11-25-2013 8:19 AM
Hi SAP Expert,
Currently I am trying to set up SSO using an X.509 certificate, but after performing the steps below, I am still getting this log "resumed SSL session, NO client cert" in my SMICM logs at trace level 3. Any clue? Thanks.
RZ10 :
icm/HTTPS/verify_client 1
ssf/name SAPSECULIB
sec/libsapsecu E:\usr\sap\CSB\SYS\exe\uc\NTAMD64\sapcrypto.dll
ssf/ssfapi_lib E:\usr\sap\CSB\SYS\exe\uc\NTAMD64\sapcrypto.dll
ssl/ssl_lib E:\usr\sap\CSB\SYS\exe\uc\NTAMD64\sapcrypto.dll
Strust :
server name : aws-sandbox-sap-crm-app.domain.com
SSL server Standard created with details :
- owner : CN=sandbox-hcilink.domain.com, O=company, L=Port Washington, SP=New York, C=US
- certificate list : CN=sandbox-hcilink.domain.com, O=company, L=Port Washington, SP=New York, C=US
- issuer : CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
SM30 : VUSREXTID (DN)
external ID : CN=sandbox-hcilink.domain.com, O=company, L=Port Washington, SP=New York, C=US
user : yangha <- my SAP user id
issuer : CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entru
11-25-2013 4:41 PM
Hello Hariyono,
The message "resumed SSL session, NO client cert" means that your client and server do not trust each other, therefore client certificates are not being used for authentication.
There is more than one reason for such a message... The most common is if your Server PSE uses a self-signed certificate and this certificate is not imported into your client PSE (which does not seem to be the case here)... It seems that your CA Root and Intermediate certificates are not imported into your Client PSE. Please double check such settings...
You might have to restart your ICM after changing the STRUST configuration:
-> Transaction SMICM -> Administration -> ICM -> Exit Soft -> Global -> Yes
I hope this helps.
Best Regards,
Guilherme de Oliveira
11-26-2013 5:07 AM
Hi Guilherme,
I checked my certificate under SSL System Client SSL Client in STRUST and there is no "self-signed" stated over there. With this, can I confirm that the Root and Intermediate certificates have already been imported into the Client PSE?
11-25-2013 7:46 PM
Not all browsers support SSL resume, you might want to try with different browsers as well.
11-26-2013 1:13 AM
Hi,
Have you installed the client certificate in your browser?
See the following link:
http://wiki.scn.sap.com/wiki/x/VYVXFQ
Thanks.
Jim
11-26-2013 5:01 AM
Not yet. Initially we purchased the certificate for our SSL Server Standard from Entrust:
the CSR was sent to Entrust and in return they sent us 1 root file, 1 chain file and 1 .pfx file.
Are there any steps for how to generate the client certificate, so that I can use this certificate and import it into my browser?
11-27-2013 12:52 PM
Hello Hariyono,
To import the certificate response into your PSE, you can follow the wiki page:
http://wiki.sdn.sap.com/wiki/x/qoz_Eg
To import the CA Root certificate into your browser, it depends on the browser itself... In IE, for example:
IE: Tools -> Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities -> Import
I hope this clarifies.
Best Regards,
Guilherme de Oliveira