
"No Certificate Available" while performing Principal Propagation in SAP HANA


Hi All,

I am trying to do PrincipalPropagation in SAP Cloud Platform, where SAP HANA is used as a back-end system. I have selected X509 for Authentication. Also have installed the SAP Cloud Connector, did all the configurations, created all the required certificates for that. In Cloud-To-OnPremise, have mapped the On-Prem system, and checked for its availability. In PrincipalPropagation have synced and trusted accounts.sap.com, trial and services:dispatcher.

In the SAP Cloud Platform, using HTML5 applications, deployed the application and set the destinations for that. But once I run the application URL in Chrome, along with its destination/package/xsodata_name, I'm getting the below error:

"No Certificate Available"

"No successful authentication possible"

How can I resolve this issue? What certificate needs to be added for this?

Can someone please help me out in this regard?

Thanks in Advance,

Medini H K

Accepted Solutions (0)

Answers (3)


former_member213660
Participant

Hi Medini,

Can you please provide us some screenshots of the configurations you did on your backend?
Also, it will be good to take a look at the cloud connector logs "ljs_trace". You can increase them to Debug level and reproduce the issue.

There is this blog post (using an ABAP as backend) but you can use it to guide yourself in the configurations on SAP Cloud Platform and also the cloud connector.

In the backend, what you need to ensure is to accept a certificate as a form of authentication, trust the same and be able to map the subject of the same to a valid user in the backend.

There is also another option for SSO you can use, that is the SAPAssertionSSO. You can find more details about it here: https://blogs.sap.com/2018/10/17/how-to-guide-single-sign-on-with-sapassertionsso-between-scp-and-ab...

Thanks,
Augusto

former_member404043
Discoverer

Hi Ivan & Medini,

We have exactly the same problem. Is it possible to configure HANA to correctly read the SSL_CLIENT_CERT?

Best regards,
Daniel

Ivan-Mirisola
Product and Topic Expert

Hi Medini,

Have you seen this blog:

https://blogs.sap.com/2016/03/21/principal-propagation-between-html5-and-sap-hana-xs-on-sap-hana-clo...

I believe the only difference here is that the destination to your XS odata service points to an on-premise system. Whereas the blog uses a cloud XS system. Other than that, it should work just about the same. I presume you are using the principal propagation explained for an ABAP system (where you have to map X.509 certificates created on cloud connector to ABAP users). In your case, you need to configure your HANA system to accept the SAML token (which already contains the user id from the cloud - no mapping would be required since the IdP users will need to be created in the HANA anyway).

Best regards,
Ivan


Hi Ivan,

Thanks for the reply.

I have my HANA system On-Premise, which is not exposed externally, that's why I'm using SAP Cloud Connector. Is there any way to do that with X.509 in SAP HANA? If so please let me know.

Thanks in Advance,

Medini H K

Ivan-Mirisola
Product and Topic Expert

Hi Medini,

The blog I've sent you will propagate the identity from the user authenticated in SCP into a HANA database via App2AppSSO. Which in theory is only valid for cloud-cloud application principal propagation - so my bad if it doesn't work for on-premise systems - sorry. You may give it a try - the documentation may not always reflect the real world.

Clearly I've sent you the wrong link. Here is the correct blog I meant to send to you.

SAP Assertion SSO Authentication is the authentication you should be using - it basically sends a SAP Logon Ticket to the backend (which most SAP systems are able to accept).

The detailed explanation about your current setup option with X.509 Certificates:
=============================================================

In essence you have to interpret the 'Subject' name and find the user ID there. Usually the cloud users will not have the same IDs as the ones from HANA (it all depends on your architecture and systems involved). I am assuming you are using the SAP ID Service. But you could be using another IdP with LDAP users for instance.

If the users do in fact have different IDs you need to be able to map the cloud ID to an existing user in the HANA DB. I am not aware of such X.509 mapping functionality in HANA.

According to the documentation, the Principal Propagation feature is used primarily for ABAP systems - since they do not accept a lot of SSO options (mainly SAP Logon Tickets, SAML, X.509 certificates). In the 'ABAP world' systems have a transaction to manage certificate2user mapping - AFAIK there isn't such a feature in HANA.

In addition to that SCC will forward the certificate to the backend system using the following header variable SSL_CLIENT_CERT. That might be the reason your HANA box doesn't find the certificate - it hasn't been prepared to look for it in one of the header variables.

SCC is capable of creating X.509 on the fly based on the user it finds in the SAML token. However, the certificate is not sent to HANA in an expected way - only ABAP systems are really prepared to read it.

Best regards,
Ivan
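
The subject-to-user mapping discussed in the reply above, as an added example that is not part of the thread and not SAP code. It assumes the forwarded certificate has already been validated against the trusted CA and its subject is available as a comma-separated DN string; the mapping table, user names and function names are constructed for illustration.

```python
# Constructed mapping table (assumption): cloud user ID -> backend user.
USER_MAP = {"P000001": "BACKEND_ALICE", "P000002": "BACKEND_BOB"}
HEX = set("0123456789abcdefABCDEF")

def parse_dn(dn):
    """Split a DN string into (ATTR, value) pairs, honouring backslash escapes."""
    rdns, buf, esc = [], [], False
    for ch in dn:
        if esc:
            if ch in HEX:  # \2C style hex pairs are rejected, not guessed at
                raise ValueError("hex escapes are not supported")
            buf.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":  # only an unescaped comma ends an RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if esc:
        raise ValueError("dangling escape at end of DN")
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def map_subject_to_user(subject_dn, user_map=USER_MAP):
    """Return the backend user for a certificate subject, or raise PermissionError."""
    try:
        pairs = parse_dn(subject_dn)
    except ValueError as exc:
        raise PermissionError(f"unparseable subject: {exc}") from exc
    cns = [value for attr, value in pairs if attr == "CN"]
    if len(cns) != 1:  # fail closed on a missing or ambiguous identity
        raise PermissionError("subject must contain exactly one CN")
    user = user_map.get(cns[0])
    if user is None:  # no implicit fallback user
        raise PermissionError(f"no backend user mapped for CN {cns[0]!r}")
    return user
```

Matching on the parsed CN rather than searching the raw string for "CN=" keeps an escaped comma inside another attribute from being read as a second identity.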