Which truststore for SAML Sender Vouches signatures in SOAP message

Former Member

Hi Experts,

I try to consume a Web Service provided by SAP Portal 7.3 EHP 2, which is secured using SAML 2.0.

My intention is to send a SAML assertion using the Sender Vouches confirmation method, and looking at the sample message from the Wiki and my message side by side, I am confident that the message should be understandable for SAP (having the correct signatures etc.).

However, using the Security Troubleshooting Wizard, I collected some traces on the SAP Portal side, and I can see that the certificate I use seems to be untrusted.

The Exception thrown somewhere near the WSSAMLLoginModule is:

Caused by: javax.security.auth.login.LoginException: com.sap.exception.io.SAPIOException: [com.sap.ASJ.wssec.020359] An exception was thrown during the verify of the SAMLTokenHandler: The certificate Subject DN: ....... is not in the list of trusted certificates.
    at com.sap.security.core.server.wssec.jaas.WSSAMLLoginModule.login(WSSAMLLoginModule.java:91)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:254)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:65)
    ... 52 more

I already imported the cert into almost all trust stores. Where do I specify the trusted certs?

Thanks.

Jens


Former Member

Hi,

Unexpectedly (for me), it was TicketStore.

My signature is now validated successfully, hence I can run into the next error...


Hi Jens,

Yes, it's the keystore view TicketKeystore. The idea is that a logon ticket trust suffices to get the SAML 1.1 Sender Vouches trust as well.

The next thing you should take care of is to make sure that your SAP Portal system trusts the SAML issuer of your SAML assertion. This is configured in NetWeaver Administrator under Configuration Management > Security > Trusted Systems. There you add the issuer string of your SAML assertion to the Trusted Partners section.

Please follow paragraph "Configuring the Trusted Partners (Provider)" on this documentation link for details: http://help.sap.com/saphelp_nw73/helpdata/en/48/b264916b156ff4e10000000a42189b/frameset.htm

Another thing: please note that for SOAP web services, SAP (both AS ABAP and AS Java) supports only SAML 1.1 for Sender-Vouches. Holder-of-key SAML assertions are supported with SAML 1.1 and SAML 2.0.

Regards,

Mathias
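The three receiver-side trust decisions discussed in this thread (the signing certificate must be in the TicketKeystore truststore, the assertion issuer must be a configured Trusted Partner, and Sender-Vouches is accepted only with SAML 1.1) as one added Python example. This is not code from the thread or from SAP; it models those checks over a constructed SOAP message so you can pre-flight your own request before sending it, and it does not verify the XML signature itself. The issuer name idp.example.com, the placeholder certificate bytes, the subject name and all function names are assumptions made for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SENDER_VOUCHES_11 = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
SENDER_VOUCHES_20 = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

# Constructed placeholder standing in for the DER bytes of the sender's signing
# certificate (assumption: not a real X.509 certificate, just bytes to fingerprint).
SIGNER_DER = b"constructed-placeholder-signer-certificate"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes: the key under which a truststore entry is looked up."""
    return hashlib.sha256(der).hexdigest()


def build_envelope(issuer: str, signer_der: bytes, saml_version: str = "1.1") -> str:
    """Constructed sample request: WS-Security header with the signer cert and a Sender-Vouches assertion."""
    bst = base64.b64encode(signer_der).decode()
    if saml_version == "1.1":
        assertion = (
            f'<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1" Issuer="{issuer}">'
            "<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>jens</saml:NameIdentifier>"
            f"<saml:SubjectConfirmation><saml:ConfirmationMethod>{SENDER_VOUCHES_11}</saml:ConfirmationMethod>"
            "</saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>"
        )
    else:  # SAML 2.0 shape, used below to show the unsupported combination
        assertion = (
            f'<saml:Assertion xmlns:saml="{SAML2}" Version="2.0"><saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>jens</saml:NameID><saml:SubjectConfirmation Method="{SENDER_VOUCHES_20}"/>'
            "</saml:Subject></saml:Assertion>"
        )
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header><wsse:Security xmlns:wsse="{WSSE}">'
        f'<wsse:BinarySecurityToken EncodingType="{B64}" ValueType="{X509V3}">{bst}</wsse:BinarySecurityToken>'
        f"{assertion}</wsse:Security></soap:Header><soap:Body/></soap:Envelope>"
    )


def check_sender_vouches(envelope_xml: str, truststore: set, trusted_partners: set) -> list:
    """Return the reasons a receiver configured like the thread describes would reject the message.

    truststore       : fingerprints of certificates in the TicketKeystore view
    trusted_partners : issuer strings configured under Trusted Systems > Trusted Partners
    An empty list means every modelled check passed (signature validity is not checked here).
    """
    problems = []
    sec = ET.fromstring(envelope_xml).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return ["no wsse:Security header"]

    # 1. The signing certificate must be trusted explicitly; a valid chain alone is not enough.
    bst = sec.find(f"{{{WSSE}}}BinarySecurityToken")
    if bst is None:
        problems.append("no BinarySecurityToken carrying the signer certificate")
    else:
        fp = fingerprint(base64.b64decode(bst.text))
        if fp not in truststore:
            problems.append(f"certificate {fp[:16]}... is not in the list of trusted certificates")

    # 2. Sender-Vouches is only accepted with SAML 1.1 (2.0 only for Holder-of-Key).
    a1, a2 = sec.find(f"{{{SAML1}}}Assertion"), sec.find(f"{{{SAML2}}}Assertion")
    if a1 is None:
        if a2 is None:
            problems.append("no SAML assertion in the security header")
        else:
            sc = a2.find(f".//{{{SAML2}}}SubjectConfirmation")
            if sc is not None and sc.get("Method") == SENDER_VOUCHES_20:
                problems.append("SAML 2.0 Sender-Vouches is not supported; use SAML 1.1")
        return problems
    if (a1.get("MajorVersion"), a1.get("MinorVersion")) != ("1", "1"):
        problems.append("SAML 1.x assertion is not version 1.1")
    cm = a1.find(f".//{{{SAML1}}}ConfirmationMethod")
    if cm is None or (cm.text or "").strip() != SENDER_VOUCHES_11:
        problems.append("confirmation method is not sender-vouches")

    # 3. The issuer string must match a configured Trusted Partner exactly.
    issuer = a1.get("Issuer")
    if issuer not in trusted_partners:
        problems.append(f"issuer {issuer!r} is not a trusted partner")
    return problems


def demo() -> dict:
    """Run the checks over the constructed message under four receiver configurations."""
    env = build_envelope("idp.example.com", SIGNER_DER)
    trusted, partners = {fingerprint(SIGNER_DER)}, {"idp.example.com"}
    return {
        "ok": check_sender_vouches(env, trusted, partners),
        "cert_untrusted": check_sender_vouches(env, set(), partners),
        "issuer_untrusted": check_sender_vouches(env, trusted, set()),
        "saml20": check_sender_vouches(build_envelope("idp.example.com", SIGNER_DER, "2.0"), trusted, partners),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or "accepted")
```

The "cert_untrusted" case reproduces the shape of the error in the original post: the message is otherwise well-formed, but the receiver keys its decision on whether that specific certificate is in its truststore, which is why importing it into the TLS or other keystore views did not help. Keying on a fingerprint rather than the Subject DN is a design choice for the example; it avoids accepting a different certificate that merely carries the same DN.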