
Server not Prompting for Client Certificate

Former Member

We have an SICF node (with HTTP Class Handler) set up and want to do the client authentication using certificates. The Login Procedure is C (Required with SSL Certificate). However, when we call the service, the browser is not prompted for a certificate and we get a 403 error:

The termination occurred in system ESA with error code 403 and for the reason Forbidden. 
This service requires a client certificate for the logon procedure. 

We have parameter icm/HTTPS/verify_client set to 1.

SMICM Trace Log:

[Thr 5264] <<- SapSSLSessionInit()==SAP_O_K
[Thr 5264]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
[Thr 5264]     out: sssl_hdl = 00000000246FB0E0
[Thr 5264] NiIBlockMode: set blockmode for hdl 406 TRUE
[Thr 5264]   SSL NI-sock: local=194.11.93.51:443  peer=10.60.182.87:65143
[Thr 5264] <<- SapSSLSetNiHdl(sssl_hdl=00000000246FB0E0, ni_hdl=406)==SAP_O_K
[Thr 5264] <<- SapSSLSessionStart(sssl_hdl=00000000246FB0E0)==SAP_O_K
[Thr 5264]          status = "resumed SSL session, NO client cert"

This seems to indicate that no certificate was sent, but our understanding is the server must request it and the client (IE) will prompt the user. Also tried in FF and Chrome - no certificate prompt appears.

Accepted Solutions (0)

Answers (1)

isaias_freitas
Advisor

Hello,

IE would not prompt for a certificate, as far as I know.

FF would, but only if you have certificates installed on it.

Unlike Chrome (which uses the Windows certificate base, same as IE), FF has its own certificate base.

Since the parameter "icm/HTTPS/verify_client = 1" is set, the ICM is requesting a client certificate, as you can see in the trace:

[Thr 5264] <<- SapSSLSessionInit()==SAP_O_K
[Thr 5264]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
Is the client certificate properly installed on the user's computer?

In addition, the root CA (Certification Authority) certificate of the CA that signed the users' certificates has to be imported into the "server PSE" of the instance.

Regards,

Isaías
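
For reading longer SMICM traces of this kind, the following is an added example (not part of the original thread and not SAP code): it pairs each SapSSLSessionInit with the status line that follows on the same thread and flags sessions where a client certificate was asked for but none arrived. The function name and result keys are hypothetical; the sample input is the trace quoted in the question.

```python
import re

# Trace excerpt copied from the question above.
TRACE = """\
[Thr 5264] <<- SapSSLSessionInit()==SAP_O_K
[Thr 5264]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
[Thr 5264]     out: sssl_hdl = 00000000246FB0E0
[Thr 5264] NiIBlockMode: set blockmode for hdl 406 TRUE
[Thr 5264]   SSL NI-sock: local=194.11.93.51:443  peer=10.60.182.87:65143
[Thr 5264] <<- SapSSLSetNiHdl(sssl_hdl=00000000246FB0E0, ni_hdl=406)==SAP_O_K
[Thr 5264] <<- SapSSLSessionStart(sssl_hdl=00000000246FB0E0)==SAP_O_K
[Thr 5264]          status = "resumed SSL session, NO client cert"
"""

LINE = re.compile(r"^\[Thr (\d+)\]\s+(.*)$")
AUTH = re.compile(r"auth_type=(\d+) \((\w+)\)")
PEER = re.compile(r"peer=(\S+)")
STATUS = re.compile(r'status = "([^"]*)"')

def summarize_sessions(trace):
    """Return one dict per SSL session, tracked per ICM thread id."""
    open_sessions, done = {}, []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thr, body = m.groups()
        if "SapSSLSessionInit()" in body:      # a new session starts on this thread
            open_sessions[thr] = {"thread": thr, "auth_type": None, "peer": None}
            continue
        sess = open_sessions.get(thr)
        if sess is None:
            continue
        if (a := AUTH.search(body)):
            sess["auth_type"] = a.group(2)     # e.g. ASK_CLIENT_CERT
        elif (p := PEER.search(body)):
            sess["peer"] = p.group(1)
        elif (s := STATUS.search(body)):       # status line closes the session record
            status = s.group(1)
            sess["resumed"] = status.startswith("resumed")
            sess["no_client_cert"] = "NO client cert" in status
            # Flag only what the trace states: cert was asked for, none was presented.
            asked = sess["auth_type"] == "ASK_CLIENT_CERT"
            sess["asked_but_missing"] = asked and sess["no_client_cert"]
            done.append(open_sessions.pop(thr))
    return done

if __name__ == "__main__":
    for session in summarize_sessions(TRACE):
        print(session)
```

The `resumed` field is worth separating out: a resumed session reuses the result of an earlier handshake, so no new certificate request is sent on that connection.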