on 2018 May 16 11:16 AM
Hello community,
I want to protect one of my JAVA Servlets with Client Certificate Auhtentication:
String user = request.getRemoteUser();
//Authenticates the User
if (user != null) {
_Logger.info("User already authenticated");
}
else {
//authenticate the User
LoginContext loginContext;
try {
loginContext = LoginContextFactory.createLoginContext("CERT");
loginContext.login();
//update the user
user = request.getRemoteUser();
} catch (LoginException e) {
_Logger.error("Authentication failed: ", e);
return;
}
}
I created a certificate and signed it with my CA. I added the certificate to a keystore and uploaded it to SCP as described here:
https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/0d7cf63b75a94f869895186a2d3...
In addition I added the domain cert.hana.ondemand.com to my java application.
When I call my servlet, for example with the tool "SoapUi" or with JAVA HttpClient and send the Certificate I always geht the Loginexception:
avax.security.auth.login.LoginException: Client certificate is not available in the request
Has anybody an idea what is getting wrong?
Best Regards and Thanks in advance,
Chris
Request clarification before answering.
Hi Christoffer,
How are you accessing your application?
This is the correct way of accessing your application, after you issue the neo command that adds the "cert" domain to it.:
https://<app_name><subaccount>.cert.hana.ondemand.com/<app-context>;
instead of:
https://<app_name><subaccount>.hana.ondemand.com/<app-context>;
I generated a war file and used the cockpit to deploy the app so I could specify the VM parameter as following:
-Dcom.sap.cloud.crypto.clientcert.mapping_mode=CN
If you do not specify this during deployment, then your cert url will not work.
You could specify this VM parameter via neo deploy command, but your have to prepare the application.properties file beforehand.
Please be advised that if your are not using any of the CAs listed here that the client certificate will never be sent by the browser since it is not a certificate that is trusted by SCP.
If that's your case I suggest you check using SCP with your corporate IdP to authenticate your users using SAML. This setup will support the certificates issued by your internal CAs (since authentication is delegated to your IdP) and the authentication will be valid for all applications on SCP.
I have seen the following additional VM parameter:
-Dcom.sap.cloud.crypto.clientcert.keystore_name=tomcat
Where <tomcat> is the name of the jks file (i.e.: C:\tomcat.jks). I have tested this scenario, but it didn't quite work for me. I would've expected to see two client certificates, but only my SAP client certificate was presented by the browser. Which leads me into thinking that the keystore is not being taken into account.
Nonetheless, check which CAs are needed on this jks as they shouldn't be quite the same as the ones you use for testing locally. All you need are the root and intermediate certificates that have signed the p12 client certificate stored on your browser.
Hope it helps.
Regards,
Ivan
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
| User | Count |
|---|---|
| 8 | |
| 5 | |
| 5 | |
| 4 | |
| 4 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.