02-01-2008 4:05 PM
I've successfully set up SSL in NetWeaver 7.0 SP14 using a certificate signed by my own CA. But now I want to set up SSO via a client certificate in the user's browser.
1. via NW configtool set com.sap.security.core.ume.service property "ume.logon.allow_cert" to "true" - restarted SAP.
2. created certificate authority via openssl and added the certificate to the NW TrustedCA's via Visual Admin -> Security Provider
3. in NW Visual Admin ->Security Provider, created public/private key pair named "ssl-credentials" (replacing the original "ssl-credentials"), created a CSR, had CSR signed by CA and imported back into NW as a CRT (still named "ssl-credentials")
4. in NW Visual Admin -> SSL Provider, configured SSL (port 50001) to accept client certificates from the CA in step 2. Configured SSL Server Identity to use "ssl-credentials".
5. as a user, created public/private key pair, had them signed by the CA and imported them into Internet Explorer 7.0.
6. as user, browsed to xMII (https://tdsap1:50001/xMII/Menu.jsp) and logged in.
I want to enable SSO via the client certificate, so I took these additional steps.
7. in NW Visual Admin -> SSL Provider, configured SSL port (50001) to request client certificates.
8. in NW Administrator -> Identity Management, I modify the Administrator user account and upload my client certificate to this account.
9. in NW Visual Admin -> Security Provider, set up components "sap.com/xappsxmiiearear*XMII" and "sap.com/xappsxmiiearear*XMIIVirtual" with the following login modules:
1. ClientCertLoginModule, SUFFICIENT, {CertAuth=, subject=, issuer=, SerialNumber=}
2. EvaluateTicketLoginModule, SUFFICIENT, {ume.configuration.active=true}
3. BasicPasswordLoginModule, REQUISITE, {}
4. CreateTicketLoginModule, Optional, {ume.configuration.active=true}
10. Close all IE browsers.
11. open IE 7, browse to https://tdsap1:50001/XMII/Menu.jsp
12. IE prompts me to select a certificate. I choose my client certificate.
Date : 02/01/2008
Time : 10:09:21:351
Message : Guest | LOGIN.ERROR | null | | Login Method=[default],
UserID=[null], IP Address=[192.168.163.1], Reason=[No login module
succeeded.]
Severity : Warning
Category : /System/Security/Audit
Location : com.sap.security.core.util.SecurityAudit
Application : sap.com/com.sap.security.core.admin
Thread : SAPEngine_Application_Thread[impl:3]_16
Datasource :
8610550:/usr/sap/TD1/JC00/j2ee/cluster/server0/log/system/security.log
Message ID : 000C2932B5E300560000005500004C890004451A28B6683A
Source Name : /System/Security/Audit
Argument Objs :
Arguments :
Dsr Component : n/a
Dsr Transaction : aaa13570d0d711dc8658000c2932b5e3
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives : com.sap.security.core.util.SecurityAudit
Resource Bundlename :
Session : 0
Source : /System/Security/Audit
ThreadObject : SAPEngine_Application_Thread[impl:3]_16
Transaction :
User : Guest
13. add Login Module
CertPersisterLoginModule, OPTIONAL, {}
to both "sap.com/xappsxmiiearear*XMII" and "sap.com/xappsxmiiearear*XMIIVirtual"
14. remove certificate associated to Administrator
15. close all IE browsers
16. open IE and browse to https://tdsap1:50001/XMII/Menu.jsp. IE prompts for client certificate. I chose my certificate and click OK.
17. IE shows me the standard login screen with the "Certificate Login" link.
18. I click "Certificate Login"
19. I see another login screen with the text:
Your certificate will be mapped to your user ID
User ID and Password Logon Page
20. I log in as Administrator
21. Login is successful, but when I look at the Administrator user in Identity Management, no certificate is associated to the user. Additional login attempts do not automatically log in - I'm prompted for username/password every time.
-
Stack Trace 1
-
Date : 02/01/2008
Time : 10:09:21:351
Message : doLogon failed
[EXCEPTION]
com.sap.security.core.logon.imp.UMELoginException
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:949)
at com.sap.security.core.logonadmin.ServletAccessToLogic.logon(ServletAccessToLogic.java:208)
at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:914)
at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:227)
at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doPost(SAPMLogonServlet.java:60)
at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doGet(SAPMLogonServlet.java:78)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
Severity : Error
Category :
Location :
com.sap.engine.services.security.authentication.logonapplication.doLogonApplication : sap.com/com.sap.security.core.admin
Thread : SAPEngine_Application_Thread[impl:3]_16
Datasource :
8610550:/usr/sap/TD1/JC00/j2ee/cluster/server0/log/defaultTrace.trc
Message ID : 000C2932B5E300560000005600004C890004451A28B66EDF
Source Name :
com.sap.engine.services.security.authentication.logonapplication
Argument Objs : com.sap.security.core.logon.imp.UMELoginException
Arguments : com.sap.security.core.logon.imp.UMELoginException
Dsr Component : n/a
Dsr Transaction : aaa13570d0d711dc8658000c2932b5e3
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 1
Relatives :
Resource Bundlename :
Session : 0
Source : com.sap.engine.services.security.authentication.logonapplication
ThreadObject : SAPEngine_Application_Thread[impl:3]_16
Transaction :
User : Guest
-
Stack Trace 2
-
Date : 02/01/2008
Time : 9:38:08:098
Message : Exception occured in SAPMLogonCertServlet
[EXCEPTION]
java.lang.NullPointerException
at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.doLogon(SAPMLogonCertLogic.java:325)
at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.doCertLogon(SAPMLogonCertLogic.java:292)
at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.certLogon(SAPMLogonCertLogic.java:278)
at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.executeRequest(SAPMLogonCertLogic.java:115)
at com.sap.security.core.sapmimp.logon.SAPMLogonCertServlet.doPost(SAPMLogonCertServlet.java:62)
at com.sap.security.core.sapmimp.logon.SAPMLogonCertServlet.doGet(SAPMLogonCertServlet.java:80)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
Severity : Error
Category :
Location :
com.sap.engine.services.security.authentication.logonapplication.certLogon
Application : sap.com/com.sap.security.core.admin
Thread : SAPEngine_Application_Thread[impl:3]_7
Datasource :
8610550:/usr/sap/TD1/JC00/j2ee/cluster/server0/log/defaultTrace.trc
Message ID : 000C2932B5E3006E0000003A00004C8900044519B90ED7F8
Source Name :
com.sap.engine.services.security.authentication.logonapplication
Argument Objs : java.lang.NullPointerException
Arguments : java.lang.NullPointerException
Dsr Component : n/a
Dsr Transaction : 4e157c20d0d311dca273000c2932b5e3
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 1
Relatives :
Resource Bundlename :
Session : 0
Source : com.sap.engine.services.security.authentication.logonapplication
ThreadObject : SAPEngine_Application_Thread[impl:3]_7
Transaction :
User : Guest
-tim
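The "No login module succeeded" message and the behaviour of the two stacks from steps 9 and 13 follow from the standard JAAS control-flag rules (SUFFICIENT, REQUISITE, OPTIONAL) that the NetWeaver login stack uses. The following is an added model of those rules, not code from the thread or from SAP: the module behaviours, the `Request` object, the subject DN and the assumption that the persister module stores the certificate-to-user mapping in the commit phase are all constructed for illustration. It shows what the flag semantics predict for a cert that is not yet mapped, for a cert already mapped to Administrator, and for a password logon with the persister module present; that the poster's system did not persist the mapping is exactly what the model does not explain.

```python
from dataclasses import dataclass, field
from typing import Optional

# Standard JAAS control flags (javax.security.auth.login.AppConfigurationEntry)
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

@dataclass
class Request:
    # One logon attempt as the stack sees it (constructed model, not SAP's request object)
    cert_subject: Optional[str] = None    # subject DN of the browser's client certificate, if sent
    ticket_user: Optional[str] = None     # user named by a valid logon-ticket cookie, if any
    password_user: Optional[str] = None   # user id from the user/password form (password assumed valid)
    mapping: dict = field(default_factory=dict)   # UME store: cert subject -> user id
    tickets: list = field(default_factory=list)   # logon tickets issued in the commit phase

def persist_cert(req, user):
    if req.cert_subject is not None:      # assumed commit-phase work of the persister module
        req.mapping[req.cert_subject] = user

# (name, flag, login, commit): login returns a user id or None; commit runs only on overall success
STACK_STEP9 = [
    ("ClientCertLoginModule", SUFFICIENT, lambda r: r.mapping.get(r.cert_subject), None),
    ("EvaluateTicketLoginModule", SUFFICIENT, lambda r: r.ticket_user, None),
    ("BasicPasswordLoginModule", REQUISITE, lambda r: r.password_user, None),
    ("CreateTicketLoginModule", OPTIONAL, None, lambda r, u: r.tickets.append(u)),
]
STACK_STEP13 = STACK_STEP9 + [("CertPersisterLoginModule", OPTIONAL, None, persist_cert)]

def run_stack(stack, req):
    """JAAS two-phase evaluation. Returns (success, user, names of modules whose login succeeded)."""
    user, succeeded, reached, required_failed = None, [], [], False
    for name, flag, login, commit in stack:
        reached.append(commit)
        result = login(req) if login else None       # phase 1: login()
        if result:
            user, succeeded = result, succeeded + [name]
        elif flag == REQUISITE:
            return False, None, succeeded             # REQUISITE failure stops the stack at once
        elif flag == REQUIRED:
            required_failed = True                    # REQUIRED failure: continue, but fail overall
        if flag == SUFFICIENT and result and not required_failed:
            break                                     # SUFFICIENT success: later modules are skipped
    if required_failed or not succeeded:
        return False, None, succeeded                 # "No login module succeeded"
    for commit in reached:                            # phase 2: commit() on the modules that ran
        if commit:
            commit(req, user)
    return True, user, succeeded

SUBJECT = "CN=tim,O=example"   # constructed sample subject DN
def unmapped_cert_no_form(stack=STACK_STEP9):
    # Cert presented but mapped to nobody, no ticket, no form posted: REQUISITE password module fails
    return run_stack(stack, Request(cert_subject=SUBJECT))

def mapped_cert():
    # Cert already mapped to Administrator: the SUFFICIENT module alone authenticates and ends the stack
    return run_stack(STACK_STEP9, Request(cert_subject=SUBJECT, mapping={SUBJECT: "Administrator"}))

def password_logon_then_cert():
    # Step 13 stack: password logon while the cert is presented persists the mapping in commit,
    # so the next request is expected to succeed on the certificate alone
    req = Request(cert_subject=SUBJECT, password_user="Administrator")
    first = run_stack(STACK_STEP13, req)
    second = run_stack(STACK_STEP13, Request(cert_subject=SUBJECT, mapping=req.mapping))
    return first, second, req.tickets
```

The model treats the password check as passing whenever a user id is posted; what it demonstrates is the ordering and flag logic, in particular that nothing after a successful SUFFICIENT module runs, so a persister placed after it never sees a certificate-only logon.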
04-16-2009 12:18 PM
Did you find a solution? I'm having a similar problem (I think)
Exception occured in SAPMLogonCertServlet
[EXCEPTION]
java.lang.NullPointerException
at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.doLogon(SAPMLogonCertLogic.java:325)
at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.doCertLogon(SAPMLogonCertLogic.java:292)
at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.certLogon(SAPMLogonCertLogic.java:278)
at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.executeRequest(SAPMLogonCertLogic.java:115)
at com.sapportals.portal.ume.component.logon.SAPMLogonCertComponent.doContent(SAPMLogonCertComponent.java:59)
with these 2 messages above..
Exception ID:01:12_16/04/09_0007_8921150
[EXCEPTION]
com.sapportals.portal.prt.component.PortalComponentException: Error in service call of Resource
Component : com.sap.portal.runtime.logon.certlogon
Component class : com.sapportals.portal.ume.component.logon.SAPMLogonCertComponent
User : Guest
...SOME MORE...
... 43 more
Caused by: java.lang.NullPointerException
at java.net.URLDecoder.decode(URLDecoder.java:118)
at java.net.URLDecoder.decode(URLDecoder.java:82)
at com.sap.security.core.sapmimp.logon.LogonBean.getLogonURL(LogonBean.java:122)
at _sapportalsjsp_umLogonCertPage.subDoContent(_sapportalsjsp_umLogonCertPage.java:655)
at _sapportalsjsp_umLogonCertPage.doContent(_sapportalsjsp_umLogonCertPage.java:55)
... 47 more
04-17-2009 10:43 AM
I am sorry, but this post is unreadable. I think you're on the right way, but there are some details wrong. Is your SAP username part of the certificate? If not, can you change the layout of the certificate so that it does? In that case, it is not necessary to upload your complete certificate and you can use those "rule.xxx" parameters to extract the SAP username from the certificate.
04-17-2009 12:44 PM
Hi
First of all, THANKS FOR REPLYING!!!
I'm really stuck with this matter and can't seem to find a way out..
These were some logs:
- The first box was the first error thrown,
- The second box the second thrown
- SOME MORE: There were lots of classes passing through but I left them out
- to come finally to the caused by one..
I'm a Belgian citizen and we're having electronic identity cards. We're trying to set up login with these cards.. (to give you some more information)
I think my UserID in the certificate is 'Christof Houben' and the portal userID is 'christofh'. So they aren't the same. I didn't upload a certificate yet, just tried once to check where the problem is located. But couldn't figure that one out.. I'm trying to get automatic user mapping (with X.509 certificates), so this won't be the way to solve my case..
Further, I got some more questions:
- Which login modules are necessary? Because I found out the ClientCertLoginModule and CertPersisterLoginModule are necessary. But in every example there are also ticket modules. E.g. http://help.sap.com/saphelp_nw04s/helpdata/en/44/200cb204a75cfbe10000000a155369/frameset.htm
- And which options have to be there for every module?
Thanks in advance!
Christof