2012 Oct 08 1:25 PM
I followed the SAP documentation to setup authentication using x.509 certificates
http://help.sap.com/saphelp_nw04s/helpdata/en/b1/07dd3aeedb7445e10000000a114084/frameset.htm
which worked.
The user certificate imported into SAP (table USREXTID) has subsequently expired.
A new user certificate was acquired and imported into the user's
browser, but NOT into SAP.
The issue is that, without having to update SAP, the user can
successfully authenticate to SAP again using the new certificate.
Therefore SAP is not distinguishing between the old expired certificate
and the new certificate.
This creates a huge security issue. If the device containing the
certificate is lost (for example) the certificate would be revoked.
However once the user has a new device and is issued with a new
certificate the old device would also be able to successfully logon to
SAP.
The steps in short are:
1. Issue certificate to user
2. Load into USREXTID using SM31
3. Expire/revoke the certificate
4. Issue user with new certificate
5. Test logon - logon SUCCEEDS; the logon should FAIL (because the new
certificate is not loaded into USREXTID)
We need to be able to ensure that only the current, valid certificate
allows access to SAP. Can this be achieved?
The way that this is currently working means that we would have to
change the user's DN every time a new certificate is issued; surely this can't be the case?
2012 Oct 08 10:40 PM
Hi,
Here I assume that you have records in table USREXTID with type DN. The way it works is that if a user presents a certificate that is trusted by the system (signed by a trusted certificate), then the system tries to map the distinguished name (DN) stored in the certificate to a SAP account. If this is successful, then the user gets authenticated against the system. So you can have multiple certificates issued for the same ID. It's basically the same as having two passports. The standard way of preventing usage of a stolen certificate (passport) in this scenario is to have a list of revoked certificates (CRL). I don't think that this is supported by ABAP AS.
What you could try to do is to use records in table USREXTID with type HX. In this case a link is created between the SAP account and the hash value of one particular certificate. So you can easily revoke a stolen certificate by changing the hash value in this table. The issue is that it will require significantly more maintenance. I've never tested this, but it should work.
Cheers
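To make the DN-versus-HX distinction from the reply above concrete, here is an added example (not SAP code and not from this thread) that simulates the USREXTID lookup with openssl: two self-signed certificates carrying one constructed subject DN, a text file standing in for the table, and a SHA-256 fingerprint standing in for the HX hash (that fingerprint format is an assumption, not SAP's actual HX encoding).

```shell
#!/bin/sh
# Added illustration (not SAP code): two certificates issued for the same
# subject DN are identical to a DN-based mapping (USREXTID type DN) but are
# told apart by a fingerprint-based mapping (type HX). Needs only openssl.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SUBJ="/C=XX/O=Example Org/CN=user01"   # constructed subject, same for both certs
USREXTID="$WORK/usrextid.txt"          # stand-in for table USREXTID: TYPE|EXTID|USER

issue_cert() {  # issue_cert <name>: self-signed cert standing in for a CA-issued user cert
    openssl req -x509 -newkey rsa:2048 -nodes -subj "$SUBJ" -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
cert_dn()   { openssl x509 -in "$1" -noout -subject; }
# HX stand-in: SHA-256 fingerprint of the DER certificate (assumed format, not SAP's)
cert_hash() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

ext_id() {    # ext_id <TYPE> <cert>: the external ID a mapping of that type compares
    case "$1" in DN) cert_dn "$2" ;; HX) cert_hash "$2" ;; *) return 1 ;; esac
}
map_cert() {  # map_cert <TYPE> <cert> <sapuser>: record a mapping (the SM31 step)
    printf '%s|%s|%s\n' "$1" "$(ext_id "$1" "$2")" "$3" >> "$USREXTID"
}
lookup() {    # lookup <TYPE> <cert>: print the mapped user; exit 1 if no record matches
    awk -F'|' -v t="$1" -v e="$(ext_id "$1" "$2")" \
        '$1==t && $2==e {print $3; found=1} END{exit !found}' "$USREXTID"
}

issue_cert old            # the certificate that was loaded into USREXTID
issue_cert new            # the replacement certificate never loaded into SAP
map_cert DN "$WORK/old.crt" SAPUSER01
map_cert HX "$WORK/old.crt" SAPUSER01
for t in DN HX; do        # DN: new cert still maps; HX: new cert is not mapped
    if u=$(lookup "$t" "$WORK/new.crt"); then echo "$t: new cert maps to $u"
    else echo "$t: new cert not mapped"; fi
done
```

The DN lookup reproduces the behaviour reported in the question; only the HX record ties the SAP account to one specific certificate.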
2012 Oct 09 8:40 AM
Hi,
the old expired certificate will already be rejected during the SSL handshake when it is sent to the server, because the SSL implementation checks the validity of the SSL client certificate (validity/trust/CRL).
Then there is a second step where the (accepted) client certificate is mapped to a user. There only the mapping is checked.
Try to connect with the old certificate. It should fail 😉
AS ABAP is able to check CRLs as of 7.03
Best regards
Matthias