Disable X.509 Certificate Selection when opening a SSO enabled Solman Website

sebastian_hockmann2
Participant
0 Kudos

Hello experts,

we have configured X.509 certificate SSO successfully on our Solman system.

We're using Secure Login Client 1.0 SP4 PL1.

In SAP we maintained the certificate data in transaction EXTID_DN.

Users can log on successfully.

But when opening the Solman Website users get a popup asking them to choose an appropriate certificate.

We tried to disable the client certificate selection popup in IE in the security settings for the trusted sites. But the popup still appears.

Is there a way to disable the popup, or what steps will we have to perform to get rid of the annoying popup?

Thanks a lot for your advice!


Best regards,
Sebastian

17 REPLIES

martin_voros
Active Contributor
0 Kudos

Hi,

I guess you already tried this. Have you tried with other browsers? It looks more like a browser issue to me.

Cheers

Former Member
0 Kudos

If you have more than one certificate that matches, you have to reduce this number.

You can do this by being more restrictive on the server (in your case, it seems the server accepts more than one CA) or by removing private certificates from your cert store (could be OS or browser, depending on the browser).

Regards,

Patrick

0 Kudos

Hi Patrick,

thanks a lot. Sounds good to me. Can you please give me a hint where I can be more restrictive on the ABAP server side?

We're using a certificate chain. And I would like to tell the server that it will only accept certificates which match exactly this chain. At least until Jenoptik SAP CA.

There is another certificate used for VPN access. Both certs use the same root CA. I guess that this is the root cause. Is there any way to be more specific on the server side?

Best regards,
Sebastian

0 Kudos

Hi Sebastian,

please make sure, that your server PSE only contains the certificate of the Jenoptik User CA.

Please see Configuring the AS ABAP to Use X.509 Client Certificates - User Authentication and Single Sign-On - ...

see Procedure step 3.

Regards,

Patrick

0 Kudos

Hi Patrick.

do you mean I can remove all certs except CN=cipfa08.... ? But will SSL work properly then?

Or do I have to adjust something more?

SSL:

SNC:

Best regards,
Sebastian

0 Kudos

Hi Sebastian,

I was talking about the SSL server PSE. The SNC PSE is not relevant for SSL based X.509 auth.

Could you please specify the trust chain for the VPN cert as well?

Regards,

Patrick

0 Kudos

Hello Patrick.

ok. For sure. This is the VPN cert chain.

Best regards,
Sebastian

0 Kudos

Hi Sebastian,

I'd guess the problem is with all intermediate CAs having the same root. Therefore all keys get selected by the browser. I'm checking with some other people whether there is anything that can be done to set the list of announced CAs to not include the root, in which case you will need to add the user CA intermediate to the list of trusted CAs in the SSL server PSE.

Regards,

Patrick

0 Kudos

Hi Sebastian,

is there any reason why you have the list of certificates the way it is?

The list, to my understanding, actually should be called trusted CAs and is used as the list of CAs to be announced in the SSL handshake. Can you delete all the keys in there and just add the Jenoptik User CA key?

In this case the server will only announce this one CA. Some browsers will still have an issue (like Safari, which allows selecting all keys anyhow), however for IE (which I guess is what you use) it should work when not configured for manual certificate selection.

Regards,

Patrick

0 Kudos

Hello Patrick.

I did it the way you proposed. I removed all certs and imported only the SAP CA SSL.

I restarted the ICM, but the popup for selecting the client cert still appears.

Best regards,
Sebastian

0 Kudos

Hi Sebastian,

could you please try to execute the following:

openssl s_client -connect <yourhostname:ssl-port> -prexit

and copy the lines after 'Acceptable client certificate CA names' until the delimiter '---'.

Or provide me with the contents of the SSL handshake some other way?

Thanks,

Patrick

BTW: does the list still contain the same entries or did the list change?

0 Kudos

Hello Patrick.

of course 🙂

C:\OpenSSL-Win32\bin>openssl s_client -connect pfa.sap.jenoptik.corp:9443 -prexit
CONNECTED(000001E4)
---
Certificate chain
 0 s:/CN=cipfa08.sap.jenoptik.corp
   i:/CN=Jenoptik SAP CA - SSL
 1 s:/CN=Jenoptik SAP CA - SSL
   i:/DC=corp/DC=jenoptik/CN=Jenoptik SAP CA
 2 s:/DC=corp/DC=jenoptik/CN=Jenoptik SAP CA
   i:/CN=Jenoptik Certificate Authority
---
Server certificate


subject=/CN=cipfa08.sap.jenoptik.corp
issuer=/CN=Jenoptik SAP CA - SSL
---
Acceptable client certificate CA names
/CN=Jenoptik SAP CA - SSL
/CN=Jenoptik Certificate Authority
---
SSL handshake has read 2953 bytes and written 659 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: AA0B931EE6092A1CA335276533521A04FA7070C0EE13131070B3C985AAD175A5
    Session-ID-ctx:
    Master-Key: 8D3D90CE628C5DB26FDB5E8F705779A2288CE9B2665536C25F1BE348C8408BCC51C6117CF207391CD4222181F089C581
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1422972606
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
closed


BR,

Sebastian

0 Kudos

Hi Sebastian,

the issue is the ABAP system announcing the certificate chain instead of only the single cert. As all your CAs belong to the same root CA, the browser will select all installed keys signed (directly or indirectly) by one of these CAs. I'm just trying to find out if there is anything you can do other than using a separate CA which is not an intermediate of your current root CA.

BTW: you still have some other intermediate used instead of the user CA, is this by intention?

You used the Jenoptik SAP CA - SSL, however your private certificate was signed by Jenoptik SAP CA - USER.

Actually, if the system behaved differently and only announced the single CA, you would have no matching certificate, as you have no certificate that was signed by Jenoptik SAP CA - SSL, only by

- Jenoptik SAP CA - USER and

- VPN Auth CA.

Are you able to log in with this certificate?

Regards,

Patrick

0 Kudos

Hello Patrick.

thanks a lot for your help, so far 🙂

OK. I put the SAP CA USER cert in the cert list and restarted the ICM. But I still have to select the cert.

Any ideas what else to try?

And yes, I'm able to log in with this certificate.

Best regards,
Sebastian

0 Kudos

Hi Sebastian,

I'm sorry, but this cannot be changed at the moment due to the layout of your PKI.

After some more digging I learned that the SAP system trusts, and announces in the SSL handshake, the root CA of the server certificate and all the certificates in the certificate list of the server PSE. You can see this in the snippet below from the output of the openssl command you executed.

Acceptable client certificate CA names
/CN=Jenoptik SAP CA - SSL
/CN=Jenoptik Certificate Authority

As your user CA and your VPN CA have the same root as the server CA, the browser will select them both as valid certificates.

The only way to get around this is splitting the PKI into a server PKI and a user PKI. This way the server would not be announcing the root of the user PKI and the browser would just select the certificate from the user CA.

SAP development is preparing a change to this behaviour, however I have no clue as to when there will be an update containing this change.

Kind regards,

Patrick
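The selection behaviour Patrick describes (the browser offers every client certificate whose chain reaches one of the CA names announced in the server's CertificateRequest), as an added example that is not part of this thread: it parses the "Acceptable client certificate CA names" block from an s_client transcript and models which certificates would land in the popup. The announced CA names are the ones from the output above; the client certificate chains and the intermediate under the VPN CA are constructed assumptions.

```python
# Added example (not from the thread). A browser offers a client certificate when
# any issuer in that certificate's chain matches one of the CA names the server
# announced. With a shared root announced, unrelated certs match too.
SAMPLE_S_CLIENT_OUTPUT = """\
---
Acceptable client certificate CA names
/CN=Jenoptik SAP CA - SSL
/CN=Jenoptik Certificate Authority
---
SSL handshake has read 2953 bytes and written 659 bytes
"""

# Constructed issuer chains (leaf issuer first, root last) for the two client
# certificates in the user's store. The VPN chain is an assumption for illustration.
CLIENT_CERT_CHAINS = {
    "user-sso-cert": [
        "/CN=Jenoptik SAP CA - USER",
        "/DC=corp/DC=jenoptik/CN=Jenoptik SAP CA",
        "/CN=Jenoptik Certificate Authority",
    ],
    "vpn-cert": [
        "/CN=VPN Auth CA",  # name from the thread; its chain below is assumed
        "/CN=Jenoptik Certificate Authority",
    ],
}


def parse_acceptable_cas(s_client_output: str) -> list[str]:
    """Return the CA DNs listed after 'Acceptable client certificate CA names'."""
    cas, collecting = [], False
    for line in s_client_output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            collecting = True
        elif collecting and line.startswith("---"):
            break  # the block ends at the next delimiter
        elif collecting and line.strip():
            cas.append(line.strip())
    return cas


def offered_certs(announced_cas, chains=CLIENT_CERT_CHAINS) -> list[str]:
    """Names of the certificates a browser would put in the selection dialog."""
    announced = set(announced_cas)
    return sorted(name for name, chain in chains.items() if announced.intersection(chain))


if __name__ == "__main__":
    cas = parse_acceptable_cas(SAMPLE_S_CLIENT_OUTPUT)
    print("announced:", cas)
    print("offered with shared root announced:", offered_certs(cas))
    print("offered with user CA only:", offered_certs(["/CN=Jenoptik SAP CA - USER"]))
```

The last call shows the split-PKI case Patrick recommends: once only the user CA is announced (and the root is no longer implicitly trusted), the VPN certificate drops out of the dialog.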

0 Kudos

Hi,

it is possible as of SAP_BASIS 750 in combination with CCL >= 8.4.38 to switch the implicit trust of the own root on or off for each PSE. The issuer certificate chain will be shown together with the switch.

Kind regards,

Uwe

anita_tleel
Explorer
0 Kudos

Hi,

did you find a solution for this?