Web AS ABAP, Logon via HTTPS Help

Former Member
0 Kudos

Hi

I'd like to secure the user authentication of a BSP/BW application, and only the user authentication.

I have setup SSL on a Web AS ABAP server (Netweaver 04s) as described in several articles/sap notes/ weblogs ...

I have used System Logon and enable Logon via HTTPS.

Everything seems to work, except that Firefox displays a warning message saying that the login page is encrypted but the data is transmitted "in clear". Does it mean that I actually did not encrypt the user/pass this way? What is the way to achieve this goal?

Thanks for your help

22 REPLIES

WolfgangJanzen
Product and Topic Expert
0 Kudos

I would interpret this alert in the same way as you.

To clarify the issue, I'd suggest taking a look into the (HTML) source code of the logon page. Look for the "POST" statement - it should use "https" and not "http".

Regards, Wolfgang

Former Member
0 Kudos

Are you going through a proxy or web dispatcher first? You will have to do SSL for them too.

0 Kudos

No proxy, no web dispatcher for the moment although the latter will become a part of the problem to be solved.

The Login page source code is generated by System Logon option (SICF - Create / Change Service/ Error Pages/System Logon) and I cannot change it manually.

I have used System Logon because it seems to be recommended by SAP from Netweaver 04 SP1 (SAP Security Guide) as more flexible than the basic authentication mechanism.

The problem I have is pretty basic, and several web sites use HTTPS for authentication only (Yahoo Mail for example).

The question is: what is the right way to do it for a SAP BSP application?

Thank you

Former Member
0 Kudos

Hi Serge,

This can have a couple of reasons. Could you please post the exact text of the message? If there are pictures in the page, they may be included using HTTP. On the other hand, as Wolfgang mentioned, the POST operation may use HTTP instead of HTTPS, which can be checked by looking at the HTML source. If it reads:

<form action="https://...." ...> 

everything is ok. If it reads

<form action="something URI" ...>

it depends on the initial URL (you said this was https) or a

<base href="...">

statement. As I haven't seen any base statements in BSP so far, I would guess this would be ok as well (BTW: this is the way it is handled in the system I just looked at).

However, if it reads

<form action="http://..." ...>

the logon data would be transmitted in plaintext.

0 Kudos

Patrick,

The application is an example BSP application I use for testing purposes.

It is IT00 under /default_host/sap/bc/bsp/sap/it00 (SICF). My server is a Netweaver 04s ABAP Web AS.

The test is very easy to do if you have first configured SSL on your server as described here: /people/gregor.wolf3/blog/2005/10/11/setup-https-ssl-for-the-sneak-preview-sap-netweaver-04-abap-edition-on-windows

1) Go to "Error Pages" Tab

2) Edit. Select System Logon. Press Configuration.

3) Define Service specific Settings

4) Select the options needed. In my case I have selected "Logon via HTTPS".

System Logon replaces Basic Authentification and has many options. You can even customize the look of the resulting page (see /people/sergio.ferrari2/blog/2007/04/06/bsphowto--customizing-the-design-of-system-logon-page-in-netweaver-04)

I thought it would allow authenticating a user using HTTPS, but I may have missed something here. So my question is still: is there a SIMPLE way to use HTTPS only for user authentication in a BSP application without coding your own login page?

Thank you.

0 Kudos

Hi Serge,

what I did refer to was the following question from you:

<i>Everything seems to work, except that Firefox displays a warning message saying that the login page is encrypted but the data is transmitted "in clear". Does it mean that I actually did not encrypt the user/pass this way? What is the way to achieve this goal?</i>

Setting the option 'Logon via HTTPS' should transmit the logon data encrypted, if HTTPS is configured correctly. As per the error message, I would say this is the case.

Regards,

Patrick

0 Kudos

Patrick

Sorry. Here is the error message issued by Firefox:

"Although the (logon) page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party. Are you sure you want to continue sending this information?"

I still have doubts. What do you think?

Above all, I don't know if these settings are available in Netweaver 04. My test servers are 04s only.

If HTTPS was not configured correctly, I think I wouldn't even have the chance to see the login page displayed in my browser.

Best Regards

Serge

0 Kudos

Hi Serge,

please tell me the following:

- what is the URL in the address bar of Firefox

- right-click into the page and select 'View Page Source'

search for '<form' and tell me what is behind 'action='

Thanks,

kind regards,

Patrick

<i>please award points to the person(s) that helped solving your question and tell us what the solution was.</i>

0 Kudos

Hi Patrick

Address: https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open

Source code

[Connecter | javascript:void(0);]

[Modifier mot de passe | javascript:void(0);]

Copyright 2002-2005 SAP AG. Tous droits réservés.


Sorry it's quite long.

Regards

Serge

0 Kudos

According to this info, the POST should be made over SSL, because:

the web page is called using https:

https://pcyydsdv.pcy.edfgdf.fr/.

the form used is at /sap/bc/bsp/sap/it00/...

the browser should combine this to

https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/.

this is, at least, what the standards say.

If you are still in doubt, you may use the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/12/adc54044ed7b2de10000000a155106/frameset.htm">ICF Recorder</a> to look at the incoming requests, or you can use the <a href="https://addons.mozilla.org/firefox/966/">Tamper Data</a> tool for Firefox.

At the moment I have no clue why Firefox makes that statement. To my understanding, it should not.

Kind regards,

Patrick

<i>please award points to the person(s) that helped solving your question and tell us what the solution was.</i>
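Patrick's two replies above describe the check by hand: find the form's action and resolve it against the page URL (or a base href) the way a browser would. The following is an added example, not code from the thread or from SAP, that performs that resolution offline on a saved logon page; the host, page fragments and file names are placeholders constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    """Collects the first <base href> and every <form action> in the page."""
    def __init__(self):
        super().__init__()
        self.base_href = None
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base_href is None:
            self.base_href = a["href"]
        elif tag == "form":
            self.actions.append(a.get("action") or "")

def resolve_form_targets(page_url, html):
    """Return [(raw_action, resolved_url, scheme)] following browser rules:
    a relative action resolves against <base href> if present, otherwise the page URL;
    an empty or missing action posts back to the page URL itself."""
    scanner = _FormScanner()
    scanner.feed(html)
    base = urljoin(page_url, scanner.base_href) if scanner.base_href else page_url
    targets = []
    for action in scanner.actions:
        resolved = urljoin(base, action) if action else page_url
        targets.append((action, resolved, urlsplit(resolved).scheme))
    return targets

def plaintext_posts(page_url, html):
    """Forms whose submission would leave HTTPS (the case behind Firefox's warning)."""
    return [t for t in resolve_form_targets(page_url, html) if t[2] != "https"]

# Constructed logon page fragments (placeholder host); not the real System Logon HTML.
PAGE_URL = "https://webas.example.com/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open"
RELATIVE_FORM = '<form method="post" action="/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open">'
ABSOLUTE_HTTP_FORM = '<form method="post" action="http://webas.example.com/sap/bc/bsp/sap/it00/default.htm">'
BASE_HTTP_FORM = '<base href="http://webas.example.com/sap/bc/"><form method="post" action="bsp/sap/it00/default.htm">'
```

Only the relative form (the case Patrick found in the system he checked) resolves to https; an absolute http action or an http base href would make the logon POST leave the encrypted connection.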

0 Kudos

Hi Serge,

Just double-checked here on a NW2004s system. The POST runs over https.

Regards,

Patrick

0 Kudos

Thanks again Patrick for your assistance.

I still don't know how to get rid of this warning which I don't have when using Internet Explorer.

Did you get the same warning with Firefox when using System Logon and the "Logon via HTTPS" option? What application did you use for testing?

0 Kudos

Hi Serge,

I did use the it00 example app and Mozilla 2.0.

There was no pop up in my case.

kind regards,

Patrick

<i>please award points to the person(s) that helped solving your question and tell us what the solution was.</i>

0 Kudos

Patrick,

I'd like to close this thread but on my side the problem is not solved yet. I don't know what I did wrong.

Again, here is a list of the things I've done to allow user authentication through HTTPS on Web AS ABAP:

1) Configure SSL on the server:

a) Install SAP Cryptolib

b) Create SSL Server PSE (STRUST)

c) Send a certificate request to SAP (http://service.sap.com/ssltest)

d) Import the certificate response

e) Add the certificate to the certificate list

2) Configure ICM for HTTPS support (RZ10)

ssl/ssl_lib=/usr/sap/<sid>SYS/exe/run/libsapcrypto.o

sec/libsapsecu=/usr/sap/<sid>SYS/exe/run/libsapcrypto.o

ssf/ssfapi_lib=/usr/sap/<sid>SYS/exe/run/libsapcrypto.o

ssf/name = SAPSECULIB

icm/server_port_<xx> = PROT=HTTPS, PORT=1443

3) Verify the activation of HTTPS

SMICM -> Goto -> Services

4) Configure the IT00 application (SICF)

a) Logon Data

Procedure = Standard

Use All Logon procedures not checked

Security requirements = standard

Authentication = standard SAP user

b) Error Pages

System Logon -> Configuration

Define Service-specific settings

Actions during Logon: Logon via HTTPS

Thank you

Kind regards

Serge

0 Kudos

Hi Serge,

That's the same I did, except that I used port 443 instead of 1443. What Mozilla did you use? I'm still on 1.5.0.9.

regards,

Patrick

<i>please award points to the person(s) that helped solving your question and tell us what the solution was.</i>

Former Member
0 Kudos

Patrick

I've uninstalled Firefox 2.0 and installed 1.5.0.9. I still have the same issue.

I even use port 443 instead of 1443. It makes me crazy.

Here is a copy of my ICM parameters (SMICM -> Goto -> Parameters -> Display)

ICM Parameter

Services

icm/server_port_0 = PROT=HTTP,PORT=80,EXTBIND=1

icm/server_port_1 = PROT=SMTP,PORT=0

icm/server_port_2 = PROT=HTTPS,PORT=443,EXTBIND=1

Hard limits

icm/max_services = 30

icm/listen_queue_len = 512

icm/req_queue_len = 500

icm/max_conn = 500

icm/max_sockets = 2048

Thread handling

icm/min_threads = 10

icm/max_threads = 50

icm/min_spare_threads = 3

Tracing and statistic

rdisp/TRACE = 1

icm/tracefile = dev_icm

icm/log_level = 0

icm/stat_level = 1

icm/security_log = LOGFILE=dev_icm_sec,MAXSIZEKB=500

icm/accept_remote_trace_level = 0

Monitoring

icm/ccms_monitoring = 1

icm/ccms_refresh_rate (sec.) = 30

Timeout handling

icm/keep_alive_timeout (sec.) = 60

icm/conn_timeout (msec.) = 5000

HTTP settings

icm/HTTP/max_request_size_KB = 102400

icm/HTTP/j2ee_0 = PREFIX=/,HOST=localhost,CONN=0-10,PORT=50000,SPORT=50003

icm/HTTP/server_cache_0 = PREFIX=/, CACHEDIR=/usr/sap/ZT3/DVEBMGS00/data/cache

icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=/usr/sap/ZT3/DVEBMGS00/data/icmanroot/admin,AUTHFILE=/usr/sap/ZT3/SYS

icm/HTTP/auth_0 = PREFIX=/,FILTER=SAP

HTTP(S) error handling

is/HTTP/show_detailed_errors = 1

HTTPS (SSL) settings

icm/HTTPS/verify_client = 1

ssf/name = SAPSECULIB

ssf/ssfapi_lib = /usr/sap/ZT3/SYS/exe/run/libsapcrypto.o

sec/libsapsecu = /usr/sap/ZT3/SYS/exe/run/libsapcrypto.o

ssl/ssl_lib = /usr/sap/ZT3/SYS/exe/run/libsapcrypto.o

Context Quotas

icm/HTTP/context_quota = 90%

icm/HTTPS/context_quota = 90%

icm/SMTP/context_quota = 90%

Memory Pipe settings

mpi/total_size_MB = 80

mpi/buffer_size = 65536

J2EE settings

rdisp/j2ee_start = 0

is/HTTP/default_root_hdl = J2EE

Content Filter settings

csi/enable = TRUE

csi/SAP/csa_lib = /usr/sap/ZT3/SYS/exe/run/libsapcsa.o

Misc

icm/host_name_full = pcyydsdv.pcy.edfgdf.fr

icm/cancel_strategy = cancel requests without session (stateless)

rdisp/plugin_auto_logout = 1800

is/HTTP/virt_host_0 = :;

is/SMTP/virt_host_0 = :;

I might give up, but it would be a pity because I'm close.

Thank you.

0 Kudos

I do not have the SMTP port open, but this is the only real difference (and I have some doubts that this could be the reason).

Did you do an HTTP trace or did you use Tamper Data to check what is happening?

Regards,

Patrick

0 Kudos

Patrick,

Here is a Tamper log of the request to IT00:

12:55:37.826[291ms][total 301ms] Status: 200[OK]

POST https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open Load Flags[INHIBIT_PERSISTENT_CACHING LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[765] Mime Type[text/html]

Request Headers:

Host[pcyydsdv.pcy.edfgdf.fr]

User-Agent[Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9]

Accept[text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5]

Accept-Language[en-us,en;q=0.5]

Accept-Encoding[gzip,deflate]

Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7]

Keep-Alive[300]

Connection[keep-alive]

Referer[https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open]

Cookie[sap-usercontext=sap-language=FR&sap-client=100]

Post Data:

sap-system-login-oninputprocessing[onLogin]

<b>sap-urlscheme[http]</b>

sap-system-login[onLogin]

sap-system-login-basic_auth[]

sap-client[100]

sap-accessibility[]

sap-system-login-cookie_disabled[]

sap-user[smadja]

sap-password[...]

sap-language[FR]

Response Headers:

Set-Cookie[MYSAPSSO2=AjExMDABAAxTTUFESkEgICAgICACAAMxMDADAAhaVDMgICAgIAQADDIwMDcwMjA4MTIwMgUABAAAAAgGAAFYCQABRgoADFNNQURKQSAgICAgIAsAA1pUMwwACFpUMyAgICAgDQAMMjAwNzAyMDgxMjAyDgAA%2fwKBMIICfQYJKoZIhvcNAQcCoIICbjCCAmoCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCAYYwggGCMIIBQgIBADAJBgcqhkjOOAQDMA4xDDAKBgNVBAMTA1pUMzAeFw05NzEwMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBaMA4xDDAKBgNVBAMTA1pUMzCB8TCBqAYHKoZIzjgEATCBnAJBAP%2f5NHN2y2abI%21kKFJStt%21ZEUcTVOz91DY6%21eP3H0syn75MU7%2fqAbsBCTKZl7Egcf9xoS0sZ0nO37pSoeTVNzwUCFQCK8B09W%21NPS6CUPRz0v0MMAG81qwJAa1Fw%21e9ZrQ2zGkzF%2flsfRO8IcNG4kLa23nP%2fxjsJOzLHRXc93ZMIp6gcmAQ0AbNSRtgA%21feqlnlr1Rf7%21ktvXANEAAJBAJ3dxO1lgagSp12ZLJvYfszkIwNsm8anwfwNZeLHgDguNzYJG797eqHRZ3BFMKnuTtb%21OI0SCLSPz%21KZaEhM0AkwCQYHKoZIzjgEAwMvADAsAhQfFOuI0mDltQeTVlaaYqYexUEEcAIUOVkFxWKzDOH1NhMn4aAAaYZxhhUxgcAwgb0CAQEwEzAOMQwwCgYDVQQDEwNaVDMCAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA3MDIwODEyMDIwMFowIwYJKoZIhvcNAQkEMRYEFNlsFxxVr5jBe2ONBmgbX5bNiDuYMAkGByqGSM44BAMELjAsAhQX56F7K04d8XHb6yAvAtOSdenzNwIUXJY1UzvsP4hvfE3vmPzqqEqGSr0%3d; path=/; domain=.pcy.edfgdf.fr]

Content-Type[text/html; charset=iso-8859-1]

Content-Length[765]

Pragma[no-cache]

Cache-Control[no-cache]

Server[SAP Web Application Server (1.0;700)]

Shouldn't the sap-urlscheme parameter be set to https?

Thank you.

Kind regards

Serge

0 Kudos

The POST is done via HTTPS (so this data is secure).

The sap-urlscheme is HTTP because you requested only the logon to be HTTPS, not the subsequent pages.

Does Firefox already bring up its pop-up now, or only later?

Regards,

Patrick

0 Kudos

Patrick

Actually later.

Here is the Tamper log of the last HTTPS request. The pop-up appears right after POSTing this request.

13:33:12.448[281ms][total 301ms] Status: 200[OK]

POST https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open Load Flags[INHIBIT_PERSISTENT_CACHING LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[765] Mime Type[text/html]

Request Headers:

Host[pcyydsdv.pcy.edfgdf.fr]

User-Agent[Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9]

Accept[text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5]

Accept-Language[en-us,en;q=0.5]

Accept-Encoding[gzip,deflate]

Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7]

Keep-Alive[300]

Connection[keep-alive]

Referer[https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open]

Cookie[sap-usercontext=sap-language=FR&sap-client=100]

Post Data:

sap-system-login-oninputprocessing[onLogin]

sap-urlscheme[http]

sap-system-login[onLogin]

sap-system-login-basic_auth[]

sap-client[100]

sap-accessibility[]

sap-system-login-cookie_disabled[]

sap-user[smadja]

sap-password[<i>changed</i>]

sap-language[FR]

Response Headers:

Set-Cookie[MYSAPSSO2=AjExMDABAAxTTUFESkEgICAgICACAAMxMDADAAhaVDMgICAgIAQADDIwMDcwMjA4MTIzOQUABAAAAAgGAAFYCQABRgoADFNNQURKQSAgICAgIAsAA1pUMwwACFpUMyAgICAgDQAMMjAwNzAyMDgxMjM5DgAA%2fwKBMIICfQYJKoZIhvcNAQcCoIICbjCCAmoCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCAYYwggGCMIIBQgIBADAJBgcqhkjOOAQDMA4xDDAKBgNVBAMTA1pUMzAeFw05NzEwMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBaMA4xDDAKBgNVBAMTA1pUMzCB8TCBqAYHKoZIzjgEATCBnAJBAP%2f5NHN2y2abI%21kKFJStt%21ZEUcTVOz91DY6%21eP3H0syn75MU7%2fqAbsBCTKZl7Egcf9xoS0sZ0nO37pSoeTVNzwUCFQCK8B09W%21NPS6CUPRz0v0MMAG81qwJAa1Fw%21e9ZrQ2zGkzF%2flsfRO8IcNG4kLa23nP%2fxjsJOzLHRXc93ZMIp6gcmAQ0AbNSRtgA%21feqlnlr1Rf7%21ktvXANEAAJBAJ3dxO1lgagSp12ZLJvYfszkIwNsm8anwfwNZeLHgDguNzYJG797eqHRZ3BFMKnuTtb%21OI0SCLSPz%21KZaEhM0AkwCQYHKoZIzjgEAwMvADAsAhQfFOuI0mDltQeTVlaaYqYexUEEcAIUOVkFxWKzDOH1NhMn4aAAaYZxhhUxgcAwgb0CAQEwEzAOMQwwCgYDVQQDEwNaVDMCAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA3MDIwODEyMzkzNVowIwYJKoZIhvcNAQkEMRYEFKKWK64tWF6H4TLi3beQN%2fEqt9QeMAkGByqGSM44BAMELjAsAhRJJqlHRaUgEJ2gZqk7GUNooQZWLgIUQ67WbaPryrJwociqofKPTg2NDUk%3d; path=/; domain=.pcy.edfgdf.fr]

Content-Type[text/html; charset=iso-8859-1]

Content-Length[765]

Pragma[no-cache]

Cache-Control[no-cache]

Server[SAP Web Application Server (1.0;700)]

Regards

Serge

0 Kudos

BTW, my name and password appear in clear!!! Do you have the same behavior?

(I modified the password before pasting the Tamper log in this forum.)

Thank you

Serge

0 Kudos

Anything else would have been an error.

If you use Tamper Data, you access the data BEFORE it is encrypted.

SSL encrypts everything (not only the password). Thus, using a network sniffer, you would have been able to see nothing; using the Firefox plugin, however, you can see everything. BTW, this is the same for traces on the server. This is even documented as a warning there!

Regards,

Patrick
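Patrick's two points in this thread, that the URL scheme of the POST (not the readable fields in Tamper Data) decides whether the wire is encrypted, and that sap-urlscheme[http] means the pages after logon go back to plain HTTP, can be checked mechanically against a saved Tamper Data entry. The following is an added example, not code from the thread or from SAP; the sample entry is constructed after the log format shown above, with placeholder host, user name and ticket value, and the Set-Cookie check simply reports whether a Secure attribute is present.

```python
import re
from urllib.parse import urlsplit

# Constructed Tamper Data entry modelled on the thread's log (placeholder host, user, ticket).
SAMPLE_ENTRY = """\
13:33:12.448[281ms][total 301ms] Status: 200[OK]
POST https://webas.example.com/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open Load Flags[LOAD_DOCUMENT_URI] Content Size[765] Mime Type[text/html]
Request Headers:
Host[webas.example.com]
Post Data:
sap-urlscheme[http]
sap-user[EXAMPLEUSER]
sap-password[REDACTED]
Response Headers:
Set-Cookie[MYSAPSSO2=PLACEHOLDER_TICKET; path=/; domain=.example.com]
"""

REQUEST_LINE = re.compile(r"^(GET|POST)\s+(\S+)")
KV_LINE = re.compile(r"^([\w\-]+)\[(.*)\]$")

def parse_tamper_entry(text):
    """Split a Tamper Data entry into method, URL and per-section (key, value) lists."""
    entry = {"method": None, "url": None}
    section = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := REQUEST_LINE.match(line):
            entry["method"], entry["url"] = m.group(1), m.group(2)
        elif line.endswith(":"):
            section = line[:-1]                      # "Request Headers", "Post Data", ...
        elif (kv := KV_LINE.match(line)) and section:
            entry.setdefault(section, []).append((kv.group(1), kv.group(2)))
    return entry

def assess_logon_post(entry):
    """Defender-side checks: the URL scheme decides wire encryption, not what the plugin shows."""
    scheme = urlsplit(entry["url"] or "").scheme
    post = dict(entry.get("Post Data", []))
    findings = []
    if "sap-password" in post and scheme != "https":
        findings.append("credentials posted over plaintext " + scheme)
    if post.get("sap-urlscheme", "").lower() == "http":
        findings.append("sap-urlscheme=http: pages after logon return to http")
    for name, val in entry.get("Response Headers", []):
        if name.lower() == "set-cookie" and "secure" not in val.lower():
            findings.append("cookie set without Secure attribute: " + val.split("=", 1)[0])
    return scheme, findings
```

For the sample entry the scheme is https, so the password field is not flagged even though Tamper Data shows it readable; the two findings are the http sap-urlscheme and the MYSAPSSO2 cookie set without a Secure attribute.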