
How to configure X.509 client certificate authentication for SAP host agent in LVM

benny_maercz
Participant
0 Kudos

Hi LVM community,

On our SAP LVM 2.1 SP7_1 system I am trying to configure X.509 client certificate authentication for accessing our host agents. I have already gone successfully through the following steps:

  1. I created an SSL server PSE for the host agent (in directory /usr/sap/hostctrl/exe/sec as described in SSL für den SAP-Host-Agenten auf UNIX konfigurieren - SAP-Host-Agent - SAP Library)
  2. I created a certificate signing request and ordered a signed certificate from my CA.
  3. I imported the signed certificate into the SSL server PSE of the host agent.

Afterwards I was able to activate HTTPS for the host agent communication. I verified the connection with the "Test Connection" button. Everything is working fine.

Now I want to get to the next level and activate X.509 client certificate authentication for the host agent connection. Unfortunately I didn't find any documentation which describes how to configure this correctly. So I just followed the hints LVM provided:

After switching "Authentication Type" to "X.509 Client Certificate" LVM pointed me to the Key Storage in NWA. According to the LVM mouse-over hint of the field "Private Key Name" the private key needs to be configured in the "LVMView" of the Key Storage.

So I created another SSL private key for my LVM system in the LVMView of the NWA key storage. I also got it signed from my CA and imported the signed certificate into the LVMView:

Afterwards I was able to select my SSL private key name in the Host Agent Configuration:

Though the configuration seems to be correct, the authentication does not work. If I press the "Test Connection" button, I get an "Invalid credentials" error message now:

I already turned on tracing for the host agent. In sapstartsrv.log I see the following messages every time I do the connection test:

[Thr 140437377509120] Tue Jul  5 09:39:11 2016

[Thr 140437377509120] NiIPeekListen: peek successful for hdl 1

[Thr 140437377509120] NiIPeekListen: peek successful for hdl 1

[Thr 140437377509120] NiIAccept: hdl 1 accepted connection

[Thr 140437377509120] NiICreateHandle: hdl 18 state NI_INITIAL_CON

[Thr 140437377509120] NiIInitSocket: set default settings for hdl 18/sock 22 (I4; ST)

[Thr 140437377509120] NiIBlockMode: set blockmode for hdl 18 FALSE

[Thr 140437377509120] NiIAccept: state of hdl 18 NI_ACCEPTED

[Thr 140437377509120] NiIAccept: hdl 1 accepted hdl 18 from 149.216.2.50:56382

[Thr 140437377509120] NiIAccept: hdl 18 took local address 149.216.2.50:1129

[Thr 140437377509120] NiIBlockMode: set blockmode for hdl 18 TRUE

[Thr 140437310097152] ->> SapSSLSessionInit(&sssl_hdl=0x7fba1bfb3e08, role=2 (SERVER), auth_type=0 (NO_CLIENT_CERT))

[Thr 140437310097152] <<- SapSSLSessionInit()==SAP_O_K

[Thr 140437310097152]      in: args = "role=2 (SERVER), auth_type=0 (NO_CLIENT_CERT)"

[Thr 140437310097152]     out: sssl_hdl = 0x2725de0

[Thr 140437310097152] ->> SapSSLSetNiHdl(sssl_hdl=0x2725de0, ni_hdl=18)

[Thr 140437310097152] NiIBlockMode: leave blockmode for hdl 18 TRUE

[Thr 140437310097152]   SSL NI-sock: local=149.216.2.50:1129  peer=149.216.2.50:56382

[Thr 140437310097152] <<- SapSSLSetNiHdl(sssl_hdl=0x2725de0, ni_hdl=18)==SAP_O_K

[Thr 140437310097152] ->> SapSSLSessionStart(sssl_hdl=0x2725de0)

[Thr 140437310097152]   Server-configured Ciphersuites: "TLS_RSA_WITH_AES128_GCM_SHA256:TLS_RSA_WITH_AES256_GCM_SHA384:TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:TLS_RSA_WITH_RC4_128_SHA:TLS_RSA_WITH_RC4_128_MD5:TLS_RSA_WITH_3DES_EDE_CBC_SHA:TLS_RSA_WITH_DES_CBC_SHA:TLS_RSA_EXPORT_WITH_DES40_CBC_SHA:TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:TLS_RSA_EXPORT_WITH_RC4_40_MD5"

[Thr 140437310097152]   Client-offered Ciphersuites: "TLS_RSA_WITH_AES128_GCM_SHA256:TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_3DES_EDE_CBC_SHA:TLS_RSA_WITH_RC4_128_SHA:TLS_RFC5746_INFO_SCSV"

[Thr 140437310097152]   No Client Certificate

[Thr 140437310097152]   Cached session resumed (TLSv1.2)

[Thr 140437310097152]   HexDump of native SSL session ID { &buf= 0x271ab34, buf_len= 32 }

[Thr 140437310097152]    00000: d1 c1 bc 7b 2a 6f a2 ef  56 a4 0f 8e 2e 96 d2 03   ...{*o.. V.......

[Thr 140437310097152]    00010: fa f1 9d 1e a8 46 37 3b  af b9 cb 9c 02 bd 97 7b   .....F7; .......{

[Thr 140437310097152] <<- SapSSLSessionStart(sssl_hdl=0x2725de0)==SAP_O_K

[Thr 140437310097152]          status = "resumed SSL session, client cert NOT requested"

[Thr 140437310097152] ->> SapSSLRead(sssl_hdl=0x2725de0, buf=0x25c7a50, maxlen=32768,    timeout=-1, &readlen=0x7fba1bfb3d3c)

[Thr 140437310097152] <<- SapSSLRead(sssl_hdl=0x2725de0)==SAP_O_K

[Thr 140437310097152]          ... = "buf= 0x25c7a50, max=32768, received=1153"

[Thr 140437310097152] HTTP Parse - Start

[Thr 140437310097152] PutHeader: Host , 7

[Thr 140437310097152] PutHeader: mHeaderSet 128

[Thr 140437310097152] PutHeader: Content-Type , 4

[Thr 140437310097152] PutHeader: mHeaderSet 144

[Thr 140437310097152] PutHeader: CallingType , 29

[Thr 140437310097152] PutHeader: Content-Length , 3

[Thr 140437310097152] PutHeader: mHeaderSet 152

[Thr 140437310097152] PutHeader: SAP-PASSPORT , 29

[Thr 140437310097152] PutHeader: SOAPAction , 29

[Thr 140437310097152] - Parsing buffer 'POST  HTTP/1.1'

[Thr 140437310097152] HTTPMessage::AddBodyContent: Allocate in 0x0x271f560 8192 bytes (left=8192)

[Thr 140437310097152] HTTPMessage::AddBodyContent: Copy in 0x0x271f560 547 bytes (Size = 8192, Left=7645)

[Thr 140437310097152] Trying to lock HTTPHandlerManager::GetInstance

[Thr 140437310097152] Successfully locked HTTPHandlerManager::GetInstance

[Thr 140437310097152] Successfully unlocked HTTPHandlerManager::GetInstance

[Thr 140437310097152] Start executing Webmethod ACOSPrepare

[Thr 140437310097152] Operation ACOSPrepare; Socket type Network SSL Socket; Remote IP 149.216.2.50; Remote port 56382; Username Not Available

[Thr 140437310097152] No username set for DefaultOperationCredentialAuthenticator

[Thr 140437310097152] ->> SapSSLGetPeerInfo(sssl_hdl=0x2725de0, &cert=(nil), &cert_len=(nil),

[Thr 140437310097152]    &subject_dn=0x7fba1bfb3250, &issuer_dn=(nil), &cipher=(nil))

[Thr 140437310097152]   Current Cipher: TLS_RSA_WITH_AES128_GCM_SHA256

[Thr 140437310097152] <<- SapSSLGetPeerInfo(sssl_hdl=0x2725de0)==SAP_O_K

[Thr 140437310097152]     out: cert_len = <no cert>

[Thr 140437310097152]     out: cipher   = "TLS_RSA_WITH_AES128_GCM_SHA256"

[Thr 140437310097152] Unauthorized (user authentication required)

[Thr 140437310097152] *** ERROR => Webmethod ACOSPrepare failed: Unauthorized: User authentication required [saphostcontr 1297]

[Thr 140437310097152] NiIPeek: peek for hdl 18 timed out (r; 0ms)

[Thr 140437310097152] NiIPeek: peek successful for hdl 18 (w)

[Thr 140437310097152] HostControl_SendHeader: HTTP/1.1 401 Unauthorized : null

[Thr 140437310097152] HostControl_SendHeader: WWW-Authenticate : Basic realm="gSOAP Web Service"

[Thr 140437310097152] HostControl_SendHeader: Server : gSOAP/2.7

[Thr 140437310097152] HostControl_SendHeader: Send Additional Header -> No GSOAPHTTPRequest found

[Thr 140437310097152] HostControl_SendHeader: Send Additional Header -> No GSOAPHTTPRequest found

[Thr 140437310097152] HostControl_SendHeader: Connection : close

[Thr 140437310097152] HostControl_SendHeader: Send Additional Header -> No GSOAPHTTPRequest found

[Thr 140437310097152] ->> SapSSLWrite(sssl_hdl=0x2725de0, buf=0x25c7a50, len=803,        timeout=-1, &writelen=0x7fba1bfb3d54)

[Thr 140437310097152] <<- SapSSLWrite(sssl_hdl=0x2725de0)==SAP_O_K

[Thr 140437310097152]          ... = "buf= 0x25c7a50, written= 803 of 803 (all)"

[Thr 140437310097152] NiIShutdownHandle: shutdown -w of hdl 18

[Thr 140437310097152] ->> SapSSLSessionDone(&sssl_hdl=0x271a918)

[Thr 140437310097152] <<- SapSSLSessionDone()==SAP_O_K

[Thr 140437310097152]      in: sssl_hdl   = 0x2725de0

[Thr 140437310097152]          ... ni_hdl = 18

[Thr 140437310097152] NiICloseHandle: shutdown and close hdl 18/sock 22

From my point of view the SSL handshake seems to fail. I'm wondering why the authentication is tried without client certificate, because that's what I wanted to activate.

At this point I'm out of ideas. Has anybody successfully configured this in LVM or can point me to documentation where this configuration is explained?

Your help is greatly appreciated.

Kind regards

Benny

Accepted Solutions (1)


benny_maercz
Participant
0 Kudos

Hi,

I noticed another interesting log message of the host agent. If I have selected "Authentication Type: Default Credentials (Basic)" in LVM, I see the following message in /usr/sap/hostctrl/work/saphostctrl_audit.log:

[2016/07/06 11:43:16][AUDIT SUCCESS]Operation ACOSPrepare; Socket type Network SSL Socket; Remote IP 149.216.2.50; Remote port 14798; Username sapadm


If I switch to "Authentication Type: X.509 Client Certificate", I get the following message in /usr/sap/hostctrl/work/saphostctrl_audit.log:


[2016/07/06 11:43:47][AUDIT SUCCESS]Operation ACOSPrepare; Socket type Network SSL Socket; Remote IP 149.216.2.50; Remote port 46699; Username Not Available

The default credentials are defined in the LVM Engine settings:

Obviously the "Default User Name for Host Agents" is passed to the host agent with "Authentication Type: Default Credentials (Basic)".

The mouse-over help in SAP LVM explains that this user name is used if the host configuration is set to "Default Credentials":

But the help does not explain which user name is used if the "X.509 Client Certificate" authentication type is used. In my systems it seems that no user name is specified for this authentication type, resulting in the error message "Username Not Available".

I'm wondering how I can pass the username to the SAP host agent. Maybe sapadm needs to be configured in the host_profile. But I can't find any parameter to specify the user name.

Kind regards

Benny

Former Member
0 Kudos

Hi Benny,

I'm working on exactly the same problem.

I think the problem is that you need to create an X.509 client certificate.

This is different to a server SSL certificate.

The client certificate will be bound to a username (instead of a CN).

As I mentioned, I'm at the same stage.  My problem is how to get a client cert that is not self-signed (as self-signed is not supported by LVM).

Hope that helps.

Darryl

benny_maercz
Participant
0 Kudos

Hi Darryl,

good to know that I'm not the only one with this problem!

Yes, you might be right. I'm also thinking in that direction. My problem is that I don't know how to create a client certificate which is bound to a user. Does the host agent expect a certain format in the certificate's subject name (CN) to derive the username from the certificate?

I still did not find any documentation explaining the procedure. The only hint is given in SAP note 1439348. It gives an example of how to specify the allowed admin users in the host_profile with the following parameter:

service/sso_admin_user_0 = CN=D??????, O=SAP-AG, C=DE


Probably my mistake is that I have entered my LVM server name (as it's specified in my certificate) into this parameter. I will have to speak to my colleagues who are responsible for our company CA. Maybe they can explain how to set up a client certificate containing a username as CN.


Kind regards

Benny

Former Member
0 Kudos

OK, so I've managed to get mine working.

Steps:

1. Set up HTTPS (and therefore SSL) in the LVM system & get a valid signed (not self-signed) SSL certificate.

My certificate comes from Quovadisglobal.co.uk.

The certificate they have signed comes with the "Enhanced Key Usage" flag set to "Server Authentication" and "Client Authentication", without me having to specify this.

2. Put the signed SSL certificate in the usual ICM keystore view in NWA.

3. Also put the required ICA and CA certificates in the ICM keystore view to ensure the full certificate chain.

4. Export the signed SSL certificate private key from the ICM view. Choose PKCS#12 format.

5. Import the signed SSL certificate private key into the LVMView keystore view in NWA.

[I think you've already done these bits below, but just for completeness]

6. Set up the hostagent PSE by creating a new one with a self-signed cert.

There is no need for a cert signing request.

Add the ICA and CA certificates into the hostagent PSE using the "maintain_pk -a" option.

Mine came in PEM (text) format, which I loaded in the order ICA then CA.

Restart the hostagent and check in "/usr/sap/hostctrl/work/sapstartsrv.log" that it is now listening on port 1129.

EDIT:

Add the parameter service/sso_admin_user_0 to the host_profile of the hostagent.

It must have exactly the same fields as specified in your SSL certificate DN field, except that the ones that are not important for authentication can have wildcards. Mine looks like this:

service/sso_admin_user_0 = CN=myserver.com, OU=*, O=*, L=*, SP=*, C=GB

7. Adjust the hostagent connectivity in LVM to use HTTPS and specify the key from the LVMView keystore view to use (should be the only one).

Click the "Test Connection" button.

Regards,

Darryl

benny_maercz
Participant
0 Kudos

Hi Darryl,

thank you very much! My certificate was only for Server Authentication. I requested a new one with Client Authentication from my CA. I'll let you know if it works with the new certificate.

Kind regards

Benny

benny_maercz
Participant
0 Kudos

Hi Darryl,

thanks for your help. I finally got it working! Two tasks were necessary to solve the problem:

1. This time I used a certificate for Client and Server Authentication (ExtKeyUsage: ServerAuthentication ClientAuthentication) as you described.

2. Installing the new certificate did not solve the issue directly. After a while I noticed a slight difference between the Client DN which was returned in the sapstartsrv.log of the host agent

CN=lvmserver.server.dom, OU=SAP, O=Company, C=DE

and the configuration in my host agent profile


service/sso_admin_user_0 = CN=lvmserver.server.dom,OU=SAP,O=Company,C=DE

The difference was a bit difficult to notice, because it's just a difference in the blanks. I did not enter the blanks after each comma! After I added those blanks and restarted the host agent, the client authentication via X.509 certificate finally worked!

Thank you very much!

Kind regards,

Benny

asif_rahmetulla
Participant
0 Kudos

Hello Benny and Darryl,

The document is very helpful! I do have a question: the CA-signed certificate on the LVM server usually has 2 years validity, and if we have 200+ host agents then at the time of the LVM server's certificate renewal we will have to update the host agent PSE with the newly renewed credentials. Can you please comment on how you could possibly update the host agents' PSE on so many host agents.

Regards,

Asif

benny_maercz
Participant
0 Kudos

Hi Asif,

good point. I'm also thinking about that. I have a similar amount of host agents. So I will have to automate the initial PSE creation on the hosts. Probably I will code a script for that task and define it as a custom operation in LVM. Then I can run it on all hosts and create the PSE automatically. I am also thinking about a custom validation script which checks the validity of the certificates, so that I will be informed by LVM about expiring certificates. But those are just ideas, I did not yet start the coding.

Kind regards

Benny

Former Member
0 Kudos

Hello Asif,

When you say "CA signed certificate" I assume you mean the actual CA or ICA (intermediate) root certificates that form the certificate chain?

Mine seems to be valid until 2035.

But anyway, I have done as Benny has suggested, and scripted a solution.

I'm on Linux, so it's a lot easier to script 🙂 .

I did the following:

- Set up a central NAS share and mounted it via NFS on each server (this is as per design in the landscape as it stores all software media, so it already existed).

- Set up a cron job on each server as the sapadm user (again, I've already got this covered with a central script that was run on each server a long time ago to set up & control refreshing of crontab from the central NAS and master files).

- Store the CA and ICA certificates on the central NAS.

Once all of the above is complete, then it's simply a case of writing the script to:

- Use sudo to remove existing hostagent PSE file.

- Re-create the PSE.

- Add the CA and ICA certificates from the central NAS.

- Adjust (if required) the host_profile.

- Restart the agent.

- Verify it's listening on port 1129.

All I would need to do in my case, when 2035 comes around, is to place the new CA and ICA certificates onto the NAS and ensure that I update the master crontab files, so the next crontab refresh cron job pulls in the setup script and performs the setup operation.

Another option, instead of re-performing the setup, would be to just have a script that simply adds any certificates from a central location into the PSE.

You could then just place the new CA and ICA files into the central location and they would be added to the PSE.  No need to have it re-created.

Hope that helps,


Darryl

Former Member
0 Kudos

Please note that if you have added the LVM server certificate to the hostagent PSE then this is incorrect.

You only need the root CA and ICA certificates in the hostagent PSE.

You do not need the LVM server certificate (the client certificate).

Regards,


Darryl

asif_rahmetulla
Participant
0 Kudos

Hello Benny,

I was thinking along the same lines to use custom operations for creating a self-signed cert for the host agent on each host. In fact, a custom operation for dropping the expired certs and loading the renewed ICA and CA certificates from the LVM server into the host agent PSE; however, this will require some pre-work to stage the ICA and CA certs at a shared location.


Another question on the profile parameter, service/sso_admin_user_X. If we have more than one LVM server, can we define more than one parameter as below?


service/sso_admin_user_0 = CN=lvmserver1.server.dom, OU=SAP, O=Company, C=DE

service/sso_admin_user_1 = CN=lvmserver2.server.dom, OU=SAP, O=Company, C=DE

Looking forward to your response.

Best Regards,

Asif

benny_maercz
Participant
0 Kudos

Hi Asif,

yes, I think that's exactly the way to specify additional LVM servers. I will do the same here, but haven't tested it yet!

Make sure to restart the host agent after adding additional users!

Kind regards

Benny
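As an added example (not code from this thread, from SAP LVM or from the host agent), the check Benny and Darryl arrived at, in Python: it reads the Client DN from a constructed sapstartsrv.log excerpt, compares it component by component against the service/sso_admin_user_N entries of a host_profile (field wildcards as in Darryl's profile, several entries as in Asif's question) and flags the missing blanks after commas that cost Benny the most time. The matching rule is an assumption reconstructed from the posts, not SAP's documented algorithm.

```python
import re
from typing import Optional

# Constructed sample input, modelled on the line formats quoted in this thread
# (the sapstartsrv.log "Client DN" line and the "Operation ..." line).
SAPSTARTSRV_LOG = """\
[Thr 140598324979456]       Client DN = "CN=lvmserver.server.dom, OU=SAP, O=Company, C=DE"
[Thr 140598324979456] Operation ACOSPrepare; Socket type Network SSL Socket; Remote IP 149.216.2.50; Remote port 10640; Username Not Available
"""

# host_profile as first written in the thread: no blank after the commas.
HOST_PROFILE_BAD = """\
service/sso_admin_user_0 = CN=lvmserver.server.dom,OU=SAP,O=Company,C=DE
"""

# Corrected host_profile, extended with a second LVM server that uses wildcards.
HOST_PROFILE_GOOD = """\
service/sso_admin_user_0 = CN=lvmserver.server.dom, OU=SAP, O=Company, C=DE
service/sso_admin_user_1 = CN=lvmserver2.server.dom, OU=*, O=*, C=DE
"""

PROFILE_RE = re.compile(r"^\s*service/sso_admin_user_(\d+)\s*=\s*(.+?)\s*$", re.M)
CLIENT_DN_RE = re.compile(r'Client DN = "([^"]*)"')
USERNAME_RE = re.compile(r"Remote port (\d+); Username (.+)$", re.M)


def parse_sso_admin_users(profile_text: str) -> dict:
    """Return {N: DN pattern} for every service/sso_admin_user_N line."""
    return {int(n): dn for n, dn in PROFILE_RE.findall(profile_text)}


def extract_client_dns(log_text: str) -> list:
    """Client DNs the host agent printed after a handshake that received a cert."""
    return CLIENT_DN_RE.findall(log_text)


def dn_matches(pattern: str, client_dn: str) -> bool:
    """Component-wise match of a profile pattern against the presented Client DN.

    Assumption (reconstructed from the thread, not SAP's specification): components
    are separated by ", " exactly as the host agent prints them, TYPE=* accepts any
    value for that attribute type, and everything else must match literally.
    A pattern without the blank after each comma therefore never matches.
    """
    pat_parts, dn_parts = pattern.split(", "), client_dn.split(", ")
    if len(pat_parts) != len(dn_parts):
        return False
    for p, d in zip(pat_parts, dn_parts):
        if "=" not in p or "=" not in d:
            return False
        p_type, p_val = p.split("=", 1)
        d_type, d_val = d.split("=", 1)
        if p_type != d_type or (p_val != "*" and p_val != d_val):
            return False
    return True


def matching_user_index(profile_text: str, client_dn: str) -> Optional[int]:
    """N of the first sso_admin_user_N pattern that admits client_dn, else None."""
    for idx, pattern in sorted(parse_sso_admin_users(profile_text).items()):
        if dn_matches(pattern, client_dn):
            return idx
    return None


def lint_profile(profile_text: str) -> list:
    """Flag sso_admin_user patterns with a comma not followed by a blank: the
    defect that was hardest to spot in this thread."""
    return [f"sso_admin_user_{idx}: missing blank after comma in '{pattern}'"
            for idx, pattern in parse_sso_admin_users(profile_text).items()
            if re.search(r",(?! )", pattern)]


def unauthenticated_ports(log_text: str) -> list:
    """Remote ports of operations that reached the web method with no user mapped,
    i.e. lines ending in 'Username Not Available'."""
    return [int(port) for port, user in USERNAME_RE.findall(log_text)
            if user.strip() == "Not Available"]


if __name__ == "__main__":
    dn = extract_client_dns(SAPSTARTSRV_LOG)[0]
    print("bad profile  ->", matching_user_index(HOST_PROFILE_BAD, dn), lint_profile(HOST_PROFILE_BAD))
    print("good profile ->", matching_user_index(HOST_PROFILE_GOOD, dn))
    print("no user mapped on ports:", unauthenticated_ports(SAPSTARTSRV_LOG))
```

Run it against your own host_profile and a sapstartsrv.log excerpt to see which sso_admin_user_N entry (if any) admits the DN the agent actually received; remember that the agent must be restarted after the profile changes.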

Former Member
0 Kudos

Hi Asif,

A suggestion off the top of my head:  place the certificates in a web accessible location (e.g. SAP Portal server, or Tomcat, or Apache or maybe load them into the AS-Java stack of the LVM server itself somewhere), then use WGET in a Linux script which is called from an LVM custom operation, to simply pull the CA and ICA certificates...

Regards,


Darryl

Answers (4)


benny_maercz
Participant
0 Kudos

Hi,

After I spent a lot of time and used the SCN community support to find out how to configure HTTPS/SSL with client certificate authentication between LVM and the SAP host agents, I would like to share my documentation with the community:

In this blog article you can read how to configure the SSL client part in LVM as well as the SSL server part on the SAP host agents. Hope this blog article is helpful for you.

Please let me know if you think something should be corrected or improved. I'd also appreciate your feedback if the documentation is helpful for you.

Have a great weekend

Benny

jochen_wilhelm
Explorer
0 Kudos

Hi Benny,

I think the profile parameter is wrong:

service/sso_admin_user_0 = CN=lvmserver.server.dom, OU=SAP, O=Company, C=DE

And you have to make sure, that the hostagent trusts your CA.

You can basically apply the SSO documentation for the instance agent also for the hostagent, only use the sapadm and /usr/sap/hostctrl/exe.

Best regards

Jochen

benny_maercz
Participant
0 Kudos

Hi Jochen,

yes, I now understand that I need a certificate which is bound to a username and not to a hostname like in my case. I'll have to find out how to create such a certificate and get it signed by my CA.

Probably the service/sso_admin_user_0 parameter should look like this:


service/sso_admin_user_0 = CN=sapadm, OU=SAP, O=Company, C=DE

Because sapadm is the operating system user who needs to be authenticated.

I'll also look up the SSO documentation for the instance agent. Hope this documentation is a bit more detailed.

Kind regards

Benny

jochen_wilhelm
Explorer
0 Kudos

Hi Benny,

you do not necessarily need to use the sapadm user, hence the sso_admin_user_0 parameter mapping. The reason for the lag in the documentation from the HostAgent side is that all SSO users will have sapadm rights (which is desired in the SAP LVM use case), but this imposes a problem for some other use cases, e.g. starting hdblcm via SAP HostAgent (where only a sid-adm user is required).

Best regards

Jochen

MarioDeFelipe
Contributor
0 Kudos

Hello Benny

did you install the SAP server credentials in your browser client?

Can you perform this test from the server itself?

benny_maercz
Participant
0 Kudos

Hi Mario,

I think this issue has nothing to do with my browser configuration. The LVM system is operating as SSL client while SAP host agent operates as SSL server. I only want client certificate authorization from LVM system to the host agent. Not from my browser to LVM. So from my point of view the credentials are only required in LVM and not on my browser.

In the current configuration the communication between my browser and LVM is still HTTP and not HTTPS.

Kind regards,

Benny

adarshs_kapoor
Active Participant
0 Kudos

Hi Benny,

Please refer to these SAP Notes and Official Documentation as it may provide some useful information or hints.


[SAP Notes]

http://service.sap.com/sap/support/notes/927637


http://service.sap.com/sap/support/notes/1439348


http://scn.sap.com/thread/3856869


[Official Documentation]

SAP Single Sign-On 2.0 – SAP Help Portal Page

Hope this helps.

Best Regards,

Adarsh

benny_maercz
Participant
0 Kudos

Hi Adarsh,

thanks for pointing me to those SAP notes. SAP note 1439348 at least brought me one step forward. I now added


service/sso_admin_user0 = CN=lvmserver.server.dom, OU=SAP, O=Company, C=DE

to the host_profile of the host agent. Unfortunately the authentication still does not work, but the messages in sapstartsrv.log are different. Now the host agent asks the client (=LVM server) for a certificate and the LVM server sends it:


[Thr 140598393976576] Wed Jul  6 09:30:55 2016

[Thr 140598393976576] NiIPeekListen: peek successful for hdl 1

[Thr 140598393976576] NiIPeekListen: peek successful for hdl 1

[Thr 140598393976576] NiIAccept: hdl 1 accepted connection

[Thr 140598393976576] NiICreateHandle: hdl 18 state NI_INITIAL_CON

[Thr 140598393976576] NiIInitSocket: set default settings for hdl 18/sock 22 (I4; ST)

[Thr 140598393976576] NiIBlockMode: set blockmode for hdl 18 FALSE

[Thr 140598393976576] NiIAccept: state of hdl 18 NI_ACCEPTED

[Thr 140598393976576] NiHLGetHostName: found address 149.216.2.50 in cache

[Thr 140598393976576] NiIGetHostName: addr 149.216.2.50 = hostname 'is2500.ds.server.dom'

[Thr 140598393976576] NiIAccept: hdl 1 accepted hdl 18 from is2500.ds.server.dom:10640

[Thr 140598393976576] NiIAccept: hdl 18 took local address 149.216.2.50:1129

[Thr 140598393976576] NiIBlockMode: set blockmode for hdl 18 TRUE

[Thr 140598324979456] ->> SapSSLSessionInit(&sssl_hdl=0x7fdf99375e08, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))

[Thr 140598324979456] <<- SapSSLSessionInit()==SAP_O_K

[Thr 140598324979456]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"

[Thr 140598324979456]     out: sssl_hdl = 0x261f880

[Thr 140598324979456] ->> SapSSLSetNiHdl(sssl_hdl=0x261f880, ni_hdl=18)

[Thr 140598324979456] NiIBlockMode: leave blockmode for hdl 18 TRUE

[Thr 140598324979456]   SSL NI-sock: local=149.216.2.50:1129  peer=149.216.2.50:10640

[Thr 140598324979456] <<- SapSSLSetNiHdl(sssl_hdl=0x261f880, ni_hdl=18)==SAP_O_K

[Thr 140598324979456] ->> SapSSLSessionStart(sssl_hdl=0x261f880)

[Thr 140598324979456]   Server-configured Ciphersuites: "TLS_RSA_WITH_AES128_GCM_SHA256:TLS_RSA_WITH_AES256_GCM_SHA384:TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_AES256_CBC_SHA:TLS_RSA_WITH_RC4_128_SHA:TLS_RSA_WITH_RC4_128_MD5:TLS_RSA_WITH_3DES_EDE_CBC_SHA:TLS_RSA_WITH_DES_CBC_SHA:TLS_RSA_EXPORT_WITH_DES40_CBC_SHA:TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:TLS_RSA_EXPORT_WITH_RC4_40_MD5"

[Thr 140598324979456]   Client-offered Ciphersuites: "TLS_RSA_WITH_AES128_GCM_SHA256:TLS_RSA_WITH_AES128_CBC_SHA:TLS_RSA_WITH_3DES_EDE_CBC_SHA:TLS_RSA_WITH_RC4_128_SHA:TLS_RFC5746_INFO_SCSV"

[Thr 140598324979456]   Client Certificate available (FCPath-Len= 2)

[Thr 140598324979456]   New session (TLSv1.2)

[Thr 140598324979456]   HexDump of native SSL session ID { &buf= 0x2659e84, buf_len= 32 }

[Thr 140598324979456]    00000: 69 2b 5d 9d 6f f8 1c 47  bc 71 79 69 c0 a6 2c 3e   i+].o..G .qyi..,>

[Thr 140598324979456]    00010: 60 5d 38 f5 fe fe 42 63  8d 40 b6 53 2e e4 3a 5d   `]8...Bc .@.S..:]

[Thr 140598324979456] Base64-Dump of peer certificate (len=2315 bytes)

[Thr 140598324979456]

[Thr 140598324979456] -----BEGIN CERTIFICATE-----

[Thr 140598324979456] MIIJBzCCBu+gAwIBAgITGAAABPoIyEABMlnqJAAAAAAE+jANBgkqhkiG9w0BAQsF

[Thr 140598324979456] ADBQMRMwEQYKCZImiZPyLGQBGRYDZG9tMRMwEQYKCZImiZPyLGQBGRYDZWFkMSQw

...

...

DpMIsKAhp0MHqyOUlnrArNvIcOyWeTZP9l6Uhu/DGX1fTTK0SAWSZKqoXngcsHmt

[Thr 140598324979456] tRoArxAN7q3yXa2wxDyIrlp3G86ntuE1Q+Np2wFimzQPxWOz7y0Ibkms9HKF+5bG

[Thr 140598324979456] K6izhWqU3O4uOb8=

[Thr 140598324979456] -----END CERTIFICATE-----

[Thr 140598324979456]   Subject DN: CN=lvmserver.server.dom, OU=SAP, O=Company, C=DE

[Thr 140598324979456]   Issuer  DN: CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

[Thr 140598324979456]   Current Cipher: TLS_RSA_WITH_AES128_GCM_SHA256

[Thr 140598324979456] <<- SapSSLSessionStart(sssl_hdl=0x261f880)==SAP_O_K

[Thr 140598324979456]          status = "new SSL session, received client cert"

[Thr 140598324979456]       Client DN = "CN=lvmserver.server.dom, OU=SAP, O=Company, C=DE"

[Thr 140598324979456] ->> SapSSLRead(sssl_hdl=0x261f880, buf=0x28d9010, maxlen=32768,    timeout=-1, &readlen=0x7fdf99375d3c)

[Thr 140598324979456] <<- SapSSLRead(sssl_hdl=0x261f880)==SAP_O_K

[Thr 140598324979456]          ... = "buf= 0x28d9010, max=32768, received=1153"

[Thr 140598324979456] HTTP Parse - Start

[Thr 140598324979456] PutHeader: Host , 7

[Thr 140598324979456] PutHeader: mHeaderSet 128

[Thr 140598324979456] PutHeader: Content-Type , 4

[Thr 140598324979456] PutHeader: mHeaderSet 144

[Thr 140598324979456] PutHeader: CallingType , 29

[Thr 140598324979456] PutHeader: Content-Length , 3

[Thr 140598324979456] PutHeader: mHeaderSet 152

[Thr 140598324979456] PutHeader: SAP-PASSPORT , 29

[Thr 140598324979456] PutHeader: SOAPAction , 29

[Thr 140598324979456] - Parsing buffer 'POST  HTTP/1.1'

[Thr 140598324979456] HTTPMessage::AddBodyContent: Allocate in 0x0x278ab50 8192 bytes (left=8192)

[Thr 140598324979456] HTTPMessage::AddBodyContent: Copy in 0x0x278ab50 547 bytes (Size = 8192, Left=7645)

[Thr 140598324979456] Trying to lock HTTPHandlerManager::GetInstance

[Thr 140598324979456] Successfully locked HTTPHandlerManager::GetInstance

[Thr 140598324979456] Successfully unlocked HTTPHandlerManager::GetInstance

[Thr 140598324979456] Start executing Webmethod ACOSPrepare

[Thr 140598324979456] Operation ACOSPrepare; Socket type Network SSL Socket; Remote IP 149.216.2.50; Remote port 10640; Username Not Available

[Thr 140598324979456] No username set for DefaultOperationCredentialAuthenticator

[Thr 140598324979456] ->> SapSSLGetPeerInfo(sssl_hdl=0x261f880, &cert=(nil), &cert_len=(nil),

[Thr 140598324979456]    &subject_dn=0x7fdf99375250, &issuer_dn=(nil), &cipher=(nil))

[Thr 140598324979456] <<- SapSSLGetPeerInfo(sssl_hdl=0x261f880)==SAP_O_K

[Thr 140598324979456]     out: subject  = "CN=lvmserver.server.dom, OU=SAP, O=Company, C=DE"

[Thr 140598324979456]     out: issuer   = "CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom"

[Thr 140598324979456]     out: cert_len = 2315

[Thr 140598324979456]     out: cipher   = "TLS_RSA_WITH_AES128_GCM_SHA256"

[Thr 140598324979456] Unauthorized (user authentication required)

[Thr 140598324979456] *** ERROR => Webmethod ACOSPrepare failed: Unauthorized: User authentication required [saphostcontr 1297]

From the messages it seems to me that the certificate was accepted by the host agent. But I still get the same "Invalid credentials" error in LVM. I assume that I still have a problem with the message


[Thr 140598324979456] Operation ACOSPrepare; Socket type Network SSL Socket; Remote IP 149.216.2.50; Remote port 10640; Username Not Available

[Thr 140598324979456] No username set for DefaultOperationCredentialAuthenticator

It seems that the host agent does not know which user was authenticated with the certificate. In LVM I can't find an option to configure a username as "DefaultOperationCredentialAuthenticator".

Do you have another hint how to analyze this further?

Thank you very much

Benny