23 Replies Latest reply: Dec 14, 2013 10:00 AM by Michael Jeschke RSS

The page requires a valid ssl client certificate (Mac OS / Safari)

Stefan Koehler
Currently Being Moderated

Dear SCN Team,

i got an issue with using SCN on MAC OS with Safari.

 

If i don't have a valid SSL certificate provided by SAP (SMP), i am not able to logon SCN. Even if i have installed no certificate at all in my key store, i get the same error "The page requires a valid ssl client certificate".

 

This is a serious issue, because of i will loose my S-User due to company change and from that i will have a public SCN user (P-User) only with no SSL certificate at all.

 

Currently the SCN team is not able to copy any content from my old user to the new one (due to lack of functionality with the new SCN platform) and now i am not able to logon anymore with that P-user too.

 

Please check this SSL certificate behavior and provide a solution.

 

Thank you.

 

Safari Version: Version 5.1.7 (7534.57.2)

MAC OS: 10.7.4

 

Best Regards

Stefan

  • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
    David Cockrell
    Currently Being Moderated

    Hello Stefan,

     

    In the new SCN platform we strongly recommend against using multiple user accounts. This can cause problems as I can see in your user accounts (inconsistency between the SCN account and LDAP)

    Using the admin tool, I fixed the inconsistencies in your accounts and did some manual manipulation.

    Now your s-user is associated with brose email address and your p-user is associated with soocs email address.

    Your p-user account is the one that now holds all your activities and points (I assume that this is what you wanted. Correct?)

     

    You should be able to perform the following operations:

    Go to SCN: http://scn.sap.com/welcome

    Log in with your p-user (this time login with your p-number, not with your email address)

    Verify that your account is ok, with all the activities and points.

     

    Only if you still need your s-user account, perform the following: 

    log out from your p-user

    Log in with your s-user (this time login with your s-number, not with your email address)

     

    During this login you will have to approve the email address (must be different from the email address of your p-user), then you will be required to agree to the SCN terms of use.

     

    Please update me if this was helpful.

    • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
      Stefan Koehler
      Currently Being Moderated

      Hi David,

      sorry, but you have not understood the issue and mixed it up even more.

      Now your s-user is associated with brose email address and your p-user is associated with soocs email address.

      Your p-user account is the one that now holds all your activities and points (I assume that this is what you wanted. Correct

       

       

      No, not all. I don't have that brose email address anymore (as i quit that company) and i still see the soocs email address for the S-User.

       

      However i just want to use the P-user furthermore, but this is not possible at all, because of you can not logon to SCN without having a valid SSL certificate provided by SMP. This is the issue right here. You can test that pretty easily. Just use Safari with Mac OS and delete all your SSL certificates (for the S-Users) in your key store. After that try to open SCN and you will get the error "The page requires a valid ssl client certificate".

       

      The perfect situation would be:

      1. Transfer all of my content (blogs, points, connections, etc.) from my old S-User to the current P-User
      2. Make login work with the P-User without having a SSL certificate installed (because of i can not request a SSL certificate for the P-User through SMP)

       

      As i requested point 1 several times and i was told that this is not possible due to lack of platform functionality, i would be happy with point 2 only. But this is also not working

       

      To be honest i am almost at the end of my tether with the new SCN. Most of the basic functions, that members need (Copy user content, Logon without SSL certificate, etc.) is not working properly or even not all. Luckily my lost blog content was fixed after round about 2.5 months, but now i will lose it anyway, because of it can not be copied to my P-User.

       

      Here is a screenshot of the error, if i try to logon with my P-User without having a Single-Sign On certificate installed in my key store. I am not able to enter my P-User ID or password at all, because of this error.

       

      Bildschirmfoto 2012-07-01 um 14.58.00.png

       

      Best Regards

      Stefan

       

      P.S.: I write these posts with my old S-User to get a solution for this issue. The SSL certificate for my S-User will expire and then i have to use the P-User.

      • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
        David Cockrell
        Currently Being Moderated

        Hi Stefan,

         

         

        I do not have any experience with Mac (and no experience with Safari)

         

        I only fixed the issues that I saw related to your SCN user accounts.

         

        I have reached out to someone who might be able to help on the other topics.

         

         

        Meanwhile, you say that you still see that the s-user is associated with soocs.

        This leads me to suspect that you might have some unwanted history in your browser.

        Would you care trying the following steps:

         

         

        1. log out of SCN
        2. Delete browser history, cookies and passwords from Safari
        3. close the browser.
        4. open the browser and log in to SCN with your p-user as I mentioned in my last message.
  • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
    Darren Hague
    Currently Being Moderated

    The error "The page requires a valid ssl client certificate" I have seen only twice before now: once on Safari for Windows, and once on Chrome for iPad.

