SSL Webservice with client authentication based on certificates

Former Member
0 Kudos

Hello,

I created a webservice on an IIS and want to consume it with server and client authentication based on certificates. When I register my server certificate in TA "STRUST", the server authentication works fine. Unfortunately I have searched for weeks for a solution for the client authentication, but it still doesn't want to work.

Does somebody have a clue? Generally, do I have to register the client certificate in STRUST, too? Actually, does my 6.20 system (without PI & J2EE) support server AND client authentication?

I would be very happy if somebody could provide me with a tip.

Greetz,

zeraphine

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

If you do not use PI/XI, how do you plan to reach the target secured system? Using an HTTP destination?

Rgds

Chris

Former Member
0 Kudos

Exactly!

I created an HTTPS destination with TA SM59 and its own SSL client identity. In this identity I registered my server certificate, and the external webservice call works perfectly. I found a very nice blog on this topic [here|http://www.sdn.sap.com/irj/scn/weblogs;jsessionid=(J2EE3417200)ID0822464650DB11823509448710748571End?blog=/pub/wlg/11800].

Now I want my client (SAP) to authenticate to the webservice, too. Where and how must I configure this on the SAP system?

Former Member
0 Kudos

Zeraphine,

What does "should also authenticate on the webservice" mean? Do you want to add another level of authentication to your call (i.e. user/pwd)? Or do you want the WS to be able to authenticate when connecting to SAP?

Chris

Former Member
0 Kudos

Hello Chris,

sorry, I didn't explain it well. As you guessed, I want to add another level of authentication/security to my webservice on my IIS.

First of all, the client (SAP) calls the webservice and the IIS authenticates itself with a valid certificate. This step works fine 😃

My problem is how to configure the SAP system when the IIS also requires valid client authentication for a website.

That means not only the server has to prove its identity, but the client has to do so as well.

This scenario works fine with a browser as the client, so the IIS config shouldn't be the problem.

I hope I have explained it better this time

greetz,

zeraphine

Former Member
0 Kudos

Dear Zeraphine,

I do not know for 6.20, but in 6.40 I have a "security" tab in which you can specify the SSL client certificate you will use during the SSL handshake. It means SAP will present this cert if the target server requests it ... Then the target server will check the client's identity using the presented client cert's root CAs ...

Is your SSL client cert self-signed? If so, maybe IIS needs a specific setting to allow this? If you have a root CA chain for your cert, make sure it is known to IIS.

Rgds

Chris

Former Member
0 Kudos

Hello Christophe,

thanks for your answer. This "security" tab is in the SM59 HTTP destination, isn't it? There I define which SSL client identity my HTTP destination should use. The server-certification process works perfectly with this; unfortunately I am still stuck on the part of how to implement the client-certification process.

My steps (without the IIS configs):

1. I create a new SSL client identity (e.g. HTTPS)

2. I import the server certificate and add it to the certificate list

3. I add a new HTTP destination and assign SSL client "HTTPS" to it

4. Test: the server authentication works

5. So that the client is able to authenticate itself, too, I export the valid client certificate (the one that works in my browser) to a PFX

6. generate a PSE from this PFX

7. import the PSE into my HTTPS identity

Moreover I tried some more..

8. Add my root CA to the database

9. Add the client certificate to my database

10. Generate a "certificate response" for my own SSL client identity from my CA and paste it into the Import screen

I still can't get it running... ;(

As a matter of course, I restart my ICM (TA SMICM) before every HTTPS destination test.

I have no idea what else I can do.. I searched in OSS and here in this board but didn't find any solution yet.

If so, maybe IIS needs a specific setting to allow this ?

The IIS allows the certificate when it comes from a browser. It shouldn't make a difference for it to accept the same certificate from another client (in this case SAP), or should it?

Former Member
0 Kudos

Zeraphine,

I'm no SSL expert, but I do remember that client certificate based authentication needs to be requested by the target server! Do you have such a setting in IIS (I remember seeing this in another web server; there were 3 levels of client authentication schemes: anonymous / user+pwd / client cert) ...

If IIS tells SAP (during the SSL handshake) that it requires a client cert for authentication, SAP should present the client cert you've selected in the security tab of the HTTP destination ...

Then IIS will validate the SAP client cert according to its CA root chain

Hope this helps

Chris

PS: look at this website: http://www.windowsecurity.com/articles/Client-Certificate-Authentication-IIS6.html under section "Configure the Web Site to Require a Client Certificate and use Basic Authentication", it explains how to configure IIS so it requests client certs for authentication ...

Edited by: Christophe PFERTZEL on Dec 10, 2009 4:38 PM
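Chris's point, that the server has to ask for the client certificate before the client will ever send one, can be observed without SAP or IIS. The script below is an added example for this thread, not code from the thread, from SAP or from IIS. With openssl it builds a throw-away CA, a server certificate and a client certificate, exports the client identity to a PFX as in step 5 of the post above, checks that the certificate extracted from that PFX chains to the CA, and then starts a local openssl s_server configured to require a client certificate (the equivalent of IIS's "Require client certificates"). Two handshakes follow, one presenting the client certificate and one without it, so the rejection that a destination with a missing or untrusted client identity gets is visible. Everything in it is assumed for the example: openssl on PATH, the CA name "Test Root CA", the subject names, the PFX password and TCP port 44333 free on localhost.

```shell
#!/bin/sh
# Added example for this thread, not SAP or IIS code: rebuild the mutual-TLS
# handshake with openssl so the "server must request the client cert" point can
# be observed locally. Assumptions (all invented for the example): openssl on
# PATH, a throw-away CA named "Test Root CA", and TCP port 44333 free.

PORT=44333
WORK=$(mktemp -d)
SERVER_PID=""

# Throw-away PKI: root CA, a server cert (the IIS side) and a client cert
# (the identity SAP holds in its SSL client PSE). Both leaves are issued by
# the same CA so the server can trust the client through its CA list.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1 || return 1
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1 || return 1
        openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
            -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$name.crt" >/dev/null 2>&1 || return 1
    done
    # Step 5 of the thread: the browser-style identity exported as PKCS#12 (PFX)
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/client.pfx" >/dev/null 2>&1
}

# Check to make before touching SM59: does the certificate inside the PFX
# chain to a CA the server trusts? Prints yes/no.
client_chain_ok() {
    if openssl pkcs12 -in "$WORK/client.pfx" -passin pass:changeit -nokeys -clcerts \
           -out "$WORK/client_from_pfx.crt" >/dev/null 2>&1 \
       && openssl verify -CAfile "$WORK/ca.crt" "$WORK/client_from_pfx.crt" >/dev/null 2>&1
    then echo yes; else echo no; fi
}

# One request against the local server. Prints "accepted" when the server
# served its status page, "rejected" when the handshake was refused.
# $1 is "with-cert" or "no-cert".
probe() {
    case "$1" in
        with-cert) certargs="-cert $WORK/client.crt -key $WORK/client.key" ;;
        *)         certargs="" ;;
    esac
    # -quiet implies -ign_eof, so s_client waits for the server's answer
    # (or its alert) instead of exiting as soon as stdin is drained.
    # shellcheck disable=SC2086
    out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
            -CAfile "$WORK/ca.crt" $certargs -quiet 2>/dev/null)
    case "$out" in
        *"200 ok"*) echo accepted ;;
        *)          echo rejected ;;
    esac
}

# The IIS side with "Require client certificates": -Verify makes the client
# certificate mandatory, -CAfile is the CA list the server will accept.
start_server() {
    openssl s_server -accept "$PORT" -cert "$WORK/server.crt" -key "$WORK/server.key" \
        -CAfile "$WORK/ca.crt" -Verify 3 -www >/dev/null 2>&1 &
    SERVER_PID=$!
    i=0
    while [ "$i" -lt 20 ]; do          # wait until the listener answers
        [ "$(probe with-cert)" = accepted ] && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

stop_server() {
    [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null
    wait "$SERVER_PID" 2>/dev/null || true
    rm -rf "$WORK"
}

# Demo run: results are kept in variables so they can be inspected afterwards.
make_pki
CHAIN_OK=$(client_chain_ok)
start_server
WITH_CERT=$(probe with-cert)
NO_CERT=$(probe no-cert)
stop_server
echo "client cert chains to the CA the server trusts: $CHAIN_OK"
echo "handshake presenting the client cert:           $WITH_CERT"
echo "handshake without a client cert:                $NO_CERT"
```

Against the real endpoint the same idea is a single call: `openssl s_client -connect <iis-host>:443 -cert client.crt -key client.key -CAfile ca.crt` (with the certificate and key extracted from the PFX). If the verbose output shows "No client certificate CA names sent" instead of an "Acceptable client certificate CA names" list containing the CA that issued the SAP client certificate, then IIS is either not requesting a client certificate for that URL or not trusting that CA, and nothing in SM59 or STRUST will change the outcome.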

Answers (2)

henrique_pinto
Active Contributor
0 Kudos

AFAIK, there is no out-of-the-box webservice integration in WAS 6.20 and below.

Starting from NW 7.0 SP14+ (and NW 7.1), you can even directly consume webservices through the new webservice runtime, configuring the endpoints through the SOAMANAGER transaction (or alternatively the WSCONFIG and WSADMIN transactions).

But for your backend version, I'm afraid you'll need PI.

Best,

Henrique.

Former Member
0 Kudos

Hi zeraphine,

Please follow these steps to implement your client certificate in your PI

1. Log on to the NWA of PI

2. Choose Configuration Management -> Certificates & Keys

3. Select PartnerCert under Keystore Views

4. Click on Import Entry under Key Storage View Details

After this, you need to add the same certificate to your XIISUSER / PIISUSER certificate list as well

1. Choose Operation Management -> Identity Management

2. Search for XIISUSER / PIISUSER

3. Select the user

4. Under Details of User XIISUSER/PIISUSER

5. Choose 'Certificates'

6. Choose 'Modify'

7. Choose 'Browse' to import the certificate

8. Save

You may retry with your message processing.

I hope this resolves your issue.

Regards

Sekhar

Former Member
0 Kudos

Thank you for your fast answer, Sekhar.

Unfortunately we don't use PI/XI.

Do you have another idea?