Role Mapping Issue with Web Dispatcher

nageshcaparthy
Product and Topic Expert

Dear Experts,

We are trying to set up SMP and Web Dispatcher with X509 certificate validation. Without Web Dispatcher X509 is working perfectly; however, with Web Dispatcher I have the following error:

"Authentication failed. SSL_CLIENT_CERT header is specified but the user is not granted "Impersonator" role."

I am also looking at the Online Help Guide and added the Certificates to All the 4 Roles:

- admin

- default

- Notification

- X509 - security profile created for the app

I am pretty sure that the Certificate path is perfect as we are currently on SMP 3.0 SP10 and we have options to add the certificates directly and map them without the need for editing the role mapping files manually.

I still have the same error. My question is: with Web Dispatcher, in Manage PSE, I have a different certificate in SAPSSLC, and my public certificate on SAPSSLS is different. When I call the Web Dispatcher URL I see the SAPSSLS certificate, which is public.

Should I change the SAPSSLC certificate to be similar to SAPSSLS and try, or is there any other issue with regard to the error? Any suggestions?

Looping in and

Regards,

Nagesh

Accepted Solutions (0)

Answers (1)


kirankola
Advisor

Hi Nagesh,

Try in debug mode for more details. Change the Impersonator cert name to SAP WebDisp host certificate and give it a try.

Regards,

Kiran

nageshcaparthy
Product and Topic Expert

Hi

Thank you for the reply. Here is what I have mapped to the Impersonator role of the security profile:

I also have an OSS ticket raised. Please suggest what could be the reason. In debug mode I have the following error:

.AbstractSMPApplicationSettingsHandler:doInternalFilter########704#####401:Unauthorized#

#2.0#2016-05-24 03:28:35 PM#DEBUG#Registration###Security#1464092915099114#9ac061b4-1adc-4e03-aaaa-2a6846ad6dea#com.x509.xxxx#com.sybase.security.core.CertificateValidationLoginModule:login########704#####login#

#2.0#2016-05-24 03:28:35 PM#DEBUG#Registration###Security#1464092915099115#9ac061b4-1adc-4e03-aaaa-2a6846ad6dea#com.x509.xxxx#com.sybase.security.provider.OptionMapHelper:getDateOption########704#####key=certificateEffectiveValidationDate,  date=null#

#2.0#2016-05-24 03:28:35 PM#DEBUG#Registration###Security#1464092915099116#9ac061b4-1adc-4e03-aaaa-2a6846ad6dea#com.x509.xxxx#com.sybase.security.internal.CertificateValidationImpl:initValidator########704#####Initializing CertPathValidator#

#2.0#2016-05-24 03:28:35 PM#INFO#Registration###Security#1464092915099117#9ac061b4-1adc-4e03-aaaa-2a6846ad6dea#com.x509.xxxx#com.sybase.security.internal.CertificateValidationImpl:initValidator########704#####Certificate store containing trusted CA certificates is not specified. Using the default JVM trust store.#

#2.0#2016-05-24 03:28:35 PM#DEBUG#Registration###Security#1464092915099118#9ac061b4-1adc-4e03-aaaa-2a6846ad6dea#com.x509.xxxx#com.sybase.security.internal.CertificateValidationImpl:initValidator########704#####Using trust store type jks#

#2.0#2016-05-24 03:28:35 PM#DEBUG#Registration###Security#1464092915099119#9ac061b4-1adc-4e03-aaaa-2a6846ad6dea#com.x509.xxxx#com.sybase.security.internal.CertificateValidationImpl:initValidator########704#####Using trust store ./configuration/smp_keystore.jks#

#2.0#2016-05-24 03:28:35 PM#DEBUG#Registration###Security#1464092915099120#9ac061b4-1adc-4e03-aaaa-2a6846ad6dea#com.x509.xxxx#com.sybase.security.internal.CertificateValidationImpl:initValidator########704#####Setting revocation enabled flag to false#

#2.0#2016-05-24 03:28:35 PM#DEBUG#Registration###Security#1464092915099121#9ac061b4-1adc-4e03-aaaa-2a6846ad6dea#com.x509.xxxx#com.sybase.security.internal.CertificateValidationImpl:isValidCertificateChain########704#####validate certificate path#

#2.0#2016-05-24 03:28:35 PM#DEBUG#Registration###Security#1464092915099122#9ac061b4-1adc-4e03-aaaa-2a6846ad6dea#com.x509.xxxx#com.sybase.security.internal.CertificateValidationImpl:initCRLs########704#####init CRLs#

#2.0#2016-05-24 03:28:35 PM#DEBUG#Registration###Security#1464092915099123#9ac061b4-1adc-4e03-aaaa-2a6846ad6dea#com.x509.xxxx#com.sybase.security.internal.CertificateValidationImpl:updateCRLs########704#####update CRLs#

#2.0#2016-05-24 03:28:35 PM#DEBUG#Registration###Security#1464092915099124#9ac061b4-1adc-4e03-aaaa-2a6846ad6dea#com.x509.xxxx#com.sybase.security.core.CertificateValidationLoginModule:login########704#####storing cert chain of length 1 in shared context#

#2.0#2016-05-24 03:28:35 PM#DEBUG#Registration###Security#1464092915099125#9ac061b4-1adc-4e03-aaaa-2a6846ad6dea#com.x509.xxxx#com.sybase.security.core.UserRoleAuthorizer:checkRole########704#####UserRoleAuthorizer.checkRole(roleName=user:CN=*.XXXXXXXX, O=XXXXXXXX, L=XXXXXXXX, C=XXXXXXXX,subject.getName()=WDS#

#2.0#2016-05-24 03:28:35 PM#DEBUG#Registration###Security#1464092915099126#9ac061b4-1adc-4e03-aaaa-2a6846ad6dea#com.x509.xxxx#com.sybase.security.core.RoleCheckAuthorizer:checkRole########704#####RoleCheckAuthorizer.checkRole(user:CN=*.XXXXXXXX, O=XXXXXXXX, L=XXXXXXXX, C=XXXXXXXX)#

#2.0#2016-05-24 03:28:35 PM#DEBUG#Registration###Security#1464092915099127#9ac061b4-1adc-4e03-aaaa-2a6846ad6dea#com.x509.xxxx#com.sybase.security.core.UserRoleAuthorizer:checkRole########704#####UserRoleAuthorizer.checkRole(roleName=user:CN=XXXXXXXXXXXXX,subject.getName()=WDS#

#2.0#2016-05-24 03:28:35 PM#DEBUG#Registration###Security#1464092915099099#9ac061b4-1adc-4e03-aaaa-2a6846ad6dea#com.x509.xxxx#com.sybase.security.core.XMLFileRoleMapper$RoleMapperConfig:<init>########704#####Reading role Mappings from F:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI\X509 Rule Based-role-mapping.xml#

Regards,

Nagesh
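
An added example, not part of the original thread and not SAP code: a small parser for the `#`-delimited debug lines quoted above that lists each `UserRoleAuthorizer.checkRole` comparison, so the name in every `user:` mapping can be read next to the subject name the server authenticated. The field names, the sample values and the `normalize` comparison are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the debug lines quoted in the post; the DNs,
# ids and application name are placeholders, not values from the page.
PREFIX = "#2.0#2016-05-24 03:28:35 PM#DEBUG#Registration###Security#"
CALL = ("#corr-1#com.example.app#com.sybase.security.core.UserRoleAuthorizer:"
        "checkRole########704#####UserRoleAuthorizer.checkRole(roleName=")
SAMPLE_LOG = "\n".join([
    ".AbstractSMPApplicationSettingsHandler:doInternalFilter########704#####401:Unauthorized#",
    PREFIX + "2" + CALL + "user:CN=*.example.test, O=Example, C=XX,subject.getName()=WDS#",
    PREFIX + "3" + CALL + "user:CN=proxy.example.test,subject.getName()=WDS#",
])

CHECK_ROLE = re.compile(
    r"UserRoleAuthorizer\.checkRole\(roleName=(?P<role>.+),"
    r"subject\.getName\(\)=(?P<subject>.*)$")


def parse_line(line):
    """Split one '#'-delimited record; field meanings are inferred from the post."""
    parts = line.strip().split("#")
    if len(parts) < 13 or parts[1] != "2.0":
        return None  # truncated line, like the first sample line
    # The message is taken as the last field before the trailing '#'.
    return {"time": parts[2], "level": parts[3], "correlation": parts[9],
            "source": parts[11], "message": parts[-2]}


def normalize(name):
    # Assumed comparison: case-insensitive, spaces around commas ignored.
    return re.sub(r"\s*,\s*", ",", name.strip()).lower()


def role_checks(log_text):
    """List each checkRole comparison: mapped name vs. authenticated subject."""
    checks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        match = rec and CHECK_ROLE.search(rec["message"])
        if not match:
            continue
        role, subject = match.group("role"), match.group("subject")
        mapped = role[len("user:"):] if role.startswith("user:") else role
        checks.append({"correlation": rec["correlation"], "role": role,
                       "subject": subject,
                       "matches": normalize(mapped) == normalize(subject)})
    return checks
```

Calling `role_checks` on the server log text returns one entry per comparison; entries with `matches` set to `False` show a mapped name that differs from the logged subject name.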