cancel
Showing results for 
Search instead for 
Did you mean: 
Read only

Login using client certificate

Former Member
0 Likes
1,857

Hello all,

I configured my portal solution to login using client certificates and SSL. On the login screen I am asked to prompt my user ID / password so a mapping between certificate and user ID can be established.

After having done, logging on to the portal for the second time doesn't work using the certificate - I am prompted to enter my uid/pwd again.

Does somebody have a hint on what I could have done wrong?

View Entire Topic
Former Member
0 Likes

I'm not giving up, eventhough I seem to be the only person having a problem with client certificates. According to http://help.sap.com/saphelp_nw04/helpdata/de/8a/8bc061dcf64638aa695f250ce7ca78/content.htm there is the need to define an additional login module "CertPersisterLoginModule" with the classname "com.sap.security.core.server.jaas.CertPersisterLoginModule". Unfortunately I was not able to find this class neither on the file system nor in the security.jar. Is it possible that this class is missing? That could be the reason for not being able to map the certificates to the portal users, since this class is doing that.

Andreas

Former Member
0 Likes

Hi guys,

This scenario describes the configuration steps needed to implement the automatic client cert-to-user mapping.

1. Adding CertPersisterLoginModule to the list of available login modules

a. Start Visual Administrator and go to Server->Services->Security Provider->Runtime(tab)->User Management(tab).

b. Press "Manage Security Stores"

c. Select "UME User Store" and press "Add Login Module"

d. Check "Use a specific editor for the login module options" and press OK.

e. In the popup window enter:

Class Name = com.sap.security.core.server.jaas.CertPersisterLoginModule
Display Name = CertPersisterLoginModule

f. Press OK. Now you have to see the newly created CertPersisterLoginModule in the Login Modules tab.

2. Configuring the application stack.

a. In the Visual Administrator go to Server->Services->Security Provider->Runtime(tab)->Policy Configurations(tab).

b. Select the application stack (or template) referring to the EP or the desired application. If you have created your own application stack, select it and apply the following modules:

EvaluateTicketLoginModule	SUFFICIENT	ume.configuration.active=true
ClientCertLoginModule           OPTIONAL	
CreateTicketLoginModule	        SUFFICIENT	ume.configuration.active=true
BasicPasswordLoginModule        REQUISITE	
CertPersisterLoginModule        OPTIONAL	ume.configuration.active=true
CreateTicketLoginModule         OPTIONAL	ume.configuration.active=true

3. Check the configuration:

a. Access the EP via https, e.g. https://myephost.mydomain.com:50001/irj. The first time you access this page you will be prompted for user ID and password. Next time you request that URL you have to go directly to the EP main page.

b. Access the EP via http, e.g. http://myephost.mydomain.com:50000/irj. The portal behavior must not be affected.

Best regards,

Tsvetomir

Former Member
0 Likes

Hi Tsvetomir

Thank you for your answer. I've gotten exactly the same answer from SAP, who have answered to my OSS Note. These steps can basically be found in the help and I've tried that... without success. The problem is still existing.

Thanks for any other tips.

Andreas

Former Member
0 Likes

Hi Andreas,

I have investigated similar issue. Meanwhile the customer upgraded J2EE to SP11 and the issue disappeared. Unfortunately I didn't find why the mapping didn't work.

Kind regards,

Tsvetomir

Former Member
0 Likes

Hi everyone

Sorry it took so long... I was very busy fixing other stuff these days.

The CertPersisterLoginModule works with SP12, so this upgrade pretty much seems to fix a lot.

If anyone still has problems in setting up authentication with client certificates, just let me know.

Andreas

Former Member
0 Likes

Hello All,

CertPersisterLoginModule should be available from SP10. It is there in SP11 onwards. J2EE with Client certificates works fine after that and all the help topics in this thread.

Any body who did it with IISProxy? I am trying hard but it looks like as soon as a certificate is passed to IIS Proxy it fails - It fails even to direct to HTTP site.

I need some help and I have many observations. So any body who can help?

Contact me [email protected]

Regards

Ash