Skip to Content

Archived discussions are read-only. Learn more about SAP Q&A

Connect to sapstartsrv via sapcontrol -prot NI_HTTPS & SSO

Hello,

I try to setup a https based connection to the sapstartsrv service including a client certificate SSO. The server validation for SSL is successfully done at client side. The sapcontrol program validates the server certificate (based on self signed certificates issued by myself as this is just for test purpose)

I can see the request for the client certificate in the trace information of the sapstartsrv.log

[Thr 139637867071232] ->> SapSSLSessionInit(&sssl_hdl=7efff976be18, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))

[Thr 139637867071232] <<- SapSSLSessionInit()==SAP_O_K

[Thr 139637867071232]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"

...

[Thr 139637867071232]   No Client Certificate

The sapcontrol program should now send a client certificate... but I run into a http 401

sapcontrol -prot NI_HTTPS -host <remotehost> -nr <instancenumber> -function GetVersionInfo -debug

FAIL: HTTP error, HTTP/1.1 401 Unauthorized


If it is done via -queryuser the sapcontrol shows up with the requested information. But I want to do the authorization based on the certificate without providing user / pwd.


service/sso_admin_user_0 ist defined in the profile of sapstartsrv (default.pfl) which enables the request for the client certificate.

Self signed client certificate was added to SAPSSLC.pse on the sapcontrol side. The access is done from a linux system to another linux system. I read notes 1439348 and 1642340 and the sapcontrol / sapstartsrv is on kernel 7.21 PL 201.


Any ideas or suggestions on this issue ? 


Kind regards, Hinrich


Tags:
Former Member
Not what you were looking for? View more on this topic or Ask a question