SAP Knowledge Base Article - Preview

3044065 - How to verify the acceptable client certificate CA names when you configuring SSO via SAP Web Dispatcher

Symptom

Following wiki has been followed to configure SSO via SAP Web Dispatcher.
How to Configure SAP Web Dispatcher to Forward SSL Certificates for X.509 Authentication
However, SSO is still failed. Following error messages are shown in debug level dev_icm trace.

Connection (X/XXXX accepted on <hostname>:<port number> (protocol: HTTPS)
...
Client Certificate:
Client did not send a certificate, because client does not have a certificate (that is trusted by the server)!
Solution: Client has to be provided with a certificate that is trusted by the server
or existing client certificate has to be added to list of trusted CAs in the server PSE!
See above for trusted CAs in PSE '<path of backend server PSE file>'.
Client (SAP Web Dispatcher, pf=<path of webdispatcher profile>, pid=<process id>) used Client PSE '<path of webdispatcher client PSE>'!
Image /data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.


Read more...

Environment

  • Product independent
  • Release independent

Product

SAP NetWeaver all versions

Keywords

icm/verify_client / VCLIENT, PSE, STRUST, webdispatcher, x509, x.509, single sign on, Issuer certificates are trusted!, Trust cannot be verified without a certificate!, See above why client did not send a certificate!, No certificate that will be forwarded to ABAP!, icm/HTTPS/trust_client_with_issuer, icm/HTTPS/trust_client_with_subject, icm/trusted_reverse_proxy_0, icm/trusted_reverse_proxy , KBA , BC-CST-IC , Internet Communication Manager , BC-CST-WDP , Web Dispatcher , How To

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.