02-05-2007 4:35 PM
Hi
I'd like to secure the user authentication of a BSP/BW application, and only the user authentication.
I have setup SSL on a Web AS ABAP server (Netweaver 04s) as described in several articles/sap notes/ weblogs ...
I have used System Logon and enable Logon via HTTPS.
Everything seems to work except that Firefox displays a warning message saying that the login page is encrypted but the data is transmitted "in clear". Does it mean that I actually did not encrypt the user/pass this way? What is the way to achieve this goal?
Thanks for your help
02-05-2007 5:21 PM
I would interpret this alert in the same way as you.
To clarify the issue I'd suggest taking a look into the (HTML) source code of the logon page. Look for the "POST" statement - it should use "https" and not "http".
Regards, Wolfgang
02-05-2007 6:45 PM
Are you going through a proxy or web dispatcher first? You will have to do SSL for them too.
02-05-2007 10:49 PM
No proxy, no web dispatcher for the moment although the latter will become a part of the problem to be solved.
The Login page source code is generated by System Logon option (SICF - Create / Change Service/ Error Pages/System Logon) and I cannot change it manually.
I have used System Logon because it seems to be recommended by SAP from Netweaver 04 SP1 (SAP Security Guide) as more flexible than the basic authentication mechanism.
The problem I have is pretty basic, and several web sites use HTTPS for authentication only (Yahoo Mail for example).
The question is: what is the right way to do it for a SAP BSP Application?
Thank you
02-06-2007 7:39 AM
Hi Serge,
this can have a couple of reasons. Could you please post the exact text of the message ? If there are pictures in the page, they may be included using HTTP. On the other hand, as Wolfgang mentioned, the post operation may use HTTP instead of HTTPS, which can be checked by looking at the HTML source. If it reads:
<form action="https://...." ...>
everything is ok. If it reads
<form action="something URI" ...>
it depends on the initial URL (you said this was https) or on a
<base href="...">
statement. As I haven't seen any base statements in BSP so far, I would guess this would be ok as well (BTW: this is the way it is handled in the system I just looked at).
However, if it reads
<form action="http://..." ...>
the logon data would be transmitted in plaintext.
02-06-2007 8:31 AM
Patrick,
The application is an example BSP application I use for testing purposes.
It is IT00 under /default_host/sap/bc/bsp/sap/it00 (SICF). My server is a Netweaver 04s ABAP Web AS.
The test is very easy to do if you have first configured SSL on your server as described here : /people/gregor.wolf3/blog/2005/10/11/setup-https-ssl-for-the-sneak-preview-sap-netweaver-04-abap-edition-on-windows)
1) Go to "Error Pages" Tab
2) Edit. Select System Logon. Press Configuration.
3) Define Service specific Settings
4) Select the options needed. In my case I have selected "Logon via HTTPS".
System Logon replaces Basic Authentication and has many options. You can even customize the look of the resulting page (see /people/sergio.ferrari2/blog/2007/04/06/bsphowto--customizing-the-design-of-system-logon-page-in-netweaver-04)
I thought it would allow authenticating a user using HTTPS, but I may have missed something here. So my question is still: Is there a SIMPLE way to use HTTPS only for user authentication in a BSP application without coding your own login page?
Thank you.
02-06-2007 8:54 AM
Hi Serge,
what I did refer to was the following question from you:
<i>Everything seems to work except that in Firefox displays a warning message saying that the login page is encrypted but the data is transmitted "in clear". Does it mean that I actually did not encrypt the user/pass this way ? What is the way to achieve this goal ?</i>
Setting the option 'Logon via HTTPS' should transmit the logon data encrypted, if HTTPS is configured correctly. As per the error message, I would say, this is the case.
Regards,
Patrick
02-06-2007 9:18 AM
Patrick
Sorry. Here is the error message issued by Firefox:
"Although the (logon) page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party. Are you sure you want to continue sending this information?"
I still have doubts. What do you think ?
Above all, I don't know whether these settings are available in Netweaver 04. My test servers are 04s only.
If HTTPS was not configured correctly, I don't think I would even have had the chance to see the login page displayed in my browser.
Best Regards
Serge
02-06-2007 9:33 AM
Hi Serge,
please tell me the following:
- what is the URL in the address bar of Firefox
- right-click into the page and select 'View Page Source'
search for '<form' and tell me what is behind 'action='
Thanks,
kind regards,
Patrick
<i>please award points to the person(s) that helped solving your question and tell us what the solution was.</i>
02-06-2007 9:41 AM
Hi Patrick
Address : https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open
Source code
Sorry it's quite long.
Regards
Serge
02-06-2007 9:53 AM
According to this info, the post should be made over SSL, because:
the Webpage is called using https:
https://pcyydsdv.pcy.edfgdf.fr/.
the form used is at /sap/bc/bsp/sap/it00/...
the Browser should combine this to
https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/.
This is at least what the standards say.
If you are still in doubt, you may use <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/12/adc54044ed7b2de10000000a155106/frameset.htm">ICF Recorder</a> to look at the incoming requests or you can use the <a href="https://addons.mozilla.org/firefox/966/">Tamper Data</a> tool for firefox.
At the moment I have no clue why Firefox makes that statement. To my understanding, it should not.
Kind regards,
Patrick
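The check described in the two posts above (resolve the form's action against a `<base href>` or, failing that, the page URL, and see whether the result is still https) can be automated. This is an added example, not code from the thread or from SAP; the host name and HTML pages are constructed for illustration, only the /sap/bc/bsp/sap/it00 path comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collects the first <base href> and every <form action> in a page."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base_href is None:
            self.base_href = a["href"]
        elif tag == "form":
            # A form without an action attribute submits to the document URL.
            self.actions.append(a.get("action") or "")


def plaintext_form_targets(page_url, html):
    """Resolve each form action the way a browser does (base href first, then
    the document URL) and return the resolved URLs that are not https."""
    parser = FormActionCollector()
    parser.feed(html)
    base = urljoin(page_url, parser.base_href) if parser.base_href else page_url
    resolved = [urljoin(base, action) for action in parser.actions]
    return [u for u in resolved if urlsplit(u).scheme.lower() != "https"]


# Constructed sample pages (hypothetical host webas.example.com).
PAGE_URL = "https://webas.example.com/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open"
RELATIVE_FORM = '<form action="/sap/bc/bsp/sap/it00/default.htm" method="post"></form>'
NO_ACTION_FORM = '<form method="post"><input name="sap-user"></form>'
ABSOLUTE_HTTP_FORM = '<form action="http://webas.example.com/sap/bc/bsp/sap/it00/default.htm"></form>'
BASE_HTTP_FORM = ('<head><base href="http://webas.example.com/"></head>'
                  '<body><form action="sap/bc/bsp/sap/it00/default.htm"></form></body>')

if __name__ == "__main__":
    for name, page in [("relative", RELATIVE_FORM), ("no action", NO_ACTION_FORM),
                       ("absolute http", ABSOLUTE_HTTP_FORM), ("base http", BASE_HTTP_FORM)]:
        bad = plaintext_form_targets(PAGE_URL, page)
        print(f"{name}: {'OK' if not bad else 'would post in clear to ' + ', '.join(bad)}")
```

A relative action or a missing action inherits the https scheme of the logon page; only an absolute http:// action or an http `<base href>` makes the browser submit the credentials unencrypted.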
02-06-2007 3:25 PM
Hi Serge,
just double checked here on a NW2004s system. The post runs over https.
Regards,
Patrick
02-07-2007 11:01 PM
Thanks again Patrick for your assistance.
I still don't know how to get rid of this warning which I don't have when using Internet Explorer.
Did you get the same warning with Firefox when using System Logon and the "Logon via HTTPS" option ? What application did you use for testing ?
02-08-2007 7:30 AM
Hi Serge,
I did use the it00 example app and Mozilla 2.0.
There was no pop up in my case.
kind regards,
Patrick
02-08-2007 8:50 AM
Patrick,
I'd like to close this thread but on my side the problem is not solved yet. I don't know what I did wrong.
Again, here is a list of the things I've done to allow user authentication through HTTPS on Web AS ABAP:
1) Configure SSL on the server :
a) Install SAP Cryptolib
b) Create SSL Server PSE (STRUST)
c) Send a certificate request to SAP (http://service.sap.com/ssltest)
d) Import the certificate response
e) Add the certificate to the certificate list
2) Configure ICM for HTTPS support (RZ10)
ssl/ssl_lib=/usr/sap/<sid>SYS/exe/run/libsapcrypto.o
sec/libsapsecu=/usr/sap/<sid>SYS/exe/run/libsapcrypto.o
ssf/ssfapi_lib=/usr/sap/<sid>SYS/exe/run/libsapcrypto.o
ssf/name = SAPSECULIB
icm/server_port_<xx> = PROT=HTTPS, PORT=1443
3) Verify the activation of HTTPS
SMICM -> Goto -> Services
4) Configure the IT00 application (SICF)
a) Logon Data
Procedure = Standard
Use All Logon procedures not checked
Security requirements = standard
Authentication = standard SAP user
b) Error Pages
System Logon -> Configuration
Define Service-specific settings
Actions during Logon : Logon via HTTPS
Thank you
Kind regards
Serge
02-08-2007 9:01 AM
Hi Serge,
that's the same I did, except that I did use port 443 instead of 1443. What Mozilla did you use? I'm still on 1.5.0.9.
regards,
Patrick
02-08-2007 10:10 AM
Patrick
I've uninstalled Firefox 2.0 and installed 1.5.0.9. I still have the same issue.
I even use port 443 instead of 1443. It makes me crazy.
Here is a copy of my ICM parameters (SMICM -> Goto -> Parameters -> Display)
ICM Parameter
Services
icm/server_port_0 = PROT=HTTP,PORT=80,EXTBIND=1
icm/server_port_1 = PROT=SMTP,PORT=0
icm/server_port_2 = PROT=HTTPS,PORT=443,EXTBIND=1
Hard limits
icm/max_services = 30
icm/listen_queue_len = 512
icm/req_queue_len = 500
icm/max_conn = 500
icm/max_sockets = 2048
Thread handling
icm/min_threads = 10
icm/max_threads = 50
icm/min_spare_threads = 3
Tracing and statistic
rdisp/TRACE = 1
icm/tracefile = dev_icm
icm/log_level = 0
icm/stat_level = 1
icm/security_log = LOGFILE=dev_icm_sec,MAXSIZEKB=500
icm/accept_remote_trace_level = 0
Monitoring
icm/ccms_monitoring = 1
icm/ccms_refresh_rate (sec.) = 30
Timeout handling
icm/keep_alive_timeout (sec.) = 60
icm/conn_timeout (msec.) = 5000
HTTP settings
icm/HTTP/max_request_size_KB = 102400
icm/HTTP/j2ee_0 = PREFIX=/,HOST=localhost,CONN=0-10,PORT=50000,SPORT=50003
icm/HTTP/server_cache_0 = PREFIX=/, CACHEDIR=/usr/sap/ZT3/DVEBMGS00/data/cache
icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=/usr/sap/ZT3/DVEBMGS00/data/icmanroot/admin,AUTHFILE=/usr/sap/ZT3/SYS
icm/HTTP/auth_0 = PREFIX=/,FILTER=SAP
HTTP(S) error handling
is/HTTP/show_detailed_errors = 1
HTTPS (SSL) settings
icm/HTTPS/verify_client = 1
ssf/name = SAPSECULIB
ssf/ssfapi_lib = /usr/sap/ZT3/SYS/exe/run/libsapcrypto.o
sec/libsapsecu = /usr/sap/ZT3/SYS/exe/run/libsapcrypto.o
ssl/ssl_lib = /usr/sap/ZT3/SYS/exe/run/libsapcrypto.o
Context Quotas
icm/HTTP/context_quota = 90%
icm/HTTPS/context_quota = 90%
icm/SMTP/context_quota = 90%
Memory Pipe settings
mpi/total_size_MB = 80
mpi/buffer_size = 65536
J2EE settings
rdisp/j2ee_start = 0
is/HTTP/default_root_hdl = J2EE
Content Filter settings
csi/enable = TRUE
csi/SAP/csa_lib = /usr/sap/ZT3/SYS/exe/run/libsapcsa.o
Misc
icm/host_name_full = pcyydsdv.pcy.edfgdf.fr
icm/cancel_strategy = cancel requests without session (stateless)
rdisp/plugin_auto_logout = 1800
is/HTTP/virt_host_0 = :;
is/SMTP/virt_host_0 = :;
I might give up, but it will be a pity because I'm close.
Thank you.
02-08-2007 10:33 AM
I do not have the SMTP port open, but this is the only real difference (and I have some doubts, that this could be the reason).
Did you do an HTTP trace or did you use Tamper Data to check what is happening?
Regards,
Patrick
02-08-2007 12:06 PM
Patrick,
Here is a Tamper log of the request to IT00 :
12:55:37.826[291ms][total 301ms] Status: 200[OK]
POST https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open Load Flags[INHIBIT_PERSISTENT_CACHING LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[765] Mime Type[text/html]
Request Headers:
Host[pcyydsdv.pcy.edfgdf.fr]
User-Agent[Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9]
Accept[text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5]
Accept-Language[en-us,en;q=0.5]
Accept-Encoding[gzip,deflate]
Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7]
Keep-Alive[300]
Connection[keep-alive]
Referer[https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open]
Cookie[sap-usercontext=sap-language=FR&sap-client=100]
Post Data:
sap-system-login-oninputprocessing[onLogin]
<b>sap-urlscheme[http]</b>
sap-system-login[onLogin]
sap-system-login-basic_auth[]
sap-client[100]
sap-accessibility[]
sap-system-login-cookie_disabled[]
sap-user[smadja]
sap-password[...]
sap-language[FR]
Response Headers:
Set-Cookie[MYSAPSSO2=AjExMDABAAxTTUFESkEgICAgICACAAMxMDADAAhaVDMgICAgIAQADDIwMDcwMjA4MTIwMgUABAAAAAgGAAFYCQABRgoADFNNQURKQSAgICAgIAsAA1pUMwwACFpUMyAgICAgDQAMMjAwNzAyMDgxMjAyDgAA%2fwKBMIICfQYJKoZIhvcNAQcCoIICbjCCAmoCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCAYYwggGCMIIBQgIBADAJBgcqhkjOOAQDMA4xDDAKBgNVBAMTA1pUMzAeFw05NzEwMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBaMA4xDDAKBgNVBAMTA1pUMzCB8TCBqAYHKoZIzjgEATCBnAJBAP%2f5NHN2y2abI%21kKFJStt%21ZEUcTVOz91DY6%21eP3H0syn75MU7%2fqAbsBCTKZl7Egcf9xoS0sZ0nO37pSoeTVNzwUCFQCK8B09W%21NPS6CUPRz0v0MMAG81qwJAa1Fw%21e9ZrQ2zGkzF%2flsfRO8IcNG4kLa23nP%2fxjsJOzLHRXc93ZMIp6gcmAQ0AbNSRtgA%21feqlnlr1Rf7%21ktvXANEAAJBAJ3dxO1lgagSp12ZLJvYfszkIwNsm8anwfwNZeLHgDguNzYJG797eqHRZ3BFMKnuTtb%21OI0SCLSPz%21KZaEhM0AkwCQYHKoZIzjgEAwMvADAsAhQfFOuI0mDltQeTVlaaYqYexUEEcAIUOVkFxWKzDOH1NhMn4aAAaYZxhhUxgcAwgb0CAQEwEzAOMQwwCgYDVQQDEwNaVDMCAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA3MDIwODEyMDIwMFowIwYJKoZIhvcNAQkEMRYEFNlsFxxVr5jBe2ONBmgbX5bNiDuYMAkGByqGSM44BAMELjAsAhQX56F7K04d8XHb6yAvAtOSdenzNwIUXJY1UzvsP4hvfE3vmPzqqEqGSr0%3d; path=/; domain=.pcy.edfgdf.fr]
Content-Type[text/html; charset=iso-8859-1]
Content-Length[765]
Pragma[no-cache]
Cache-Control[no-cache]
Server[SAP Web Application Server (1.0;700)]
Shouldn't the sap-urlscheme parameter be set to https?
Thank you.
Kind regards
Serge
02-08-2007 12:19 PM
The post is done via HTTPS (so this data is secure).
The sap-urlscheme is HTTP, as you requested only the logon to be HTTPS, not the subsequent pages.
Does Firefox already bring up its popup now, or only later?
Regards,
Patrick
02-08-2007 12:44 PM
Patrick
Actually later.
Here is the Tamper log of the last HTTPS request. The Popup appears right after POSTing this request.
13:33:12.448[281ms][total 301ms] Status: 200[OK]
POST https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open Load Flags[INHIBIT_PERSISTENT_CACHING LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[765] Mime Type[text/html]
Request Headers:
Host[pcyydsdv.pcy.edfgdf.fr]
User-Agent[Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9]
Accept[text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5]
Accept-Language[en-us,en;q=0.5]
Accept-Encoding[gzip,deflate]
Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7]
Keep-Alive[300]
Connection[keep-alive]
Referer[https://pcyydsdv.pcy.edfgdf.fr/sap/bc/bsp/sap/it00/default.htm?sap-sessioncmd=open]
Cookie[sap-usercontext=sap-language=FR&sap-client=100]
Post Data:
sap-system-login-oninputprocessing[onLogin]
sap-urlscheme[http]
sap-system-login[onLogin]
sap-system-login-basic_auth[]
sap-client[100]
sap-accessibility[]
sap-system-login-cookie_disabled[]
sap-user[smadja]
sap-password[<i>changed</i>]
sap-language[FR]
Response Headers:
Set-Cookie[MYSAPSSO2=AjExMDABAAxTTUFESkEgICAgICACAAMxMDADAAhaVDMgICAgIAQADDIwMDcwMjA4MTIzOQUABAAAAAgGAAFYCQABRgoADFNNQURKQSAgICAgIAsAA1pUMwwACFpUMyAgICAgDQAMMjAwNzAyMDgxMjM5DgAA%2fwKBMIICfQYJKoZIhvcNAQcCoIICbjCCAmoCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCAYYwggGCMIIBQgIBADAJBgcqhkjOOAQDMA4xDDAKBgNVBAMTA1pUMzAeFw05NzEwMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBaMA4xDDAKBgNVBAMTA1pUMzCB8TCBqAYHKoZIzjgEATCBnAJBAP%2f5NHN2y2abI%21kKFJStt%21ZEUcTVOz91DY6%21eP3H0syn75MU7%2fqAbsBCTKZl7Egcf9xoS0sZ0nO37pSoeTVNzwUCFQCK8B09W%21NPS6CUPRz0v0MMAG81qwJAa1Fw%21e9ZrQ2zGkzF%2flsfRO8IcNG4kLa23nP%2fxjsJOzLHRXc93ZMIp6gcmAQ0AbNSRtgA%21feqlnlr1Rf7%21ktvXANEAAJBAJ3dxO1lgagSp12ZLJvYfszkIwNsm8anwfwNZeLHgDguNzYJG797eqHRZ3BFMKnuTtb%21OI0SCLSPz%21KZaEhM0AkwCQYHKoZIzjgEAwMvADAsAhQfFOuI0mDltQeTVlaaYqYexUEEcAIUOVkFxWKzDOH1NhMn4aAAaYZxhhUxgcAwgb0CAQEwEzAOMQwwCgYDVQQDEwNaVDMCAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA3MDIwODEyMzkzNVowIwYJKoZIhvcNAQkEMRYEFKKWK64tWF6H4TLi3beQN%2fEqt9QeMAkGByqGSM44BAMELjAsAhRJJqlHRaUgEJ2gZqk7GUNooQZWLgIUQ67WbaPryrJwociqofKPTg2NDUk%3d; path=/; domain=.pcy.edfgdf.fr]
Content-Type[text/html; charset=iso-8859-1]
Content-Length[765]
Pragma[no-cache]
Cache-Control[no-cache]
Server[SAP Web Application Server (1.0;700)]
Regards
Serge
02-08-2007 12:50 PM
Btw, my name and password appear in clear!!! Do you have the same behavior?
(I modified the password before pasting the Tamper log in this forum.)
Thank you
Serge
02-08-2007 12:59 PM
Anything else would have been an error.
If you tamper data, you access the data BEFORE it is encrypted.
SSL encrypts everything (not only the password). Thus, using a network sniffer, you would have been able to see nothing; using the Firefox plugin, however, you can see everything. Btw, this is the same for traces on the server. This is even documented as a warning there!
Regards,
Patrick