on 2023 Apr 20 8:32 PM
Hi,
I am currently facing an issue in setting up a SLS based CA for Principal Propagation from the Cloud Connector.
I followed the general guides here:
The logs on the Cloud Connector show currently this:
"Failed to create X509Certificate on SLS https://yyyy. yyyy.com:50202 for CN=test@test.net: Chain generated by Secure Login Server is empty"
I would be glad to get some help on this one.
Best Regards,
Florian
Here is some trace content from SLS which seems strange... especially the subjectName.
CLIENT: 1723 [172.16.50.33 : 42002], REQUEST:
POST /SecureLoginServer/slc3/doLogin?profile=84932e9d-1111-1111-1111-1111118150b HTTP/1.1
content-length: 32
content-type: application/x-www-form-urlencoded
host: yyyy.yyyyy:50202
connection: Keep-Alive
user-agent: Apache-HttpClient/4.5.14 (Java/17.0.6)
cookie: saplb_*=(J2EE27615320)27615350; JSESSIONID=wUJYaMGFf2fYs8KP2kOGGW_BpsCdhwF2YKyyyyyy; JSESSIONMARKID=kzkXtQyeWjuEtb0tyIBlzyyyyyyy
accept-encoding: gzip,deflate
subjectName=CN%3Dtest%40test.net
Then the error shown in the trace is this...
Illegal PKCS10
[EXCEPTION]
com.sap.securelogin.certificatemgt.core.InvalidPKCS10Exception: PKCS#10 Subject in certificate request rejected.CN=test@test.net does not match
CN=TEST@TEST.NET
Here is some content of the trace on the Cloud Connector.
2023-04-20 21:26:22,352 +0200#TRACE#com.sap.scc.ui#https-jsse-nio2-8443-exec-3# #execute incoming request /admin with action 'ping'
2023-04-20 21:26:22,353 +0200#TRACE#com.sap.scc.ui#https-jsse-nio2-8443-exec-3# #incoming request /admin action: ping finished after 1 ms
2023-04-20 21:26:22,397 +0200#TRACE#com.sap.scc.ui#https-jsse-nio2-8443-exec-8# #execute incoming request /configuration with action 'createPpSampleCertificate'
2023-04-20 21:26:22,398 +0200#DEBUG#com.sap.scc.security#https-jsse-nio2-8443-exec-8# #Creating CSR request with the following Subject : CN=test@test.net
2023-04-20 21:26:22,413 +0200#DEBUG#com.sap.scc.security#https-jsse-nio2-8443-exec-8# #Executing POST request to https://yyyy.yyyy.com:50202/SecureLoginServer/slc3/doLogin?profile=1231232-1111-1111-1111-1111111111...
2023-04-20 21:26:22,416 +0200#INFO#com.sap.scc.tomcat.utils.SystemPrintStreamSSLWrapper#https-jsse-nio2-8443-exec-8# #javax.net.ssl|WARNING|61|https-jsse-nio2-8443-exec-8|2023-04-20 21:26:22.416 CEST|SSLSocketImpl.java:1676|handling exception (
"throwable" : {
java.net.SocketTimeoutException: Read timed out
at java.base/sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:283)
at java.base/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:309)
at java.base/sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:350)
at java.base/sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:803)
at java.base/java.net.Socket$SocketInputStream.read(Socket.java:966)
at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:484)
at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:478)
at java.base/sun.security.ssl.SSLSocketInputRecord.bytesInCompletePacket(SSLSocketInputRecord.java:70)
at java.base/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1465)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1069)
at org.apache.http.impl.io.SessionInputBufferImpl.streamRead(SessionInputBufferImpl.java:137)
at org.apache.http.impl.io.SessionInputBufferImpl.fillBuffer(SessionInputBufferImpl.java:153)
at org.apache.http.impl.BHttpConnectionBase.fillInputBuffer(BHttpConnectionBase.java:330)
at org.apache.http.impl.BHttpConnectionBase.isStale(BHttpConnectionBase.java:350)
at org.apache.http.impl.conn.CPool.validate(CPool.java:71)
at org.apache.http.impl.conn.CPool.validate(CPool.java:45)
at org.apache.http.pool.AbstractConnPool$2.get(AbstractConnPool.java:256)
at org.apache.http.pool.AbstractConnPool$2.get(AbstractConnPool.java:198)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.leaseConnection(PoolingHttpClientConnectionManager.java:306)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager$1.get(PoolingHttpClientConnectionManager.java:282)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:190)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at com.sap.scc.ui.SccSingleContextHttpClient.executeUriRequest(SccSingleContextHttpClient.java:56)
at com.sap.scc.ui.SecureLoginServerClient.executeRequest(SecureLoginServerClient.java:266)
at com.sap.scc.ui.SecureLoginServerClient.executeLoginSlc3(SecureLoginServerClient.java:251)
at com.sap.scc.ui.SecureLoginServerClient.signCsrSlcV3(SecureLoginServerClient.java:184)
at com.sap.scc.ui.SecureLoginServerClient.signCSR(SecureLoginServerClient.java:177)
at com.sap.scc.cert.CertificateGenerator.createSlsToken(CertificateGenerator.java:188)
at com.sap.scc.cert.CertificateGenerator.createToken(CertificateGenerator.java:174)
at com.sap.scc.cert.CertificateGenerator.generateSampleToken(CertificateGenerator.java:152)
at com.sap.scc.servlets.ConfigurationServlet.createPpSampleCertificate(ConfigurationServlet.java:2076)
at com.sap.scc.servlets.ConfigurationServlet.dispatch(ConfigurationServlet.java:296)
at com.sap.scc.servlets.ServletUtilities.service(ServletUtilities.java:54)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:765)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.sap.scc.ui.rt.UTF8Filter.doFilter(UTF8Filter.java:22)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:662)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:698)
at com.sap.js.statistics.tomcat.valve.RequestTracingValve.callNextValve(RequestTracingValve.java:113)
at com.sap.js.statistics.tomcat.valve.RequestTracingValve.invoke(RequestTracingValve.java:59)
at com.sap.core.js.monitoring.tomcat.valve.RequestTracingValve.invoke(RequestTracingValve.java:27)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:367)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:639)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:885)
at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1710)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1184)
at org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$2.completed(Nio2Endpoint.java:637)
at org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$2.completed(Nio2Endpoint.java:615)
at org.apache.tomcat.util.net.SecureNio2Channel$1.completed(SecureNio2Channel.java:1008)
at org.apache.tomcat.util.net.SecureNio2Channel$1.completed(SecureNio2Channel.java:936)
at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:129)
at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:221)
at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:113)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:833)}
)
2023-04-20 21:26:22,444 +0200#DEBUG#com.sap.scc.security#https-jsse-nio2-8443-exec-8# #Executing POST request to https://yyyy.yyyy.com:50202/SecureLoginServer/slc3/getCertificate?profile=84932e9d-738d-49a6-82e0-9a...
21:26:22,457 +0200#ERROR#com.sap.scc.ui#https-jsse-nio2-8443-exec-8# #Sample certificate generation failed. See ''Log And Trace Files'' and in particular ljs_trace.log for details.
com.sap.core.connectivity.spi.sso.BackendTokenGenerationException: Failed to create X509Certificate on SLS https://yyyy.yyyy.com:50202 for CN=test@test.net: Chain generated by Secure Login Server is empty
at com.sap.scc.cert.CertificateGenerator.createSlsToken(CertificateGenerator.java:222)
at com.sap.scc.cert.CertificateGenerator.createToken(CertificateGenerator.java:174)
at com.sap.scc.cert.CertificateGenerator.generateSampleToken(CertificateGenerator.java:152)
at com.sap.scc.servlets.ConfigurationServlet.createPpSampleCertificate(ConfigurationServlet.java:2076)
at com.sap.scc.servlets.ConfigurationServlet.dispatch(ConfigurationServlet.java:296)
at com.sap.scc.servlets.ServletUtilities.service(ServletUtilities.java:54)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:765)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.sap.scc.ui.rt.UTF8Filter.doFilter(UTF8Filter.java:22)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:662)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:698)
at com.sap.js.statistics.tomcat.valve.RequestTracingValve.callNextValve(RequestTracingValve.java:113)
at com.sap.js.statistics.tomcat.valve.RequestTracingValve.invoke(RequestTracingValve.java:59)
at com.sap.core.js.monitoring.tomcat.valve.RequestTracingValve.invoke(RequestTracingValve.java:27)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:367)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:639)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:885)
at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1710)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1184)
at org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$2.completed(Nio2Endpoint.java:637)
at org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$2.completed(Nio2Endpoint.java:615)
at org.apache.tomcat.util.net.SecureNio2Channel$1.completed(SecureNio2Channel.java:1008)
at org.apache.tomcat.util.net.SecureNio2Channel$1.completed(SecureNio2Channel.java:936)
at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:129)
at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:221)
at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:113)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: com.sap.scc.servlets.CriticalSccException: Chain generated by Secure Login Server is empty
at com.sap.scc.cert.CertificateGenerator.createSlsToken(CertificateGenerator.java:194)
... 42 common frames omitted
2023-04-20 21:26:22,457 +0200#TRACE#com.sap.scc.ui#https-jsse-nio2-8443-exec-8# #incoming request /configuration action: createPpSampleCertificate finished after 60 ms
The subjectName in the POST request looks correct. It's "content-type: application/x-www-form-urlencoded".
The problem rather seems to be a misconfiguration of the subject DN, either on the SLS server or on the SCC:
PKCS#10 Subject in certificate request rejected.CN=test@test.net does not match
CN=TEST@TEST.NET
Currently the SLS only accepts this upper case subject, but the SCC sends it in lower case. Solution would be one of
Which one is the right one depends on what kind of certificates are accepted by the backend (e.g. mapped in its CERTRULE configuration). If the backend expects the lower case version, then changing the pattern to upper case in the SCC would solve the problem with the SLS, but won't allow a successful login to the backend anyway... So in such a case the config on the SLS would need to be adjusted.
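To make the comparison the SLS trace complains about concrete, here is an added diagnostic script (example code, not SAP's Cloud Connector or Secure Login Server code). It takes the URL-encoded `subjectName` form body captured in the SLS request trace above and a subject pattern, parses both DNs, and reports whether they differ only in case (which is what the thread shows) or structurally. The profile pattern `CN=TEST@TEST.NET`, the policy names and the sample inputs are assumptions constructed for illustration; the verdict only tells you which side to align, not which case the backend's certificate mapping expects.

```python
from __future__ import annotations

from urllib.parse import parse_qs

# Constructed sample input: the form body seen in the SLS request trace and
# the subject pattern the SLS profile is assumed to be configured with.
FORM_BODY = "subjectName=CN%3Dtest%40test.net"
SLS_TEMPLATE_SUBJECT = "CN=TEST@TEST.NET"  # assumed profile pattern


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 style DN string into (type, value) pairs.

    Backslash escapes and quoted values are honoured so that a comma inside
    a value (O="Acme, Inc.") is not taken as an RDN separator. Multi-valued
    RDNs joined with '+' are not needed here and are not handled.
    """
    rdns = []
    buf = []
    escaped = quoted = False

    def flush() -> None:
        part = "".join(buf).strip()
        buf.clear()
        if not part:
            return
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip(), value.strip().strip('"')))

    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == "," and not quoted:
            flush()
        else:
            buf.append(ch)
    flush()
    return rdns


def subjects_match(requested: str, template: str, policy: str) -> bool:
    """Compare two subject DNs under a named policy.

    'exact'            byte-for-byte, which is what the SLS trace shows it doing
    'case-insensitive' attribute types and values case-folded (RFC 4518 style)
    """
    a, b = parse_dn(requested), parse_dn(template)
    if len(a) != len(b):
        return False
    for (ta, va), (tb, vb) in zip(a, b):
        if policy == "exact":
            if ta != tb or va != vb:
                return False
        elif policy == "case-insensitive":
            if ta.casefold() != tb.casefold() or va.casefold() != vb.casefold():
                return False
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return True


def diagnose(form_body: str, template: str) -> dict[str, object]:
    """Decode the subjectName form parameter and classify the mismatch."""
    requested = parse_qs(form_body)["subjectName"][0]
    exact = subjects_match(requested, template, "exact")
    folded = subjects_match(requested, template, "case-insensitive")
    if exact:
        verdict = "match"
    elif folded:
        # Only the case differs: align SCC pattern or SLS profile to the case
        # the backend's certificate mapping (e.g. CERTRULE) actually expects.
        verdict = "case-only mismatch"
    else:
        # Different attributes or values, so more than the case is wrong.
        verdict = "structural mismatch"
    return {"requested": requested, "template": template,
            "exact": exact, "case_insensitive": folded, "verdict": verdict}


if __name__ == "__main__":
    for key, value in diagnose(FORM_BODY, SLS_TEMPLATE_SUBJECT).items():
        print(f"{key:17} {value}")
```

Run against the body from the trace, `diagnose` reports `exact` false and `case_insensitive` true, i.e. a case-only mismatch, which is exactly the situation the answer describes: the fix is a configuration alignment on one side, chosen by what the backend accepts.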
Hi Markus,
ticket is already raised but also wanted to give it a try.
Best Regards,
Florian
Hi Ulrich,
thank you for your feedback. Now the issue changed and I get the following error shown in SLS. Hope you have an idea. Thank you!
Best Regards,
Florian
Cannot process an HTTP request to servlet [login30] in [SecureLoginServer] web application.
[EXCEPTION]
java.lang.NullPointerException: while trying to invoke the method iaik.pkcs.pkcs9.ExtensionRequest.listExtensions() of a null object loaded from field com.sap.securelogin.certificatemgt.core.ExtensionsRequestComparator.extReq2 of an object loaded from local variable 'this'
at com.sap.securelogin.certificatemgt.core.ExtensionsRequestComparator.extensionsExceptSubjectAltNamesAreEqual(ExtensionsRequestComparator.java:38)
at com.sap.securelogin.certificatemgt.core.PKCS10Comparator.checkCertTemplateMatchesPkcs10Extensions(PKCS10Comparator.java:80)
at com.sap.securelogin.connection.http.GetCertificate30Action.buildCertificateChain(GetCertificate30Action.java:91)
at com.sap.securelogin.connection.http.GetCertificateAction.handleCertification(GetCertificateAction.java:239)
at com.sap.securelogin.connection.http.GetCertificateAction.performAction(GetCertificateAction.java:119)
at com.sap.securelogin.connection.http.SecureLoginServlet.doPost(SecureLoginServlet.java:76)