SAP Knowledge Base Article - Preview

2160678 - SSO stops working when the ICM trust parameters are configured

Symptom

An SAP Web Dispatcher is in front of an SAP system (remark: this is valid for third party load balancers / reverse proxies too, although this KBA focus on the SAP Web Dispatcher).

Single Sign-on (SSO) is configured based on X.509 Client Certificates and it is working.

You want to enhance the security of the communication between the Web Dispatcher and its backend system.

To do that, you either:

  • Maintain the parameters "icm/HTTPS/trust_client_with_issuer" and "icm/HTTPS/trust_client_with_subject" at the backend system; or
  • Maintain the parameter(s) "icm/trusted_reverse_proxy_X".

After that, the SSO stops working.

The level 2 (or 3) ICM trace, at the backend system, shows the following trace entries:

(...)
[Thr 7160] <<- SapSSLGetPeerInfo(sssl_hdl=000000000C6E1160)==SAP_O_K
[Thr 7160]     out: subject  = "CN=WDP, OU=SSL CLIENT, O=SAP, C=BR"
[Thr 7160]     out: issuer   = "EMAIL=ca@example.com, O=Example CA, L=City, SP=State, C=BR"
[Thr 7160]     out: cert_len = 1828
[Thr 7160]     out: cipher   = "TLS_RSA_WITH_AES128_CBC_SHA"
[Thr 7160] HttpModGetDefRules: Client certificate received: with len=1828, subj="CN=WDP, OU=SSL CLIENT, O=SAP, C=BR", issuer=
[Thr 7160] HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields
[Thr 7160] HttpModGetDefRules: determined the defactions: REMOVE_SSL_HEADER REMOVE_EXPECT_HEADER  (72)
(...)

  • The lines in blue show the details of the Web Dispatcher's client certificate;
  • The line in red indicates one of the possible root causes of the issue (see the "Cause" section, below).

Read more...

Environment

  • Product independent
  • Release independent
  • Client/Server Technology - ICM (Internet Communication Manager)
  • Client/Server Technology - Web Dispatcher
  • Security - Secure Sockets Layer Protocol
  • Java Application Server- Security, User Management / SSO, Logon

Product

SAP NetWeaver all versions

Keywords

Single sign on, Single sign-on, SSO, X.509, WDP, WD, Web disp, PSE, Certificate, Trust, ICM, ICMAN, Web Dispatcher , KBA , BC-CST-IC , Internet Communication Manager , BC-JAS-SEC , Security, User Management , BC-CST-WDP , Web Dispatcher , BC-SEC-SSL , Secure Sockets Layer Protocol , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.