Solved: NetWeaver AS Java as SAML Destination Site

Former Member · ‎04-04-2011

Hi Experts,

I am currently configuring my sandbox portal as a SAML Destination Site, however, I am encountering an issue with the exchange of information between the source and destination. I see the following warning in my Secuirty.log file:

Warning#1#com.sap.security.core.server.https.SecureConnectionFactory#Plain###Attempting to create outgoing ssl connection without trusted certificates#

Clearly there is an issue with the outgoing SSL connection, however, I have created the Private Key and Public Certificate as instructed by SAP and I used the service.sap.com/tca to self sign the certificate. Since this is just a sandbox system, I thought this would be sufficient. Does SSL require fully signed certificates even for sandbox systems when communicating with non-sap applications such as SAML?

When I use the link provided by my SAML Source, I am able to get to my target website, however, the authentication is not happening. The security logs are next to useless on this topic. Does anyone have a suggestion?

Thanks,

Justin

martin_voros · ‎04-05-2011

Hi,

you should be able to work only with self-signed certificate. In your case SAP is trying to connect to external system using SSL but it does not that certificate. You have to import certificate which was used to sign certificate of that external system into SAP. Could you describe a bit more your landscape. What certificates you have where.

Cheers

martin_voros · ‎04-05-2011

Hi,

you should be able to work only with self-signed certificate. In your case SAP is trying to connect to external system using SSL but it does not that certificate. You have to import certificate which was used to sign certificate of that external system into SAP. Could you describe a bit more your landscape. What certificates you have where.

Cheers

Former Member · ‎04-05-2011

Hello,

I have done the following certificate configuration:

1. Created SSL Private Key

2. Based on private key, created Public Cert

3. Self-signed Public Cert

4. Both Private Key and Public Cert reside in the service_ssl view in Key Storage service

5. Imported Non-SAP Source System Certificate into the TrustedCAs view in Key Storage service

6. Set the SSL Private Key as the Server Identity in SSL Provider service.

What am I missing here?

Thanks,

Justin Straub

martin_voros · ‎04-05-2011

Looks OK. I though that you forgot to perform step 5. But I am not sure if you don't have to associate that certificate with the service.

Cheers

Former Member · ‎04-05-2011

What do you mean by: "But I am not sure if you don't have to associate that certificate with the service."

Where would you make that association? The only place I see is during the definition of the ToSAMLResponder in the HTTP Destination. There is an option here to use an X509 certificate for authentication to the Source site, however, if I select the TrustedCAs keystore view, the second drop down box to select the certificate is empty. It does not include my source site certificate, or any other certificate there. The only option that seems to be available is if I again use the SSL view and my private SSL Key. I would have thought it should be the source site certifcate here like you mention. Any idea why it does not let me select it? I cannot find any helpful literature on the ToSAMLResponder definition step.

martin_voros · ‎04-07-2011

It should work without any association. Have you tried to set parameter PermitInsecureConnections to true and use HTTP instead of HTTPS? Just to check if the issue is really in HTTPS or there is something else.

Cheers