
EP6 sp2: Editing authschemes.xml file for Client Certificates - Urgent

Former Member
0 Kudos

Urgent help needed.

I am trying to modify the authschemes.xml file so that I can have client certificate authentication. Has anyone done this before? I am unable to get client certificate authentication working. I also need to get rid of the form-based logon screen.

Please help.

regards

anton

Accepted Solutions (1)

detlev_beutner
Active Contributor
0 Kudos

Hi Anton,

I haven't done this, but...

1.) I expect you to know this source, but if not, it should be valuable: http://help.sap.com/saphelp_nw04/helpdata/en/1a/3afd4e641b8f42ac07bb77fe30375b/frameset.htm

2.) If you followed these steps, could you provide the details of what you have done, for example the authscheme.xml?!

Hope it helps

Detlev

Former Member
0 Kudos

Hi detlev,

I followed all the instructions I can find, but nothing explains what exactly I need to implement in the xml file to request client certificates.

I want the portal to request the client cert as soon as they hit the portal web page. I am also going through IIS6 with the iisproxy module installed.

I am using VeriSign certificates. I configured the J2EE Engine to request the root cert for the client cert for the SSL port, but that does not work. I get the dialog box in IE asking me to choose a cert, but I can't make any selection; it's greyed out. After I say yes it connects me to the portal logon screen.

Here is the authscheme that I am using.

<authschemes>
    <!-- authschemes, the name of the node is used -->
    <authscheme name="uidpwdlogon">
        <!-- multiple login modules can be defined -->
        <loginmodule>
            <loginModuleName>com.sap.security.core.logon.imp.CertLoginModule</loginModuleName>
            <controlFlag>SUFFICIENT</controlFlag>
            <options></options>
        </loginmodule>
        <loginmodule>
            <loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>
            <!-- specifying whether this LoginModule is REQUIRED, REQUISITE, SUFFICIENT, or OPTIONAL -->
            <controlFlag>REQUISITE</controlFlag>
            <options></options>
        </loginmodule>
        <priority>21</priority>
        <!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
        <frontendtype>2</frontendtype>
        <!-- target object -->
        <frontendtarget>com.sap.portal.runtime.logon.default</frontendtarget>
    </authscheme>
</authschemes>
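The control flags in the fragment above (SUFFICIENT for the certificate module, REQUISITE for the user ID/password module) follow the standard JAAS control-flag rules, and those rules decide whether a successful certificate login skips the password module or not. The following is an added example, not code from this thread or from SAP: it parses a constructed copy of the posted fragment (with the closing tag added) into a module stack and simulates the JAAS login phase over it. The simulation models the generic JAAS semantics, not the SAP engine's own implementation, and the per-module outcomes are supplied by hand, so it shows what the flags imply rather than why a particular certificate is rejected.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the authscheme fragment posted in this thread (closing
# </authschemes> tag added so it parses); not taken from a live system.
AUTHSCHEMES_XML = """<authschemes>
  <authscheme name="uidpwdlogon">
    <loginmodule>
      <loginModuleName>com.sap.security.core.logon.imp.CertLoginModule</loginModuleName>
      <controlFlag>SUFFICIENT</controlFlag>
      <options></options>
    </loginmodule>
    <loginmodule>
      <loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>
      <controlFlag>REQUISITE</controlFlag>
      <options></options>
    </loginmodule>
    <priority>21</priority>
    <frontendtype>2</frontendtype>
    <frontendtarget>com.sap.portal.runtime.logon.default</frontendtarget>
  </authscheme>
</authschemes>"""

VALID_FLAGS = {"REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"}

CERT = "com.sap.security.core.logon.imp.CertLoginModule"
PWD = "com.sap.security.core.logon.imp.DefaultLoginModule"


def load_stack(xml_text, scheme_name):
    """Return [(module_name, control_flag), ...] for one <authscheme>, in order."""
    root = ET.fromstring(xml_text)
    scheme = root.find(f"./authscheme[@name='{scheme_name}']")
    if scheme is None:
        raise ValueError(f"no authscheme named {scheme_name!r}")
    stack = []
    for lm in scheme.findall("loginmodule"):
        name = lm.findtext("loginModuleName", "").strip()
        flag = lm.findtext("controlFlag", "").strip().upper()
        if flag not in VALID_FLAGS:
            raise ValueError(f"{name}: unknown controlFlag {flag!r}")
        stack.append((name, flag))
    return stack


def evaluate_stack(stack, outcomes):
    """Simulate the JAAS login phase over a module stack (generic JAAS rules,
    assumed here to be what the engine applies; not SAP's code).

    outcomes maps module name -> True (login succeeded) / False (failed).
    Returns (authenticated, modules_invoked).
      REQUISITE failure stops the stack immediately with failure.
      REQUIRED failure is remembered, but later modules still run.
      SUFFICIENT success returns success at once unless an earlier
        REQUIRED/REQUISITE module already failed.
      OPTIONAL never decides the outcome on its own.
    """
    invoked = []
    required_failed = False
    any_success = False
    for name, flag in stack:
        invoked.append(name)
        ok = outcomes.get(name, False)
        any_success = any_success or ok
        if flag == "REQUISITE" and not ok:
            return False, invoked
        if flag == "REQUIRED" and not ok:
            required_failed = True
        if flag == "SUFFICIENT" and ok and not required_failed:
            return True, invoked
        # OPTIONAL (and successful REQUIRED/REQUISITE): keep going
    if required_failed:
        return False, invoked
    return any_success, invoked


if __name__ == "__main__":
    stack = load_stack(AUTHSCHEMES_XML, "uidpwdlogon")
    print("cert accepted      ->", evaluate_stack(stack, {CERT: True}))
    print("cert rejected, pwd ->", evaluate_stack(stack, {CERT: False, PWD: True}))
    print("both rejected      ->", evaluate_stack(stack, {CERT: False, PWD: False}))
```

Under these rules the posted configuration already lets a successful certificate login bypass the password module, so still landing on the logon page means the certificate module is not succeeding (the certificate never reaches the engine, or is not mapped to a user), not that the flags are wrong.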

Former Member
0 Kudos

Anton,

User authentication with client certificates works in the default installation on the portal side. You "only" need to configure the J2EE Engine, i.e. set up SSL, import the CA certificates from which the user certificates are issued, etc. Everything is neatly documented by SAP.

But if I understand you correctly, you go through IIS (proxy). In this case, SSL client authentication needs to be performed on the IIS instead of the J2EE Engine. (Why? Because the SSL protocol is terminated (and possibly re-established) on the IIS, thus you have no direct SSL connection user --> portal server.)

Configure the IIS to speak SSL and request certificates. Then check the documentation on how the verification result can be forwarded as HTTP headers to the portal server.

Regards,

Dominik

Former Member
0 Kudos

Ok dominik,

I got the request for the client cert working when I access the portal server through SSL; it is working correctly. I am prompted for the client cert, I enter my client cert user ID/password and then I get sent to the portal logon page.

Now I need to get direct access to the portal once I get client cert authorisation; I don't want to have to log in twice. What do I need to change in authschemes.xml to enable this?

Also, you mention that for IIS I need to have configured IIS with SSL. IIS is configured with SSL and that works, but how do I get information for configuring the HTTP headers to the portal server? The documentation you mention, where can I find it?

regards

anton

Former Member
0 Kudos

Anton,

try this:

For configuring SAP J2EE to accept client certificates that come from an intermediary server (i.e. IISProxy):

http://help.sap.com/saphelp_webas630/helpdata/en/ea/301e3e6217b40be10000000a114084/frameset.htm

Hope it works on SP2 too. Couldn't find documentation for this version.

For properly configuring IISProxy to forward the user's certificate:

http://help.sap.com/saphelp_webas630/helpdata/en/46/ea8f715b259d42b44c5d4d49af0de1/content.htm

Check attribute "Certificate-Header".

Also be sure to set authentication to "forward" in your filter definition.

For the uid/pwd --> certificate mapping problem:

I know this issue from several EP versions. Although the login screen tells you "Your user ID will be mapped to your certificate", it won't. It might be wise to open an OSS call for this.

Regards,

Dominik
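Dominik's two answers together describe the pattern: SSL is terminated on IIS, IISProxy forwards the verified certificate in an HTTP header (the "Certificate-Header" attribute, with authentication set to "forward"), and the J2EE Engine is configured to accept certificates from an intermediary. The piece a practitioner wants to see is the trust boundary that pattern relies on: the engine must honour that header only when it arrives from the proxy, and the proxy must overwrite any copy a client sends, otherwise a forwarded header is just a self-asserted identity. The following is an added example, not code from this thread, from IISProxy or from SAP; the header name `SSL_CLIENT_CERT`, the proxy address and the certificate text are assumptions, since the page names the attribute but not the header it sets.

```python
from dataclasses import dataclass

# Assumed header name: the thread names IISProxy's "Certificate-Header"
# attribute but not the HTTP header it sets, so this is a placeholder.
CERT_HEADER = "SSL_CLIENT_CERT"

# Hypothetical address of the reverse proxy the portal engine trusts.
TRUSTED_PROXIES = {"10.0.0.5"}

# Constructed placeholder standing in for a PEM certificate verified by the
# proxy during the TLS handshake; not a real certificate.
REAL_CERT = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----"


@dataclass
class Request:
    remote_addr: str   # TCP peer as seen by the portal engine
    headers: dict      # header name -> value; names compared case-insensitively


def _get_header(headers, name):
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def proxy_forward(client_headers, verified_cert_pem):
    """Proxy side: build the header set sent upstream to the portal.

    Every client-supplied copy of the certificate header is dropped, whatever
    its letter case, so a client cannot assert an identity by adding the
    header itself. The header is set only from the certificate the proxy
    verified in the TLS handshake; None means no (valid) certificate was shown
    and the upstream request carries no certificate header at all.
    """
    upstream = {k: v for k, v in client_headers.items()
                if k.lower() != CERT_HEADER.lower()}
    if verified_cert_pem is not None:
        upstream[CERT_HEADER] = verified_cert_pem
    return upstream


def forwarded_cert(request, trusted_proxies=TRUSTED_PROXIES):
    """Portal side: return the forwarded certificate to authenticate, or None.

    The header is honoured only when the TCP peer is one of the trusted
    proxies. A request reaching the engine from anywhere else (for example a
    client that knows the header name and talks to the engine port directly)
    is treated as carrying no certificate, and falls through to the form logon.
    """
    if request.remote_addr not in trusted_proxies:
        return None
    return _get_header(request.headers, CERT_HEADER)


if __name__ == "__main__":
    # Client request that already carries a self-asserted certificate header.
    client_headers = {"Host": "portal.example", "ssl_client_cert": "CLIENT-SUPPLIED-VALUE"}
    print("direct to engine, untrusted peer:", forwarded_cert(Request("203.0.113.9", client_headers)))
    print("via proxy, no cert shown:        ", forwarded_cert(Request("10.0.0.5", proxy_forward(client_headers, None))))
    print("via proxy, cert verified:        ", forwarded_cert(Request("10.0.0.5", proxy_forward(client_headers, REAL_CERT))) is not None)
```

Both halves are needed: the proxy-side overwrite stops a header from riding through IISProxy, and the engine-side peer check stops a request that never went through the proxy. When the engine is reachable on its own port from the network the proxy sits in front of, the peer check (or an equivalent restriction such as a firewall rule limiting that port to the proxy) is what keeps the forwarded header from becoming an authentication bypass.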
