on 06-30-2012 2:55 PM
Dear SCN Team,
I have got an issue with using SCN on Mac OS with Safari.
If I don't have a valid SSL certificate provided by SAP (SMP), I am not able to log on to SCN. Even if I have installed no certificate at all in my key store, I get the same error "The page requires a valid ssl client certificate".
This is a serious issue, because I will lose my S-User due to a company change and from then on I will have a public SCN user (P-User) only, with no SSL certificate at all.
Currently the SCN team is not able to copy any content from my old user to the new one (due to lack of functionality with the new SCN platform) and now I am not able to log on anymore with that P-User too.
Please check this SSL certificate behavior and provide a solution.
Thank you.
Safari Version: Version 5.1.7 (7534.57.2)
MAC OS: 10.7.4
Best Regards
Stefan
Hi Stefan,
I found your thread because I ran into the same problem.
You may already have found your solution, but I would like to add what I did now.
The Apple-ID entry in the keystore of the Mac seems to be in relation with the problem. No idea why calling the scn.sap.com is catching this one.
Because the date of the keystore entry for the Apple-ID was the day when I started my "MacOS career", I had doubts about just deleting it and seeing what happens. (Will there be any problems with the AppStore/OS-Updates afterwards?)
There was no helpful hint to the few similar threads in the web, therefore I just tried it.
Result:
Now I'm able to log in to scn.sap.com again. (= normal behavior)
I'm still able to start the AppStore, too.
That's it so far. If anything comes up in the next days I'll update the thread.
Best regards
Christian
Hi Stefan,
after deleting the apple-id certificate several other certificates in the "All objects" list got invalid.
They all had a URL from SAP in common
https:// ... sap .... .com
I guess these entries were created by all the failed attempts before and were signed by the apple-id.
To check which entries will be affected by the deletion of the
com.apple.idms.appledid.prd.<long number>
try the following:
Take some digits from the long number or the whole string and enter it in the search field in the upper right corner. The list will present you:
- The apple-idms-entry that you (should) like to delete
- all the entries that are related to this id
If these are only entries in relation with the SAP pages, there shouldn't be a reason not to give it a try.
It can't make things worse. (With the exported apple-idms you should feel safe enough to do it.)
For myself it works pretty fine. I requested certificates for two S-IDs and Safari prompts for it when logging on to the SCN/ServiceMarketPlace.
After a few days there is now additionally a new apple-idms-entry underneath the two S0000xxxx entries.
If there wouldn't be the two others I might have the old problem back, but now I'm free to choose.
DISCLAIMER: I'm new to MacOSX and can only report what I did to get things working. Hope that there is nothing I've not detected till now.
Being curious about your progress
Christian
Hi Christian,
Today I got the bravery and time to remove that certificate and test it ... and it works perfectly now.
I am able to log on to SCN with Safari. I hope that the "apple-idms" certificate will not return in my case, because I have a public SCN user and I cannot create an SSL certificate for such users.
Regards
Stefan
Hi,
I am also facing the same issue during SAP CONNECT,
but luckily I also installed Firefox on my Mac OS X 10.9,
and it's running OK.
Hi ,
we have the same problem with our WebDispatcher Proxy and the Safari for Mac f
Has someone found a solution? We use SAP Webdispatcher 7.40 Patch 43.
Regards
PS:
See the post below on the Apple Support community which I created in the hope for a solution:
https://discussions.apple.com/thread/5451317
If anyone has AppleCare they might call them and refer to this issue.
As Darren correctly mentioned, the real problem in Safari is this:
This is due to a bug in how SSL is handled by the browser.
In our SSL configuration, the client certificate authentication can be configured for "request", "require" or "ignore".
"Request" means that a certificate will be requested from the client, but it is not mandatory.
"Require" means that a certificate is mandatory.
Safari actually handles this correctly but is missing a feature called "Ignore this request for this website".
This is what happens:
Safari receives a "certificate request" and as a result it will look into its certificate store to see if it has any certificates. If it does, it will ask you to select a certificate. However, none of the certificates is valid for the SAP site so you will need to click on "cancel". But if you don't have any certificates installed, then Safari won't ask you for a certificate and as a result you won't have a problem.
That was the basics, but now the problems:
I hope this summary is helpful to all of you MAC based Safari fans.
This post was created in a MAC based Safari browser (v6.0.5)
The error "The page requires a valid ssl client certificate" I have seen only twice before now: once on Safari for Windows, and once on Chrome for iPad.
In both cases, this is due to a bug in how SSL is handled by the browser.
In our SSL configuration, the client certificate authentication can be configured for "request", "require" or "ignore". "Request" means that a certificate will be requested from the client, but it is not mandatory. "Require" means that a certificate is mandatory.
We use the "Request" setting, precisely so that the absence of a certificate does not prevent users accessing the system via username/password.
Unfortunately, it seems that there is some piece of SSL code on some Apple platforms that interprets "request" as "require" and will not let you in without a certificate.
In the case of the other error "Digital certificate has expired", this seems to be a case where the browser is presenting an outdated certificate to the server, and this is being rejected at SSL level - therefore, all certificates have not been removed from the browser in this case.
I recommend that you get the latest O/S updates from Apple, and hopefully this fixes their SSL bug.
Best regards,
Darren Hague
(SAP ID Service architect)
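The difference between the "request" and "require" modes described in the posts above can be reproduced locally. This is an added example, not part of the original thread and not SAP's endpoint configuration: it uses Python's `ssl.CERT_OPTIONAL` and `ssl.CERT_REQUIRED` as stand-ins for "request" and "require", assumes the `openssl` command-line tool is installed to create a throwaway localhost certificate, and connects with a client that presents no certificate.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_server_cert(workdir):
    """Throwaway self-signed cert for localhost, made with the openssl CLI (assumed installed)."""
    key, crt = os.path.join(workdir, "key.pem"), os.path.join(workdir, "crt.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1", "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost"],
                   check=True, capture_output=True)
    return key, crt

def handshake_without_client_cert(verify_mode, key, crt):
    """True if a client that presents no certificate completes the TLS handshake."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(crt, key)
    srv.verify_mode = verify_mode                 # CERT_OPTIONAL = request, CERT_REQUIRED = require
    srv.maximum_version = ssl.TLSVersion.TLSv1_2  # a refusal then surfaces inside the handshake
    listener = socket.create_server(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.settimeout(5)

    def serve():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            srv.wrap_socket(conn, server_side=True).close()
        except OSError:  # ssl.SSLError is a subclass: raised when "require" gets no certificate
            pass

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies the server, offers no client cert
    cli.load_verify_locations(crt)
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as raw:
            with cli.wrap_socket(raw, server_hostname="localhost"):
                return True
    except OSError:
        return False
    finally:
        worker.join()
        listener.close()

def compare_modes():
    """Run the same certificate-less client against both server modes."""
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_server_cert(d)
        return {"request": handshake_without_client_cert(ssl.CERT_OPTIONAL, key, crt),
                "require": handshake_without_client_cert(ssl.CERT_REQUIRED, key, crt)}

if __name__ == "__main__":
    print(compare_modes())
```

A standards-conforming client gets through in "request" mode and is refused only in "require" mode, which is the behaviour the server side of this thread expects from the browser.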
Hi Darren,
thanks for your reply.
Unfortunately I am using the newest Mac OS and Safari release. As previously mentioned:
What's next? I don't want to use a different browser for SAP SCN only
I think this issue should be very easy to reproduce on your site too.
Best Regards
Stefan
Sorry, but we have not been able to reproduce this issue. As I said in my earlier message, this is clearly a bug in how the browser is handling SSL in the "Request certificate" case - a certificate is requested by us, but not required. This is from our SSL endpoint's documentation:
"Set the certification mode in the clientssl profile to Request. Setting this mode sends a certificate request to the client. In this case, the SSL profile always grants access, regardless of the status or absence of the certificate. Granting access is not dependent on whether a certificate is present, nor does connection terminate if a certificate is not received"
I did pick up a clue from another site:
"The reason why it seems to be working for some Safari users is that they don't have a private key in any of their keychains. Once you have any kind of private key (.Mac, FileVault master key, ...) in any of your keychains, it fails miserably."
Could this be the issue in your case?
Best regards,
Darren
There are some potential workarounds also in this thread at Apple.
Hello Stefan,
In the new SCN platform we strongly recommend against using multiple user accounts. This can cause problems as I can see in your user accounts (inconsistency between the SCN account and LDAP)
Using the admin tool, I fixed the inconsistencies in your accounts and did some manual manipulation.
Now your s-user is associated with brose email address and your p-user is associated with soocs email address.
Your p-user account is the one that now holds all your activities and points (I assume that this is what you wanted. Correct?)
You should be able to perform the following operations:
Go to SCN: http://scn.sap.com/welcome
Log in with your p-user (this time login with your p-number, not with your email address)
Verify that your account is ok, with all the activities and points.
Only if you still need your s-user account, perform the following:
log out from your p-user
Log in with your s-user (this time login with your s-number, not with your email address)
During this login you will have to approve the email address (must be different from the email address of your p-user), then you will be required to agree to the SCN terms of use.
Please update me if this was helpful.
Hi David,
sorry, but you have not understood the issue and mixed it up even more.
Now your s-user is associated with brose email address and your p-user is associated with soocs email address.
Your p-user account is the one that now holds all your activities and points (I assume that this is what you wanted. Correct
No, not all. I don't have that brose email address anymore (as I quit that company) and I still see the soocs email address for the S-User.
However, I just want to use the P-user furthermore, but this is not possible at all, because you cannot log on to SCN without having a valid SSL certificate provided by SMP. This is the issue right here. You can test that pretty easily. Just use Safari with Mac OS and delete all your SSL certificates (for the S-Users) in your key store. After that try to open SCN and you will get the error "The page requires a valid ssl client certificate".
The perfect situation would be:
As I requested point 1 several times and I was told that this is not possible due to lack of platform functionality, I would be happy with point 2 only. But this is also not working.
To be honest I am almost at the end of my tether with the new SCN. Most of the basic functions that members need (Copy user content, Logon without SSL certificate, etc.) are not working properly or even not at all. Luckily my lost blog content was fixed after round about 2.5 months, but now I will lose it anyway, because it cannot be copied to my P-User.
Here is a screenshot of the error, if I try to log on with my P-User without having a Single-Sign On certificate installed in my key store. I am not able to enter my P-User ID or password at all, because of this error.
Best Regards
Stefan
P.S.: I write these posts with my old S-User to get a solution for this issue. The SSL certificate for my S-User will expire and then I have to use the P-User.
Hi Stefan,
I do not have any experience with Mac (and no experience with Safari)
I only fixed the issues that I saw related to your SCN user accounts.
I have reached out to someone who might be able to help on the other topics.
Meanwhile, you say that you still see that the s-user is associated with soocs.
This leads me to suspect that you might have some unwanted history in your browser.
Would you care trying the following steps:
Hi David,
open the browser and log in to SCN with your p-user as I mentioned in my last message.
*disapproval* ... exactly THIS is not possible. How should I log on with my P-User, when I am not able to get to the logon mask due to the SSL issue!
Meanwhile, you say that you still see that the s-user is associated with soocs.
Yes for sure. Just check my profile for that (E-Mail address). However this was correct, because this profile is currently linked to all of my activities.
Could you please revert all the changes that you have done?
I have already created a new e-mail address on my domain soocs.de for the P-User account. Unfortunately I am not able to change it for the P-User on first logon, because of the SSL issue with Mac OS and Safari.
Thank you.
Regards
Stefan
Hi Stefan,
Where do you log in from? Do you click login on http://scn.sap.com/welcome or http://scn.sap.com ? If the latter, please try the /welcome option.
To be frank I haven't seen this issue before. I'll forward it to a colleague to have a look at it. It does not seem to be an issue with the collaboration platform here.
Did you try other browsers like Firefox or Chrome? Especially FF would be an option as it brings its own cert management etc.
Best,
Oliver