X.509 Logon through Web Dispatcher


Dear colleagues,

I tried to configure X.509-Based Logon to Java AS through Web Dispatcher.

Source system received error "Not authorized". In dev_webdisp I found:

[Thr 140556505413376] Fri Dec 25 10:59:33 2015
[Thr 140556505413376]   SSL NI-hdl 112: local=<ip_webdisp>:12290  peer=<ip_target_Java_AS>:50001
[Thr 140556505413376] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x7fd5d81ec750)==SSSLERR_SERVER_CERT_MISMATCH


In the Web Dispatcher profile I added:

icm/HTTPS/forward_ccert_as_header = true
wdisp/ssl_encrypt=1
wdisp/ssl_auth=2
wdisp/ssl_cred=$(SECUDIR)/SAPSSLC.pse
wdisp/ssl_ignore_host_mismatch=1
icm/HTTPS/trust_client_with_issuer = *
icm/HTTPS/trust_client_with_subject = *

Could you please help me to resolve this issue?

Thanks a lot,

Alexander

Accepted Solutions (0)

Answers (2)

feng_shi
Active Participant

Hi,

Could you please reproduce this issue and attach the complete level 3 SAP Web Dispatcher trace file (dev_webdisp)?

Best regards,

Shi Feng


Dear Shi Feng,

An external system tried to connect to SAP NetWeaver PI 7.0 through SAP Web Dispatcher and authenticate with an X.509 certificate. I use SSL termination on the Web Dispatcher and re-encrypt. The client certificate is forwarded as a header. But the web service on the Java AS did not receive the certificate. Log attached to reply.

With best regards,

Alexander

nicola_blasi
Active Participant

Hi Alexander

Did you import the Java certificates into the Web Dispatcher client PSE (SAPSSLC.pse)?

After this did you run sapgenpse seclogin for the user (ex. sidadm)?

Thanks

Nick

isaias_freitas
Advisor

Hello,

Add the parameters

icm/HTTPS/trust_client_with_issuer = *
icm/HTTPS/trust_client_with_subject = *

to the AS Java profiles as well. See SAP KBA 2160678 for a more secure setup.

Regards,

Isaías

feng_shi
Active Participant

Hi,

dev_webdisp:

========================================

... ....

[Thr 140667272742656] ->> SapSSLGetPeerInfo(sssl_hdl=0x1ca2f40, &cert=0x7fefa6d2b988, &cert_len=0x7fefa6d2b990,
[Thr 140667272742656] &subject_dn=0x7fefa6d2b980, &issuer_dn=0x7fefa6d2b978, &cipher=0x7fefa6d2b970)
[Thr 140667272742656] <<- SapSSLGetPeerInfo(sssl_hdl=0x1ca2f40)==SAP_O_K
[Thr 140667272742656]     out: subject  = "CN=PSED_USER, OU=DBT, O=Komus, L=Moscow, SP=Russia, C=RU"
[Thr 140667272742656]     out: issuer   = "CN=Komus WEB Service SED Root Certificate Authority, OU=DBT, O=Komus, L=Moscow, SP=Russia, C=RU"
[Thr 140667272742656]     out: cert_len = 649
[Thr 140667272742656]     out: cipher   = "TLS_RSA_WITH_AES128_CBC_SHA"
[Thr 140667272742656] HttpModGetDefRules: Client certificate received: with len=649, subj="CN=PSED_USER, OU=DBT, O=Komus, L=Moscow, SP=Russia, C=RU", issuer="CN=Komus WEB Service SED Root Certificate Authority, OU=DBT, O=Komus, L=Moscow, SP=Russia, C=RU", cipher="TLS_RSA_WITH_AES128_CBC_SHA"
[Thr 140667272742656] HttpModGetDefRules: determined the defactions: ADD_CERT_TO_HEADER COMPAT_HANDLING  (148)

=> the Web Dispatcher received the request with the client certificate correctly and added the certificate to the header correctly...

[Thr 140667272742656]   MatchTargetName("sapex.komus.net", "CN=sapex.komus.net") == EXACT match
[Thr 140667272742656] <<- SapSSLSessionStart(sssl_hdl=0x2584610)==SAP_O_K
[Thr 140667272742656]  in/out: status = "resumed SSL session"
[Thr 140667272742656]   Subject DN = "CN=sapex.komus.net, OU=DBT, O=Komus, L=Moscow, SP=Moscow, C=RU"
[Thr 140667272742656]   Issuer  DN = "CN=komus-lan-CA, DC=komus, DC=lan"
[Thr 140667272742656] IcmConnPoolNiWatchRemove: NI watch entry <ce>, number 0 removed.
[Thr 140667272742656] IcmConnPoolNewEntry: created new entry 0x7fefa003d4f0[0] for pool 0x7fefa0000a50 (nihdl=206, ssl=0x2584610)
[Thr 140667272742656] ICR: IcrAttachToServer('!J2EES' 2 2 0 1 port:50001/1/-1) 0-> 0
[Thr 140667272742656] HTTP request [5/21/1] dispatched to SID='KSD', destination='sapex_KSD_00'
[Thr 140667272742656] HTR: routing to destination 'sapex_KSD_00' (balanceable=0)
[Thr 140667272742656] server triggered
[Thr 140667272742656]    Pool Entry 0x7fefa003d4f0:
[Thr 140667272742656]    NI: 206, SSL: 0x2584610, allocated: 1, inuse: 1, desc: 0x7fefa0000b00
[Thr 140667272742656] local host:  172.30.1.64:13319
[Thr 140667272742656] remote host: 172.30.1.20:50001

=> the request was sent to the backend AS Java system (sapex_KSD_00) correctly

[Thr 140667272742656] HttpParseResponseHeader: Keep-Alive: 0
[Thr 140667272742656] HTTP response  [5/21/1]:
[Thr 140667272742656]   HTTP/1.1 401 Unauthorized
[Thr 140667272742656]   connection: close
[Thr 140667272742656]   pragma: no-cache
[Thr 140667272742656]   cache-control: no-cache
[Thr 140667272742656]   expires: 0
[Thr 140667272742656]   content-type: text/html
[Thr 140667272742656]   content-length: 1787
[Thr 140667272742656]   server: SAP J2EE Engine/7.00
[Thr 140667272742656]   date: Mon, 28 Dec 2015 08:19:39 GM

=> however, the response from the backend AS Java system is "HTTP/1.1 401 Unauthorized".

=> so, the issue is not on the SAP Web Dispatcher side

=> the root cause is on the Java AS sapex_KSD_00 side

Please see Isaias Freitas's reply: refer to SAP KBA 2160678 and add the parameters to the AS Java profiles.

If the issue still occurs, please also get a level 3 ICM trace of the backend system.

Best regards,

Shi Feng
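The check that Isaias' and Shi Feng's replies point at, modelled in Python as an added illustration (this is not SAP's code): the AS Java ICM only hands a certificate forwarded by the Web Dispatcher to the ClientCertLoginModule when the Web Dispatcher's own TLS client certificate (the one from SAPSSLC.pse) matches icm/HTTPS/trust_client_with_issuer and icm/HTTPS/trust_client_with_subject. The header name SSL_CLIENT_CERT, the exact-DN matching rule and all sample DNs are assumptions, not values from the thread.

```python
# Added model (not SAP's code) of the trust check an ICM applies before it
# passes a client certificate forwarded by SAP Web Dispatcher to the
# ClientCertLoginModule. Assumptions are marked inline.
from dataclasses import dataclass
from typing import Dict, Optional

CERT_HEADER = "SSL_CLIENT_CERT"          # assumed header name (base64 DER)
ISSUER_PARAM = "icm/HTTPS/trust_client_with_issuer"
SUBJECT_PARAM = "icm/HTTPS/trust_client_with_subject"


@dataclass(frozen=True)
class Intermediary:
    """Subject/issuer of the TLS client certificate the Web Dispatcher
    presents from SAPSSLC.pse on its re-encrypted connection to the AS Java."""
    subject: str
    issuer: str


def _dn_trusted(pattern: Optional[str], dn: str) -> bool:
    """Assumed matching rule: parameter absent -> nothing trusted,
    '*' -> every DN trusted, otherwise an exact DN comparison."""
    if pattern is None:
        return False
    pattern = pattern.strip()
    return pattern == "*" or pattern == dn


def forwarded_cert(profile: Dict[str, str], peer: Intermediary,
                   headers: Dict[str, str]) -> Optional[str]:
    """Certificate the login module will see, or None if the header is dropped.
    Both DN checks must pass; otherwise the ICM ignores the header and the
    ClientCertLoginModule logs 'No certificate provided' -> 401 Unauthorized."""
    cert = headers.get(CERT_HEADER)
    if cert is None:
        return None
    if not (_dn_trusted(profile.get(ISSUER_PARAM), peer.issuer)
            and _dn_trusted(profile.get(SUBJECT_PARAM), peer.subject)):
        return None
    return cert


def outcome(profile: Dict[str, str], peer: Intermediary, headers: Dict[str, str]) -> str:
    cert = forwarded_cert(profile, peer, headers)
    return "X.509 logon possible" if cert else "401 Unauthorized: No certificate provided"


# Constructed sample values (not the thread's real systems).
WEBDISP = Intermediary("CN=webdisp.example.test, O=Example", "CN=Example Internal CA")
OTHER = Intermediary("CN=other-proxy.example.test, O=Example", "CN=Example Internal CA")
HEADERS = {CERT_HEADER: "<base64 DER of the end-user certificate, constructed placeholder>"}

NO_TRUST: Dict[str, str] = {}                       # AS Java profile before the fix
WILDCARD = {ISSUER_PARAM: "*", SUBJECT_PARAM: "*"}  # works, but every accepted TLS peer may assert identities
PINNED = {ISSUER_PARAM: WEBDISP.issuer, SUBJECT_PARAM: WEBDISP.subject}  # hardened: only this Web Dispatcher

if __name__ == "__main__":
    for name, prof in (("no trust params", NO_TRUST), ("wildcard", WILDCARD), ("pinned", PINNED)):
        print(f"{name:16} webdisp -> {outcome(prof, WEBDISP, HEADERS)}")
        print(f"{name:16} other   -> {outcome(prof, OTHER, HEADERS)}")
```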


Dear Feng Shi

I tried switching the ICM log to level 3 but found nothing there.

I used diagtool and found there:

15:32:32:267 Warning J2EE_GUEST SAPEngine_Application_Thread[impl:3]_20 ~ation.loginmodule.ClientCertLoginModule Obsolete options passed to ClientCertLoginModule. Please fix policy configurations.
15:32:32:268 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_20 ~module.ClientCertLoginModule.initialize Options of the class com.sap.engine.services.security.server.jaas.ClientCertLoginModule after removing obsoletes: {}
15:32:32:268 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_20 ~ation.loginmodule.ClientCertLoginModule Rule 0:
GetUserFrom -> WholeCert
OID -> null
AttributeName -> null
FilterSubject -> []
FilterIssuer -> []
logonWithAlias -> false
15:32:32:268 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_20 ~module.ClientCertLoginModule.initialize Exiting method
15:32:32:268 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_20 ~loginmodule.ClientCertLoginModule.login Entering method
15:32:32:268 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_20 ~ation.loginmodule.ClientCertLoginModule Certificates provided by the callback:
15:32:32:268 Info J2EE_GUEST SAPEngine_Application_Thread[impl:3]_20 ~ation.loginmodule.ClientCertLoginModule No certificate provided.
15:32:32:269 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_20 ~loginmodule.ClientCertLoginModule.login Exiting method
15:32:32:269 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_20 ~es.security.authentication.logincontext Unsuccessful login: no login module succeeded. The size of the used authentication stack sap.com/Sed2Elite_OWS-ear*Sed2Elite_OWS_Sed2Elite_OWS_SecureSoap is 1.
15:32:32:269 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_20 ~engine.services.security.authentication Exception : No login module succeeded.
java.lang.Exception
    at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
    at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
    at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:137)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:188)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.doLogin(SessionServletContext.java:743)
    at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.checkUser(SessionServletContext.java:315)
    at com.sap.engine.services.servlets_jsp.server.runtime.context.ApplicationContext.checkMap(ApplicationContext.java:521)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.checkRequest(HttpHandlerImpl.java:68)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:968)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:219)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
15:32:32:269 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_20 ~es.security.authentication.logincontext Unsuccessful login: no login module succeeded. The size of the used authentication stack sap.com/Sed2Elite_OWS-ear*Sed2Elite_OWS_Sed2Elite_OWS_SecureSoap is 1.
15:32:32:270 Path J2EE_GUEST SAPEngine_Application_Thread[impl:3]_20 ~engine.services.security.authentication Exception : No login module succeeded.
java.lang.Exception
    at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)
    at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)
    at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:137)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:188)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:246)
    at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.doLogin(SessionServletContext.java:743)
    at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.checkUser(SessionServletContext.java:315)
    at com.sap.engine.services.servlets_jsp.server.runtime.context.ApplicationContext.checkMap(ApplicationContext.java:521)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.checkRequest(HttpHandlerImpl.java:68)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:968)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:219)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
15:32:32:270 Debug J2EE_GUEST SAPEngine_Application_Thread[impl:3]_20 ~es.security.authentication.logincontext LOGIN.FAILED
User: N/A
Authentication Stack: sap.com/Sed2Elite_OWS-ear*Sed2Elite_OWS_Sed2Elite_OWS_SecureSoap

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
1. com.sap.engine.services.security.server.jaas.ClientCertLoginModule      SUFFICIENT  ok          false                 false
        #1 CertAuth =
        #2 issuer =
        #3 SerialNumber =
        #4 subject =

With best regards,

Alexander

feng_shi
Active Participant

Hi Alexander,

Did you do as per Isaias Freitas's reply, i.e. refer to SAP KBA 2160678 and add the parameters to the AS Java profiles?

If yes, please reproduce this issue and provide the level 3 traces of both the SAP Web Dispatcher and the AS Java ICM.

Best regards,

Shi Feng

Sriram2009
Active Contributor

Dear,

Thank you for the response.

But in my case, the Java AS did not receive the certificates as a header.


With best regards,

Alexander

Sriram2009
Active Contributor

Dear Alexander

Could you refer to SAP KBA 1851929?

Regards

SS