08-24-2011 5:54 PM
Hi,
I'm currently running ECC 6.0 EHP4 on NW 7.01. I'm attempting to set up SSO/Authentication using X.509 certificates.
I have been using the pages on SAP and I have completed everything that is required, but I'm having no joy. I have read many threads on here but none seem to give me the details I require. I was hoping someone could give me an example of what to do with the following:-
When getting a CA to sign my certificate request (Currently using SAP Test) What do I need to request?
When importing the certificate in to my browser it says "This certificate cannot be verified up to a trusted certificate authority"
SAP is the CA why does it say this?
I also have a question connected with the contents of USREXTID. I have maintained the entries in this table under the External ID Type = DN. Again if someone could give an example I would be very grateful.
Regards,
Andy.
08-25-2011 12:12 AM
> When importing the certificate in to my browser it says "This certificate cannot be verified up to a trusted certificate authority"
> SAP is the CA why does it say this?
The reason for this message is that the certificate is signed by SAP but it seems like the browser does not trust SAP. All browsers trust only certificates signed by certificates (CAs) that are imported into the browser. For example, if you go in IE to Internet Options -> Content -> Certificates then you can see all Trusted Root CAs and Intermediate CAs.
Off topic: If you see that list then it's a bit scary. The standard browser trusts lots of CAs. Currently, there is a discussion about solving this issue in the community. For example, check convergence.io.
Cheers
08-24-2011 8:06 PM
Did you install the cryptographic libraries as well? (so not the default seculib library)
Just to be sure: you are expecting this to work for web services or BSP applications, right? (so not SAPGui SSO).
Cheers,
Julius
08-25-2011 9:44 AM
Hi,
Thanks for the quick replies.
Julius, I have the SAP Cryptographic Library installed and I am trying to get this solution to work for access to SAP via Web Gui and BSP page for Web UI for CRM 7.0.
Martin, Thanks for the tip. I have now downloaded and installed to my browser the certificate which includes SAP in the list of trusted CA's. The certificate warning has now disappeared.
I have been following this thread
I'm at a similar situation where I get the message in my ICM trace saying No Client Certificate.
Regards,
Andy.
08-25-2011 10:01 AM
So it seems like the browser does not send the certificate. Have you tried a different browser? Or investigated why the certificate is not sent?
Cheers
08-25-2011 10:18 AM
Hi,
I've checked the client certificate downloaded from STRUST and signed by SAP CA. In the details of this certificate it says:-
This certificate is intended for the following purpose(s):
- Ensures the identity of a remote computer
Is this correct for the certificate to provide authentication to the SAP system?
Regards,
Andy.
08-25-2011 10:24 AM
Okay, so your browser can identify the server but who are you?
The server is expecting you to present a client certificate as well, but it appears you have not installed one and are mistaking the root certificate for your own authentication.
Key word: SAP Passport.
Cheers,
Julius
08-25-2011 12:22 PM
Hi,
You should use a tool like HTTPWATCH to see if you really send a client certificate from your browser.
You can also increase the trace level of the ICM and then have a look at the trace file.
Regards,
Olivier
08-25-2011 12:31 PM
Hi,
Thanks again for the info. I'm struggling with the client certificate. Following the notes on help.sap.com:-
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3a/7cddde33ff05cae10000000a128c20/frameset.htm
This talks about systems as clients not users. I'm unsure when setting the certificate of the following:
1) Where to set the client PSE in STRUST. SSL client SSL Client (Standard)?
2) What entries to put in Name, Org. Country etc...
3) What do I do with the response once signed by SAP and imported?
4) In table VUSREXTID I think I should be using DN. But what to put as external identifier. Would this be my windows user?
All help appreciated.
Regards,
Andy.
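For point 4 above (what to put in USREXTID for external ID type DN), here is an added example that is not from the thread or from SAP: a standard-library-only decoder for the DER subject of a client certificate, plus a lookup table standing in for USREXTID, keyed by the rendered DN. The DN string format ("CN=..., O=..., C=...", most specific first, comma-space separated) and the sample subject bytes are assumptions constructed for the example; the string your system actually compares is the one the ICM trace shows being sent, and the table entry must match it character for character.

```python
# Added example, not from the thread or from SAP: decode a DER subject and map it
# to a user the way a USREXTID entry of type DN does. The DN string format is an
# assumption; take the real string from the ICM trace of your own system.
from typing import Optional, Tuple

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    """Dotted OID from its DER content bytes (first byte packs the first two arcs)."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:                    # base-128 sub-identifiers
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def subject_dn(der_name: bytes) -> str:
    """Render a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue) as a DN string."""
    tag, seq, _ = _read_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)   # one SET per RDN
        _, atv, _ = _read_tlv(rdn, 0)       # single attribute per RDN assumed
        _, oid, p = _read_tlv(atv, 0)
        _, val, _ = _read_tlv(atv, p)
        oid_str = _decode_oid(oid)
        parts.append(f"{OID_NAMES.get(oid_str, oid_str)}={val.decode()}")
    return ", ".join(reversed(parts))      # DER stores C first; render CN first

# Constructed sample: DER encoding of the subject C=GB, O=Example, CN=Andy.
SAMPLE_SUBJECT = bytes.fromhex(
    "302e" "310b3009060355040613024742"
    "3110300e060355040a0c074578616d706c65"
    "310d300b06035504030c04416e6479")

# Constructed stand-in for USREXTID rows of external ID type DN -> SAP user.
USREXTID = {"CN=Andy, O=Example, C=GB": "ANDY"}

def map_user(der_name: bytes) -> Optional[str]:
    """Exact-match lookup: any difference in order or spacing yields no user."""
    return USREXTID.get(subject_dn(der_name))
```

The exact-match lookup is the point: a table entry written with a different attribute order or without the space after each comma never matches, which shows up as an authenticated TLS session that still falls back to the logon screen.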
08-25-2011 12:38 PM
The SAP application servers can also act as a client in the communication, as is the case with type H and type G connections in SM59. In this case the client server is authenticating itself against another server.
However for the fundamentals and SAP specific related administration tasks I would strongly suggest taking some training, otherwise it will just cause headaches and speculation about what is going on...
SAP Education course ADM960 is what you are looking for.
Cheers,
Julius
08-25-2011 3:21 PM
Hi,
Thanks for everyone's help. I have now successfully performed SSO using X.509 certificates on to my Web UI and Web Gui.
The solution in the end was to import the SAP Passport CA Certificate from www.service.sap.com/tcsrootcert in to the SSL Server Standard Certificate list in STRUST.
I have read many threads, notes and help pages on this subject and don't remember it being mentioned before.
My next issue will be to set up a process to allow users a similar process.
Thanks again.
Andy.
08-25-2011 10:37 PM
> My next issue will be to set up a process to allow users a similar process.
Yes, this is one of the aspects of PKI based SSO which is well worth considering.
For the SAP service portals it works okay because the folks are reasonably tech savvy who go there looking for SAP notes and downloading software and reporting program errors.
For an end user, you must consider user friendliness, otherwise you are doomed.
Cheers,
Julius