The page requires a valid ssl client certificate (Mac OS / Safari)

stefan_koehler
Active Contributor
0 Kudos

Dear SCN Team,

I got an issue with using SCN on Mac OS with Safari.

If I don't have a valid SSL certificate provided by SAP (SMP), I am not able to log on to SCN. Even if I have no certificate installed at all in my key store, I get the same error "The page requires a valid ssl client certificate".

This is a serious issue, because I will lose my S-User due to a company change, and from then on I will have only a public SCN user (P-User) with no SSL certificate at all.

Currently the SCN team is not able to copy any content from my old user to the new one (due to lack of functionality with the new SCN platform) and now I am not able to log on anymore with that P-user either.

Please check this SSL certificate behavior and provide a solution.

Thank you.

Safari Version: Version 5.1.7 (7534.57.2)

MAC OS: 10.7.4

Best Regards

Stefan

Accepted Solutions (1)

CBasis
Participant
0 Kudos

Hi Stefan,

I found your thread because I ran into the same problem.

You may already have found your solution, but I'd like to add what I did now.

The Apple-ID entry in the keystore of the Mac seems to be related to the problem. No idea why calling scn.sap.com is catching this one.

Because the date of the keystore entry for the Apple-ID was the day when I started my "MacOS career", I had doubts about just deleting it and seeing what happens. (Will there be any problems with the AppStore/OS updates afterwards?)

There was no helpful hint in the few similar threads on the web, therefore I just tried it.

  • Start MacOS-Keystore (="Schlüsselbundverwaltung" [German])
  • Category -> "All Objects"
  • Right-Click on "com.apple.idms.appleid.prd.xxxxxxxxxxx"  -> Export Entry -> choose location
    ( ...to feel better before deleting it)
  • Right-Click -> Delete Entry

Result:

     Now I'm able to log in to scn.sap.com again.    (= normal behavior)

      I'm still able to start the AppStore, too.

That's it so far.  If anything comes up in the next days I'll update the thread.

Best regards

Christian

stefan_koehler
Active Contributor
0 Kudos

Hi Christian,

thanks for your update.

I still have that issue and I am still afraid to delete that Apple certificate.

Regards

Stefan

CBasis
Participant
0 Kudos

Hi Stefan,

After deleting the apple-id certificate, several other certificates in the "All objects" list became invalid.

They all had a URL from SAP in common
     https:// ...  sap .... .com

I guess these entries were created by all the failed attempts before and were signed by the apple-id.

To check which entries will be affected by the deletion of the

     com.apple.idms.appleid.prd.<long number>

try the following:

Take some digits from the long number or the whole string and enter it in the search field in the upper right corner.    The list will present you:

     - The apple-idms-entry that you (should) like to delete

     - all the entries that are related to this id

If these are only entries in relation with the SAP pages, there shouldn't be a reason not to give it a try.

It can't make things worse. (With the exported apple-idms you should feel safe enough to do it)

For myself it works pretty fine.   I requested certificates for two S-IDs and SAFARI prompts for it when logging on to the SCN/ServiceMarketPlace.

After a few days there is now additionally a new apple-idms-entry underneath the two S0000xxxx entries.

If the two others weren't there I might have the old problem back, but now I'm free to choose.

DISCLAIMER:    I'm new to Mac OS X and can only report what I did to get things working. Hope that there is nothing I've not detected till now.

Being curious about your progress

Christian

stefan_koehler
Active Contributor
0 Kudos

Hi Christian,

Today I got the bravery and time to remove that certificate and test it ... and it works perfectly now.

I am able to log on to SCN with Safari. I hope that the "apple-idms" certificate will not return in my case, because I have a public SCN user and I cannot create an SSL certificate for such users.

Regards

Stefan

Former Member
0 Kudos

Worked for me!!

Answers (6)

0 Kudos

Hi,

I am also facing the same issue during SAP CONNECT,

but luckily I also installed Firefox on my Mac OS X 10.9,

and it's running OK.

daniel_rothmund
Participant
0 Kudos

Hi ,

we have the same problem with our WebDispatcher Proxy and the Safari for Mac f

Has someone found a solution? We use SAP Web Dispatcher 7.40 Patch 43.

Regards

ramonpeek
Explorer
0 Kudos

PS:

See the post below on the Apple Support community which I created in the hope for a solution:

https://discussions.apple.com/thread/5451317

If anyone has AppleCare, they might call them and refer to this issue.

ramonpeek
Explorer
0 Kudos

As Darren correctly mentioned, the real problem in Safari is this:

This is due to a bug in how SSL is handled by the browser.

In our SSL configuration, the client certificate authentication can be configured for "request", "require" or "ignore".

"Request" means that a certificate will be requested from the client, but it is not mandatory.

"Require" means that a certificate is mandatory.

Safari actually handles this correctly but is missing a feature called "Ignore this request for this website".

This is what happens:

Safari receives a "certificate request" and as a result it will look into its certificate store to see if it has any certificates. If it does, it will ask you to select a certificate. However, none of the certificates is valid for the SAP site, so you will need to click on "cancel". But if you don't have any certificates installed, then Safari won't ask you for a certificate and as a result you won't have a problem.

Those were the basics, but now the problems:

  1. The first time you entered the SAP site you likely selected a certificate.
    As a result this selection is stored in the keychain as an "Identity preference".
    Because the selected certificate is invalid, you must remove it from the keychain or else you will keep getting a certificate error when you try to access the SAP site. (You can google how to do this.)

  2. You have a certificate and thus Safari prompts you to select one.
    You will have to click CANCEL on every request you receive or else you'll run into the problem described above. It's very annoying because the SAP website will request certificates many times while you browse their site. Sadly Apple is missing the feature "Ignore this request for this website", which would fix this issue.

    If the only certificate you have is that of your Apple ID, then I guess you could safely remove it. (I did too and did not have any adverse effects.)
    However, if like me you have other certificates that cannot be removed, you are screwed.
    You will have to wait for Apple to build some kind of solution.

I hope this summary is helpful to all of you MAC based Safari fans.
This post was created in a MAC based Safari browser (v6.0.5)

darren_hague
Contributor
0 Kudos

The error "The page requires a valid ssl client certificate" I have seen only twice before now: once on Safari for Windows, and once on Chrome for iPad.

In both cases, this is due to a bug in how SSL is handled by the browser.

In our SSL configuration, the client certificate authentication can be configured for "request", "require" or "ignore". "Request" means that a certificate will be requested from the client, but it is not mandatory. "Require" means that a certificate is mandatory.

We use the "Request" setting, precisely so that the absence of a certificate does not prevent users accessing the system via username/password.

Unfortunately, it seems that there is some piece of SSL code on some Apple platforms that interprets "request" as "require" and will not let you in without a certificate.

In the case of the other error, "Digital certificate has expired", this seems to be a case where the browser is presenting an outdated certificate to the server, and this is being rejected at SSL level - therefore, not all certificates have been removed from the browser in this case.

I recommend that you get the latest O/S updates from Apple, and hopefully this fixes their SSL bug.

Best regards,
Darren Hague

(SAP ID Service architect)
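
Added example (not written by any poster in this thread and not SAP's configuration): a Go program that runs a TLS handshake against a client holding no certificate under each of the three modes described above. Mapping "ignore", "request" and "require" to Go's `tls.NoClientCert`, `tls.RequestClientCert` and `tls.RequireAnyClientCert` is an assumption of this example, and the server certificate is generated on the fly as constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverCert builds a throwaway self-signed certificate (constructed test data).
func serverCert() tls.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// handshakeNoClientCert returns the server-side handshake result for a client with no certificate.
func handshakeNoClientCert(mode tls.ClientAuthType) error {
	c, s := net.Pipe() // in-memory connection, no network needed
	defer func() { c.Close(); s.Close() }()
	s.SetDeadline(time.Now().Add(5 * time.Second))
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{serverCert()}, ClientAuth: mode})
	cli := tls.Client(c, &tls.Config{InsecureSkipVerify: true}) // test only: throwaway server cert
	go func() { cli.Handshake(); cli.Read(make([]byte, 1)) }()  // keep reading so server writes drain
	return srv.Handshake()
}

// Outcomes reports, per mode name used in the thread, whether that client is let in.
func Outcomes() map[string]bool {
	return map[string]bool{
		"ignore":  handshakeNoClientCert(tls.NoClientCert) == nil,
		"request": handshakeNoClientCert(tls.RequestClientCert) == nil,
		"require": handshakeNoClientCert(tls.RequireAnyClientCert) == nil, // rejected
	}
}

func main() { fmt.Println(Outcomes()) }
```

In this example only the "require" mode rejects the certificate-less client at the TLS layer; "request" and "ignore" both complete the handshake.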

stefan_koehler
Active Contributor
0 Kudos

Hi Darren,

thanks for your reply.

Unfortunately I am using the newest Mac OS and Safari release. As previously mentioned:

  • Safari Version: Version 5.1.7 (7534.57.2)
  • MAC OS: 10.7.4

What's next? I don't want to use a different browser for SAP SCN only.

I think this issue should be very easy to reproduce on your side too.

Best Regards

Stefan

darren_hague
Contributor
0 Kudos

Hi Stefan,

I will check with my colleagues, but several people in the SAP ID Service team also use Safari on a Mac, so this is something that we are testing constantly during development.

Best regards,
Darren

stefan_koehler
Active Contributor
0 Kudos

Hi Darren,

any updates about this issue?

Thanks and Regards

Stefan

stefan_koehler
Active Contributor
0 Kudos

... 3 weeks gone without any update or notice ...

darren_hague
Contributor
0 Kudos

Sorry, but we have not been able to reproduce this issue. As I said in my earlier message, this is clearly a bug in how the browser is handling SSL in the "Request certificate" case - a certificate is requested by us, but not required. This is from our SSL endpoint's documentation:

"Set the certification mode in the clientssl profile to Request. Setting this mode sends a certificate request to the client. In this case, the SSL profile always grants access, regardless of the status or absence of the certificate. Granting access is not dependent on whether a certificate is present, nor does connection terminate if a certificate is not received"

I did pick up a clue from another site:

"The reason why it seems to be working for some Safari users is that they don't have a private key in any of their keychains. Once you have any kind of private key (.Mac, FileVault master key, ...) in any of your keychains, it fails miserably."

Could this be the issue in your case?

Best regards,
Darren

darren_hague
Contributor
0 Kudos

There are some potential workarounds also in this thread at Apple.

stefan_koehler
Active Contributor
0 Kudos

Hi Darren,

thanks for your reply.

If I remove the SSL (SMP) certificate I still have one in my keychain. This certificate has nothing to do with SAP - it is from Apple itself (com.apple.idms.appleid.prd). I will check the thread.

Thanks.

Best Regards

Stefan

former_member323
Employee
0 Kudos

Hello Stefan,

In the new SCN platform we strongly recommend against using multiple user accounts. This can cause problems as I can see in your user accounts (inconsistency between the SCN account and LDAP)

Using the admin tool, I fixed the inconsistencies in your accounts and did some manual manipulation.

Now your s-user is associated with brose email address and your p-user is associated with soocs email address.

Your p-user account is the one that now holds all your activities and points (I assume that this is what you wanted. Correct?)

You should be able to perform the following operations:

Go to SCN: http://scn.sap.com/welcome

Log in with your p-user (this time login with your p-number, not with your email address)

Verify that your account is ok, with all the activities and points.

Only if you still need your s-user account, perform the following: 

log out from your p-user

Log in with your s-user (this time login with your s-number, not with your email address)

During this login you will have to approve the email address (must be different from the email address of your p-user), then you will be required to agree to the SCN terms of use.

Please update me if this was helpful.

stefan_koehler
Active Contributor
0 Kudos

Hi David,

Sorry, but you have not understood the issue and mixed it up even more.

Now your s-user is associated with brose email address and your p-user is associated with soocs email address.

Your p-user account is the one that now holds all your activities and points (I assume that this is what you wanted. Correct

No, not all. I don't have that brose email address anymore (as I quit that company) and I still see the soocs email address for the S-User.

However, I just want to use the P-user going forward, but this is not possible at all, because you cannot log on to SCN without having a valid SSL certificate provided by SMP. This is the issue right here. You can test that pretty easily. Just use Safari with Mac OS and delete all your SSL certificates (for the S-Users) in your key store. After that try to open SCN and you will get the error "The page requires a valid ssl client certificate".

The perfect situation would be:

  1. Transfer all of my content (blogs, points, connections, etc.) from my old S-User to the current P-User
  2. Make login work with the P-User without having an SSL certificate installed (because I cannot request an SSL certificate for the P-User through SMP)

As I requested point 1 several times and was told that this is not possible due to lack of platform functionality, I would be happy with point 2 only. But this is also not working.

To be honest I am almost at the end of my tether with the new SCN. Most of the basic functions that members need (copy user content, logon without SSL certificate, etc.) are not working properly or not at all. Luckily my lost blog content was fixed after round about 2.5 months, but now I will lose it anyway, because it cannot be copied to my P-User.

Here is a screenshot of the error I get if I try to log on with my P-User without having a Single Sign-On certificate installed in my key store. I am not able to enter my P-User ID or password at all because of this error.

Best Regards

Stefan

P.S.: I write these posts with my old S-User to get a solution for this issue. The SSL certificate for my S-User will expire and then I have to use the P-User.

former_member323
Employee
Employee
0 Kudos

Hi Stefan,

I do not have any experience with Mac (and no experience with Safari)

I only fixed the issues that I saw related to your SCN user accounts.

I have reached out to someone who might be able to help on the other topics.

Meanwhile, you say that you still see that the s-user is associated with soocs.

This leads me to suspect that you might have some unwanted history in your browser.

Would you care to try the following steps:

  1. log out of SCN
  2. Delete browser history, cookies and passwords from Safari
  3. close the browser.
  4. open the browser and log in to SCN with your p-user as I mentioned in my last message.

stefan_koehler
Active Contributor
0 Kudos

Hi David,

open the browser and log in to SCN with your p-user as I mentioned in my last message.

*disapproval* ... exactly THIS is not possible. How should I log on with my P-User, when I am not able to get to the logon mask due to the SSL issue!

Meanwhile, you say that you still see that the s-user is associated with soocs.

Yes, for sure. Just check my profile for that (e-mail address). However, this was correct, because this profile is currently linked to all of my activities.

Could you please revert all the changes that you have done?

I have already created a new e-mail address on my domain soocs.de for the P-User account. Unfortunately I am not able to change it for the P-User on first logon, because of the SSL issue with Mac OS and Safari.

Thank you.

Regards

Stefan

oliver
Product and Topic Expert
0 Kudos

Hi Stefan,

Where do you log in from? Do you click login on http://scn.sap.com/welcome or http://scn.sap.com ? If the latter, please try the /welcome option.

To be frank I haven't seen this issue before. I'll forward it to a colleague to have a look at it. It does not seem to be an issue with the collaboration platform here.

Did you try other browsers like Firefox or Chrome? Especially FF would be an option as it brings its own cert management etc.

Best,

  Oliver

stefan_koehler
Active Contributor
0 Kudos

Hi Oliver,

It is the same error regardless of which URL I use.

No, I didn't try any other browser, because I want to use Safari like for all the other millions of websites too.

Regards

Stefan