cancel
Showing results for 
Search instead for 
Did you mean: 
Read only

SAP Cloud Platform JAVA Servlet: Client Certificate Authentication not working

christoffer_fuss
Participant
0 Likes
1,980

Hello community,

I want to protect one of my JAVA Servlets with Client Certificate Auhtentication:

 String user = request.getRemoteUser();   
 //Authenticates the User
 if (user != null) {
    _Logger.info("User already authenticated");
 } 
 else {  
   //authenticate the User    
   LoginContext loginContext;
   try {
       loginContext = LoginContextFactory.createLoginContext("CERT");
       loginContext.login();
       //update the user
       user = request.getRemoteUser();
   } catch (LoginException e) {
      _Logger.error("Authentication failed: ", e);
       return;
   } 
 } 
     

I created a certificate and signed it with my CA. I added the certificate to a keystore and uploaded it to SCP as described here:

https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/0d7cf63b75a94f869895186a2d3...

In addition I added the domain cert.hana.ondemand.com to my java application.

When I call my servlet, for example with the tool "SoapUi" or with JAVA HttpClient and send the Certificate I always geht the Loginexception:

avax.security.auth.login.LoginException: Client certificate is not available in the request

Has anybody an idea what is getting wrong?

Best Regards and Thanks in advance,

Chris

View Entire Topic
christoffer_fuss
Participant
0 Likes

Hi Ivan,

Thank you so much for your answer.

Yes I added the "cert" domain to my application and used the "cert" Url in my request.

I used the following command to deploy my application without a application.properties file. Is this file required and how can I set the vm arguments there?

neo deploy --host hana.ondemand.com --account <acc> --application <app> --user <user> --vm-arguments "-Dcom.sap.cloud.crypto.clientcert.mapping_mode=CN"

I used a Custom CA (created by myself) to sign my client certificate. Maybe that is the problem? How can I use one of the above mentioned CAs (I am not an expert in certificates)?

I have configured a SAML IDP which I use for my applications hosted on SCP and it works fine.

But I have a scenario, where customers are calling my cloud services in their backend systems. In this scenario SAML is not possible as it is "machiene to machiene" communication. In this scenario I want to use client certificates for authentication. Or do you see a better way for doing that?

Best Regards,

Chris