ABAP ICM/TLS: Multiple client authentication certificates from same root - browser selection popup

Colt
Active Contributor

Hi experts,

at one of our customers, we recently performed a migration to SAP SSO version 3.0 and installed a new Secure Login Server. The new SLS should be operated as a Sub-CA for an existing Enterprise Root.

In addition to the client certificates issued from the SAP SSO solution, the Windows clients also had an existing client authentication certificate before, used for secure WLAN 802.1x. Both are part of the same certificate chain, thus the same Root CA.

Now, since we installed the trust to the new Root CA on the SAP backends, the users experience a certificate selection dialog when accessing ICF services on the AS ABAP via the browser. This is correct behavior; however, only the correct certificate (the one from SLS) can be used to authenticate at SAP. The customer's end users don't want to see the selection screen. Also, we are not able to remove the existing certificate.

For SAP GUI this isn't an issue, as we can use CAPI filters (Registry Keys) and/or enable the certificate profile in the Secure Login Client.

Question: Is there a way, on the AS ABAP backend (ICM), to influence the trusted client authentication certificates during the TLS handshake? Any kind of filtering for usage type, issuer, OID, etc.? Maybe a way to filter out certs in the browser via GPO, etc.? I wasn't able to find anything so far.

I'm afraid that there is no solution to this problem, but try it here anyway 😉

Cheers, Carsten

Accepted Solutions (0)

Answers (2)

former_member200373
Participant

Carsten,

there are several situations to be considered.

1. There is only one user certificate, resp. only one that fits the server's CA list:

It's a browser security setting that controls whether a certificate selection dialog is shown or not. Could be some separate configuration, or something like in 3.

2. Two or more user certificates would fit, and are offered in a selection dialog:

If the server sends more than one accepted CA, and the user certificates were issued by one of them respectively, simply remove the CA you don't want to be used.

If the undesired CA is the server's own PKI Root, just deselect the checkbox "Trust issuer certificate" in the "Own Certificate" pane of the SSL server PSE in STRUST. In other words, the server does not accept user certificates from the same PKI.

If the server sends one Root CA, and the user certificates were issued within this PKI but by different intermediate CAs, then remove this Root CA certificate from the "Certificate List" and add the wanted intermediate CA instead.

You may have to consider 1. (and potentially 3.) additionally.

3. You cannot change STRUST because other use cases require the existing configuration:

Use the existing browser security policies to fine-tune the user certificate selection based on URL patterns.

For instance Chrome: https://www.chromium.org/administrators/policy-list-3#AutoSelectCertificateForUrls or https://blogs.sap.com/2013/10/22/how-to-automatically-select-sap-client-certificate-in-google-chrome...

Best,
Stephan
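As an added illustration of option 3 (not part of Stephan's answer or of any SAP/Google documentation), the following PowerShell script writes the Chrome AutoSelectCertificateForUrls policy into the machine registry so that only the certificate issued by the SLS Sub-CA is picked for the SAP hosts, and the WLAN certificate from the sibling Sub-CA no longer triggers the dialog. The URL pattern and the Sub-CA common name are placeholders that must be replaced with the customer's real values.

```powershell
# Added example, not from the thread: pin the SLS-issued client certificate for SAP URLs
# in Google Chrome via the AutoSelectCertificateForUrls policy (machine-level registry).
# Assumed placeholders: the SAP host pattern and the subject CN of the SLS Sub-CA.
$SapUrlPattern   = 'https://*.sap.example.com'          # assumed URL pattern
$SubCaCommonName = 'EXAMPLE Secure Login Server CA'     # assumed CN of the SLS Sub-CA

# Chrome reads this policy from HKLM\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls:
# one REG_SZ value per list entry, named "1", "2", ..., each holding a JSON document.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls'

# Filter on the issuer CN: only a certificate issued by the SLS Sub-CA is auto-selected
# for matching URLs, so the WLAN certificate (different Sub-CA) is not offered.
$Entry = @{
    pattern = $SapUrlPattern
    filter  = @{ ISSUER = @{ CN = $SubCaCommonName } }
} | ConvertTo-Json -Compress -Depth 5

if (-not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}
New-ItemProperty -Path $PolicyKey -Name '1' -Value $Entry -PropertyType String -Force | Out-Null

# Read the value back and make sure Chrome will receive well-formed JSON with the intended filter.
$Stored = (Get-ItemProperty -Path $PolicyKey -Name '1').'1'
$Parsed = $Stored | ConvertFrom-Json
if ($Parsed.pattern -ne $SapUrlPattern -or $Parsed.filter.ISSUER.CN -ne $SubCaCommonName) {
    throw "Policy entry was not written as expected: $Stored"
}
Write-Host "AutoSelectCertificateForUrls[1] = $Stored"
```

Run it elevated on a client (or deploy the same value through GPO), then check chrome://policy to confirm the entry is applied before testing the ICF URL.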

Colt
Active Contributor

Or is there a way (setting on the SAP backend) to exclude a specific root CA from the TLS handshake?