SAP SSO with X.509 automate process with RSUSREXT

xymanuel

Hi,

We are trying to implement SAP SSO with X.509 certificates for HTTPS access (NWBC).

Our environment is: Windows 7 clients, Internet Explorer, NetWeaver ABAP 7.31 on Windows 2008 R2, Windows PKI.

I've done the following steps:
1. Configured SAP to accept certificates.

2. Created the certificate template "SAPSSO" in our PKI (built from AD information; subject name contains "Fully distinguished name", include e-mail, include User principal name in subject alternative name).

3. Started certmgr.msc on my client and requested a new certificate from the "SAPSSO" template.

  The new cert is stored on my client in my certificate list in certmgr.msc (later this should be done with AD autoenrollment).

4. Activated the certmap service in SICF https://mysapserver/sap/bc/webdynpro/sap/certmap

5. Opened the certmap service in my browser and linked the certificate with my SAP username.

6. Checked the entry in table USREXTID. The certmap service created a "DN" (distinguished name) entry for me:

EMAIL=firstename.lastname@company.com, CN=Firstname Lastname, OU=User, OU=town, OU=AG, OU=DE, DC=company, DC=net

7. Imported the master certificate in STRUST.

From this point everything is working fine for my user.

Now I want to generate the entries of the USREXTID table with the RSUSREXT report.

The report generates the SAP Username as part of the DN.

For example, I am able to build this DN with RSUSREXT:

EMAIL=firstename.lastname@company.com, CN=MYSAPUSERNAME, OU=User, OU=town, OU=AG, OU=DE, DC=company, DC=net

But this DN does not match my DN in my certificate!

My problem now is that I do not have my username in the DN of my certificate. Because of this, I cannot generate the table entries with this report.

In this KBA Andre Fischer is talking about implementing policy modules for the certificate template to be able to generate the Windows sAMAccountName into the DN.

"Reading other attributes than common name or fully distinguished name from the AD is a little bit trickier and requires a custom policy module."

I managed to change the template so that principalname=MYADUSERNAME is added as a subject alternative name in my certificate.

But I don't know how to fill the USREXTID table to match SANs in my certificate.

Does anyone have a solution for the AD certificate template to generate the AD account name in the DN?

Or does anyone know how to fill the USREXTID table so that the principal name is matched?

(PS: SAP username and AD name are the same for all of our users.)

Kind regards

Manuel
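Why the RSUSREXT-generated entry does not match, as an added illustration that is not code from the thread: the two DNs quoted above are split into RDNs and compared position by position, the way an exact-match table entry has to line up with the certificate subject. The parser, the handling of escaped commas and the attribute-type alias table (E / EMAILADDRESS treated as EMAIL) are assumptions of this example, not SAP's matching logic.

```python
"""Compare a certificate subject DN with a USREXTID-style DN entry.

Added example, not from the thread or from SAP: the sample DNs are the ones
quoted in the post; the parser and the alias table are this example's
assumptions.
"""
import re

# Subject DN as certmap wrote it to USREXTID (quoted in the post).
CERT_DN = ("EMAIL=firstename.lastname@company.com, CN=Firstname Lastname, "
           "OU=User, OU=town, OU=AG, OU=DE, DC=company, DC=net")
# DN that RSUSREXT builds: the SAP user name lands in CN (quoted in the post).
RSUSREXT_DN = ("EMAIL=firstename.lastname@company.com, CN=MYSAPUSERNAME, "
               "OU=User, OU=town, OU=AG, OU=DE, DC=company, DC=net")

# Assumed alias table: treat the common spellings of the e-mail attribute alike.
TYPE_ALIASES = {"E": "EMAIL", "EMAILADDRESS": "EMAIL"}


def parse_dn(dn):
    """Split an RFC 4514-style DN string into (TYPE, value) pairs.

    Backslash-escaped commas (e.g. 'O=Acme\\, Inc') are kept inside the
    value, which a naive split(',') would break; multi-valued RDNs (a+b)
    are not handled."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if not part:
            continue
        attr_type, _, value = part.partition("=")
        attr_type = attr_type.strip().upper()
        attr_type = TYPE_ALIASES.get(attr_type, attr_type)
        rdns.append((attr_type, value.strip().replace("\\,", ",")))
    return rdns


def dn_matches(cert_dn, table_dn, ignore_case=False):
    """True if the certificate DN equals the DN stored for mapping.

    The table DN must agree RDN for RDN and in the same order; a single
    differing RDN (here the CN) means no match at all."""
    a, b = parse_dn(cert_dn), parse_dn(table_dn)
    if ignore_case:
        a = [(t, v.casefold()) for t, v in a]
        b = [(t, v.casefold()) for t, v in b]
    return a == b


def dn_differences(cert_dn, table_dn):
    """List the positions where the two DNs disagree as
    (type, certificate value, table value) tuples, for troubleshooting."""
    a, b = parse_dn(cert_dn), parse_dn(table_dn)
    diffs = []
    for i in range(max(len(a), len(b))):
        ra = a[i] if i < len(a) else (None, None)
        rb = b[i] if i < len(b) else (None, None)
        if ra != rb:
            diffs.append((ra[0] or rb[0], ra[1], rb[1]))
    return diffs


if __name__ == "__main__":
    print("certificate DN vs itself  :", dn_matches(CERT_DN, CERT_DN))
    print("certificate DN vs RSUSREXT:", dn_matches(CERT_DN, RSUSREXT_DN))
    for attr, in_cert, in_table in dn_differences(CERT_DN, RSUSREXT_DN):
        print(f"  {attr}: certificate has {in_cert!r}, table has {in_table!r}")
```

Running it reports a single differing RDN, the CN, which is exactly the attribute RSUSREXT fills with the SAP user name and the certificate template fills with the display name.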

1 ACCEPTED SOLUTION


Hi Manuel,

I understood:

1. SAP Username and AD name is the same.

2. You already managed to get the SAP username into the subject alternative name of the certificate.

Fine.

So I have another idea. Using the rule-based certificate mapping you can completely get rid of having one entry per user and certificate in table USREXTID.

I assume this would simplify your scenario.

So you would:

1. Switch on the new mapping.

2. Go to transaction CERTRULE and create a rule that derives the login username out of the subject alternative name.

The new rule-based management also supports non-unique mappings (e.g. AD name does not equal SAP user name). In this case you would create an explicit mapping. This would be similar to USREXTID behavior. Migration from USREXTID entries to the new rule-based mapping is also provided (transaction certrule_mig).

More info is available in the documentation: Rule-Based Certificate Mapping - User Authentication and Single Sign-On - SAP Library

Regards,

Mathias

11 REPLIES


Hi Mathias,

that's the solution for our NW 7.31 and greater systems. Thanks a lot.

It worked instantly. I created just one certrule and switched login/certificate_mapping_rulebased to 1 in RZ11. My colleagues and I were able to log in after I filled the ALIAS field in SU01 with the value which is contained in the SAN field of my user's certificate:

myadusername@ourcompanydomain.de (value of SAN and ALIAS).

It's a generic rule which matches all certs signed by our PKI. Works as expected.

I only have to create a short report which fills the ALIAS field generically in our CUA system.

(I don't find a report like RSUSR300 that fills more than just the SNC name.)

Sadly I have no solution for our Solution Manager, which is only released on 7.02 by SAP.

Kind regards

Manuel Herr


Hi Manuel,

so you're one step further :-). I don't understand why you set the ALIAS. In the rule you can specify that the username is considered for logon. Or does that mean your SAP usernames are not identical to one of the AD fields that can be set in a policy module? Can you give an example of an SAP username and the corresponding ALIAS you want to map it to?

As always there are several ways to achieve this mapping. Coming back to the 7.02 system, you still might have to use a custom certificate module in the AD. Here's the link to the Microsoft documentation. Did you already know it?

Writing Custom Modules (Windows)

Another option you have is to develop the RSUSREXT BAdI. More information is available in note 1362866 - BAdI enhancement for report RSUSREXT. 7.02 is also covered :-).

Regards,

Mathias

Basically I derived my information from the German book "Single Sign-on mit SAP. Lösungen für die Praxis" by Martijn de Boer, Mathias Essenpreis, Stefanie Ga....

Chapter 4 describes your scenario in detail and it's even fully available in the book preview. So you might want to have a look at this as well.


Hi Mathias,

I set the alias because the mapping fails otherwise. I will be glad if you can tell me how to do it better.

For example, my certificate contains this SAN: herrma1@ourdomain.com.

herrma1 is also my SAP account and my windows account name.

In transaction CERTRULE I create a rule which matches the SAN to the ALIAS.

My certificate matches if the ALIAS is filled.

If I create this rule and try to match to the SAP username:

There is no match, because my SAP username is not herrma1@domain.com, it is only herrma1.

I'm not able to create a certificate which contains only my AD username as part of the UPN.

I have the book you mentioned in front of me. There is nothing in it about the CERTRULE transaction.

Nevertheless, I'm not a C#/C++ programmer who could build a custom module which generates other fields in the certificates, for example the UPN with only my username instead of the AD standard username@domain.com.

For the older releases I would need my username in the CN to get a match with the EXTID_DN.

But this also needs a custom module.

Thanks for the discussion

Manuel


Hi Manuel,

so following the central approach you would need some server functionality that

1. takes username@domain.com and

2. strips the @domain.com

One additional question on that: do you have the SAP username available as an AD field by chance? I know of customers using sapUserName as an LDAP attribute.

Of course there's still the option with the report in the AS ABAP (better would be the RSUSREXTID BAdI). But I assume having a central solution would be better.

Now we could argue that for the old systems you need to have a USREXTID mapping anyhow. But if this mapping were consistent you could make use of standard RSUSREXT without the necessity to code.

So I think we already have a solution. But a central solution is better. Let me think a little bit about how to achieve a central mapping.

Regards,

Mathias
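An added example, not SAP code and not posted by any participant, that puts the three mappings discussed in this thread side by side: the "SAN -> ALIAS" rule Manuel configured, the "SAN -> user name" rule that fails for herrma1@ourdomain.com, and the central "take username@domain.com, strip the @domain.com" approach Mathias describes, with an explicit USREXTID-style fallback for user names that follow no pattern. The user records, certificate fields, issuer DN, expected UPN suffix and rule format are constructed stand-ins; CERTRULE's own rule syntax is not reproduced, and the issuer comparison only stands in for the chain validation STRUST performs.

```python
"""Simulate rule-based certificate-to-user mapping for an ABAP logon.

Added example, not SAP code: certificate records, user records and the rule
format are constructed stand-ins for CERTRULE / SU01 to show which rule
maps herrma1@ourdomain.com to user HERRMA1 and which does not.
"""

TRUSTED_ISSUER = "CN=Our PKI Root CA, DC=ourdomain, DC=com"  # assumed issuer DN
EXPECTED_UPN_DOMAIN = "ourdomain.com"                        # assumed AD UPN suffix

# Constructed user master records (what SU01 would hold).
USERS = [
    {"bname": "HERRMA1", "alias": "herrma1@ourdomain.com"},
    {"bname": "JSMITH", "alias": ""},
]

# Constructed certificate, trimmed to the fields the mapping looks at.
CERT_HERRMA1 = {
    "issuer": TRUSTED_ISSUER,
    "subject_cn": "Manuel Herr",
    "san_upn": "herrma1@ourdomain.com",
}

# The three rules from the thread, in this example's own rule format.
RULE_UPN_TO_USERNAME = {"source": "san_upn", "transform": "none", "target": "bname"}
RULE_UPN_TO_ALIAS = {"source": "san_upn", "transform": "none", "target": "alias"}
RULE_UPN_LOCAL_TO_USERNAME = {"source": "san_upn", "transform": "strip_domain", "target": "bname"}


def local_part(upn, expected_domain):
    """username@domain -> username, but only for the domain our PKI issues
    certificates for; any other suffix yields None so it can never map."""
    user, sep, domain = upn.rpartition("@")
    if not sep or domain.casefold() != expected_domain.casefold():
        return None
    return user


def derive_value(rule, cert):
    """Take the certificate field the rule names and apply its transform."""
    value = cert.get(rule["source"])
    if value is None:
        return None
    if rule["transform"] == "strip_domain":
        return local_part(value, EXPECTED_UPN_DOMAIN)
    return value


def apply_rule(rule, cert, users):
    """Return the user names whose target field equals the derived value."""
    value = derive_value(rule, cert)
    if value is None:
        return []
    return [u["bname"] for u in users
            if u[rule["target"]].casefold() == value.casefold()]


def map_certificate(cert, rules, users, explicit_map=None,
                    trusted_issuers=(TRUSTED_ISSUER,)):
    """First rule that yields exactly one user wins.

    An ambiguous result (two users behind one SAN value) is refused rather
    than silently taking the first hit. If no rule matches, an explicit
    per-certificate mapping (USREXTID-like) is consulted."""
    if cert["issuer"] not in trusted_issuers:
        return None
    for rule in rules:
        hits = apply_rule(rule, cert, users)
        if len(hits) == 1:
            return hits[0]
        if len(hits) > 1:
            return None
    if explicit_map:
        return explicit_map.get(cert.get("san_upn"))
    return None


if __name__ == "__main__":
    for name, rule in (("SAN -> user name", RULE_UPN_TO_USERNAME),
                       ("SAN -> ALIAS", RULE_UPN_TO_ALIAS),
                       ("local part -> user name", RULE_UPN_LOCAL_TO_USERNAME)):
        print(f"{name:24s}: {apply_rule(rule, CERT_HERRMA1, USERS)}")
    print("mapped user:", map_certificate(CERT_HERRMA1, [RULE_UPN_LOCAL_TO_USERNAME], USERS))
```

The domain check in local_part is the part worth keeping if the stripping is ever done centrally: without it, any UPN with a matching local part would map, and the only thing standing between a foreign name and a logon would be the issuer check.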


Hi Mathias,

we have an LDAP connection to our Lotus Notes Domino Directory. There I have a field which contains the username. But I don't get the point. What could be the advantage of that?

My SAP username is already the same as the usernames in Lotus Domino LDAP or Windows AD LDAP. (We created a connection to the Domino directory because it contains more information than the AD.) I'm not 100% sure if our Windows AD already contains the schema extension for SAP (I think it is extended but will not be filled).

Regards

Manuel


Hello Manuel,

We are in the process of implementing a web service SSO between a .NET based web service and SAP ECC, based on the solution presented at SAP TechEd, "SIM208 SSO for SAP NetWeaver Leveraging X.509 Certificate Auto Enrollment in Microsoft Active Directory".

The users' X.509 certificates are stored in the user's personal store on each computer the user logs on to.

We have modified the .NET application to read the user's X.509 cert from his personal certs and send it to SAP. Since we already imported this X.509 on SAP ECC, the expectation is that when the user triggers the web service from the browser, the server sends the response asking "who are you", then the .NET application presents the certificate stored on the user's PC and then the communication is established.

Based on the above scenario, I have the following questions:

1. I have received the cert from the network folks, which has the below details, and I am planning to import it into ECC STRUST.

CN = My Company Root Certificate Authority

DC = mycompany

DC = org

When I create the certrule in ECC, if I have to map the Active Directory user to the SAP user, are the above details in the cert enough?

Thanks

Krish


Hello Krish,

if this is the root certificate which is used to sign the user certificates, it should be enough.

If you import the root cert in STRUST, you tell the SAP system to trust user certificates which are signed by this root cert.

The mapping must be done in transaction certrule.

The user certificate must contain the username in the DN. This must be the same name as the user has in SAP.

Does this answer your question?

Regards

Manuel


Hi Manuel,

Appreciate your time and quick response. Right now the AD infrastructure is set to issue certificates to users, the issued cert is stored in the Personal certificates folder, and the subject looks as below:

E = jsmith@mycompany.com

CN = John Smith

OU = Users

OU = USA

OU = HQ

DC = mycompany

DC = com

So as per your previous reply, I need to add one more entry, DC = USERNAME; is that the correct understanding?

When the .NET code triggers, which cert does the .NET code have to read, and from what location? Is it the CA-certified SAP certificate installed on the IIS server, or the user's personal certificate issued by the AD infrastructure and stored in his personal certificates folder?

Thanks

Krishna

Former Member

Hello Manuel,

SAP Single Sign-On (Secure Login Server and Secure Login Client) can also be a solution to this problem.
It can:

1. Authenticate with SPNEGO (automatic) or directly against an Active Directory (username/password)
2. Use the username (without the domain part) to generate an X.509 certificate

3. Use this certificate in subsequent authentication requests against ABAP/Portal.

Customers with inhomogeneous user names take this approach because the user mapping configuration is done via the Active Directory.
Alternatively, if the user name of the Active Directory users does not match a pattern, an attribute in the user's Active Directory entry can be used to generate another username from an LDAP attribute (LDAP User Mapping feature).

There are many flexible ways to generate user names here (padding etc.).


Take a look into the documentation (chapter 5.6.1 and following): http://scn.sap.com/docs/DOC-40145

best regards

Alexander Gimbel


Hello Alexander,

I also would say that the client is a solution for our problem. It will solve the topic of mixed authentication methods between the DIAG/SNC (Windows Kerberos DLL) and HTTP/S (certificates) protocols. And I guess it will be the easier way to implement.

The major difference is that the client needs licenses. If I can provide an SSO solution which costs "nothing", I would prefer it over a solution which costs ~100k€ for the whole company.

We have good experience with the SSO solution for the SAP GUI (SNC with Kerberos), but no solution for HTTP/S traffic.

Regards

Manuel