
Does SMP 3.0 support wildcard certificates?

Ivan-Mirisola
Product and Topic Expert

Folks,

I have successfully imported a wildcard certificate and corresponding root/intermediate certificates into the keystore for an Odata service.

The endpoint resides at *.sapdemocloud.com, so my "smp_keystore.jks" should look like this:

The wildcard certificate imported looks like this:

After creating a hybrid app configuration on my local SMP 3.0 I am not able to ping the OData service residing on this site which uses wildcard certificates.

The log file tells me that SSL failed to validate the certificate:


2014 11 18 11:37:31#0-200#DEBUG#org.apache.tomcat.util.net.jsse.JSSESupport##anonymous#http-bio-8083-exec-9###Error trying to obtain a certificate from the client javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
        at org.apache.tomcat.util.net.jsse.JSSESupport.getX509Certificates(JSSESupport.java:99)
        at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:156)
        at org.apache.coyote.http11.Http11Processor.actionInternal(Http11Processor.java:256)
        at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Processor.java:848)
        at org.apache.coyote.Request.action(Request.java:346)
        at org.apache.catalina.connector.Request.getAttribute(Request.java:956)
        at org.apache.catalina.connector.RequestFacade.getAttribute(RequestFacade.java:284)
        at javax.servlet.ServletRequestWrapper.getAttribute(ServletRequestWrapper.java:120)
        .......
        at org.apache.cxf.transport.https.SSLUtils.propogateSecureSession(SSLUtils.java:555)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:374)
        at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:87)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:464)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:149)
        at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:148)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPut(AbstractHTTPServlet.java:120)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:758)

I have created a different hybrid app with the backend OData just as explained here: and the ping works.

Basically the same steps to create both apps were taken. The only difference is the fact that the second one uses wildcard certificates.

Which leads me into thinking that SMP 3.0 doesn't handle this type of certificate.

I am using SMP 3.0 SPS04 PL02:


Any ideas?

BR,

Ivan

Answers (1)

Former Member

Hi Ivan,

I had the same issue with an Agentry app in SMP 3.0 SP3 (not tested again on SP4).

So, I think you are right and it looks like SMP3 is not supporting wildcard certificates at this point.

Cheers

bill_froelich
Product and Topic Expert

Agentry does not currently support wildcard certificates on any of the Agentry versions. It is a wishlist item, so I suggest opening a request for support.

--Bill

Ivan-Mirisola
Product and Topic Expert

Hi Bill,

My question is more related to OData as you can see on my original question.

Does SMP 3.0 support wildcard certificates for OData/Hybrid Apps?

BR,

Ivan

bill_froelich
Product and Topic Expert

I am not sure for OData / Hybrid apps. I do know that for Agentry apps and the Management Cockpit, the certificate the server presents is the smp_crt alias certificate. If you are trying to swap in a different certificate when you import, you should delete the smp_crt cert and replace it with your new certificate.

Not sure if that will solve your problem or not but something to consider.

--Bill

Ivan-Mirisola
Product and Topic Expert

Well,

What you are saying would help if the SMP server had to present a server certificate to a connecting device. In this case the SMP server "acts" as an SSL client to the SAP backend (OData). In that case, I would suspect only the backend server certificates should be imported into the truststore. That's what is mentioned in the Kapsel Part I document. This is something I have tested and it works, but not for the wildcard.

Thanks for the info anyway.

BR,

Ivan
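The thread turns on whether the SSL client side (SMP connecting to the OData backend) will accept a name such as *.sapdemocloud.com once the chain is trusted. The following is an added example, not code from the thread or from SMP, that implements the standard wildcard hostname rules a conforming TLS client applies (RFC 6125: wildcard only in the left-most label, never spanning a dot, never a bare *.tld) so you can check offline which hostnames a given certificate name should cover; the hostnames tested are constructed for illustration.

```python
"""Added example: RFC 6125-style matching of certificate DNS names to hostnames."""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match a single DNS label; '*' may stand for one or more characters."""
    if "*" not in pattern_label:
        return pattern_label == host_label
    if pattern_label.count("*") > 1:      # 'a*b*c' is not a valid wildcard label
        return False
    prefix, suffix = pattern_label.split("*")
    return (host_label.startswith(prefix)
            and host_label.endswith(suffix)
            and len(host_label) > len(prefix) + len(suffix))


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name `pattern` covers `hostname`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False                       # a wildcard never spans a dot
    if "*" in pattern:
        if "*" not in p_labels[0]:
            return False                   # wildcard allowed only in the left-most label
        if len(p_labels) < 3:
            return False                   # refuse '*.com'-style names
    if not _label_matches(p_labels[0], h_labels[0]):
        return False
    return all(p == h for p, h in zip(p_labels[1:], h_labels[1:]))


def check_endpoint(cert_names, hostname):
    """Return the first certificate name (SAN dNSName or CN) covering hostname, or None."""
    for name in cert_names:
        if hostname_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample: the wildcard name from the question and some candidate hosts.
    CERT_NAMES = ["*.sapdemocloud.com"]
    for host in ["odata.sapdemocloud.com", "sapdemocloud.com",
                 "a.b.sapdemocloud.com", "other-domain.example"]:
        print(f"{host:28} -> {check_endpoint(CERT_NAMES, host)}")
```

If the Java client in SMP is a standards-conforming verifier, only the first of those sample hosts should be accepted; a mismatch on that one points at the SMP/Java configuration rather than at the certificate.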