
Login using client certificate

Former Member
0 Likes

Hello all,

I configured my portal solution to log in using client certificates and SSL. On the login screen I am asked to enter my user ID / password so that a mapping between the certificate and the user ID can be established.

After having done so, logging on to the portal a second time doesn't work using the certificate - I am prompted to enter my uid/pwd again.

Does somebody have a hint on what I could have done wrong?

Accepted Solutions (0)

Answers (4)

Former Member
0 Likes

I'm not giving up, even though I seem to be the only person having a problem with client certificates. According to http://help.sap.com/saphelp_nw04/helpdata/de/8a/8bc061dcf64638aa695f250ce7ca78/content.htm there is the need to define an additional login module "CertPersisterLoginModule" with the class name "com.sap.security.core.server.jaas.CertPersisterLoginModule". Unfortunately I was not able to find this class either on the file system or in the security.jar. Is it possible that this class is missing? That could be the reason for not being able to map the certificates to the portal users, since this class is doing that.

Andreas

Former Member
0 Likes

Hi guys,

This scenario describes the configuration steps needed to implement the automatic client cert-to-user mapping.

1. Adding CertPersisterLoginModule to the list of available login modules

a. Start Visual Administrator and go to Server->Services->Security Provider->Runtime(tab)->User Management(tab).

b. Press "Manage Security Stores"

c. Select "UME User Store" and press "Add Login Module"

d. Check "Use a specific editor for the login module options" and press OK.

e. In the popup window enter:

Class Name = com.sap.security.core.server.jaas.CertPersisterLoginModule
Display Name = CertPersisterLoginModule

f. Press OK. Now you should see the newly created CertPersisterLoginModule in the Login Modules tab.

2. Configuring the application stack.

a. In the Visual Administrator go to Server->Services->Security Provider->Runtime(tab)->Policy Configurations(tab).

b. Select the application stack (or template) referring to the EP or the desired application. If you have created your own application stack, select it and apply the following modules:

Login module                Flag        Options
EvaluateTicketLoginModule   SUFFICIENT  ume.configuration.active=true
ClientCertLoginModule       OPTIONAL
CreateTicketLoginModule     SUFFICIENT  ume.configuration.active=true
BasicPasswordLoginModule    REQUISITE
CertPersisterLoginModule    OPTIONAL    ume.configuration.active=true
CreateTicketLoginModule     OPTIONAL    ume.configuration.active=true

3. Check the configuration:

a. Access the EP via https, e.g. https://myephost.mydomain.com:50001/irj. The first time you access this page you will be prompted for user ID and password. The next time you request that URL you should go directly to the EP main page.

b. Access the EP via http, e.g. http://myephost.mydomain.com:50000/irj. The portal behavior must not be affected.

Best regards,

Tsvetomir
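To see why the stack in step 2b prompts for a password only once, here is an added simulation (not SAP's code) of the JAAS flag semantics applied to that stack: on the first logon the unmapped certificate falls through to BasicPasswordLoginModule and CertPersisterLoginModule stores the mapping; on the next logon ClientCertLoginModule finds the mapping and the SUFFICIENT CreateTicketLoginModule ends the stack. The module behaviour is modelled from the answer's text; the function names, the `ctx` dictionary and the in-memory `cert_mapping` store are assumptions.

```python
# Added example (not SAP's code): a simulation of how the JAAS login stack
# from the answer above behaves on the first and on a later logon. Module
# behaviour is modelled from the answer's text; names are assumptions.
REQUISITE, SUFFICIENT, OPTIONAL = "REQUISITE", "SUFFICIENT", "OPTIONAL"

cert_mapping = {}  # persisted cert -> user mapping (stands in for the UME store)

def evaluate_ticket(ctx):  # succeeds only if a logon ticket is already present
    return ctx.get("ticket") is not None

def client_cert(ctx):  # succeeds only if the presented cert is already mapped
    user = cert_mapping.get(ctx.get("cert"))
    if user:
        ctx["user"] = user
    return user is not None

def create_ticket(ctx):  # issues a logon ticket for an authenticated user
    if ctx.get("user"):
        ctx["ticket"] = "ticket-for-" + ctx["user"]
        return True
    return False

def basic_password(ctx):  # the uid/pwd prompt; ctx["password_prompt"] = (uid, pwd)
    creds = ctx.get("password_prompt")
    if creds:
        ctx["user"] = creds[0]
        return True
    return False

def cert_persister(ctx):  # stores cert -> user once a user is authenticated
    if ctx.get("cert") and ctx.get("user"):
        cert_mapping[ctx["cert"]] = ctx["user"]
        return True
    return False

STACK = [  # the stack from step 2b of the answer, in order
    (evaluate_ticket, SUFFICIENT), (client_cert, OPTIONAL),
    (create_ticket, SUFFICIENT), (basic_password, REQUISITE),
    (cert_persister, OPTIONAL), (create_ticket, OPTIONAL),
]

def run_stack(ctx):
    """JAAS flag semantics: a SUFFICIENT success returns at once, a REQUISITE
    failure aborts, OPTIONAL modules never decide the outcome alone."""
    any_ok = False
    for module, flag in STACK:
        ok = module(ctx)
        any_ok = any_ok or ok
        if (flag == SUFFICIENT and ok) or (flag == REQUISITE and not ok):
            return ok
    return any_ok
```

A certificate that is not yet mapped and arrives without credentials fails at the REQUISITE password module, which is the "User authentication failed" outcome reported later in this thread when the persister never stored a mapping.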

Former Member
0 Likes

Hi Tsvetomir

Thank you for your answer. I've gotten exactly the same answer from SAP, who answered my OSS note. These steps can basically be found in the help and I've tried that... without success. The problem still exists.

Thanks for any other tips.

Andreas

Former Member
0 Likes

Hi Andreas,

I have investigated a similar issue. Meanwhile the customer upgraded J2EE to SP11 and the issue disappeared. Unfortunately I didn't find out why the mapping didn't work.

Kind regards,

Tsvetomir

Former Member
0 Likes

Hi everyone

Sorry it took so long... I was very busy fixing other stuff these days.

The CertPersisterLoginModule works with SP12, so this upgrade pretty much seems to fix a lot.

If anyone still has problems in setting up authentication with client certificates, just let me know.

Andreas

Former Member
0 Likes

Hello All,

CertPersisterLoginModule should be available from SP10. It is there in SP11 onwards. J2EE with client certificates works fine after that, together with all the help topics in this thread.

Has anybody done it with IISProxy? I am trying hard, but it looks like as soon as a certificate is passed to IIS Proxy it fails - it even fails to direct to the HTTP site.

I need some help and I have many observations. So is there anybody who can help?

Contact me ashutosh_agrawal_in@yahoo.com

Regards

Ash

Former Member
0 Likes

Hi again

Time is kinda running away and I still haven't been able to enable authentication with client certificates in EP. Somehow the portal seems not to be able to map the certificates to the username. Again, does anybody have a clue how to configure it the right way?

Former Member
0 Likes

Hi to everyone in here

I just wanted to ask whether you have any answer for this, because I seem to have exactly the same problem with my SR1 installation. While authorization with client certificates has worked just fine with SP2, this does not seem to be possible with SR1. After having chosen the appropriate certificate from the list, I get a "User authentication failed" error on the logon page. As with a working installation I get the message "Your certificate will be mapped to your user ID", but this is not going to happen. Here is the log:

-
[BEGIN] Exception -
javax.security.auth.login.LoginException: USER_AUTH_FAILED
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:317)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:344)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:178)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:545)
at java.security.AccessController.doPrivileged(Native Method)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:153)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:290)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:346)
at com.sap.portal.navigation.Gateway.service(Gateway.java:68)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:385)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:263)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:340)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:318)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:824)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:239)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:147)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:37)
at com.sap.engine.core.cluster.impl6.session.UnorderedChannel$MessageRunner.run(UnorderedChannel.java:71)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:94)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:162)
-
[ END ] Exception -


Needless to say that any help on this is very appreciated!

Andreas Adler

Former Member
0 Likes

I am having the same problem in NW SP09.

Client certificates are working on J2EE HTTPS ports for us in EP6-SP2, but the same is not working in NW SP09.

I have tested HTTPS. It works after providing user ID and password. Something is wrong with client certificate parsing. Do we need to provide any values to the options (parameters) of the login module?

Any help?

Regards

Ashutosh