01-30-2015 1:21 PM
Hello experts.
We have successfully configured X.509 certificate SSO on our Solman system.
We're using Secure Login Client 1.0 SP4 PL1.
In SAP we maintained the certificate data in transaction EXTID_DN.
User can log on successfully.
But when opening the Solman website, users get a popup asking them
to choose an appropriate certificate.
We tried to disable client certificate selection popup in IE in the security
settings for the trusted sites. But the popup still appears.
Is there a way to disable the popup, or what steps will we have to perform to
get rid of the annoying popup?
Thanks a lot for your advice!
Best regards,
Sebastian
01-30-2015 8:43 PM
02-02-2015 8:03 AM
If you have more than one certificate that matches, you have to reduce this number.
You can do this by being more restrictive on the server (in your case, it seems the server accepts more than one CA) or by removing private certificates from your cert store (could be OS or browser, depending on the browser).
Regards,
Patrick
02-02-2015 10:16 AM
Hi Patrick,
Thanks a lot, sounds good to me. Can you please give me a hint where I can be more restrictive on the ABAP server side?
We're using a certificate chain, and I would like to tell the server that it will only accept certificates which match exactly this chain, at least up to Jenoptik SAP CA.
There is another certificate used for VPN access. Both certs use the same root CA. I guess that this will be the root cause. Is there any way to be more specific on the server side?
Best regards,
Sebastian
02-02-2015 10:24 AM
Hi Sebastian,
please make sure that your server PSE only contains the certificate of the Jenoptik User CA.
See Procedure, step 3.
Regards,
Patrick
02-02-2015 12:12 PM
Hi Patrick.
Do you mean I can remove all certs except CN=cipfa08....? But will SSL work properly then?
Or do I have to adjust something more?
SSL :
SNC:
Best regards,
Sebastian
02-02-2015 12:56 PM
Hi Sebastian,
I was talking about the SSL server PSE. The SNC PSE is not relevant for SSL-based X.509 auth.
Could you please specify the trust chain for the VPN cert as well?
Regards,
Patrick
02-02-2015 2:25 PM
Hello Patrick.
OK, for sure. This is the VPN cert chain.
Best regards,
Sebastian
02-03-2015 8:56 AM
Hi Sebastian,
I'd guess the problem is with all intermediate CAs having the same root. Therefore all keys get selected by the browser. I'm checking with some other people whether there is anything that can be done to set the list of announced CAs to not include the root, in which case you will need to add the user CA intermediate to the list of trusted CAs in the SSL server PSE.
Regards,
Patrick
02-03-2015 9:37 AM
Hi Sebastian,
is there any reason why you have the list of certificates the way it is?
The list, to my understanding, should actually be called "trusted CAs" and is used as the list of CAs to be announced in the SSL handshake. Can you delete all the keys in there and just add the Jenoptik User CA key?
In this case the server will only announce this one CA. Some browsers will still have an issue (like Safari, which allows selecting all keys anyhow); however, for IE (which I guess is what you used) it should work when not configured for manual certificate selection.
Regards,
Patrick
02-03-2015 10:01 AM
Hello Patrick.
I did it the way you proposed. I removed all certs and imported only the SAP CA SSL.
I restarted the ICM, but the popup for selecting the client cert still appears.
Best regards,
Sebastian
02-03-2015 12:40 PM
Hi Sebastian,
could you please try to execute the following:
openssl s_client -connect <yourhostname:ssl-port> -prexit
and copy the lines after 'Acceptable client certificate CA names' until the delimiter '---'?
Or provide me with the contents of the SSL handshake some other way?
Thanks,
Patrick
BTW: does the list still contain the same entries or did the list change?
02-03-2015 2:35 PM
Hello Patrick.
Of course 🙂
C:\OpenSSL-Win32\bin>openssl s_client -connect pfa.sap.jenoptik.corp:9443 -prexit
CONNECTED(000001E4)
---
Certificate chain
0 s:/CN=cipfa08.sap.jenoptik.corp
i:/CN=Jenoptik SAP CA - SSL
1 s:/CN=Jenoptik SAP CA - SSL
i:/DC=corp/DC=jenoptik/CN=Jenoptik SAP CA
2 s:/DC=corp/DC=jenoptik/CN=Jenoptik SAP CA
i:/CN=Jenoptik Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDCzCCAfOgAwIBAgIEXCIIzTANBgkqhkiG9w0BAQUFADAgMR4wHAYDVQQDExVK
ZW5vcHRpayBTQVAgQ0EgLSBTU0wwHhcNMTMwOTIwMDc1NDIzWhcNMjEwOTE5MTAw
MDAwWjAkMSIwIAYDVQQDExljaXBmYTA4LnNhcC5qZW5vcHRpay5jb3JwMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmWiwaGRJ1Bozyz0W1QkaIg5ZdBdF
fEsTQ6VzTJgRr9+3UEZaJ0wEvmBClwp60T4DvjkxnQPsuWRvMhU2dWy2Gn6ZufC+
Mu3l6c0M2y/0gqkahLc7zub/q1WkUdUZcnZC16jnTj7o86zoaAlzaNCxd3WBtjMu
WE2gcaAg6EzGvwDqyVYyUhZfCptdM+NclZJYEdoUV1+rVx34I7qowMksUOlprEeK
HQP0HNofbklMxG3EVFQWnkhD+Du4m/PbJ8jTgCvEwnY3gGRh3dW1MZauP/McJbCc
74wsnBXnjugIDURsBQwR0pWqgVZe5fLKMuaMLx4W1fWK5eZgQVQoppHAkwIDAQAB
o0kwRzAOBgNVHQ8BAf8EBAMCA7gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwIAYDVR0R
BBkwF4IVcGZhLnNhcC5qZW5vcHRpay5jb3JwMA0GCSqGSIb3DQEBBQUAA4IBAQAK
SX1uqnQtkUxg8OOzHjSU/4tWHm1bae077h6aC7NVNIr3WcuWbbbH4tTKdnbL/xDQ
/eD8tRtgVUqovcUh96sPmQbEXVZG+tw1nW/3vlz19slvOSY+omh3YCYHatbAz7wA
GyQeTSU7PsRJlbjd4iRsuu5XgaJ3JB+hIBEhMv//JJjkI2nY5gbo9MjzdeFbOw60
kMvnIMJY7lHT1Zcs5V4aMpFNTx2uMiULgfPxRnxQKhT7QmFhRQvyKpd1vBJwztPB
+4FTtd2TDHqPtcHGunfKK38NSSUZLq6WN0b0ZcsybryqeDOMrOVuJDkCV9w/JIsD
+LZlGBMloJswjVBt8INV
-----END CERTIFICATE-----
subject=/CN=cipfa08.sap.jenoptik.corp
issuer=/CN=Jenoptik SAP CA - SSL
---
Acceptable client certificate CA names
/CN=Jenoptik SAP CA - SSL
/CN=Jenoptik Certificate Authority
---
SSL handshake has read 2953 bytes and written 659 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: AA0B931EE6092A1CA335276533521A04FA7070C0EE13131070B3C985AAD175A5
Session-ID-ctx:
Master-Key: 8D3D90CE628C5DB26FDB5E8F705779A2288CE9B2665536C25F1BE348C8408BCC51C6117CF207391CD4222181F089C581
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1422972606
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
closed
---
Certificate chain
0 s:/CN=cipfa08.sap.jenoptik.corp
i:/CN=Jenoptik SAP CA - SSL
1 s:/CN=Jenoptik SAP CA - SSL
i:/DC=corp/DC=jenoptik/CN=Jenoptik SAP CA
2 s:/DC=corp/DC=jenoptik/CN=Jenoptik SAP CA
i:/CN=Jenoptik Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDCzCCAfOgAwIBAgIEXCIIzTANBgkqhkiG9w0BAQUFADAgMR4wHAYDVQQDExVK
ZW5vcHRpayBTQVAgQ0EgLSBTU0wwHhcNMTMwOTIwMDc1NDIzWhcNMjEwOTE5MTAw
MDAwWjAkMSIwIAYDVQQDExljaXBmYTA4LnNhcC5qZW5vcHRpay5jb3JwMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmWiwaGRJ1Bozyz0W1QkaIg5ZdBdF
fEsTQ6VzTJgRr9+3UEZaJ0wEvmBClwp60T4DvjkxnQPsuWRvMhU2dWy2Gn6ZufC+
Mu3l6c0M2y/0gqkahLc7zub/q1WkUdUZcnZC16jnTj7o86zoaAlzaNCxd3WBtjMu
WE2gcaAg6EzGvwDqyVYyUhZfCptdM+NclZJYEdoUV1+rVx34I7qowMksUOlprEeK
HQP0HNofbklMxG3EVFQWnkhD+Du4m/PbJ8jTgCvEwnY3gGRh3dW1MZauP/McJbCc
74wsnBXnjugIDURsBQwR0pWqgVZe5fLKMuaMLx4W1fWK5eZgQVQoppHAkwIDAQAB
o0kwRzAOBgNVHQ8BAf8EBAMCA7gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwIAYDVR0R
BBkwF4IVcGZhLnNhcC5qZW5vcHRpay5jb3JwMA0GCSqGSIb3DQEBBQUAA4IBAQAK
SX1uqnQtkUxg8OOzHjSU/4tWHm1bae077h6aC7NVNIr3WcuWbbbH4tTKdnbL/xDQ
/eD8tRtgVUqovcUh96sPmQbEXVZG+tw1nW/3vlz19slvOSY+omh3YCYHatbAz7wA
GyQeTSU7PsRJlbjd4iRsuu5XgaJ3JB+hIBEhMv//JJjkI2nY5gbo9MjzdeFbOw60
kMvnIMJY7lHT1Zcs5V4aMpFNTx2uMiULgfPxRnxQKhT7QmFhRQvyKpd1vBJwztPB
+4FTtd2TDHqPtcHGunfKK38NSSUZLq6WN0b0ZcsybryqeDOMrOVuJDkCV9w/JIsD
+LZlGBMloJswjVBt8INV
-----END CERTIFICATE-----
subject=/CN=cipfa08.sap.jenoptik.corp
issuer=/CN=Jenoptik SAP CA - SSL
---
Acceptable client certificate CA names
/CN=Jenoptik SAP CA - SSL
/CN=Jenoptik Certificate Authority
---
SSL handshake has read 2990 bytes and written 696 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: AA0B931EE6092A1CA335276533521A04FA7070C0EE13131070B3C985AAD175A5
Session-ID-ctx:
Master-Key: 8D3D90CE628C5DB26FDB5E8F705779A2288CE9B2665536C25F1BE348C8408BCC51C6117CF207391CD4222181F089C581
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1422972606
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
BR,
Sebastian
02-04-2015 7:40 AM
Hi Sebastian,
the issue is the ABAP system announcing the certificate chain instead of only the single cert. As all your CAs belong to the same root CA, the browser will select all installed keys signed (directly or indirectly) by one of these CAs. I'm just trying to figure out if there is anything you can do other than using a separate CA which is not an intermediate of your current root CA.
BTW: you still have some other intermediate used instead of the user CA; is this intentional?
You used the Jenoptik SAP CA - SSL; however, your private certificate was signed by Jenoptik SAP CA - USER.
Actually, if the system behaved differently and only announced the single CA, you would have no matching certificate, as you have no certificate that was signed by Jenoptik SAP CA - SSL, only by
- Jenoptik SAP CA - USER and
- VPN Auth CA.
Are you able to log in with this certificate?
Regards,
Patrick
02-04-2015 9:12 AM
Hello Patrick.
Thanks a lot for your help so far 🙂
OK. I put the SAP CA USER cert in the cert list and restarted the ICM. But I still
have to select the cert.
Any ideas what else to try?
And yes, I'm able to log in with this certificate.
Best regards,
Sebastian
02-04-2015 12:41 PM
Hi Sebastian,
I'm sorry, but this cannot be changed at the moment due to the layout of your PKI.
After some more digging I learned that the SAP system trusts, and announces in the SSL handshake, the root CA of the server certificate and all the certificates in the certificate list of the server PSE. You can see this in the snippet below from the output of the openssl command you executed.
Acceptable client certificate CA names
/CN=Jenoptik SAP CA - SSL
/CN=Jenoptik Certificate Authority
As your user CA and your VPN CA have the same root as the server CA, the browser will select both of them as valid certificates.
The only way to get around this is splitting the PKI into a server PKI and a user PKI. This way the server would not be announcing the root of the user PKI, and the browser would just select the certificate from the user CA.
SAP development is preparing a change to this behaviour; however, I have no idea when there will be an update containing this change.
Kind regards,
Patrick
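The selection behaviour Patrick describes (the server announces a CA list in the TLS CertificateRequest, and the browser offers every installed client certificate that chains directly or indirectly to one of the announced names) can be modelled offline. The following Python is an added example, not code from the thread or from SAP: it parses the "Acceptable client certificate CA names" section out of an `openssl s_client -prexit` transcript like the one posted above, then applies that rule to a constructed inventory of client certificates. The DNs come from the thread; the exact placement of "Jenoptik SAP CA - USER" and "VPN Auth CA" under the shared root is an assumption, as are the leaf names and the helper function names.

```python
"""
Added example: why the certificate-selection popup appears.

Models the rule from the thread: a browser offers a client certificate when
any CA in that certificate's issuer chain (directly or indirectly) is in the
list of CA names the server announced in the TLS handshake.
"""

CA_SECTION_HEADER = "Acceptable client certificate CA names"
SECTION_DELIMITER = "---"

# Constructed excerpt of the s_client transcript posted in the thread
# (only the part Patrick asked for; -prexit prints the block again on exit).
SAMPLE_S_CLIENT_OUTPUT = """\
subject=/CN=cipfa08.sap.jenoptik.corp
issuer=/CN=Jenoptik SAP CA - SSL
---
Acceptable client certificate CA names
/CN=Jenoptik SAP CA - SSL
/CN=Jenoptik Certificate Authority
---
SSL handshake has read 2953 bytes and written 659 bytes
"""

# Constructed inventory of the client certificates in the user's store:
# leaf name -> issuer chain from the direct issuer up to the root CA.
# The position of the USER and VPN intermediates under the root is assumed.
CLIENT_CERTS = {
    "sebastian-sso": [
        "/CN=Jenoptik SAP CA - USER",               # assumed intermediate
        "/DC=corp/DC=jenoptik/CN=Jenoptik SAP CA",
        "/CN=Jenoptik Certificate Authority",
    ],
    "sebastian-vpn": [
        "/CN=VPN Auth CA",                          # assumed intermediate
        "/CN=Jenoptik Certificate Authority",
    ],
}


def parse_acceptable_cas(s_client_output):
    """Return the DNs listed after the CA-names header, up to the '---' line.

    Only the first occurrence is used; with -prexit the block is repeated
    verbatim at exit, so the second copy carries no extra information.
    """
    cas = []
    collecting = False
    for raw in s_client_output.splitlines():
        line = raw.strip()
        if not collecting:
            if line == CA_SECTION_HEADER:
                collecting = True
            continue
        if line == SECTION_DELIMITER:
            break
        if line:
            cas.append(line)
    return cas


def select_client_certs(client_certs, announced_cas):
    """Apply the browser's rule: offer every cert whose chain meets the list.

    Returns the sorted leaf names that chain (directly or indirectly) to any
    announced CA name; announcing a root therefore matches every cert below it.
    """
    announced = set(announced_cas)
    return sorted(
        name for name, chain in client_certs.items()
        if any(issuer in announced for issuer in chain)
    )


def popup_expected(selected):
    """IE without manual selection only prompts when more than one cert matches."""
    return len(selected) > 1


if __name__ == "__main__":
    announced = parse_acceptable_cas(SAMPLE_S_CLIENT_OUTPUT)
    print("Announced by server:", announced)
    for label, cas in [
        ("as captured (root announced)", announced),
        ("only the user CA announced", ["/CN=Jenoptik SAP CA - USER"]),
        ("only the SSL CA announced", ["/CN=Jenoptik SAP CA - SSL"]),
    ]:
        chosen = select_client_certs(CLIENT_CERTS, cas)
        print(f"{label}: {chosen} -> popup: {popup_expected(chosen)}")
```

Running it reproduces the three situations in the thread: with the root announced, both the SSO and the VPN certificate match and the popup is expected; with only the user CA announced, exactly one certificate matches; with only "Jenoptik SAP CA - SSL" announced (the first thing Sebastian tried), nothing matches at all, which is the point Patrick raises about the USER versus SSL intermediate. The same parser can be pointed at a real `-prexit` transcript to check what a server actually announces after a PSE change.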
08-31-2016 4:29 PM
Hi,
As of SAP_BASIS 750 in combination with CCL >= 8.4.38, it is possible to switch the implicit trust of a PSE's own root on or off for each PSE. The issuer certificate chain is shown together with the switch.
Kind regards,
Uwe
08-18-2021 4:26 PM