Solved: SSO with X509 Certificates not working

Former Member · ‎05-09-2014

Hello gentlemen.

By following this guide

I´m configuring the single sign on with X.509 certificates, to log on ABAP systems.

I´m using OpenSSL to generate the certificates (CA, Server, User), so, not using Secure Login Server.

Already have imported the certificates in strust, and the other steps described in the guide.

When i try to logon via sap logon, i´m receiving the error below.

Is any configuration to do in sap logon? Install something, like the package SAPSSO.msi, that is installed to use SSO with Kerberos?

Obs: I just configure the entry in sap logon, with the snc. In the error below, please note the bold text. In my entry there´s not the @IT... part.

SNC entry in sap logon:

p:CN=ET1, OU=IT

Tks!

SAP GUI for Windows 730

---------------------------

GSS-API(maj): Miscellaneous Failure

GSS-API(min): SSPI::IniSctx#1()==Specified target is unknown or unreac

target="p:CN=ET1, OU=IT@IT.COM.BR"

Time Thu May 08 16:46:28 2014

Component SNC (Secure Network Communication)

Release 730

Version 6

Module sncxxall.c

Line 3352

Method SncPEstablishContext

Return Code -4

System Call gss_init_sec_context

Counter 1

guilherme_deoliveira · ‎05-09-2014

Hello Marcos,

Additionally to the documentation Samuli sent you (and these steps indeed must be done), such error means that your SNC SAPCryptolib PSE's certificate is not signed/trusted by any known CA and, therefore, by your client.

You can either use a signed certificate into your PSE or to export your PSE's certificate and import it into your client machine too.

Best Regards,
Guilherme de Oliveira

Former Member · ‎05-09-2014

Updating...

I uninstall the package sapsso.msi from the client machine, and reinstall the sap secure login client.

Still receiving a error, but now is comprehensible.

Note that the @IT... is not showing anymore.

---------------------------

SAP GUI for Windows 730

---------------------------

GSS-API(maj): Miscellaneous failure

GSS-API(min): A2210223:Server does not trust my certificate path

target="p:CN=ET1, OU=IT"

Former Member · ‎05-09-2014

The CN used in SAP Logon must match the instance profile parameter snc/identity/as of AS ABAP. You didn't mention anything about generating and importing the client certificates and creating mappings for users. Those steps need to be done as well, see the application help for details.

Former Member · ‎05-09-2014

Hi Samuli.

Yes, the CN used in SAP Logon is the same.

The question now is setup the certificates again in strust.

But i think that the problem was the incompatible package sapsso.msi in the client machine.

guilherme_deoliveira · ‎05-09-2014

Hello Marcos,

Additionally to the documentation Samuli sent you (and these steps indeed must be done), such error means that your SNC SAPCryptolib PSE's certificate is not signed/trusted by any known CA and, therefore, by your client.

You can either use a signed certificate into your PSE or to export your PSE's certificate and import it into your client machine too.

Best Regards,
Guilherme de Oliveira

Former Member · ‎05-12-2014

Hi Guilherme.

Thanks, i´m adjusting strust now.