on 12-25-2015 8:44 AM
Dear colleagues,
I tried to configure X.509-based logon to Java AS through Web Dispatcher.
The source system received the error "Not authorized". In dev_webdisp I found:
[Thr 140556505413376] Fri Dec 25 10:59:33 2015
[Thr 140556505413376] SSL NI-hdl 112: local=<ip_webdisp>:12290 peer=<ip_target_Java_AS>:50001
[Thr 140556505413376] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x7fd5d81ec750)==SSSLERR_SERVER_CERT_MISMATCH
In the Web Dispatcher profile I added:
icm/HTTPS/forward_ccert_as_header = true
wdisp/ssl_encrypt=1
wdisp/ssl_auth=2
wdisp/ssl_cred=$(SECUDIR)/SAPSSLC.pse
wdisp/ssl_ignore_host_mismatch=1
icm/HTTPS/trust_client_with_issuer = *
icm/HTTPS/trust_client_with_subject = *
Could you please help me to resolve this issue?
Thanks a lot,
Alexander
Hi,
Could you please reproduce this issue and attach the complete level 3 SAP Web Dispatcher trace file (dev_webdisp)?
Best regards,
Shi Feng
Dear Shi Feng,
An external system tried to connect to SAP NetWeaver PI 7.0 through SAP Web Dispatcher and authenticate with an X.509 certificate. I am using SSL termination on the Web Dispatcher with re-encryption. The client certificate is forwarded as a header. But the web service on Java AS did not receive the certificate. Log attached to reply.
With best regards,
Alexander
Hello,
Add the parameters
icm/HTTPS/trust_client_with_issuer = *
icm/HTTPS/trust_client_with_subject = *
to the AS Java profiles as well. See SAP KBA 2160678 for a more secure setup.
Regards,
Isaías
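As an added illustration of what the two trust parameters decide on the backend (example code, not SAP's and not from this thread): once TLS is terminated at the Web Dispatcher, the backend only ever sees the dispatcher's own TLS session, so it must decide whether to believe a certificate delivered in a header at all. The model below honours the forwarded identity only when the TLS peer's issuer and subject match the backend's trusted values; `*` matches anything, as in the profile values posted above. The header name, the Web Dispatcher DNs and the exact matching rules are assumptions for illustration, and the forwarded header is modelled as the certificate's subject DN rather than the full encoded certificate.

```python
"""Trust rule for a client certificate forwarded as an HTTP header.

Added example, not SAP code.  It models, in simplified form, what
icm/HTTPS/trust_client_with_issuer / icm/HTTPS/trust_client_with_subject
express on the backend: a forwarded certificate is honoured only when the
TLS peer that delivers it (after re-encryption, the Web Dispatcher) is one
the backend trusts to have terminated TLS.  Header name, DNs and matching
rules below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical header name; the header ICM really uses is not taken from this thread.
FORWARDED_CERT_HEADER = "x-forwarded-client-cert"


@dataclass(frozen=True)
class TlsPeer:
    """Subject and issuer DN of the certificate presented on the TLS session
    that carries the request into the backend."""
    subject: str
    issuer: str


@dataclass(frozen=True)
class TrustPolicy:
    """Backend profile values.  '*' (as in the thread) matches any DN, so a
    policy of ('*', '*') trusts every TLS peer to forward identities."""
    trusted_issuer: str
    trusted_subject: str

    def trusts(self, peer: TlsPeer) -> bool:
        return (dn_matches(self.trusted_issuer, peer.issuer)
                and dn_matches(self.trusted_subject, peer.subject))


def normalize_dn(dn: str) -> str:
    """Compare RDN lists without caring about whitespace after commas."""
    return ",".join(part.strip() for part in dn.split(","))


def dn_matches(pattern: str, dn: str) -> bool:
    return pattern == "*" or normalize_dn(pattern) == normalize_dn(dn)


def resolve_client_identity(policy: TrustPolicy, peer: TlsPeer,
                            headers: Dict[str, str],
                            direct_client_cert_subject: Optional[str] = None) -> Optional[str]:
    """Return the subject DN the application should authenticate, or None.

    The forwarded header (modelled as the forwarded certificate's subject DN)
    is used only when the TLS peer is trusted; otherwise it is ignored and
    only a certificate presented directly on this TLS session counts.
    """
    forwarded = headers.get(FORWARDED_CERT_HEADER)
    if forwarded is not None and policy.trusts(peer):
        return forwarded
    return direct_client_cert_subject


# Constructed identities for the demonstration (not from the thread).
WEBDISP = TlsPeer(subject="CN=webdisp.example.net, O=Example",
                  issuer="CN=Example Internal CA, O=Example")
OTHER_PEER = TlsPeer(subject="CN=other-host.example.net, O=Example",
                     issuer="CN=Example Internal CA, O=Example")
WILDCARD_POLICY = TrustPolicy("*", "*")
PINNED_POLICY = TrustPolicy(trusted_issuer=WEBDISP.issuer,
                            trusted_subject=WEBDISP.subject)
# The end-client DN is the one quoted in the dispatcher trace in this thread.
FORWARDED = {FORWARDED_CERT_HEADER: "CN=PSED_USER, OU=DBT, O=Komus, L=Moscow, SP=Russia, C=RU"}

if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD_POLICY), ("pinned", PINNED_POLICY)):
        for peer in (WEBDISP, OTHER_PEER):
            print(name, peer.subject, "->", resolve_client_identity(policy, peer, FORWARDED))
```

With the wildcard pair the backend accepts a forwarded identity from any TLS peer that can reach it; pinning the pair to the Web Dispatcher's own certificate DNs is what a tighter setup looks like in this model, which is the direction to go once the basic flow works.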
Hi,
dev_webdisp:
========================================
... ....
[Thr 140667272742656] ->> SapSSLGetPeerInfo(sssl_hdl=0x1ca2f40, &cert=0x7fefa6d2b988, &cert_len=0x7fefa6d2b990,
[Thr 140667272742656] &subject_dn=0x7fefa6d2b980, &issuer_dn=0x7fefa6d2b978, &cipher=0x7fefa6d2b970)
[Thr 140667272742656] <<- SapSSLGetPeerInfo(sssl_hdl=0x1ca2f40)==SAP_O_K
[Thr 140667272742656] out: subject = "CN=PSED_USER, OU=DBT, O=Komus, L=Moscow, SP=Russia, C=RU"
[Thr 140667272742656] out: issuer = "CN=Komus WEB Service SED Root Certificate Authority, OU=DBT, O=Komus, L=Moscow, SP=Russia, C=RU"
[Thr 140667272742656] out: cert_len = 649
[Thr 140667272742656] out: cipher = "TLS_RSA_WITH_AES128_CBC_SHA"
[Thr 140667272742656] HttpModGetDefRules: Client certificate received: with len=649, subj="CN=PSED_USER, OU=DBT, O=Komus, L=Moscow, SP=Russia, C=RU", issuer="CN=Komus WEB Service SED Root Certificate Authority, OU=DBT, O=Komus, L=Moscow, SP=Russia, C=RU", cipher="TLS_RSA_WITH_AES128_CBC_SHA"
[Thr 140667272742656] HttpModGetDefRules: determined the defactions: ADD_CERT_TO_HEADER COMPAT_HANDLING (148)
=> the Web Dispatcher received the request with the client certificate correctly and added the certificate to the header correctly...
[Thr 140667272742656] MatchTargetName("sapex.komus.net", "CN=sapex.komus.net") == EXACT match
[Thr 140667272742656] <<- SapSSLSessionStart(sssl_hdl=0x2584610)==SAP_O_K
[Thr 140667272742656] in/out: status = "resumed SSL session"
[Thr 140667272742656] Subject DN = "CN=sapex.komus.net, OU=DBT, O=Komus, L=Moscow, SP=Moscow, C=RU"
[Thr 140667272742656] Issuer DN = "CN=komus-lan-CA, DC=komus, DC=lan"
[Thr 140667272742656] IcmConnPoolNiWatchRemove: NI watch entry <ce>, number 0 removed.
[Thr 140667272742656] IcmConnPoolNewEntry: created new entry 0x7fefa003d4f0[0] for pool 0x7fefa0000a50 (nihdl=206, ssl=0x2584610)
[Thr 140667272742656] ICR: IcrAttachToServer('!J2EES' 2 2 0 1 port:50001/1/-1) 0-> 0
[Thr 140667272742656] HTTP request [5/21/1] dispatched to SID='KSD', destination='sapex_KSD_00'
[Thr 140667272742656] HTR: routing to destination 'sapex_KSD_00' (balanceable=0)
[Thr 140667272742656] server triggered
[Thr 140667272742656] Pool Entry 0x7fefa003d4f0:
[Thr 140667272742656] NI: 206, SSL: 0x2584610, allocated: 1, inuse: 1, desc: 0x7fefa0000b00
[Thr 140667272742656] local host: 172.30.1.64:13319
[Thr 140667272742656] remote host: 172.30.1.20:50001
=> the request was sent to the backend AS Java system (sapex_KSD_00) correctly
[Thr 140667272742656] HttpParseResponseHeader: Keep-Alive: 0
[Thr 140667272742656] HTTP response [5/21/1]:
[Thr 140667272742656] HTTP/1.1 401 Unauthorized
[Thr 140667272742656] connection: close
[Thr 140667272742656] pragma: no-cache
[Thr 140667272742656] cache-control: no-cache
[Thr 140667272742656] expires: 0
[Thr 140667272742656] content-type: text/html
[Thr 140667272742656] content-length: 1787
[Thr 140667272742656] server: SAP J2EE Engine/7.00
[Thr 140667272742656] date: Mon, 28 Dec 2015 08:19:39 GM
=> however, the response from the backend AS Java system is "HTTP/1.1 401 Unauthorized".
=> so the issue is not on the SAP Web Dispatcher side
=> the root cause is on the Java AS sapex_KSD_00 side
Please see Isaias Freitas's reply, refer to SAP KBA 2160678, and add the parameters to the AS Java profiles.
If the issue still occurs, please also get a level 3 ICM trace of the backend system.
Best regards,
Shi Feng
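The reasoning in this reply can be made mechanical. The following Python script is an added example, not from SAP or from anyone in this thread: it scans dev_webdisp lines for the same markers read by hand above (the client certificate received by the dispatcher, the ADD_CERT_TO_HEADER default action, the dispatch to the backend destination, the backend status line, and any SapSSL error on the dispatcher-to-backend session) and reports on which side the failure sits. The sample lines are constructed from the fragments quoted in this thread, and the line formats are assumed only to the extent those fragments show them.

```python
"""Locate, from dev_webdisp trace lines, which side of a Web Dispatcher
X.509 forwarding setup failed.  Added example, not SAP code; trace line
formats are assumed from the fragments quoted in the thread."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

THR_PREFIX = re.compile(r"^\[Thr \d+\]\s*")
CERT_RECEIVED = re.compile(
    r'HttpModGetDefRules: Client certificate received: with len=(\d+), '
    r'subj="([^"]*)", issuer="([^"]*)"')
DEFACTIONS = re.compile(r"HttpModGetDefRules: determined the defactions: (.*)")
DISPATCHED = re.compile(
    r"HTTP request \[[\d/]+\] dispatched to SID='([^']*)', destination='([^']*)'")
RESPONSE_HDR = re.compile(r"HTTP response \[[\d/]+\]:")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})")
SSL_ERROR = re.compile(r"<<- ERROR: SapSSL\w+\([^)]*\)==(\w+)")


@dataclass
class TraceFindings:
    client_cert_subject: Optional[str] = None
    client_cert_issuer: Optional[str] = None
    cert_added_to_header: bool = False
    sid: Optional[str] = None
    destination: Optional[str] = None
    backend_status: Optional[int] = None
    ssl_errors: List[str] = field(default_factory=list)


def analyze_trace(lines: Iterable[str]) -> TraceFindings:
    """Single pass over trace lines; the backend status line is the line
    that follows the 'HTTP response [...]:' marker."""
    f = TraceFindings()
    expect_status = False
    for raw in lines:
        line = THR_PREFIX.sub("", raw.strip())
        if expect_status:
            expect_status = False
            m = STATUS_LINE.match(line)
            if m:
                f.backend_status = int(m.group(1))
                continue
        m = CERT_RECEIVED.search(line)
        if m:
            f.client_cert_subject, f.client_cert_issuer = m.group(2), m.group(3)
            continue
        m = DEFACTIONS.search(line)
        if m:
            f.cert_added_to_header = "ADD_CERT_TO_HEADER" in m.group(1).split()
            continue
        m = DISPATCHED.search(line)
        if m:
            f.sid, f.destination = m.group(1), m.group(2)
            continue
        if RESPONSE_HDR.search(line):
            expect_status = True
            continue
        m = SSL_ERROR.search(line)
        if m:
            f.ssl_errors.append(m.group(1))
    return f


def locate_fault(f: TraceFindings) -> str:
    """Same order of checks as the reply: TLS errors first, then whether a
    client cert arrived and was forwarded, then what the backend answered."""
    if f.ssl_errors:
        return "dispatcher TLS session failed: " + ", ".join(f.ssl_errors)
    if f.client_cert_subject is None:
        return "no client certificate reached the Web Dispatcher"
    if not f.cert_added_to_header:
        return "client certificate received but not forwarded as header"
    if f.backend_status is None:
        return "no backend response seen in trace"
    if f.backend_status in (401, 403):
        return f"backend {f.destination} rejected the forwarded certificate (HTTP {f.backend_status})"
    return f"backend {f.destination} answered HTTP {f.backend_status}"


# Constructed from the trace fragments quoted in the thread (DNs as posted).
SAMPLE_401 = [
    '[Thr 140667272742656] HttpModGetDefRules: Client certificate received: with len=649, '
    'subj="CN=PSED_USER, OU=DBT, O=Komus, L=Moscow, SP=Russia, C=RU", '
    'issuer="CN=Komus WEB Service SED Root Certificate Authority, OU=DBT, O=Komus, L=Moscow, SP=Russia, C=RU", '
    'cipher="TLS_RSA_WITH_AES128_CBC_SHA"',
    "[Thr 140667272742656] HttpModGetDefRules: determined the defactions: ADD_CERT_TO_HEADER COMPAT_HANDLING (148)",
    "[Thr 140667272742656] HTTP request [5/21/1] dispatched to SID='KSD', destination='sapex_KSD_00'",
    "[Thr 140667272742656] HttpParseResponseHeader: Keep-Alive: 0",
    "[Thr 140667272742656] HTTP response [5/21/1]:",
    "[Thr 140667272742656] HTTP/1.1 401 Unauthorized",
    "[Thr 140667272742656] server: SAP J2EE Engine/7.00",
]
SAMPLE_CERT_MISMATCH = [
    "[Thr 140556505413376] SSL NI-hdl 112: local=<ip_webdisp>:12290 peer=<ip_target_Java_AS>:50001",
    "[Thr 140556505413376] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x7fd5d81ec750)==SSSLERR_SERVER_CERT_MISMATCH",
]

if __name__ == "__main__":
    for name, sample in (("first post", SAMPLE_CERT_MISMATCH), ("level 3 trace", SAMPLE_401)):
        print(f"{name}: {locate_fault(analyze_trace(sample))}")
```

Run against a real dev_webdisp, feed the file's lines to `analyze_trace`; the two constructed samples reproduce the two states seen in this thread, the initial SSSLERR_SERVER_CERT_MISMATCH on the dispatcher-to-backend session and the later 401 from the backend after the certificate was forwarded correctly.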
Dear Feng Shi,
I tried to switch the ICM trace to level 3 but found nothing there.
I used diagtool and found this there:
15:32:32:267 | Warning | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~ation.loginmodule.ClientCertLoginModule | Obsolete options passed to ClientCertLoginModule. Please fix policy configurations. |
15:32:32:268 | Debug | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~module.ClientCertLoginModule.initialize | Options of the class com.sap.engine.services.security.server.jaas.ClientCertLoginModule after removing obsoletes: {} |
15:32:32:268 | Debug | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~ation.loginmodule.ClientCertLoginModule | Rule 0: GetUserFrom -> WholeCert OID -> null AttributeName -> null FilterSubject -> [] FilterIssuer -> [] logonWithAlias -> false |
15:32:32:268 | Path | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~module.ClientCertLoginModule.initialize | Exiting method |
15:32:32:268 | Path | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~loginmodule.ClientCertLoginModule.login | Entering method |
15:32:32:268 | Debug | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~ation.loginmodule.ClientCertLoginModule | Certificates provided by the callback: |
15:32:32:268 | Info | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~ation.loginmodule.ClientCertLoginModule | No certificate provided. |
15:32:32:269 | Path | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~loginmodule.ClientCertLoginModule.login | Exiting method |
15:32:32:269 | Debug | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~es.security.authentication.logincontext | Unsuccessful login: no login module succeeded. The size of the used authentication stack sap.com/Sed2Elite_OWS-ear*Sed2Elite_OWS_Sed2Elite_OWS_SecureSoap is 1. |
15:32:32:269 | Path | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~engine.services.security.authentication | Exception : No login module succeeded. java.lang.Exception at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175) at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263) at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:137) at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:188) at java.security.AccessController.doPrivileged(AccessController.java:246) at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181) at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.doLogin(SessionServletContext.java:743) at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.checkUser(SessionServletContext.java:315) at com.sap.engine.services.servlets_jsp.server.runtime.context.ApplicationContext.checkMap(ApplicationContext.java:521) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.checkRequest(HttpHandlerImpl.java:68) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:968) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265) at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(AccessController.java:219) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176) |
15:32:32:269 | Debug | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~es.security.authentication.logincontext | Unsuccessful login: no login module succeeded. The size of the used authentication stack sap.com/Sed2Elite_OWS-ear*Sed2Elite_OWS_Sed2Elite_OWS_SecureSoap is 1. |
15:32:32:270 | Path | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~engine.services.security.authentication | Exception : No login module succeeded. java.lang.Exception at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175) at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263) at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:137) at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:188) at java.security.AccessController.doPrivileged(AccessController.java:246) at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:246) at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.doLogin(SessionServletContext.java:743) at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.checkUser(SessionServletContext.java:315) at com.sap.engine.services.servlets_jsp.server.runtime.context.ApplicationContext.checkMap(ApplicationContext.java:521) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.checkRequest(HttpHandlerImpl.java:68) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:968) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265) at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(AccessController.java:219) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176) |
15:32:32:270 | Debug | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~es.security.authentication.logincontext | LOGIN.FAILED User: N/A Authentication Stack: sap.com/Sed2Elite_OWS-ear*Sed2Elite_OWS_Sed2Elite_OWS_SecureSoapLogin Module Flag Initialize Login Commit Abort Details 1. com.sap.engine.services.security.server.jaas.ClientCertLoginModule SUFFICIENT ok false false #1 CertAuth = #2 issuer = #3 SerialNumber = #4 subject = |
With best regards,
Alexander
Hi Alexander,
Could you check this SCN link: AS Java 7.20+ - x.509 client cert authentication with SSL termination at SAP Web Dispatcher - SAP Ne...
Regards,
SS
Thank you for the response.
But in my case, Java AS did not receive the certificate as a header.
From diagtool:
15:32:32:267 | Warning | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~ation.loginmodule.ClientCertLoginModule | Obsolete options passed to ClientCertLoginModule. Please fix policy configurations. |
15:32:32:268 | Debug | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~module.ClientCertLoginModule.initialize | Options of the class com.sap.engine.services.security.server.jaas.ClientCertLoginModule after removing obsoletes: {} |
15:32:32:268 | Debug | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~ation.loginmodule.ClientCertLoginModule | Rule 0: GetUserFrom -> WholeCert OID -> null AttributeName -> null FilterSubject -> [] FilterIssuer -> [] logonWithAlias -> false |
15:32:32:268 | Path | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~module.ClientCertLoginModule.initialize | Exiting method |
15:32:32:268 | Path | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~loginmodule.ClientCertLoginModule.login | Entering method |
15:32:32:268 | Debug | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~ation.loginmodule.ClientCertLoginModule | Certificates provided by the callback: |
15:32:32:268 | Info | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~ation.loginmodule.ClientCertLoginModule | No certificate provided. |
15:32:32:269 | Path | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~loginmodule.ClientCertLoginModule.login | Exiting method |
15:32:32:269 | Debug | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~es.security.authentication.logincontext | Unsuccessful login: no login module succeeded. The size of the used authentication stack sap.com/Sed2Elite_OWS-ear*Sed2Elite_OWS_Sed2Elite_OWS_SecureSoap is 1. |
15:32:32:269 | Path | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~engine.services.security.authentication | Exception : No login module succeeded. java.lang.Exception at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175) at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263) at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:137) at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:188) at java.security.AccessController.doPrivileged(AccessController.java:246) at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181) at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.doLogin(SessionServletContext.java:743) at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.checkUser(SessionServletContext.java:315) at com.sap.engine.services.servlets_jsp.server.runtime.context.ApplicationContext.checkMap(ApplicationContext.java:521) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.checkRequest(HttpHandlerImpl.java:68) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:968) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265) at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(AccessController.java:219) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176) |
15:32:32:269 | Debug | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~es.security.authentication.logincontext | Unsuccessful login: no login module succeeded. The size of the used authentication stack sap.com/Sed2Elite_OWS-ear*Sed2Elite_OWS_Sed2Elite_OWS_SecureSoap is 1. |
15:32:32:270 | Path | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~engine.services.security.authentication | Exception : No login module succeeded. java.lang.Exception at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175) at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263) at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:137) at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:188) at java.security.AccessController.doPrivileged(AccessController.java:246) at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:246) at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.doLogin(SessionServletContext.java:743) at com.sap.engine.services.servlets_jsp.server.runtime.context.SessionServletContext.checkUser(SessionServletContext.java:315) at com.sap.engine.services.servlets_jsp.server.runtime.context.ApplicationContext.checkMap(ApplicationContext.java:521) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.checkRequest(HttpHandlerImpl.java:68) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:968) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265) at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(AccessController.java:219) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176) |
15:32:32:270 | Debug | J2EE_GUEST | SAPEngine_Application_Thread[impl:3]_20 | ~es.security.authentication.logincontext | LOGIN.FAILED User: N/A Authentication Stack: sap.com/Sed2Elite_OWS-ear*Sed2Elite_OWS_Sed2Elite_OWS_SecureSoapLogin Module Flag Initialize Login Commit Abort Details 1. com.sap.engine.services.security.server.jaas.ClientCertLoginModule SUFFICIENT ok false false #1 CertAuth = #2 issuer = #3 SerialNumber = #4 subject = |
With best regards,
Alexander