NW 7.0 SP14 - trying to enable client certificate SSO - getting stack dumps

Former Member

I've successfully setup SSL in NetWeaver 7.0 SP14 using a certificate signed by my own CA. But now I want to setup SSO via a client certificate in the user's browser.

Steps to Reproduce

1. via NW configtool set com.sap.security.core.ume.service property "ume.logon.allow_cert" to "true" - restarted SAP.

2. created certificate authority via openssl and added the certificate to the NW TrustedCA's via Visual Admin -> Security Provider

3. in NW Visual Admin ->Security Provider, created public/private key pair named "ssl-credentials" (replacing the original "ssl-credentials"), created a CSR, had CSR signed by CA and imported back into NW as a CRT (still named "ssl-credentials")

4. in NW Visual Admin -> SSL Provider, configured SSL (port 50001) to accept client certificates from the CA in step 2. Configured SSL Server Identity to use "ssl-credentials".

5. as a user, created public/private key pair, had them signed by the CA and imported them into Internet Explorer 7.0.

6. as user, browsed to xMII (https://tdsap1:50001/xMII/Menu.jsp) and logged in.

--> RESULT: user logged in successfully and there were no security warnings from the browser. Ok so far.

I want to enable SSO via the client certificate, so I took these additional steps.

7. in NW Visual Admin -> SSL Provider, configured SSL port (50001) to request client certificates.

8. in NW Administrator -> Identity Management, I modify the Administrator user account and upload my client certificate to this account.

9. in NW Visual Admin -> Security Provider, setup components "sap.com/xappsxmiiearear*XMII" and "sap.com/xappsxmiiearear*XMIIVirtual" with the following login modules:

1. ClientCertLoginModule, SUFFICIENT, {CertAuth=, subject=, issuer=, SerialNumber=}

2. EvaluateTicketLoginModule, SUFFICIENT, {ume.configuration.active=true}

3. BasicPasswordLoginModule, REQUISITE, {}

4. CreateTicketLoginModule, Optional, {ume.configuration.active=true}

--> QUESTION: help.sap.com does not have any references to the ClientCertLoginModule parameters {CertAuth=, subject=, issuer=, SerialNumber=} shown above; it only has "Rule<n>.XYZ" parameters. Why are mine different?

10. Close all IE browsers.

11. open IE 7, browse to https://tdsap1:50001/XMII/Menu.jsp

12. IE prompts me to select a certificate. I choose my client certificate.

--> RESULT: Stack Trace #1 (below) is sent to the NW defaultTrace.trc and the following is in the security.log:

Date : 02/01/2008
Time : 10:09:21:351
Message : Guest | LOGIN.ERROR | null | | Login Method=[default], UserID=[null], IP Address=[192.168.163.1], Reason=[No login module succeeded.]
Severity : Warning
Category : /System/Security/Audit
Location : com.sap.security.core.util.SecurityAudit
Application : sap.com/com.sap.security.core.admin
Thread : SAPEngine_Application_Thread[impl:3]_16
Datasource : 8610550:/usr/sap/TD1/JC00/j2ee/cluster/server0/log/system/security.log
Message ID : 000C2932B5E300560000005500004C890004451A28B6683A
Source Name : /System/Security/Audit
Argument Objs :
Arguments :
Dsr Component : n/a
Dsr Transaction : aaa13570d0d711dc8658000c2932b5e3
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives : com.sap.security.core.util.SecurityAudit
Resource Bundlename :
Session : 0
Source : /System/Security/Audit
ThreadObject : SAPEngine_Application_Thread[impl:3]_16
Transaction :
User : Guest

13. add Login Module

CertPersisterLoginModule, OPTIONAL, {}

to both "sap.com/xappsxmiiearear*XMII" and "sap.com/xappsxmiiearear*XMIIVirtual"

14. remove certificate associated to Administrator

15. close all IE browsers

16. open IE and browse to https://tdsap1:50001/XMII/Menu.jsp. IE prompts for client certificate. I chose my certificate and click OK.

17. IE shows me the standard login screen with the "Certificate Login" link.

18. I click "Certificate Login"

--> RESULT: Stack Trace 2 (below) appears in the defaultTrace.trc log.

19. I see another login screen with the text:

Your certificate will be mapped to your user ID

User ID and Password Logon Page

20. I log in as Administrator

21. Login is successful, but when I look at the Administrator user in Identity Management, no certificate is associated to the user.

Additional login attempts do not automatically log in - I'm prompted for username/password every time.

-
Stack Trace 1
-

Date : 02/01/2008
Time : 10:09:21:351
Message : doLogon failed
[EXCEPTION]
com.sap.security.core.logon.imp.UMELoginException
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:949)
    at com.sap.security.core.logonadmin.ServletAccessToLogic.logon(ServletAccessToLogic.java:208)
    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:914)
    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:227)
    at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doPost(SAPMLogonServlet.java:60)
    at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doGet(SAPMLogonServlet.java:78)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
Severity : Error
Category :
Location : com.sap.engine.services.security.authentication.logonapplication.doLogonApplication : sap.com/com.sap.security.core.admin
Thread : SAPEngine_Application_Thread[impl:3]_16
Datasource : 8610550:/usr/sap/TD1/JC00/j2ee/cluster/server0/log/defaultTrace.trc
Message ID : 000C2932B5E300560000005600004C890004451A28B66EDF
Source Name : com.sap.engine.services.security.authentication.logonapplication
Argument Objs : com.sap.security.core.logon.imp.UMELoginException
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:949)
    at com.sap.security.core.logonadmin.ServletAccessToLogic.logon(ServletAccessToLogic.java:208)
    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:914)
    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:227)
    at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doPost(SAPMLogonServlet.java:60)
    at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doGet(SAPMLogonServlet.java:78)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
,
Arguments : com.sap.security.core.logon.imp.UMELoginException
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:949)
    at com.sap.security.core.logonadmin.ServletAccessToLogic.logon(ServletAccessToLogic.java:208)
    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.doLogon(SAPMLogonLogic.java:914)
    at com.sap.security.core.sapmimp.logon.SAPMLogonLogic.executeRequest(SAPMLogonLogic.java:227)
    at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doPost(SAPMLogonServlet.java:60)
    at com.sap.security.core.sapmimp.logon.SAPMLogonServlet.doGet(SAPMLogonServlet.java:78)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
,
Dsr Component : n/a
Dsr Transaction : aaa13570d0d711dc8658000c2932b5e3
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 1
Relatives :
Resource Bundlename :
Session : 0
Source : com.sap.engine.services.security.authentication.logonapplication
ThreadObject : SAPEngine_Application_Thread[impl:3]_16
Transaction :
User : Guest

-
Stack Trace 2
-

Date : 02/01/2008
Time : 9:38:08:098
Message : Exception occured in SAPMLogonCertServlet
[EXCEPTION]
java.lang.NullPointerException
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.doLogon(SAPMLogonCertLogic.java:325)
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.doCertLogon(SAPMLogonCertLogic.java:292)
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.certLogon(SAPMLogonCertLogic.java:278)
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.executeRequest(SAPMLogonCertLogic.java:115)
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertServlet.doPost(SAPMLogonCertServlet.java:62)
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertServlet.doGet(SAPMLogonCertServlet.java:80)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
Severity : Error
Category :
Location : com.sap.engine.services.security.authentication.logonapplication.certLogon
Application : sap.com/com.sap.security.core.admin
Thread : SAPEngine_Application_Thread[impl:3]_7
Datasource : 8610550:/usr/sap/TD1/JC00/j2ee/cluster/server0/log/defaultTrace.trc
Message ID : 000C2932B5E3006E0000003A00004C8900044519B90ED7F8
Source Name : com.sap.engine.services.security.authentication.logonapplication
Argument Objs : java.lang.NullPointerException
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.doLogon(SAPMLogonCertLogic.java:325)
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.doCertLogon(SAPMLogonCertLogic.java:292)
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.certLogon(SAPMLogonCertLogic.java:278)
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.executeRequest(SAPMLogonCertLogic.java:115)
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertServlet.doPost(SAPMLogonCertServlet.java:62)
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertServlet.doGet(SAPMLogonCertServlet.java:80)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
,
Arguments : java.lang.NullPointerException
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.doLogon(SAPMLogonCertLogic.java:325)
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.doCertLogon(SAPMLogonCertLogic.java:292)
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.certLogon(SAPMLogonCertLogic.java:278)
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.executeRequest(SAPMLogonCertLogic.java:115)
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertServlet.doPost(SAPMLogonCertServlet.java:62)
    at com.sap.security.core.sapmimp.logon.SAPMLogonCertServlet.doGet(SAPMLogonCertServlet.java:80)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
,
Dsr Component : n/a
Dsr Transaction : 4e157c20d0d311dca273000c2932b5e3
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 1
Relatives :
Resource Bundlename :
Session : 0
Source : com.sap.engine.services.security.authentication.logonapplication
ThreadObject : SAPEngine_Application_Thread[impl:3]_7
Transaction :
User : Guest

-tim
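The login module stack configured in step 9 is evaluated with JAAS control flags, and the security.log reason "No login module succeeded." is what a stack like that reports when the SUFFICIENT modules fail and the REQUISITE BasicPasswordLoginModule then fails too because the certificate prompt supplied no password. The Python below is an added example, not SAP code and not the poster's: the four module functions are stand-ins that only inspect a constructed request dictionary, CERT_MAP and PASSWORDS are constructed data, and evaluate_stack is a hypothetical name. It walks the exact stack from step 9 under standard JAAS flag semantics (REQUISITE failure stops immediately, SUFFICIENT success short-circuits, OPTIONAL never decides) so that the three outcomes can be compared: certificate mapped, certificate presented but unmapped, and plain password logon.

```python
"""Simulation of JAAS control-flag semantics for a NetWeaver-style login
module stack.  Added example, not SAP code: module behaviours are stand-ins
that only inspect a constructed request dictionary."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]
# A module's login() returns (succeeded, user_id_or_None).
ModuleFn = Callable[[Request, Optional[str]], Tuple[bool, Optional[str]]]


@dataclass
class LoginModule:
    name: str
    flag: str          # REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL
    login: ModuleFn


def evaluate_stack(stack: List[LoginModule], request: Request) -> dict:
    """Walk the stack with standard JAAS control-flag semantics."""
    trace: List[str] = []
    user: Optional[str] = None
    required_failed = False
    any_succeeded = False
    has_required = any(m.flag.upper() in ("REQUIRED", "REQUISITE") for m in stack)
    for m in stack:
        flag = m.flag.upper()
        ok, found = m.login(request, user)
        trace.append(f"{m.name}[{flag}]={'ok' if ok else 'fail'}")
        if ok:
            any_succeeded = True
            if found is not None and user is None:
                user = found
        if flag in ("REQUIRED", "REQUISITE"):
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break          # REQUISITE failure ends the walk at once
        elif flag == "SUFFICIENT" and ok and not required_failed:
            # SUFFICIENT success short-circuits: later modules never run.
            return {"ok": True, "user": user, "trace": trace, "reason": None}
        # OPTIONAL modules and failed SUFFICIENT modules never stop the walk.
    ok = not required_failed and (has_required or any_succeeded)
    # The failure wording mirrors the security.log entry quoted in the post.
    return {"ok": ok, "user": user if ok else None, "trace": trace,
            "reason": None if ok else "No login module succeeded."}


# Constructed data: which (issuer, serial) is mapped to which user ID, and
# which passwords are valid.  This is not the UME user store.
CERT_MAP = {("CN=Lab CA", "0x1001"): "Administrator"}
PASSWORDS = {"Administrator": "s3cret"}


def client_cert_module(req: Request, _user: Optional[str]):
    # Succeeds only when the presented certificate is explicitly mapped.
    key = (req.get("cert_issuer"), req.get("cert_serial"))
    return (True, CERT_MAP[key]) if key in CERT_MAP else (False, None)


def evaluate_ticket_module(req: Request, _user: Optional[str]):
    # Stand-in for an SSO ticket check: succeeds if a ticket is present.
    if "sso_ticket_user" in req:
        return True, req["sso_ticket_user"]
    return False, None


def basic_password_module(req: Request, _user: Optional[str]):
    u, p = req.get("username"), req.get("password")
    return (True, u) if u in PASSWORDS and PASSWORDS[u] == p else (False, None)


def create_ticket_module(_req: Request, user: Optional[str]):
    # Issues a ticket for an already-authenticated principal; it never
    # authenticates on its own.
    return (user is not None, None)


# The stack from step 9 of the post, with the same flags.
STACK = [
    LoginModule("ClientCertLoginModule", "SUFFICIENT", client_cert_module),
    LoginModule("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket_module),
    LoginModule("BasicPasswordLoginModule", "REQUISITE", basic_password_module),
    LoginModule("CreateTicketLoginModule", "OPTIONAL", create_ticket_module),
]

if __name__ == "__main__":
    for label, req in [
        ("mapped certificate", {"cert_issuer": "CN=Lab CA", "cert_serial": "0x1001"}),
        ("unmapped certificate", {"cert_issuer": "CN=Lab CA", "cert_serial": "0x9999"}),
        ("password logon", {"username": "Administrator", "password": "s3cret"}),
    ]:
        print(label, "->", evaluate_stack(STACK, req))
```

The second scenario reproduces the shape of the failure in the post: the certificate is presented but not mapped, no ticket exists, and the REQUISITE password module has nothing to check, so the walk stops after three modules with the same reason string the security.log shows.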

3 REPLIES

Former Member

Did you find a solution? I'm having a similar problem (I think)


Exception occured in SAPMLogonCertServlet 
[EXCEPTION]
 java.lang.NullPointerException 
at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.doLogon(SAPMLogonCertLogic.java:325) 
at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.doCertLogon(SAPMLogonCertLogic.java:292) 
at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.certLogon(SAPMLogonCertLogic.java:278) 
at com.sap.security.core.sapmimp.logon.SAPMLogonCertLogic.executeRequest(SAPMLogonCertLogic.java:115) 
at com.sapportals.portal.ume.component.logon.SAPMLogonCertComponent.doContent(SAPMLogonCertComponent.java:59) 

with these 2 messages above..


Exception ID:01:12_16/04/09_0007_8921150 
[EXCEPTION]
 com.sapportals.portal.prt.component.PortalComponentException: Error in service call of Resource 
Component : com.sap.portal.runtime.logon.certlogon 
Component class : com.sapportals.portal.ume.component.logon.SAPMLogonCertComponent 
User : Guest

...SOME MORE...


... 43 more 
Caused by: java.lang.NullPointerException 
at java.net.URLDecoder.decode(URLDecoder.java:118) 
at java.net.URLDecoder.decode(URLDecoder.java:82) 
at com.sap.security.core.sapmimp.logon.LogonBean.getLogonURL(LogonBean.java:122) 
at _sapportalsjsp_umLogonCertPage.subDoContent(_sapportalsjsp_umLogonCertPage.java:655) 
at _sapportalsjsp_umLogonCertPage.doContent(_sapportalsjsp_umLogonCertPage.java:55) 
... 47 more 

Former Member

I am sorry, but this post is unreadable. I think you're on the right way, but there are some details wrong. Is your SAP username part of the certificate? If not, can you change the layout of the certificate so that it does? In that case, it is not necessary to upload your complete certificate and you can use those "rule.xxx" parameters to extract the SAP username from the certificate.
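The reply above describes the alternative to uploading every user's certificate: rule parameters that derive the SAP user ID from a certificate attribute. The Python below is an added example, not SAP's Rule<n> implementation and not the reply author's code: MappingRule, parse_dn, map_certificate and resolve_logon are hypothetical names, and every DN and user name in it is constructed. It shows the two checks such a rule needs in order to be safe: the issuer must match exactly (a certificate from any other CA, even with an identical subject, must map to nothing), and the extracted value must actually exist as a user, so a display name in CN such as "Christof Houben" does not silently become a logon when the portal ID is "christofh".

```python
"""Rule-based mapping of an X.509 subject to a logon ID.  Added example;
the rule structure is a hypothetical stand-in for NetWeaver's Rule<n>
parameters and every DN and user name below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 4514-style DN into {ATTR: value}.  Backslash-escaped
    commas stay inside a value, attribute names are upper-cased, and the
    first occurrence of an attribute wins."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    parsed: Dict[str, str] = {}
    for rdn in rdns:
        if "=" in rdn:
            attr, value = rdn.split("=", 1)
            parsed.setdefault(attr.strip().upper(), value.strip())
    return parsed


@dataclass
class MappingRule:
    issuer: str                       # issuer DN the certificate must carry, exactly
    login_attribute: str              # subject attribute whose value becomes the logon ID
    subject_filter: Dict[str, str] = field(default_factory=dict)  # required subject values


def map_certificate(subject_dn: str, issuer_dn: str,
                    rules: List[MappingRule]) -> Optional[str]:
    """Return the logon ID the first matching rule extracts, or None."""
    subject, issuer = parse_dn(subject_dn), parse_dn(issuer_dn)
    for rule in rules:
        if parse_dn(rule.issuer) != issuer:
            continue   # a subject is only meaningful under the issuer the rule names
        if any(subject.get(a.upper()) != v for a, v in rule.subject_filter.items()):
            continue
        return subject.get(rule.login_attribute.upper())
    return None


def resolve_logon(subject_dn: str, issuer_dn: str, rules: List[MappingRule],
                  known_users: List[str]) -> Optional[str]:
    """Map the certificate, then confirm the result is an existing user ID."""
    login_id = map_certificate(subject_dn, issuer_dn, rules)
    return login_id if login_id in known_users else None


# Constructed data for the demonstration.
RULES = [MappingRule(issuer="CN=Lab CA,O=Example", login_attribute="CN",
                     subject_filter={"OU": "Staff"})]
KNOWN_USERS = ["christofh", "Administrator"]

if __name__ == "__main__":
    for subj, iss in [
        ("CN=christofh,OU=Staff,O=Example", "CN=Lab CA,O=Example"),
        ("CN=christofh,OU=Staff,O=Example", "CN=Rogue CA,O=Example"),
        ("CN=Christof Houben,OU=Staff,O=Example", "CN=Lab CA,O=Example"),
    ]:
        print(subj, "/", iss, "->", resolve_logon(subj, iss, RULES, KNOWN_USERS))
```

The third sample is the situation the thread describes: the rule extracts the CN correctly, but because the CN holds a display name rather than the portal user ID, resolve_logon returns None and the logon falls through to the next login module instead of mapping to a wrong account.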


Hi

First of all, THANKS FOR REPLYING!!!

I'm really stuck with this matter and can't seem to find a way out..

These were some logs:

- The first box was the first error thrown,

- The second box the second thrown

- SOME MORE: There were lots of classes passing through but I left them out, to come finally to the "Caused by" one..

I'm a Belgian citizen and we're having electronic identity cards. We're trying to set up login with these cards.. (to give you some more information)

I think my UserID in the certificate is 'Christof Houben' and the portal userID is 'christofh'. So they aren't the same. I didn't upload a certificate yet, just tried once to check where the problem is located. But couldn't figure that one out.. I'm trying to get automatic user mapping (with X.509 certificates), so this won't be the way to solve my case..

Further, I got some more questions:

- Which login modules are necessary? Because I found out the ClientCertLoginModule and CertPersisterLoginModule are necessary. But in every example there are also ticket modules. E.g. http://help.sap.com/saphelp_nw04s/helpdata/en/44/200cb204a75cfbe10000000a155369/frameset.htm

- And which options have to be there for every module?

Thanks in advance!

Christof