Portal SSO using x.509 certs

Former Member · ‎05-20-2011

Experts,

SAP: NW Portal 7.01 SP7

Kernel: 701_REL #112 64-BIT UNICODE

OS: AIX 6.1 64-BIT

We are trying to do SSO based on X.509 client certificates

We want users to be able to open IE browser to portal HTTPs port, and be automatically logged in.

Our users are authenticated using LDAP instead of UME. AKA config in UME is set to:

Data Sources = Microsoft ADS Read-Only (Flat Hierarchy) + Database

I have enabled SSL on the portal this way:

portal is listening on the HTTPs port.

I have a signed cert by our CA in the key store.

The CA is listed in the TRUSTED CA area.

SSL provider is pointed to the correct cert. CLient authentication is set to "Request client certificat".

the CA is listed in the "Trusted certificate authority".

I also enabled ume.logon.allow_cert = true in the configtool (restarted instance)

Now, when I log in to https port for /irj/portal, it pops up my client cert, but then I get this message:

Your certificate will be mapped to your user ID.

I can still log in manually, but that's not the point. I read SAP help link:

http://help.sap.com/saphelp_nw70/helpdata/en/62/881e3e3986f701e10000000a114084/frameset.htm

I already have these prereqs:

Users possess valid X.509 client certificates

The useru2019s client certificates are imported into their client systemu2019s Web browsers

The J2EE Engine is configured to support HTTPS connections and SSL

I'm fuzzy on these areas:

Configure the ClientCertLoginModule

Adjust the login module stacks and configure the login modules for those applications that accept client certificates

I read about them in SAP help links but it's not clear.

I made sure the certificates have not been revoked by the issuing CA

users are accessing J2EE Engine directly (NO intermediary)

I have these settings in DEFAULT profile:

ssl/ssl_lib = /usr/sap/EPD/SCS01/sec/libsapcrypto.o

sec/libsapsecu = /usr/sap/EPP/SCS01/sec/libsapcrypto.o

ssf/ssfapi_lib = /usr/sap/EPP/SCS01/sec/libsapcrypto.o

ssf/name = SAPSECULIB

icm/HTTPS/verify_client = 1

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2

Not sure I need them....

Do need to change the authschemems.xml?

What am I missing?

p330068 · ‎05-23-2011

Hi Nick,

Please check blog might help /people/dennis.kleymeonov/blog/2005/09/15/connecting-sap-systems-to-enterprise-portal-with-sso

Best Regards

Arun Jaiswal

Former Member · ‎05-29-2011

Arun,

I'm trying to connect users to the portal. Not portal to other sap systems. I have that part working.

nick

Former Member · ‎05-23-2011

Hi Nick,

Try the following and see if the warning goes away -

1. Log into the Visual Administrator and under server->services go to the SSL Provider Service.

2. Under the Runtime tab (default), you would find your dispatchers enlisted. You would also find the active sockets against each dispatcher.

3. Choose on the active socket (or Port) on which you have activated the SSL.

4. You would find three tabs under the Active Sockets screen. Click on the Client Authentication tab.

5. Click on "Request Client Certificate" under the client authentication tab.

Try logging into the portal again and see if the warning goes away. For more details check this link

[http://help.sap.com/saphelp_nw70ehp1/helpdata/en/14/29236de1864c6e8d46e77192adaa95/frameset.htm]

Hope it helps,

Prathamesh

Former Member · ‎05-29-2011

Hey Prathamesh,

I pretty much documented in my original post exactly what you wrote. I've already done what you suggested.

nick

benjamin_houttuin · ‎05-23-2011

Hi Nick,

What is it that you want to realize:

1. ensure that users who attempt to log on to this server via HTTPS can only do so by producing a valid certificate.

2. SSO by using x509 client certificates

3. or both?

What goes wrong exactly... or what would you like to get solved...

It's not really clear to me at this point.

Cheers,

Benjamin

Former Member · ‎05-29-2011

Hey Ben,

Sorry its been a week since i posted this. I got pulled away on other stuff.

To answer your question, BOTH !

What goes wrong? Well, the X509 user cert isn't being automatically stored in the "certificates" tab. So they aren't getting in..

I get CERT_AUTH_FAILED at the login screen after my prompt in the browser that I have a client cert.

CERT_AUTH_FAILED and "Cannot authenticate the user"

doLogon failed

[EXCEPTION]

com.sap.security.core.logon.imp.UMELoginException: CERT_AUTH_FAILED

Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[XXXXXX], Reason=[Cannot authenticate the user.]

To me , the main areas that I may have missed are

1. Attribute Mapping for Client Certificates

http://help.sap.com/saphelp_nw70/helpdata/en/b8/8312409ab58f5ce10000000a155106/frameset.htm

**I did edit the data source configuration file. BUT we are using a READONLY=TRUE for LDAP in the dataSourceConfiguration_ads_readonly_db.xml

SHould I edit that at all??

2. Setting SAP to use these login modules in loginModuleStacks (how?)

??adding these login modules to login module stacks??

**I did edit the "ticket" template and added all the entries documented

here:

http://help.sap.com/saphelp_nw70/helpdata/en/44/200cb204a75cfbe10000000a155369/frameset.htm

**BUT, when I load my own cert in manually in the UME, it DOES work!!!

So my big issue is how to configure automatic mapping of client

certificates to user IDs during user logon

Or must I add them all manually? That seems difficult.

Finally, I now get this error if I try to edit ANY userID in the UME:

Could not modify login IDs from UME (I got nullpointerexception)

Caused by: com.sap.security.api.UMRuntimeException: Populate of com.sap.security.core.usermanagement,certificatehash failed for principal UACC.CORP_LDAP.myuserID!

at com.sap.security.core.imp.AbstractPrincipal.getPrincipalDatabagValues(AbstractPrincipal.java:1828)

at com.sap.security.core.imp.AbstractPrincipal.getAttributeType(AbstractPrincipal.java:600)

at com.sap.security.core.imp.UserAccountWrapper.getAttributeType(UserAccountWrapper.java:567)

at com.sap.security.core.jmx.impl.JmxSearchHelper.getJmxAttributes(JmxSearchHelper.java:1196)

at com.sap.security.core.jmx.impl.JmxSearchHelper.getJmxAttributeListWithAllAttributes(JmxSearchHelper.java:974)

at com.sap.security.core.jmx.impl.JmxSearchHelper.getAllEntityDetails(JmxSearchHelper.java:1659)

at com.sap.security.core.jmx.impl.JmxServer.getAllEntityDetails(JmxServer.java:218)

benjamin_houttuin · ‎05-30-2011

Hi Nick,

Reading your reply it seems to me that: "1. ensure that users who attempt to log on to this server via HTTPS can only do so by producing a valid certificate." is not an issue any more as you do not state any issues on that...

Regarding the rest... There are multiple points you should check:

1. Do all configuration in the Ticket Login Stack this is the major Login Stack that is used for Portal etc.

2. I think that having the LDAP config on READONLY=TRUE might cause the issue that the certificates are not written to the store... i'm not sure on this 100% so check that...

3. The error you get is related to what is stated in:

http://help.sap.com/saphelp_nw70/helpdata/en/b8/8312409ab58f5ce10000000a155106/frameset.htm

The certificatehashattribute must be mapped to null, as directory servers cannot handle hashed certificates. This prevents the hash value from being stored.

You must map the logical attributes javax.servlet.request.X509Certificate and certificate to the same physical attribute on your directory server.

Cheers,

B