cancel
Showing results for 
Search instead for 
Did you mean: 
Read only

SAP Cloud Platform JAVA Servlet: Client Certificate Authentication not working

christoffer_fuss
Participant
0 Likes
1,977

Hello community,

I want to protect one of my JAVA Servlets with Client Certificate Auhtentication:

 String user = request.getRemoteUser();   
 //Authenticates the User
 if (user != null) {
    _Logger.info("User already authenticated");
 } 
 else {  
   //authenticate the User    
   LoginContext loginContext;
   try {
       loginContext = LoginContextFactory.createLoginContext("CERT");
       loginContext.login();
       //update the user
       user = request.getRemoteUser();
   } catch (LoginException e) {
      _Logger.error("Authentication failed: ", e);
       return;
   } 
 } 
     

I created a certificate and signed it with my CA. I added the certificate to a keystore and uploaded it to SCP as described here:

https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/0d7cf63b75a94f869895186a2d3...

In addition I added the domain cert.hana.ondemand.com to my java application.

When I call my servlet, for example with the tool "SoapUi" or with JAVA HttpClient and send the Certificate I always geht the Loginexception:

avax.security.auth.login.LoginException: Client certificate is not available in the request

Has anybody an idea what is getting wrong?

Best Regards and Thanks in advance,

Chris

Accepted Solutions (0)

Answers (3)

Answers (3)

Ivan-Mirisola
Product and Topic Expert
Product and Topic Expert

Hi Christoffer,

How are you accessing your application?

This is the correct way of accessing your application, after you issue the neo command that adds the "cert" domain to it.:

https://<app_name><subaccount>.cert.hana.ondemand.com/<app-context>;

instead of:

https://<app_name><subaccount>.hana.ondemand.com/<app-context>;

I generated a war file and used the cockpit to deploy the app so I could specify the VM parameter as following:

-Dcom.sap.cloud.crypto.clientcert.mapping_mode=CN

If you do not specify this during deployment, then your cert url will not work.

You could specify this VM parameter via neo deploy command, but your have to prepare the application.properties file beforehand.

Please be advised that if your are not using any of the CAs listed here that the client certificate will never be sent by the browser since it is not a certificate that is trusted by SCP.

If that's your case I suggest you check using SCP with your corporate IdP to authenticate your users using SAML. This setup will support the certificates issued by your internal CAs (since authentication is delegated to your IdP) and the authentication will be valid for all applications on SCP.

I have seen the following additional VM parameter:

-Dcom.sap.cloud.crypto.clientcert.keystore_name=tomcat

Where <tomcat> is the name of the jks file (i.e.: C:\tomcat.jks). I have tested this scenario, but it didn't quite work for me. I would've expected to see two client certificates, but only my SAP client certificate was presented by the browser. Which leads me into thinking that the keystore is not being taken into account.

Nonetheless, check which CAs are needed on this jks as they shouldn't be quite the same as the ones you use for testing locally. All you need are the root and intermediate certificates that have signed the p12 client certificate stored on your browser.

Hope it helps.

Regards,
Ivan

alex_zhu2
Product and Topic Expert
Product and Topic Expert
0 Likes

Hi Chris,

I got the same scenario as yours, backend system connects to the cloud service.

Did you resolve this issue? I am very curiouse about your solution for this issue.

Thanks a lot.

Alex.

christoffer_fuss
Participant

Hi Alex,

I switched to "API Management Service". Here the client certificate authentication was working fine and the service was matching my requirements fine.

Best Regards,

Chris

alex_zhu2
Product and Topic Expert
Product and Topic Expert
0 Likes

Thank you Chris.

a_wuttig
Explorer
0 Likes

maybe OAuth Client Credentials Flow is also a good way for machine to machine communication.

christoffer_fuss
Participant
0 Likes

Hi Ivan,

Thank you so much for your answer.

Yes I added the "cert" domain to my application and used the "cert" Url in my request.

I used the following command to deploy my application without a application.properties file. Is this file required and how can I set the vm arguments there?

neo deploy --host hana.ondemand.com --account <acc> --application <app> --user <user> --vm-arguments "-Dcom.sap.cloud.crypto.clientcert.mapping_mode=CN"

I used a Custom CA (created by myself) to sign my client certificate. Maybe that is the problem? How can I use one of the above mentioned CAs (I am not an expert in certificates)?

I have configured a SAML IDP which I use for my applications hosted on SCP and it works fine.

But I have a scenario, where customers are calling my cloud services in their backend systems. In this scenario SAML is not possible as it is "machiene to machiene" communication. In this scenario I want to use client certificates for authentication. Or do you see a better way for doing that?

Best Regards,

Chris