LDAP with SSL for sell-side users?

former_member188433
Participant
0 Kudos

Hi Experts - We installed Sourcing 7.0 SP2 on NWCE 7.11 SP7. We want to use an LDAP for our external (Sell-side) users. This LDAP is not the UME for the NWCE instance. We were able to configure the LDAP in Sourcing Directory Config and add users from Sourcing, but there was a problem with password update so we are now trying to configure the LDAP connection to use SSL. But we are seeing connection issues after converting the LDAP connection to SSL.

- I changed Sourcing Directory Config to use the LDAP SSL port and I selected the "Use SSL" checkbox.

- I imported the LDAP server's SSL cert and the CA cert into NWCE > NWA > Key Storage service.

- I restarted the NWCE.

After all of these steps, when I try to add a contact to a supplier in Sourcing I get the error message: "Connection Error".

I verified that I can access the LDAP via SSL using the same server/CA certs via a third-party LDAP tool on my workstation.

Are there any steps I am missing in NWCE or Sourcing? Any help would be appreciated. Best Regards - Jeff

Accepted Solutions (0)

Answers (1)

0 Kudos

Hi Jeff,

Not exactly sure where the issue is, but a few things to check…

- You mentioned that you used the third party tool to verify the connection from your workstation. Were you able to do the same from the app server where Sourcing is running?

- Are you able to successfully connect to the LDAP from Sourcing without SSL? You could use the Test Configuration button on the Directory Configuration. This would ensure all other non-SSL-related attributes are set up correctly.

- Are there multiple JVMs on the server? If so I would make sure the JVM where the cert is imported is the same JVM Sourcing is using.

- Typically with LDAP related errors you would see an LDAP error code. I would try to find the error code and look it up online. It might shed some light on the details of the error.

Hope this helps.

Regards,

Vikram

former_member188433
Participant
0 Kudos

Hi Vikram - Thanks for your response.

- I haven't tested with a 3rd party tool from the app server yet - not sure what to use (wget maybe?). This is a Linux server. Any suggestions?

- I was able to connect successfully to the LDAP without SSL. The only issue then was with password maintenance. In Sourcing we saw "unable to generate password" errors and in eso.trc we saw OperationNotSupported error. This is why we are trying to use SSL.

- Probably there are multiple JVMs on the server. NW CE and Sourcing both use the SAP-supplied JVM 1.5. I am told that Sourcing 7.0 will refer to the same keystore as the NW CE. So up until now I have been using the NWA > Keystore service to import the certs from the LDAP server.

- We traced the traffic to and from the LDAP server. The SSL handshake starts but does not complete. We can see that Sourcing (the client) is contacting the LDAP and the LDAP server sends a response. It appears that a cipher suite is agreed upon, but after that the Sourcing server issues an "SSL: Encrypt Alert". The TLS error code is 46 (certificate_unknown).

Another interesting point: we only see the error in eso.trc and the error is described in a debug entry (not an actual error). Default.trc never shows any errors (although the log config appears correct).

Some forum posts indicate that the keytool command can be used, but these seem to be older posts. Any thoughts would be much appreciated.

Best Regards - Jeff

0 Kudos

Hi Jeff,

I'm not sure what 3rd party tools are available. I would imagine a standalone java program could be written which can be run from outside of the sourcing application to test connection to LDAP on port 636. In the java program you could specify the location of the keystore where the certificate was installed.

Regarding importing the certs into the keystore, I've used the keytool command in the past. NWA Keystore service probably does the same thing but I have not used it myself.

Regards,

Vikram

former_member188433
Participant
0 Kudos

Hi Vikram -

Our problem was solved once we found out where the SSL certificates needed to be stored. As it turns out, they must be stored in the default keystore (cacerts) of the JVM that is used by the NWCE. For us this was rather unusual, since we normally use the Netweaver NWA utilities. Apparently storing the certs using the NWA > Keystore Utility did not work.

Since this is our first NWCE project we do not know if this is typical for the CE environment or a special requirement of the Sourcing application.

Best Regards - Jeff
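
The standalone test program suggested in the thread, combined with the finding that the JVM's default cacerts is the store that matters, as an added example that is not part of the original posts. It attempts a TLS handshake to the LDAP SSL port trusting only the given trust store (by default the running JVM's cacerts) and prints the server's certificate chain. The class name `LdapsTrustCheck`, the argument order and the fallback password `changeit` are assumptions, and the code avoids syntax newer than Java 5.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example. Usage: java LdapsTrustCheck <host> <port> [truststore] [password]
// Run it with the same java binary the application server uses.
public class LdapsTrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: LdapsTrustCheck <host> <port> [truststore] [password]");
            System.exit(2);
        }
        String home = System.getProperty("java.home");
        // Assumption: with no path given, test the JVM default trust store (cacerts).
        String path = args.length > 2 ? args[2] : home + "/lib/security/cacerts";
        // "changeit" is the stock cacerts password; pass the real one if it was changed.
        char[] pass = (args.length > 3 ? args[3] : "changeit").toCharArray();
        System.out.println("java.home=" + home + " truststore=" + path);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try { ks.load(in, pass); } finally { in.close(); }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory()
            .createSocket(args[0], Integer.parseInt(args[1]));
        try {
            s.startHandshake(); // server chain is validated against the loaded store here
            Certificate[] chain = s.getSession().getPeerCertificates();
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                System.out.println("cert[" + i + "] subject=" + c.getSubjectDN()
                    + " issuer=" + c.getIssuerDN());
            }
            System.out.println("RESULT: handshake OK, chain trusted by this store");
        } catch (SSLHandshakeException e) {
            System.out.println("RESULT: handshake FAILED: " + e.getMessage());
        } finally {
            s.close();
        }
    }
}
```

The printed `java.home` shows which JVM, and therefore which cacerts file, is being tested. The check covers chain trust only; it does not compare the certificate name with the host name.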