Issuer issue from SAP SSO ticket

joris_quenee
Product and Topic Expert

Hello,

I got an issue with SAP Security library.

I'm trying to validate an SSO ticket. It seems the SAP Security library cannot find the certificate because of a space issue.

Indeed, the issuer of my certificate is "OU=J2EE, CN=TEST" and the issuer from SSO ticket seems to be "OU=J2EE,CN=TEST".

For the issuer from the SSO ticket, I'm not really sure, because the SAP Security library doesn't provide a method to extract the issuer field.

In fact, I'm using the same ticket and library in Production environment.

And I'm trying to reproduce the ticket validation in Java.

My questions are:

- Can we force the issuer value to use on the SAP Security library side?

- Is this issue a known bug? If yes, which SAP Security library version should I use?

- Is there a workaround?

===== Ticket.toString() =====

Ticket Version  = 2

Ticket Codepage = 1100 (Encoding=ISO8859_1)

User = Z99999990742

Issuing System ID     = TEST

Issuing System Client = 000

Creation Time = 201307230729

Valid Time    = 8 h 0 min

Valid from   Tue Jul 23 09:29:00 CEST 2013   until   Tue Jul 23 17:29:00 CEST 2013

Signature (length=261 bytes)

InfoUnit 32, length=19

InfoUnit 136, length=19

InfoUnit 10, length=12

===== Some Test =====

com.sap.security.core.ticket.imp.Ticket.findCertificates(certificates, "OU=J2EE, CN=TEST", BigInteger.ZERO); --> Found

com.sap.security.core.ticket.imp.Ticket.findCertificates(certificates, "OU=J2EE,CN=TEST", BigInteger.ZERO);  --> Didn't find

====== Certificate.toString() ======

[

  Version: V1

  Subject: OU=J2EE, CN=TEST

  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3

  Key:  Sun DSA Public Key

    Parameters:DSA

    p:     X

    q:     X

    g:     X

    y:     X

  Validity: [From: Fri Mar 23 14:54:28 CET 2007,

               To: Tue Mar 23 14:54:28 CET 2027]

  Issuer: OU=J2EE, CN=TEST

  SerialNumber: [    00]

]

====== Certificate Importation ======

> keytool -import -alias certificate -file TEST_000.crt -keypass password -keystore storekey.jks -storepass password

Propriétaire : OU=J2EE, CN=TEST

Emetteur : OU=J2EE, CN=TEST

Numéro de série : 0

Valide du : Mon Sep 24 11:12:42 CEST 2007 au : Fri Sep 24 11:12:42 CEST 2027

Empreintes du certificat :

MD5:            X

SHA1 :         X

SHA256 :     X

Nom de l'algorithme de signature : SHA1withDSA

Version : 1

Faire confiance à ce certificat ? [non] : oui

Certificat ajouté au fichier de clés

===== Error raised =====

Caused by: java.security.SignatureException: Certificate (Issuer="OU=J2EE,CN=TEST", S/N=0) not found.

  at com.sap.security.core.ticket.imp.Ticket.verify(Ticket.java:1016)

  at org.eurocopter.sap.security.impl.SAPTicketValidation.verifyTicket(SAPTicketValidation.java:231)

==== Java version ======

java version "1.7.0_25"

Java(TM) SE Runtime Environment (build 1.7.0_25-b17)

Java HotSpot(TM) 64-Bit Server VM (build 23.25-b01, mixed mode)

==== SAP Security version ======

environment: com.sap.security.api

Implementation-Vendor-Id: sap.com

Implementation-Version: 7.0107.20120601132146.0000

environment: com.sap.security.core

Implementation-Vendor-Id: sap.com

Implementation-Version: 7.0107.20120601132146.0000

Accepted Solutions (0)

Answers (1)

Former Member

As a workaround you could try to create the issuer DN to only contain CN, OU is not required. Of course, the subject has to match.

joris_quenee
Product and Topic Expert

As I said, it's an existing production environment. It's not possible to change the certificate or ticket format. Otherwise, we can do I would not imagine the consequences of such a change.

The best option is to find a workaround in the SAP Security client library, like overriding a class or method.

Can we do that with the SAP Security library? I would like to force the issuer value inside the library code.

Former Member

I don't think that is something you can do, SAP doesn't provide source code for SAP Cryptolib. Since you are an SAP employee, you could contact the product manager for SAP Cryptolib internally and get in touch with the people involved in SAP Cryptolib development. Creating a support message is another option. Maybe could point you into the right direction.

frane_milicevic
Active Participant

Hi Joris,

Please create a support ticket and provide more details about the versions and history.

Thanx,

Frane
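
The two issuer strings in the question differ only by the blank after the comma, which is the difference between two standard JDK renderings of the same distinguished name. The following diagnostic is an added example, not part of the thread and not SAP code; it uses only `javax.security.auth.x500.X500Principal` from the JDK, takes both DN strings from the question as constructed input, and uses the hypothetical names `IssuerDnForms` and `matchingForm`. It makes no statement about how `com.sap.security.core.ticket.imp.Ticket` compares issuers internally.

```java
import javax.security.auth.x500.X500Principal;

public class IssuerDnForms {
    // String renderings the JDK can produce for one and the same DN.
    static final String[] FORMATS = {
        X500Principal.RFC1779, X500Principal.RFC2253, X500Principal.CANONICAL
    };

    // Name of the rendering of dn that equals wanted character for character,
    // or null when no JDK rendering reproduces that exact string.
    static String matchingForm(X500Principal dn, String wanted) {
        if (dn.toString().equals(wanted)) {
            return "toString()";
        }
        for (String format : FORMATS) {
            if (dn.getName(format).equals(wanted)) {
                return "getName(" + format + ")";
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Both strings are copied from the question, not read from a real ticket.
        String fromCertificate = "OU=J2EE, CN=TEST"; // Certificate.toString() / keytool
        String fromException = "OU=J2EE,CN=TEST";    // SignatureException message

        X500Principal certIssuer = new X500Principal(fromCertificate);
        X500Principal ticketIssuer = new X500Principal(fromException);

        // Exact string comparison, sensitive to the blank after the comma.
        System.out.println("String.equals        : " + fromCertificate.equals(fromException));
        // DN comparison, done on the canonical form of each name.
        System.out.println("X500Principal.equals : " + certIssuer.equals(ticketIssuer));

        // Every rendering of the certificate issuer, to see which ones carry the blank.
        System.out.println("toString()           : " + certIssuer);
        for (String format : FORMATS) {
            System.out.println(format + " : " + certIssuer.getName(format));
        }

        // Which rendering each of the two strings from the question corresponds to.
        System.out.println("certificate string = " + matchingForm(certIssuer, fromCertificate));
        System.out.println("exception string   = " + matchingForm(certIssuer, fromException));
    }
}
```

Running it against the issuer of each certificate in the keystore shows whether a "not found" result comes from a different DN or only from a different string rendering of the same DN.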