
Gateway, X.509 and Fiori on Android

martin_E
Active Contributor
0 Kudos

I have a problem where user certificates have been correctly loaded onto an Android device, but when invoking the Fiori client application on the Android device, we are getting a "No certificates found" dialog error.

I found SAP Note 2132513 - Fiori client not finding a certificate on Android device which describes my situation exactly. One solution is to ignore the error, which pushes the user to the login screen. This is unacceptable because the business wants / needs SSO capability.


The other solution is to disable X509 challenges from the gateway server. This concerns me because it implies that SSO using X509 is not possible with Fiori on Android, which doesn't sound right (FWIW, we are not getting the issue on our Windows or iOS devices).


Is it related to the Fiori App using the AuthProxy plugin incorrectly?

Could someone enlighten me as to what I am missing?

Accepted Solutions (1)


martin_E
Active Contributor
0 Kudos

An overdue update:

The correct answer was to disable X.509 challenges from the gateway server.

The default setting for the SAP Profile parameter

icm/HTTPS/verify_client

was telling the SAP Gateway system to request an X.509 certificate from the client. This was interfering with the SAML certificate process. To prevent this, we needed to stop it from sending X.509 certificates by setting

icm/HTTPS/verify_client=0

in the SAP profile (transaction RZ10), saving the Profile (transaction RZ10) and restarting the server. Unfortunately, it's not a dynamic parameter, and it's not (despite the name) an ICM parameter, so just restarting the ICM via transaction SMICM didn't work.

This doesn't prevent traffic from being encrypted as HTTP and it does not reduce authentication security (which is now correctly handled by SAML). Obviously, we tested all our use cases and device types after making the change before moving the change up the landscape.

And FWIW, Fiori doesn't do SSO using X.509, it uses a SAML provider - either SAP's Single Sign On servers, or as in our case, a third-party product.

Thanks
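
An added example, not part of the original thread and not SAP code: a small Python check that reads an instance profile exported as text and reports, for each HTTPS port, whether the server will ask clients for an X.509 certificate. It goes slightly beyond the post by also honouring the per-port VCLIENT option of icm/server_port_<n>; the function names and the sample profile are constructed for illustration, and the fallback value of 1 is an assumption matching the default behaviour the answer describes.

```python
import re

# Meaning of icm/HTTPS/verify_client (and of the per-port VCLIENT option).
MEANING = {
    0: "server does not request a client certificate",
    1: "server requests a client certificate; client may decline",
    2: "server requires a valid client certificate",
}
DEFAULT_VERIFY_CLIENT = 1  # assumed value in effect when the profile omits it

def parse_profile(text):
    """Return {parameter: value}; lines starting with '#' are comments, later lines win."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

def https_client_cert_policy(text):
    """Map each HTTPS port to (level, meaning), honouring VCLIENT overrides."""
    params = parse_profile(text)
    global_level = int(params.get("icm/HTTPS/verify_client", DEFAULT_VERIFY_CLIENT))
    policy = {}
    for key, value in params.items():
        if not re.fullmatch(r"icm/server_port_\d+", key):
            continue
        opts = dict(o.split("=", 1) for o in value.split(",") if "=" in o)
        opts = {k.strip().upper(): v.strip() for k, v in opts.items()}
        if opts.get("PROT", "").upper() != "HTTPS":
            continue  # plain HTTP ports never ask for a certificate
        level = int(opts.get("VCLIENT", global_level))
        policy[opts.get("PORT", "?")] = (level, MEANING.get(level, "unknown value"))
    return policy

# Constructed sample profile, not taken from a real system.
SAMPLE_PROFILE = """\
# instance profile (constructed)
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
icm/server_port_2 = PROT=HTTPS,PORT=44301,VCLIENT=2
icm/HTTPS/verify_client = 0
"""

if __name__ == "__main__":
    for port, (level, meaning) in sorted(https_client_cert_policy(SAMPLE_PROFILE).items()):
        print(f"HTTPS port {port}: verify_client={level} ({meaning})")
```

In the sample, port 44301 still demands a certificate despite the global 0, which is the kind of leftover override worth checking for before retesting the Android clients.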

Answers (0)