Skip to Content

The page requires a valid ssl client certificate (Mac OS / Safari)

Dear SCN Team,

i got an issue with using SCN on MAC OS with Safari.

If i don't have a valid SSL certificate provided by SAP (SMP), i am not able to logon SCN. Even if i have installed no certificate at all in my key store, i get the same error "The page requires a valid ssl client certificate".

This is a serious issue, because of i will loose my S-User due to company change and from that i will have a public SCN user (P-User) only with no SSL certificate at all.

Currently the SCN team is not able to copy any content from my old user to the new one (due to lack of functionality with the new SCN platform) and now i am not able to logon anymore with that P-user too.

Please check this SSL certificate behavior and provide a solution.

Thank you.

Safari Version: Version 5.1.7 (7534.57.2)

MAC OS: 10.7.4

Best Regards

Stefan

Add comment
10|10000 characters needed characters exceeded

7 Answers

  • Best Answer
    Posted on Sep 22, 2012 at 08:12 AM

    Hi Stefan,

    i found your thread, because i ran into the same problem.

    You may already have found your solution, but i like to add what i did now.

    The Apple-ID entry in the keystore of the Mac seems to be in relation with the problem. No idea why calling the scn.sap.com is catching this one.

    Because the date of the keystone-entry for the Apple-ID was the day when i started my "MacOS career" i had doubts to just delete it and see what happens. (Will there be any problems with the AppStore/OS-Updates afterwords?

    There was no helpful hint to the few similar threads in the web, therefore i just tried it.

    • Start MacOS-Keystore (="Schlüsselbundverwaltung" [german])
    • Category -> "All Objects"
    • Righ-Click on "com.apple.idms.appleid.prd.xxxxxxxxxxx" -> Export Entry -> choose location
      ( ...to feel better before deleting it) 😉
    • Right-Click -> Delete Entry

    Result:

    ➕Now i'm able to login to scn.sap.com again. (= normal behavior)

    ➕ I'm still able to start the AppStore, too.

    That's it so far. I anything comes up in the next days i'll update the thread.

    Best regards

    Christian

    Add comment
    10|10000 characters needed characters exceeded

  • Posted on Jul 01, 2012 at 11:31 AM

    Hello Stefan,

    In the new SCN platform we strongly recommend against using multiple user accounts. This can cause problems as I can see in your user accounts (inconsistency between the SCN account and LDAP)

    Using the admin tool, I fixed the inconsistencies in your accounts and did some manual manipulation.

    Now your s-user is associated with brose email address and your p-user is associated with soocs email address.

    Your p-user account is the one that now holds all your activities and points (I assume that this is what you wanted. Correct?)

    You should be able to perform the following operations:

    Go to SCN: http://scn.sap.com/welcome

    Log in with your p-user (this time login with your p-number, not with your email address)

    Verify that your account is ok, with all the activities and points.

    Only if you still need your s-user account, perform the following:

    log out from your p-user

    Log in with your s-user (this time login with your s-number, not with your email address)

    During this login you will have to approve the email address (must be different from the email address of your p-user), then you will be required to agree to the SCN terms of use.

    Please update me if this was helpful.

    Add comment
    10|10000 characters needed characters exceeded

  • Posted on Jul 02, 2012 at 09:48 AM

    The error "The page requires a valid ssl client certificate" I have seen only twice before now: once on Safari for Windows, and once on Chrome for iPad.

    In both cases, this is due to a bug in how SSL is handled by the browser.

    In our SSL configuration, the client certificate authentication can be configured for "request", "require" or "ignore". "Request" means that a certificate will be requested from the client, but it is not mandatory. "Require" means that a certificate is mandatory.

    We use the "Request" setting, precisely so that the absence of a certificate does not prevent users accessing the system via username/password.

    Unfortunately, it seems that there is some piece of SSL code on some Apple platforms that interprets "request" as "require" and will not let you in without a certificate.

    In the case of the other error "Digital certificate has expired", this is seems to be a case that the browser is presenting an outdated certificate to the server, and this is being rejected at SSL level - therefore, all certificates have not been removed from the browser in this case.

    I recommend that you get the latest O/S updates from Apple, and hopefully this fixes their SSL bug.

    Best regards,
    Darren Hague

    (SAP ID Service architect)

    Add comment
    10|10000 characters needed characters exceeded

    • Hi Darren,

      thanks for your reply.

      If i remove the SSL (SMP) certificate i still have one in my keychain. This certificate has nothing to do with SAP - it is from Apple itself (com.apple.idms.appleid.prd). I will check the thread.

      Thanks.

      Best Regards

      Stefan

  • Posted on Oct 16, 2013 at 08:00 AM

    As Darren correctly mentioned, the real problem in Safari is this:

    This is due to a bug in how SSL is handled by the browser.

    In our SSL configuration, the client certificate authentication can be configured for "request", "require" or "ignore".

    "Request" means that a certificate will be requested from the client, but it is not mandatory.

    "Require" means that a certificate is mandatory.

    Safari actually handles this correctly but is missing a feature called "Ignore this request for this website".

    This is what happens:

    Safari receives a "certificate request" and as a result it will look into it's certificate store to see if it has any certificates. If it does, it will ask you to select a certificate. However none of the certificates is valid for the SAP site so you will need to click on "cancel". But if you don't have any certificates installed , then Safari won't ask you for a certificate and as a result you won't have a problem.

    That was the basics, but now the problems:.

    1. The first time you entered the SAP site you've likely selected a certificate.
      As a result this selection is stored in the keychain as an "Identity preference".
      Because the selected certificate is invalid, you must remove it from the keychain or else you will keep getting certificate error when you try to access the SAP site. (You can google on how to do this)

    2. You have a certificate and thus Safari prompts you to select one.
      You will have to click CANCEL on every request you will receive or else you'll run into the problem descibed above. It's very annoying because the SAP website will request for certificates many times while browsing their site. Sadly Apple is missing the feature: "Ignore this request for this website" which would fix this issue.

      If the only certificate you have is that of your Apple ID, then I guess you could safely remove it. (I did too and did not have any adverse effects.)
      However, If like me you have other certificates that cannot be removed; you are screwed.😢
      You will have to wait for Apple to build some kind of solution.

    I hope this summary is helpful to all of you MAC based Safari fans.
    This post was created in a MAC based Safari browser (v6.0.5)

    Add comment
    10|10000 characters needed characters exceeded

  • Posted on Oct 16, 2013 at 08:31 AM

    PS:

    See the post below on the Apple Support community which I created in the hope for a solution:

    https://discussions.apple.com/thread/5451317

    If anyone as AppleCare the might call them and refer to this issue. 😉

    Add comment
    10|10000 characters needed characters exceeded

  • Posted on Nov 18, 2013 at 01:04 PM

    Hi ,

    we have the same problem with our WebDispatcher Proxy and the Safari for Mac f

    Have someone found a solution ? We user Sap Webdispatcher 7.40 Patch 43.

    Regards

    Add comment
    10|10000 characters needed characters exceeded

  • Posted on Dec 10, 2013 at 06:29 AM

    Hi,

    I also facing the same issue during SAP CONNECT,

    but lucky that I also installed FireFox on my MAC OS X 10.9,

    and it's running OK.

    Add comment
    10|10000 characters needed characters exceeded