
X.509 Client Certificate Authentication Issue

Former Member
0 Kudos

Hi All,

I'm trying to set up authentication via X.509 browser certificate but I seem to be missing something because I keep getting the message "Logon not possible; none of the active logon procedures is possible" in my browser. I:

- installed CryptoLib

- enabled SSL

- set several profile params

- created a client certificate via sapgenpse and imported that into my SSL server PSE as well as into trusted certificates of IE8

- created a user mapping in VUSREXTID with type DN and ID: CN=xxx, OU=yy, O=zzz, C=DE that matches my client certificate

This is taken from log file dev_w0

H HTTPS> ab_HttpRequestHandler: create new session (role=2, action=1, handle=0, protocol=2)

H HTTP> Allocated server record (6DA8EB90)

H HTTP> EmMemoryMan HTTPSR(allocation 400 bytes)

H {43B1FADE-02C9-F151-9C8B-000C29E1DC8D}

H HTTP> EmMemoryMan HTTPCO(allocation 23808 bytes)

H {43B1FADE-02C9-F151-9C8B-000C29E1DC8D}

H HTTPS> <Me> Accept [handle = 1]

H {43B1FADE-02C9-F151-9C8B-000C29E1DC8D}

H HTTPS> [1] GetInfo

H {43B1FADE-02C9-F151-9C8B-000C29E1DC8D}

H Host: IP address...

H Local host: BPSAP_BP6

H Service: 8443 (certificate available: 0)

H HTTPS> [1] ab_HttpAnalyzeRequestLine

H {43B1FADE-02C9-F151-9C8B-000C29E1DC8D}

H Method: 1

H Version: 1001 (HTTP/1.1)

H chunked body = FALSE

H Server name: bpsap_bp6.server.com

H port number: 8443

H URI: /sap/bc/webdynpro/b/e_cust

H user agent: 2, version: 800 (MOZILLA=1, MSIE=2, SAPWEBAP=3, OPERA=4, MOZILLA_NEW=6)

H Handler: 1

H HTTPS> [1] ab_HttpAnalyzeRequestLine: ThPlgInfo

H {43B1FADE-02C9-F151-9C8B-000C29E1DC8D}

H HTTPS> [1] ab_HttpAnalyzeRequestLine: certificate available: 0)

H {43B1FADE-02C9-F151-9C8B-000C29E1DC8D}

H HTTPS> [1] UnGetInputBuffer Reset (ptr: 6DA93040)

H {43B1FADE-02C9-F151-9C8B-000C29E1DC8D}

H HTTPS> [1] ab_HttpAnalyzeRequestLine Close message: 0 (UnGetInputBuffer: 0)

H {43B1FADE-02C9-F151-9C8B-000C29E1DC8D}

H HTTPS> [1] HttpInitVirtServer Virtual host: 0 (protocol: 1)

H {43B1FADE-02C9-F151-9C8B-000C29E1DC8D}

H HTTP> System_Call_Http: e

H {43B1FADE-02C9-F151-9C8B-000C29E1DC8D}

H ThExtDebuggingPossible: 0 (N)

H UserChecked: N

H CallerIP: IP address...

H Action: 1

H Protocol: 2

H Statistic: 0

H Trace: 1

H ContextID: SID:ANON:BPSAP_BP6_BP6_0...-ATT

H InstanceID: BPSAP_BP6_BP6_00

H KernelVersion: 1

H ABAPVersion: 1

H CPoolingActive: 0 (context type: 0)

H AcceptSSO2: 1

H VirtualServer: 0

H CertificateAvailable: 0

H AcceptRemoteTraceLevel: 0

H AcceptRemoteProfileLevel: 0

H AcceptRemoteRecorderLevel: 0

H SharedMemoryCacheOff: 0 (0)

I'd really appreciate any sort of help.

Cheers,

Sebastian

8 REPLIES

Former Member
0 Kudos

Hi,

Increase the ICM trace level and check this trace file from Tx SMICM.

This is the place where you will get useful information to debug your problem.

By the way, if you had told us which system/release you were using, we would not have to guess that you use an ABAP stack.

Regards,

Olivier

Former Member
0 Kudos

Hi Olivier,

thanks for your reply and for reminding me about the system spec. I'm using an ERP ECC 6.0.

I configured what you suggested. The only thing that I've noticed in the ICM log is

[Thr 3728] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject no

X.509 cert data will be removed from header [http_plg.c 670]

Not sure what to do with that though.

Cheers,

Sebastian

0 Kudos

Hi Sebastian,

It seems that you have a reverse proxy (Web Dispatcher?) in front of your ECC6 ICM and because you have not set the parameter icm/HTTPS/trust_client_with_issuer, the certificate is removed from the header.

No certificate = no authentication!

Regards,

Olivier

0 Kudos

Hi Olivier,

the system admin confirmed to me that there's no Web Dispatcher in place, which makes me believe that the above message is somehow not related to my issue. I ran several additional tests with different settings suggested in SDN or SAP Help but none of the log files really reveal any useful information.

You suggested to up the trace level and view the ICM log. If I knew what I should expect to see, maybe that would take me a step further.

Cheers,

Sebastian

0 Kudos

Have you tried the procedure described in SAP Note 495911 (https://service.sap.com/sap/support/notes/495911) using the security audit log (SM19)? Increase the login trace level (SM50) to find the error codes; the causes are described in SAP Note 320991.

Cheers,

Julius

0 Kudos

Hi Sebastian,

Did you check the value of the parameter icm/HTTPS/trust_client_with_issuer for your ICM?

The problem is obviously that your client certificate is removed from the header.

You now have to understand why!

Are you really sure that you don't call the URL through a reverse proxy or a forward proxy?

In corporate networks, there is usually a forward proxy defined in the browser's configuration for internet access.

Check if there is an exclusion list for the internal network.

Do you call the URL on the ICM hostname with the HTTP port displayed from transaction SMICM ?

Try to use also an HTTP trace utility from your browser. (I use httpwatch).

Regards,

Olivier

WolfgangJanzen
Product and Topic Expert
0 Kudos

Another (common) reason: the "SSL Server" PSE does not contain the CA (certification authority) which has issued the client certificate; it does not occur in the trust anchor list ("Certificate list" / "private address book"). In that case the SSL client will not send his client certificate (during the SSL handshake) to the server.

-> check with STRUST

>H HTTPS> [1] ab_HttpAnalyzeRequestLine: certificate available: 0)

This indicates: there is no client certificate

Edited by: Wolfgang Janzen on Jan 26, 2010 2:35 PM
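
As an added illustration (not part of any post in this thread and not SAP code), this Python script scans trace text in the format quoted above for the client-certificate flags and ICM warnings, then lists the checks the replies suggest. The sample lines are constructed from the excerpts in the thread, and reading a non-zero flag as "certificate presented" is an assumption.

```python
import re

# Constructed sample: lines in the format of the dev_w0 and ICM excerpts quoted in this thread.
SAMPLE_TRACE = """\
H HTTPS> <Me> Accept [handle = 1]
H Service: 8443 (certificate available: 0)
H URI: /sap/bc/webdynpro/b/e_cust
H HTTPS> [1] ab_HttpAnalyzeRequestLine: certificate available: 0)
H CertificateAvailable: 0
[Thr 3728] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject no
"""

CERT_FLAG = re.compile(r"certificate\s*available:\s*(\d+)", re.IGNORECASE)
URI_LINE = re.compile(r"^H\s+URI:\s*(\S+)")
ICM_PARAM = re.compile(r"icm/[A-Za-z0-9_/]+")


def triage(trace_text):
    """Collect the client-certificate evidence present in trace text."""
    found = {"uris": [], "cert_flags": [], "warned_params": []}
    for line in trace_text.splitlines():
        uri = URI_LINE.match(line)
        if uri:
            found["uris"].append(uri.group(1))
        flag = CERT_FLAG.search(line)
        if flag:
            found["cert_flags"].append(int(flag.group(1)))
        if "WARNING" in line:
            for param in ICM_PARAM.findall(line):
                if param not in found["warned_params"]:
                    found["warned_params"].append(param)
    return found


def next_checks(found):
    """Map the evidence to the checks suggested in the thread."""
    checks = []
    flags = found["cert_flags"]
    if flags and not any(flags):
        checks.append("no client certificate reached the server: check that the issuing CA "
                      "is in the SSL server PSE certificate list (STRUST)")
        checks.append("check that the browser holds the private key, not only the certificate")
        checks.append("check for a reverse or forward proxy between browser and ICM")
    elif any(flags):
        # Assumption: a non-zero flag means a certificate was presented.
        checks.append("certificate presented: compare its subject with the VUSREXTID mapping")
    for param in found["warned_params"]:
        checks.append("review profile parameter " + param)
    return checks


if __name__ == "__main__":
    for check in next_checks(triage(SAMPLE_TRACE)):
        print("-", check)
```
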

WolfgangJanzen
Product and Topic Expert
0 Kudos

> created a client certificate via sapgenpse and imported that into my SSL server PSE as well as into trusted certificates of IE8

Well, in that case you only have the (public) certificate but not the corresponding private key in your browser.

However, you need the private key in order to authenticate.

If you just want to play, I propose to request a client certificate from some public CA, e.g. from TC TrustCenter (https://www.trustcenter.de/products/tc_internet_id.htm) (kindly notice the usage policy) or set up your system to operate as RA (Registration Authority) in order to utilize the SAP Trust Center Service solution (http://service.sap.com/form/sapnet?_SHORTKEY=01100035870000411810&_SCENARIO=01100035870000000202&) or simply use your SAP Passport (used to log on to the SAP Service Marketplace) (http://service.sap.com/form/sapnet?_SHORTKEY=01100035870000266783&_SCENARIO=01100035870000000202&). In all those cases, you have to import the corresponding CA root certificate (http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000282729&_SCENARIO=01100035870000000202&) into the trust anchor list (aka "Certificate List" aka "Private Address Book") of your "SSL Server" PSE. Maybe you have to restart your ICM afterwards (for PSE changes to take effect).

Edited by: Wolfgang Janzen on Jan 26, 2010 2:51 PM