2160678 - SSO stops working when the "icm/HTTPS/trust_client_with*" parameters are configured | SAP Knowledge Base Article

SAP Knowledge Base Article - Preview

Symptom

You have an SAP Web Dispatcher in front of an SAP system.

Single Sign-on (SSO) is configured based on X.509 Client Certificates and it is working.

You want to enhance the security of the communication between the Web Dispatcher and its backend system.

To do that, you maintain the parameters "icm/HTTPS/trust_client_with_issuer" and "icm/HTTPS/trust_client_with_subject" on the backend system.

After that, the SSO stops working.

The ICM trace at level 2 (or 3) on the backend system shows the following entries:

(...)
[Thr 7160] <<- SapSSLGetPeerInfo(sssl_hdl=000000000C6E1160)==SAP_O_K
[Thr 7160]     out: subject  = "CN=WDP, OU=SSL CLIENT, O=SAP, C=BR"
[Thr 7160]     out: issuer   = "EMAIL=ca@example.com, O=Example CA, L=City, SP=State, C=BR"
[Thr 7160]     out: cert_len = 1828
[Thr 7160]     out: cipher   = "TLS_RSA_WITH_AES128_CBC_SHA"
[Thr 7160] HttpModGetDefRules: Client certificate received: with len=1828, subj="CN=WDP, OU=SSL CLIENT, O=SAP, C=BR", issuer=
[Thr 7160] HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields
[Thr 7160] HttpModGetDefRules: determined the defactions: REMOVE_SSL_HEADER REMOVE_EXPECT_HEADER  (72)
(...)

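  • The SapSSLGetPeerInfo output lines (shown in blue in the original article) show the details of the Web Dispatcher's client certificate, such as its subject and issuer;
  • The line "intermediary is NOT trusted -> remove SSL header fields" (shown in red in the original article) indicates one of the possible root causes of the issue (see the "Cause" section, below).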
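
As an added example (not part of the SAP article or SAP tooling), the Python script below pairs each "intermediary is NOT trusted" trace entry with the subject and issuer reported on the same thread, so they can be compared with the values maintained in the two parameters. The trace sample and the configured value are constructed; the comparison helper only shows where two strings diverge and does not reproduce ICM's own matching rules.

```python
import re

# Constructed sample, based on the trace excerpt quoted in this article.
SAMPLE_TRACE = '''\
[Thr 7160] <<- SapSSLGetPeerInfo(sssl_hdl=000000000C6E1160)==SAP_O_K
[Thr 7160]     out: subject  = "CN=WDP, OU=SSL CLIENT, O=SAP, C=BR"
[Thr 7160]     out: issuer   = "EMAIL=ca@example.com, O=Example CA, L=City, SP=State, C=BR"
[Thr 7160]     out: cert_len = 1828
[Thr 7160] HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields
'''

PEER = re.compile(r'^\[Thr (\S+)\]\s+out: (subject|issuer)\s*= "(.*)"\s*$')
UNTRUSTED = re.compile(r'^\[Thr (\S+)\] HttpModGetDefRules: intermediary is NOT trusted')

def untrusted_intermediaries(trace_text):
    """Return one dict (thread, subject, issuer) per 'NOT trusted' entry."""
    peer = {}    # thread id -> last subject/issuer seen on that thread
    events = []
    for line in trace_text.splitlines():
        m = PEER.match(line)
        if m:
            peer.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
            continue
        m = UNTRUSTED.match(line)
        if m:
            seen = peer.get(m.group(1), {})
            events.append({"thread": m.group(1),
                           "subject": seen.get("subject"),
                           "issuer": seen.get("issuer")})
    return events

def first_difference(configured, presented):
    """Index of the first differing character, or None if identical."""
    if configured == presented:
        return None
    for i, (a, b) in enumerate(zip(configured, presented)):
        if a != b:
            return i
    return min(len(configured), len(presented))

if __name__ == "__main__":
    # Hypothetical profile value, constructed for this example.
    configured_subject = "CN=WDP,OU=SSL CLIENT,O=SAP,C=BR"
    for ev in untrusted_intermediaries(SAMPLE_TRACE):
        pos = first_difference(configured_subject, ev["subject"])
        print(f"Thr {ev['thread']}: presented subject {ev['subject']!r}")
        print(f"  configured {configured_subject!r}, first difference at {pos}")
```
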

Environment

  • Product independent
  • Release independent
  • Client/Server Technology - ICM (Internet Communication Manager)
  • Client/Server Technology - Web Dispatcher
  • Security - Secure Sockets Layer Protocol
  • Java Application Server - Security, User Management / SSO, Logon

Product

SAP NetWeaver all versions

Keywords

Single sign on, Single sign-on, SSO, X.509, WDP, WD, Web disp, PSE, Certificate, Trust, ICM, ICMAN, Web Dispatcher, KBA, BC-CST-IC, Internet Communication Manager, BC-JAS-SEC, Security, User Management, BC-CST-WDP, Web Dispatcher, BC-SEC-SSL, Secure Sockets Layer Protocol, Problem
