cancel
Showing results for 
Search instead for 
Did you mean: 
Read only

SAP Cloud Platform JAVA Servlet: Client Certificate Authentication not working

christoffer_fuss
Participant
0 Likes
1,983

Hello community,

I want to protect one of my JAVA Servlets with Client Certificate Auhtentication:

 String user = request.getRemoteUser();   
 //Authenticates the User
 if (user != null) {
    _Logger.info("User already authenticated");
 } 
 else {  
   //authenticate the User    
   LoginContext loginContext;
   try {
       loginContext = LoginContextFactory.createLoginContext("CERT");
       loginContext.login();
       //update the user
       user = request.getRemoteUser();
   } catch (LoginException e) {
      _Logger.error("Authentication failed: ", e);
       return;
   } 
 } 
     

I created a certificate and signed it with my CA. I added the certificate to a keystore and uploaded it to SCP as described here:

https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/0d7cf63b75a94f869895186a2d3...

In addition I added the domain cert.hana.ondemand.com to my java application.

When I call my servlet, for example with the tool "SoapUi" or with JAVA HttpClient and send the Certificate I always geht the Loginexception:

avax.security.auth.login.LoginException: Client certificate is not available in the request

Has anybody an idea what is getting wrong?

Best Regards and Thanks in advance,

Chris

View Entire Topic
Ivan-Mirisola
Product and Topic Expert
Product and Topic Expert

Hi Christoffer,

How are you accessing your application?

This is the correct way of accessing your application, after you issue the neo command that adds the "cert" domain to it.:

https://<app_name><subaccount>.cert.hana.ondemand.com/<app-context>;

instead of:

https://<app_name><subaccount>.hana.ondemand.com/<app-context>;

I generated a war file and used the cockpit to deploy the app so I could specify the VM parameter as following:

-Dcom.sap.cloud.crypto.clientcert.mapping_mode=CN

If you do not specify this during deployment, then your cert url will not work.

You could specify this VM parameter via neo deploy command, but your have to prepare the application.properties file beforehand.

Please be advised that if your are not using any of the CAs listed here that the client certificate will never be sent by the browser since it is not a certificate that is trusted by SCP.

If that's your case I suggest you check using SCP with your corporate IdP to authenticate your users using SAML. This setup will support the certificates issued by your internal CAs (since authentication is delegated to your IdP) and the authentication will be valid for all applications on SCP.

I have seen the following additional VM parameter:

-Dcom.sap.cloud.crypto.clientcert.keystore_name=tomcat

Where <tomcat> is the name of the jks file (i.e.: C:\tomcat.jks). I have tested this scenario, but it didn't quite work for me. I would've expected to see two client certificates, but only my SAP client certificate was presented by the browser. Which leads me into thinking that the keystore is not being taken into account.

Nonetheless, check which CAs are needed on this jks as they shouldn't be quite the same as the ones you use for testing locally. All you need are the root and intermediate certificates that have signed the p12 client certificate stored on your browser.

Hope it helps.

Regards,
Ivan