0 ) -> 6

[Thr 5920] MPI:9 create pipe 0000000004A00F60 1

[Thr 5920] MPI<174a>9#1 Open( ANONYMOUS 9 0 ) -> 9

[Thr 5920] MPI<174a>9#2 Open( ANONYMOUS 9 1 ) -> 9

[Thr 5920] <<- SapSSLSessionInit()==SAP_O_K

[Thr 5920] in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"

[Thr 5920] out: sssl_hdl = 0000000009E15130

[Thr 5920] NiIBlockMode: set blockmode for hdl 52 TRUE

[Thr 5920] SSL NI-sock: local=172.16.0.56:1443 peer=172.19.65.2:52123

[Thr 5920] <<- SapSSLSetNiHdl(sssl_hdl=0000000009E15130, ni_hdl=52)==SAP_O_K

[Thr 5920] <<- SapSSLSessionStart(sssl_hdl=0000000009E15130)==SAP_O_K

[Thr 5920] status = "new SSL session, NO client cert"

[Thr 5920] IcmPlCheckRetVal: Next status: READ_REQUEST(1)

[Thr 5920] IcmReadFromConn(id=2/11092): request new MPI (0/0)

[Thr 5920] MPI<1749>6#3 GetOutbuf -1 1771d0 65536 (0) -> 0000000004B77240 0

[Thr 5920] <<- SapSSLReadPending(sssl_hdl=0000000009E15130)==SAP_O_K

[Thr 5920] out: pendlen = 0

[Thr 5920] <<- SapSSLRead(sssl_hdl=0000000009E15130)==SAP_O_K

[Thr 5920] result = "max=65463, received=430"

[Thr 5920] IcmReadFromConn(id=2/11092): read 430 bytes(timeout 500)

[Thr 5920] BINDUMP of content denied

[Thr 5920] PlugInHandleNetData(rqid=2/11092/1): role: 1, status: 1

#content-length: 0/0, buf_len: 430, buf_offset: 0, buf_status: 0

former_member185943
Participant
0 Kudos

Olivier,

Thanks for replying!

Igor

Former Member
0 Kudos

Hi,

Suffering from similar situation as described in this thread.

On one hand, I'm encouraged that I've been following pretty much all the same steps described in this thread, but disheartened that Igor's ultimate fix (importing CA cert) hasn't helped us here -

There was one big 'eureka' moment in this thread however - thanks Olivier for putting up an icm trace on a working system -

Whereas y'all are seeing

[Thr 3120] ->> SapSSLSessionInit(&sssl_hdl=010521B8, role=0 (SERVER), auth_type=1 (ASK_CLIENT_CERT))

[Thr 2216] No Client Certificate

[Thr 2216] status = "new SSL session, NO client cert".

I am seeing

[Thr 1086949728] ->> SapSSLSessionInit(&sssl_hdl=0x2aaeea7ae8, role=0 (SERVER), auth_type=0 (NO_CLIENT_CERT))

[Thr 2216] No Client Certificate

[Thr 2216] status = "new SSL session, NO client cert".

Odd that auth_type=0 consistently through all my troubleshooting machinations, even though I've set

icm/HTTPS/verify_client = 1

and tried also

icm/HTTPS/verify_client = 2

Any ideas here? Guess it's time to track down the latest icman patch for 640 kernel...

thanks

-Justin Burmeister

Former Member
0 Kudos

Hi Justin,

Did you check the value of icm/HTTPS/verify_client with RZ11 and RSPARAM ?

Regards,

Olivier

former_member203322
Participant
0 Kudos

Hello,

I have a similar issue and am going crazy...

I would like to have SSL reencryption between the webdisp and an EP 7 but I don't know why the portal wants to map the webdispatcher certificate to the first user which logs into the system (then all users who have an X.509 client certificate installed on their browser will log in as the first user)

Basically the ssl termination at the webdispatcher works fine but with ssl encryption between the webdisp and the portal the client certificate is lost somewhere

I followed these links

http://help.sap.com/saphelp_nw70/helpdata/EN/62/881e3e3986f701e10000000a114084/frameset.htm

http://help.sap.com/saphelp_nw70/helpdata/EN/bc/2ee9a2d023d64eac961745ea2cb503/frameset.htm

http://help.sap.com/saphelp_nw70/helpdata/EN/14/29236de1864c6e8d46e77192adaa95/content.htm

http://help.sap.com/saphelp_nw70/helpdata/EN/43/c38e0001581bbce10000000a1553f7/content.htm

http://help.sap.com/saphelp_nw70/helpdata/EN/44/200cb204a75cfbe10000000a155369/content.htm

http://help.sap.com/saphelp_nw70/helpdata/EN/ea/301e3e6217b40be10000000a114084/frameset.htm

http://help.sap.com/saphelp_nw70/helpdata/EN/76/6d4fa247d0d647b5bd40745400d873/frameset.htm

do you have any idea ?

many thanks and regards,

Michele

sohail_rana
Explorer
0 Kudos

Further to my above post, when I thoroughly checked my SMICM logs against Olivier CHRETIEN's logs, I found the following differences.

in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"

in my trace "role=2 (SERVER)"

while the value from Olivier CHRETIEN log is

"role=0 (SERVER)"

Does it make any difference?

Secondly, when I am trying to access WEB Gui with IE 8, my trace says like that

SapSSLSessionStart(sssl_hdl=0000000009E15130)==SSSLERR_CONN_CLOSED

And when I tried to access the site with firefox I am getting the following!

<<- SapSSLSessionInit()==SAP_O_K

in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"

out: sssl_hdl = 0000000009E15130

NiIBlockMode: set blockmode for hdl 49 TRUE

SSL NI-sock: local=172.16.0.56:1443 peer=172.19.65.2:52385

<<- SapSSLSetNiHdl(sssl_hdl=0000000009E15130, ni_hdl=49)==SAP_O_K

<<- SapSSLSessionStart(sssl_hdl=0000000009E15130)==SAP_O_K

status = "new SSL session, NO client cert"

I believe it's strange behavior between the two browsers, Firefox has been able to transmit my client certificate and IE not, but even with Firefox my issue still persists, and the system asks for the user ID and Password.

Former Member
0 Kudos

Hi, Igor

I have the same problem and I can't resolve it. Could you help me?

I have NW2004s ABAP and want to configure SSL and X.509.

And now I want to ask some questions.

1. You said that You imported certificates into Your browser from service.sap.com.

Did You import S-user certificate ?

2. Distinguished Name as found in the user's certificate.

CN=S-User, OU=SAP Service and etc ....

3. Do I need to configure SSL Server and SSL Client PSE?

Former Member
0 Kudos

Hi,

>>1. You said that You imported certificates into Your browser from >>service.sap.com.

>>Did You import S-user certificate ?

Yes I did that : I use it to connect to service.sap.com, SDN, and I configured my test R/3 system to accept it for authentication. It means I did a mapping between my S user and my abap user.

>>2. Distinguished Name as found in the user's certificate.

>>CN=S-User, OU=SAP Service and etc ....

Yes, that is the look of the Client certificate from service.sap.com.

>>3.Do i need configure SSL Server and SSL Client PSE

If you want to try client certificate authentication, you need to configure the ICM as an SSL server and so to create an SSL server PSE in STRUST.

There is no need for a SSL client PSE.

Regards,

Olivier