Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

X.509 Authentication and SSO

Former Member
0 Kudos

Hi,

I'm currently running ECC 6.0 EHP4 on NW 7.01. I'm attempting to setup SSO/Authentication using X.509 certificates.

I have been using the pages on SAP and I have completed everything that is required but I'm having no joy. I have read many threads on here but none seem to give me the details I require. I was hoping someone could give me an example of what to do with the following:

When getting a CA to sign my certificate request (currently using SAP Test), what do I need to request?

When importing the certificate into my browser it says "This certificate cannot be verified up to a trusted certificate authority".

SAP is the CA, so why does it say this?

I also have a question connected with the contents of USREXTID. I have maintained the entries in this table under the External ID Type = DN. Again if someone could give an example I would be very grateful.

Regards,

Andy.

1 ACCEPTED SOLUTION

martin_voros
Active Contributor
0 Kudos

> When importing the certificate into my browser it says "This certificate cannot be verified up to a trusted certificate authority"

> SAP is the CA, so why does it say this?

The reason for this message is that the certificate is signed by SAP but it seems like the browser does not trust SAP. All browsers trust only certificates signed by certificates (CAs) that are imported into the browser. For example, if you go in IE to Internet Options -> Content -> Certificates then you can see all Trusted Root CAs and Intermediate CAs.

Off topic: if you see that list then it's a bit scary. The standard browser trusts lots of CAs. Currently, there is a discussion about solving this issue in the community. For example, check convergence.io.

Cheers

11 REPLIES

Former Member
0 Kudos

Did you install the cryptographic libraries as well? (so not the default seculib library)

Just to be sure: you are expecting this to work for web services or BSP applications, right? (so not SAPGui SSO)

Cheers,

Julius

Former Member
0 Kudos

Hi,

Thanks for the quick replies.

Julius, I have the SAP Cryptographic Library installed and I am trying to get this solution to work for access to SAP via Web Gui and BSP page for Web UI for CRM 7.0.

Martin, thanks for the tip. I have now downloaded and installed to my browser the certificate which includes SAP in the list of trusted CAs. The certificate warning has now disappeared.

I have been following this thread.

I'm at a similar situation where I get the message in my ICM trace saying "No Client Certificate".

Regards,

Andy.

0 Kudos

So it seems like the browser does not send a certificate. Have you tried a different browser? Or investigated why the certificate is not sent?

Cheers

Former Member
0 Kudos

Hi,

I've checked the client certificate downloaded from STRUST and signed by SAP CA. In the details of this certificate it says:

This certificate is intended for the following purpose(s):

- Ensures the identity of a remote computer

Is this correct for the certificate to provide authentication to the SAP system?

Regards,

Andy.

0 Kudos

Okay, so your browser can identify the server but who are you?

The server is expecting you to present a client certificate as well, but it appears you have not installed one and are mistaking the root certificate for your own authentication.

Key word: SAP Passport.

Cheers,

Julius

0 Kudos

Hi,

You should use a tool like HttpWatch to see if you really send a client certificate from your browser.

You can also increase the trace level of the ICM and then have a look at the trace file.

Regards,

Olivier

Former Member
0 Kudos

Hi,

Thanks again for the info. I'm struggling with the client certificate. Following the notes on help.sap.com:

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3a/7cddde33ff05cae10000000a128c20/frameset.htm

This talks about systems as clients, not users. I'm unsure of the following when setting up the certificate:

1) Where to set the client PSE in STRUST. SSL client SSL Client (Standard)?

2) What entries to put in Name, Org., Country etc.

3) What do I do with the response once signed by SAP and imported?

4) In table VUSREXTID I think I should be using DN. But what do I put as the external identifier? Would this be my Windows user?

All help appreciated.

Regards,

Andy.

0 Kudos

The SAP application servers can also act as a client in the communication, as is the case with type H and type G connections in SM59. In this case the client server is authenticating itself against another server.

However for the fundamentals and SAP specific related administration tasks I would strongly suggest taking some training, otherwise it will just cause headaches and speculation about what is going on...

SAP Education course ADM960 is what you are looking for.

Cheers,

Julius

Former Member
0 Kudos

Hi,

Thanks for everyone's help. I have now successfully performed SSO using X.509 certificates on to my Web UI and Web Gui.

The solution in the end was to import the SAP Passport CA Certificate from www.service.sap.com/tcsrootcert into the SSL Server Standard Certificate list in STRUST.

I have read many threads, notes and help pages on this subject and don't remember it being mentioned before.

My next issue will be to set up a process to allow users a similar process.

Thanks again.

Andy.

0 Kudos

> My next issue will be to set up a process to allow users a similar process.

Yes, this is one of the aspects of PKI based SSO which is well worth considering.

For the SAP service portals it works okay because the folks are reasonably techie savvy who go there looking for SAP notes and downloading software and reporting program errors.

For an end user, you must consider user friendliness, otherwise you are doomed.

Cheers,

Julius