     

    In both cases, this is due to a bug in how SSL is handled by the browser.

     

    In our SSL configuration, the client certificate authentication can be configured for "request", "require" or "ignore". "Request" means that a certificate will be requested from the client, but it is not mandatory. "Require" means that a certificate is mandatory.

     

    We use the "Request" setting, precisely so that the absence of a certificate does not prevent users accessing the system via username/password.

    Unfortunately, it seems that there is some piece of SSL code on some Apple platforms that interprets "request" as "require" and will not let you in without a certificate.

     

    In the case of the other error "Digital certificate has expired", this is seems to be a case that the browser is presenting an outdated certificate to the server, and this is being rejected at SSL level - therefore, all certificates have not been removed from the browser in this case.

     

    I recommend that you get the latest O/S updates from Apple, and hopefully this fixes their SSL bug.

     

    Best regards,
    Darren Hague

    (SAP ID Service architect)

  • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
    Christian Braukmueller
    Currently Being Moderated

    Hi Stefan,

    i found your thread, because i ran into the same problem.

    You may already have found your solution, but i like to add what i did now.

     

     

    The Apple-ID entry in the keystore of the Mac seems to be in relation with the problem. No idea why calling the scn.sap.com is catching this one.

     

    Because the date of the keystone-entry for the Apple-ID was the day when i started my "MacOS career" i had doubts to just delete it and see what happens.    (Will there be any problems with the AppStore/OS-Updates afterwords?

     

    There was no helpful hint to the few similar threads in the web, therefore i just tried it.

     

    • Start MacOS-Keystore (="Schlüsselbundverwaltung" [german])
    • Category -> "All Objects"
    • Righ-Click on "com.apple.idms.appleid.prd.xxxxxxxxxxx"  -> Export Entry -> choose location
      ( ...to feel better before deleting it)  
    • Right-Click -> Delete Entry

     

    Result:

         Now i'm able to login to scn.sap.com again.    (= normal behavior)

          I'm still able to start the AppStore, too.

     

    That's it so far.  I anything comes up in the next days i'll update the thread.

     

    Best regards

    Christian

  • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
    Ramon Peek
    Currently Being Moderated

    As Darren correctly mentioned, the real problem in Safari is this:

     

    This is due to a bug in how SSL is handled by the browser.

    In our SSL configuration, the client certificate authentication can be configured for "request", "require" or "ignore".

    "Request" means that a certificate will be requested from the client, but it is not mandatory.

    "Require" means that a certificate is mandatory.

     

    Safari actually handles this correctly but is missing a feature called "Ignore this request for this website".

     

     

    This is what happens:

     

    Safari receives a "certificate request" and as a result it will look into it's certificate store to see if it has any certificates. If it does, it will ask you to select a certificate. However none of the certificates is valid for the SAP site so you will need to click on "cancel". But if you don't have any certificates installed , then Safari won't ask you for a certificate and as a result you won't have a problem.

     

     

     

    That was the basics, but now the problems:.

    1. The first time you entered the SAP site you've likely selected a certificate.
      As a result this selection is stored in the keychain as an "Identity preference".
      Because the selected certificate is invalid, you must remove it from the keychain or else you will keep getting certificate error when you try to access the SAP site. (You can google on how to do this)

    2. You have a certificate and thus Safari prompts you to select one.
      You will have to click CANCEL on every request you will receive or else you'll run into the problem descibed above. It's very annoying because the SAP website will request for certificates many times while browsing their site. Sadly Apple is missing the feature: "Ignore this request for this website" which would fix this issue.

      If the only certificate you have is that of your Apple ID, then I guess you could safely remove it. (I did too and did not have any adverse effects.)
      However, If like me you have other certificates that cannot be removed; you are screwed.
      You will have to wait for Apple to build some kind of solution.

     

    I hope this summary is helpful to all of you MAC based Safari fans.
    This post was created in a MAC based Safari browser (v6.0.5)

  • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
    Ramon Peek
    Currently Being Moderated

    PS:

    See the post below on the Apple Support community which I created in the hope for a solution:

     

    https://discussions.apple.com/thread/5451317

     

    If anyone as AppleCare the might call them and refer to this issue.

  • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
    Daniel Rothmund
    Currently Being Moderated

    Hi ,

     

    we have the same problem with our WebDispatcher Proxy and the Safari for Mac f

     

    Have someone found a solution ? We user Sap Webdispatcher  7.40 Patch 43.

     

    Regards

  • Re: The page requires a valid ssl client certificate (Mac OS / Safari)
    Bona Hutauruk
    Currently Being Moderated

    Hi,

     

    I also facing the same issue during SAP CONNECT,

    but lucky that I also installed FireFox on my MAC OS X 10.9,

    and it's running OK.