WebSEAL -> EP SSO issue with SSL

Former Member
0 Kudos

Hi Guys

We are running a project where we are setting up SSO from the end-users desktop through WebSEAL to EP.

We got everything working without using ssl.

As soon as we added the SSL encryption it didn't work anymore.

First I will list some relevant information, and second I will describe which configurations were done in EP and WebSEAL.

      • Here is the version information for the two environments:

WebSEAL: Windows 2003 Standard SP1
         TAM 5.1 v. 5.1.0.13
         GSKit v. 7.0.3.9

EP: Windows Server 2003 Enterprise Edition, Service Pack 1
    MS SQL Server 2000
    EP6 SP13
    WAS J2EE SP13

      • We have used the following guide downloaded from sdn.sap.com

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/ad84a55a-0601-0010-749b-854...

      • WebSEAL log with errors:

DPWIV1210W Function call, gsk_secure_soc_init, failed error: 000001a4 GSK_ERROR_SOCKET_CLOSED.
2005-10-28-08:59:22.891+02:00I----- 0x38AD54BA webseald WARNING wiv ssl SSLConnection.cpp 1115 0x0000023c
DPWIV1210W Function call, gsk_secure_soc_init, failed error: 000001a4 GSK_ERROR_SOCKET_CLOSED.
2005-10-28-09:17:16.879+02:00I----- 0x38AD54BA webseald WARNING wiv ssl SSLConnection.cpp 1115 0x000009d8
DPWIV1210W Function call, gsk_secure_soc_init, failed error: 000001a4 GSK_ERROR_SOCKET_CLOSED.
2005-10-28-09:17:32.465+02:00I----- 0x38AD54BA webseald WARNING wiv ssl SSLConnection.cpp 1115 0x00000460
DPWIV1210W Function call, gsk_secure_soc_init, failed error: 000001a4 GSK_ERROR_SOCKET_CLOSED.
2005-10-28-09:18:07.510+02:00I----- 0x38AD54BA webseald WARNING wiv ssl SSLConnection.cpp 1115 0x000008e8
DPWIV1210W Function call, gsk_secure_soc_init, failed error: 000001a4 GSK_ERROR_SOCKET_CLOSED.
2005-10-28-09:22:53.125+02:00I----- 0x38AD54BA webseald WARNING wiv ssl SSLConnection.cpp 1115 0x00000460
DPWIV1210W Function call, gsk_secure_soc_init, failed error: 000001a4 GSK_ERROR_SOCKET_CLOSED.
2005-10-28-09:28:10.085+02:00I----- 0x38AD54BA webseald WARNING wiv ssl SSLConnection.cpp 1115 0x00000460
DPWIV1210W Function call, gsk_secure_soc_init, failed error: 000001a4 GSK_ERROR_SOCKET_CLOSED.
2005-10-28-09:33:25.828+02:00I----- 0x38AD54BA webseald WARNING wiv ssl SSLConnection.cpp 1115 0x00000460
DPWIV1210W Function call, gsk_secure_soc_init, failed error: 000001a4 GSK_ERROR_SOCKET_CLOSED.
2005-10-28-09:36:17.203+02:00I----- 0x38AD54BA webseald WARNING wiv ssl SSLConnection.cpp 1115 0x00000560
DPWIV1210W Function call, gsk_secure_soc_init, failed error: 000001a4 GSK_ERROR_SOCKET_CLOSED.
2005-10-28-09:37:24.906+02:00I----- 0x38AD54BA webseald WARNING wiv ssl SSLConnection.cpp 1115 0x000008b4
DPWIV1210W Function call, gsk_secure_soc_init, failed error: 000001a4 GSK_ERROR_SOCKET_CLOSED.

      • WebSEAL jmt.conf

/ERP /irj/*
/ERPITS /scripts/wgate/*
/ERPITS /sap/*

      • webseald-intern.conf

As this config file is quite long I have not added it to this message.

If you think it is relevant, please send a mail to yjv@atp.dk and I will send it to you.

      • Configuration description

While setting up SSO from WebSEAL to EP we have used the above mentioned guide.

The only difference from the guide is that we agreed on setting up the SSO without SSL initially, and then adding SSL security once we had the SSO working without SSL.

We got SSO working without SSL and started setting up an SSL trust between WebSEAL and EP again following the above documentation. This is where we get stuck.

In the portal I have created a new key-pair and certificate which is valid until 2099 (below I have added the contents of the private key, the certificate and the WebSEAL certificate). I have exported the certificate and sent it to the WebSEAL administrator who has imported it in the WebSEAL key-database into trusted CAs. The WebSEAL administrator has also exported the WebSEAL certificate which I have imported into trusted CAs in the portal.

As described in the guide I have set up the portal to request the WebSEAL client certificate, which is imported into trusted CAs. Furthermore I have set up the portal to use the newly created key-pair as the default credentials to be used during the handshake.

Even though I have set up all this as described in the guide from SDN, it still doesn't work, and we get the errors written above in the WebSEAL log file.

We have checked that there IS a connection between WebSEAL and EP by logging on to the WebSEAL server at OS level and accessing EP through https, which works fine.

The Portal's private key called atppod01 contains:

PRIVATE KEY
[ creationDate ]: Wed Oct 26 14:26:56 CEST 2005
[ algorithm ]: RSA
[ format ]: PKCS#8
[ selfSigned ]:
[ DN ]: CN=atppod01.prod.atp.local,O=ATP,C=DK
[ issuerDN ]: CN=atppod01.prod.atp.local,O=ATP,C=DK
[ validNotBefore ]: Tue Oct 25 14:26:00 CEST 2005
[ validNotAfter ]: Mon Oct 26 14:26:00 CET 2099
[ signAlgorithm ]: md5WithRSAEncryption (1.2.840.113549.1.1.4)
[ fingerprint ]: 74:47:88:F2:A5:C5:00:4E:2C:4D:24:65:E3:30:2C:1B
[ subjectKeyIdentifier ]: D8:D1:CF:D3:71:96:84:3C:54:DF:C5:66:58:1E:B8:C3:5C:39:03:9C
[ publicKey ]:
  [ algorithm ]: RSA
  [ format ]: X.509

The Portal's client certificate called atppod01-cert contains:

CERTIFICATE
[ creationDate ]: Wed Oct 26 14:26:56 CEST 2005
[ DN ]: CN=atppod01.prod.atp.local,O=ATP,C=DK
[ issuerDN ]: CN=atppod01.prod.atp.local,O=ATP,C=DK
[ validNotBefore ]: Tue Oct 25 14:26:00 CEST 2005
[ validNotAfter ]: Mon Oct 26 14:26:00 CET 2099
[ signAlgorithm ]: md5WithRSAEncryption (1.2.840.113549.1.1.4)
[ fingerprint ]: 74:47:88:F2:A5:C5:00:4E:2C:4D:24:65:E3:30:2C:1B
[ subjectKeyIdentifier ]: D8:D1:CF:D3:71:96:84:3C:54:DF:C5:66:58:1E:B8:C3:5C:39:03:9C
[ publicKey ]:
  [ algorithm ]: RSA
  [ format ]: X.509

The imported WebSEAL certificate contains:

CERTIFICATE
[ creationDate ]: Wed Oct 26 13:17:58 CEST 2005
[ DN ]: CN=VSRVXTAMI1.prod.atp.local,O=atp,C=DK
[ issuerDN ]: CN=VSRVXTAMI1.prod.atp.local,O=atp,C=DK
[ validNotBefore ]: Tue Oct 25 11:25:49 CEST 2005
[ validNotAfter ]: Thu Oct 26 11:25:49 CEST 2006
[ signAlgorithm ]: md5WithRSAEncryption (1.2.840.113549.1.1.4)
[ fingerprint ]: 2D:82:E2:02:C7:F6:82:04:36:84:A5:67:2E:8E:BA:77
[ subjectKeyIdentifier ]: <none>
[ publicKey ]:
  [ algorithm ]: RSA
  [ format ]: X.509

Does anybody have any ideas?

Cheers,

Jacob Vennervald

Accepted Solutions (0)

Answers (4)

Former Member
0 Kudos

Hi,

We are implementing the exact same project, for configuring TAM with SAP EP, and we are using the same guide…

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/ad84a55a-0601-0010-749b-854...

We did the configuration part required to be done on EP, but while doing the steps on WebSEAL, we came across the following issues:

- We are not able to import the EP certificate into the WebSEAL iKeyman. We are getting an error saying "Error occured while processing X509 certificates".

- We have to make changes in the webseald.conf file, but we are not sure how to make the required entries in the file.

- We have to create a junction for the portal, but again we got an error here.

Former Member
0 Kudos

I'm sorry. I'm not that heavy on the WebSEAL side.

I think you need to consult a WebSEAL expert.

Or maybe you could try to elaborate a bit.

/Jacob

Former Member
0 Kudos

Hi,

I am also facing the same problem that you got. I am getting the same error in the dispatcher. But we are not using WebSEAL. When I open the URL I see the SSL is expired.

The current security SSL certificate is not valid for my dev and production portal. Now we are using EP 7.0 SP9. Can you please tell me how to create a security SSL certificate, and I want it to be shown as valid when I click on the trusted CA. And how can I import this certificate in Visual Admin? Please tell me the steps for how to import, what the prerequisites to import are, and how to test whether the SSL is working fine with the portal or not.

Thanks in advance

ravi_raman2
Active Contributor
0 Kudos

Multiple options exist when using the above combinations or anything…

You can use the JDK to generate a keyRequest, which you can send to either your own Java PKI store to request credentials, or you can create a certificate request and use that certificate. The only thing to know here is to create a keystore, and add that certificate to the RootCA trusted list… that's it.

Regards

Ravi

Former Member
0 Kudos

Hi Jacob,

We are implementing the exact same project (same versions of SAP, EP and webSEAL) and have encountered the same problem with 'Bad Certificate' showing up in the portal log. Have you resolved your issue? If so, how? We would really appreciate your help!!

Regards,

Joy

Former Member
0 Kudos

Hi Joy

Yes, we got it working.

First of all, you need to make sure your WebSEAL is accessing the correct SSL port on EP/WAS.

The WAS J2EE needs a key and certificate called ssl_credentials. If you don't have one called this, create one containing the correct information. If you do have an ssl_credentials key/cert pair, check the information on it and create a new one if it has run out or if it has a wrong hostname on it.

Export the ssl_credentials certificate as a Base64-encoded file. Import this in the WebSEAL's key storage under Trusted CAs.

As with the ssl_credentials certificate, make sure the WebSEAL certificate is valid, export it and import it into the WAS J2EE key storage under Trusted CAs.

Go to the WAS J2EE SSL provider and make sure the Server Identity is set to the certificate you exported to WebSEAL.

Make sure the WAS is set up to request the WebSEAL certificate.

Of course you need to make sure the other things mentioned in the guide are set up correctly. Also use the guide to get detailed information on how to do the things mentioned above.

This is basically what we did.

If it still doesn't work, try to label the certificates the same way in EP and in WebSEAL.

Hope this helps.

Regards,

Jacob
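Jacob's checklist above (correct SSL port, a valid ssl_credentials pair with the right hostname, each side's certificate imported into the other side's Trusted CAs, Server Identity set, the WebSEAL certificate requested) describes a mutually authenticated TLS handshake, and the "certificate unknown" alert in the dispatcher log and the "Bad Certificate" Joy mentions are what one side reports when the other's certificate is not in its trust store. The Go program below is an added illustration, not part of the thread, the SDN guide or either product: it reproduces that handshake in-process with Go's standard library, with an in-memory "WAS J2EE" server that requires a client certificate and an in-memory "WebSEAL" client that presents one, and lets each condition from the checklist be switched off to see which side fails and how. Hostnames are the CNs from the certificate dumps in the original post; keys and certificates are generated at run time and are not real credentials; TLS 1.2 with ECDSA/SHA-256 stands in for the SSLv3/TLS 1.0 and md5WithRSAEncryption of the 2005 setup, because current stacks (Go's crypto/x509 included) refuse MD5-signed certificates outright.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mustSelfSigned mints a self-signed cert that is both an identity and, once handed
// to the peer, that peer's trust anchor, as both sides in the thread exchange theirs.
func mustSelfSigned(cn string, notBefore, notAfter time.Time) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed, throw-away key
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"ATP"}, Country: []string{"DK"}},
		DNSNames:              []string{cn}, // current verifiers match the SAN, not the CN
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Run performs one mutually authenticated handshake over loopback TCP and returns the
// error each side saw (nil on success). The two bools stand for the two certificate
// imports; serverName is the host the junction dials; wasNotAfter is the expiry of
// ssl_credentials. TLS 1.2 is pinned so the client only returns after the server has
// accepted or rejected its certificate.
func Run(wasTrustsWebSEAL, websealTrustsWAS bool, serverName string, wasNotAfter time.Time) (clientErr, serverErr error) {
	now := time.Now()
	was := mustSelfSigned("atppod01.prod.atp.local", now.Add(-time.Hour), wasNotAfter)
	webseal := mustSelfSigned("VSRVXTAMI1.prod.atp.local", now.Add(-time.Hour), now.Add(24*time.Hour))
	wasTrusted, websealTrusted := x509.NewCertPool(), x509.NewCertPool()
	if wasTrustsWebSEAL {
		wasTrusted.AddCert(webseal.Leaf) // the import into WAS J2EE Trusted CAs
	}
	if websealTrustsWAS {
		websealTrusted.AddCert(was.Leaf) // the import into the WebSEAL key database
	}
	serverCfg := &tls.Config{ // the WAS J2EE SSL provider
		Certificates: []tls.Certificate{was},         // "Server Identity" = ssl_credentials
		ClientAuth:   tls.RequireAndVerifyClientCert, // "request the WebSEAL certificate"
		ClientCAs:    wasTrusted,
		MinVersion:   tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
	}
	clientCfg := &tls.Config{ // WebSEAL's end of the SSL junction
		Certificates: []tls.Certificate{webseal},
		RootCAs:      websealTrusted,
		ServerName:   serverName,
		MinVersion:   tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() { // EP side
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(5 * time.Second))
			err = tls.Server(raw, serverCfg).Handshake()
		}
		done <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String()) // WebSEAL side
	if err != nil {
		return err, err
	}
	defer raw.Close()
	clientErr = tls.Client(raw, clientCfg).Handshake()
	return clientErr, <-done
}

func main() {
	host, good := "atppod01.prod.atp.local", time.Now().Add(24*time.Hour)
	c, s := Run(false, true, host, good) // WebSEAL cert never imported into WAS Trusted CAs
	fmt.Printf("WebSEAL saw: %v\nWAS J2EE saw: %v\n", c, s)
	c, s = Run(true, true, host, good) // both imports done, name and dates right
	fmt.Printf("WebSEAL saw: %v\nWAS J2EE saw: %v\n", c, s)
}
```

With the WebSEAL certificate missing from the WAS side, the server rejects the client certificate and the client sees the resulting bad_certificate alert; with ssl_credentials missing from the WebSEAL side, the client rejects the server and it is the server that sees an alert, which matches the two places the thread found errors (the WebSEAL log and the dispatcher log). Dialling a name the certificate does not carry, or an expired ssl_credentials, fails on the client side the way Jacob's "wrong hostname" and "run out" remarks describe; the key-database label advice has no analogue here, since TLS never sees labels.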

Former Member
0 Kudos

Hi Jacob,

Thanks very much for your help. We have now got it working.

Regards,

Joy

Former Member
0 Kudos

Hi Again

Here is what I get in the dispatcher log.

This error is repeated lots of times:

#1.5#000BCD8283C3002D0000000500000810000404A5A687D0AE#1131009416936#com.sap.engine.core.manipulator.TCPRunnableConnection##com.sap.engine.core.manipulator.TCPRunnableConnection.init()#######OrderedChannel for http service##0#0#Error#1#/System/Network#Java###Cannot get input and output streams from socket. ConnectionsManipulator is not initialized.
[EXCEPTION]
#1#iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: certificate unknown
 at iaik.security.ssl.r.f(Unknown Source)
 at iaik.security.ssl.f.c(Unknown Source)
 at iaik.security.ssl.f.a(Unknown Source)
 at iaik.security.ssl.r.d(Unknown Source)
 at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
 at iaik.security.ssl.SSLSocket.startHandshake(Unknown Source)
 at com.sap.engine.services.ssl.factory.SSLSocket.startHandshake(SSLSocket.java:133)
 at com.sap.engine.services.ssl.factory.SSLSocket.getInputStream(SSLSocket.java:247)
 at com.sap.engine.core.manipulator.TCPRunnableConnection.init(TCPRunnableConnection.java:316)
 at com.sap.engine.core.manipulator.TCPRunnableConnection.run(TCPRunnableConnection.java:498)
 at com.sap.engine.frame.core.thread.Task.run(Task.java:60)
 at com.sap.engine.core.thread.impl6.SingleThread.execute(SingleThread.java:73)
 at com.sap.engine.core.thread.impl6.SingleThread.run(SingleThread.java:137)
#
#1.5#000BCD8283C300470000000100000810000404A5A6889A6C#1131009416983#com.sap.engine.core.manipulator.TCPRunnableConnection##com.sap.engine.core.manipulator.TCPRunnableConnection.init()#######SAPEngine_System_Thread[impl:6]_5##0#0#Error#1#/System/Network#Java###Cannot get input and output streams from socket. ConnectionsManipulator is not initialized.
[EXCEPTION]
#1#iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: certificate unknown
 at iaik.security.ssl.r.f(Unknown Source)
 at iaik.security.ssl.f.c(Unknown Source)
 at iaik.security.ssl.f.a(Unknown Source)
 at iaik.security.ssl.r.d(Unknown Source)
 at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
 at iaik.security.ssl.SSLSocket.startHandshake(Unknown Source)
 at com.sap.engine.services.ssl.factory.SSLSocket.startHandshake(SSLSocket.java:133)
 at com.sap.engine.services.ssl.factory.SSLSocket.getInputStream(SSLSocket.java:247)
 at com.sap.engine.core.manipulator.TCPRunnableConnection.init(TCPRunnableConnection.java:316)
 at com.sap.engine.core.manipulator.TCPRunnableConnection.run(TCPRunnableConnection.java:498)
 at com.sap.engine.frame.core.thread.Task.run(Task.java:60)
 at com.sap.engine.core.thread.impl6.SingleThread.execute(SingleThread.java:73)
 at com.sap.engine.core.thread.impl6.SingleThread.run(SingleThread.java:137)

Cheers,

Jacob Vennervald