Former Member

X.509 Authentication and SSO

Hi,

I'm currently running ECC 6.0 EHP4 on NW 7.01. I'm attempting to set up SSO/Authentication using X.509 certificates.

I have been using the pages on SAP and I have completed everything that is required but I'm having no joy. I have read many threads on here but none seem to give me the details I require. I was hoping someone could give me an example of what to do with the following:

When getting a CA to sign my certificate request (currently using SAP Test), what do I need to request?

When importing the certificate into my browser it says "This certificate cannot be verified up to a trusted certificate authority".

SAP is the CA, why does it say this?

I also have a question connected with the contents of USREXTID. I have maintained the entries in this table under the External ID Type = DN. Again, if someone could give an example I would be very grateful.

Regards,

Andy.


6 Answers

  • Best Answer
    Posted on Aug 24, 2011 at 11:12 PM

    > When importing the certificate into my browser it says "This certificate cannot be verified up to a trusted certificate authority"

    > SAP is the CA, why does it say this?

    The reason for this message is that the certificate is signed by SAP, but it seems like the browser does not trust SAP. Browsers only trust certificates signed by certificates (CAs) that are imported into the browser. For example, if you go in IE to Internet Options -> Content -> Certificates, you can see all Trusted Root CAs and Intermediate CAs.

    Off topic: If you see that list, it's a bit scary. The standard browser trusts lots of CAs. Currently, there is a discussion in the community about solving this issue. For example, check convergence.io.

    Cheers

  • Former Member
    Posted on Aug 24, 2011 at 07:06 PM

    Did you install the cryptographic libraries as well? (so not the default seculib library)

    Just to be sure: you are expecting this to work for web services or BSP applications, right? (so not SAPGui SSO).

    Cheers,

    Julius

  • Former Member
    Posted on Aug 25, 2011 at 08:44 AM

    Hi,

    Thanks for the quick replies.

    Julius, I have the SAP Cryptographic Library installed and I am trying to get this solution to work for access to SAP via Web Gui and BSP page for Web UI for CRM 7.0.

    Martin, thanks for the tip. I have now downloaded and installed to my browser the certificate which includes SAP in the list of trusted CAs. The certificate warning has now disappeared.

    I have been following this thread: "SSL and X.509: browser doesn't prompt for a certificate".

    I'm in a similar situation where I get the message in my ICM trace saying No Client Certificate.

    Regards,

    Andy.

  • Former Member
    Posted on Aug 25, 2011 at 09:18 AM

    Hi,

    I've checked the client certificate downloaded from STRUST and signed by SAP CA. In the details of this certificate it says:

    This certificate is intended for the following purpose(s):

    - Ensures the identity of a remote computer

    Is this correct for the certificate to provide authentication to the SAP system?

    Regards,

    Andy.

  • Former Member
    Posted on Aug 25, 2011 at 11:31 AM

    Hi,

    Thanks again for the info. I'm struggling with the client certificate. Following the notes on help.sap.com:

    http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3a/7cddde33ff05cae10000000a128c20/frameset.htm

    This talks about systems as clients not users. I'm unsure when setting the certificate of the following:

    1) Where to set the client PSE in STRUST. SSL client SSL Client (Standard)?

    2) What entries to put in Name, Org., Country, etc.

    3) What do I do with the response once signed by SAP and imported?

    4) In table VUSREXTID I think I should be using DN. But what to put as external identifier? Would this be my Windows user?

    All help appreciated

    Regards,

    Andy.


    • Former Member

      The SAP application servers can also act as a client in the communication, as is the case with type H and type G connections in SM59. In this case the client server is authenticating itself against another server.

      However for the fundamentals and SAP specific related administration tasks I would strongly suggest taking some training, otherwise it will just cause headaches and speculation about what is going on...

      SAP Education course ADM960 is what you are looking for.

      Cheers,

      Julius

  • author's profile photo Former Member
    Former Member
    Posted on Aug 25, 2011 at 02:21 PM

    Hi,

    Thanks for everyone's help. I have now successfully performed SSO using X.509 certificates on to my Web UI and Web Gui.

    The solution in the end was to import the SAP Passport CA Certificate from www.service.sap.com/tcsrootcert into the SSL Server Standard Certificate list in STRUST.

    I have read many threads, notes and help pages on this subject and don't remember it being mentioned before.

    My next issue will be to set up a process to allow users a similar process.

    Thanks again.

    Andy.


    • Former Member

      > My next issue will be to set up a process to allow users a similar process.

      Yes, this is one of the aspects of PKI based SSO which is well worth considering.

      For the SAP service portals it works okay because the folks are reasonably techie savvy who go there looking for SAP notes and downloading software and reporting program errors.

      For an end user, you must consider user friendliness otherwise you are doomed 😉

      Cheers,

      Julius
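
The trust check this thread keeps running into, as an added example that is not part of any poster's message: a certificate is accepted only when the verifier's own trust list holds the issuing CA, whether the verifier is the browser (the warning in the best answer) or the server (the CA import in the resolution). It uses the openssl CLI with throwaway CAs; every name, DN and the client/server usage comparison are constructed for illustration and are not taken from the thread's system.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway CAs and certificates; every name and DN is made up.
set -eu
W=$(mktemp -d)
cat > "$W/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
new_ca() {   # $1 = name, $2 = subject; writes a self-signed root CA
  openssl req -x509 -config "$W/cfg" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 1 -subj "$2" -keyout "$W/$1.key" -out "$W/$1.crt" 2>/dev/null
}
issue() {    # $1 = name, $2 = subject, $3 = extension section, $4 = issuing CA
  openssl req -new -config "$W/cfg" -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$4.crt" -CAkey "$W/$4.key" \
    -CAcreateserial -days 1 -extfile "$W/cfg" -extensions "$3" \
    -out "$W/$1.crt" 2>/dev/null
}
# True only if the chain ends in the given trust list AND the certificate
# is usable for TLS client authentication.
trusted_as_client() {   # $1 = certificate, $2 = CA used as the trust list
  openssl verify -purpose sslclient -CAfile "$W/$2.crt" "$W/$1.crt" 2>/dev/null \
    | grep -q ': OK$'
}
subject_dn() {          # $1 = certificate; prints its subject DN (RFC 2253 form)
  openssl x509 -noout -subject -nameopt RFC2253 -in "$W/$1.crt" | sed 's/^subject= *//'
}
new_ca issuing "/C=GB/O=Example Test CA/CN=Issuing CA"
new_ca other   "/C=GB/O=Unrelated/CN=Other CA"
issue user "/C=GB/O=Example/CN=DEMOUSER" client issuing
issue host "/C=GB/O=Example/CN=host.example" server issuing
for pair in "user issuing" "user other" "host issuing"; do
  set -- $pair
  if trusted_as_client "$1" "$2"; then r=accepted; else r=rejected; fi
  echo "$1 checked against trust list [$2]: $r"
done
echo "subject DN of user certificate: $(subject_dn user)"
```

Only the first check is accepted: the second fails because the trust list does not contain the issuing CA, and the third because that certificate carries server authentication usage only.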
