Symptom
An SAP Web Dispatcher sits in front of an SAP system (remark: this also applies to third-party load balancers / reverse proxies, although this KBA focuses on the SAP Web Dispatcher).
Single Sign-on (SSO) is configured based on X.509 Client Certificates and it is working.
You want to enhance the security of the communication between the Web Dispatcher and its backend system.
To do that, you either:
- Maintain the parameters "icm/HTTPS/trust_client_with_issuer" and "icm/HTTPS/trust_client_with_subject" at the backend system; or
- Maintain the parameter(s) "icm/trusted_reverse_proxy_X".
After that, the SSO stops working.
The level 2 (or 3) ICM trace, at the backend system, shows the following trace entries:
(...)
[Thr 7160] <<- SapSSLGetPeerInfo(sssl_hdl=000000000C6E1160)==SAP_O_K
[Thr 7160] out: subject = "CN=WDP, OU=SSL CLIENT, O=SAP, C=BR"
[Thr 7160] out: issuer = "EMAIL=ca@example.com, O=Example CA, L=City, SP=State, C=BR"
[Thr 7160] out: cert_len = 1828
[Thr 7160] out: cipher = "TLS_RSA_WITH_AES128_CBC_SHA"
[Thr 7160] HttpModGetDefRules: Client certificate received: with len=1828, subj="CN=WDP, OU=SSL CLIENT, O=SAP, C=BR", issuer=
[Thr 7160] HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields
[Thr 7160] HttpModGetDefRules: determined the defactions: REMOVE_SSL_HEADER REMOVE_EXPECT_HEADER (72)
(...)
Or:
HttpCertIsReverseProxyTrustworthy: client did not sent any cert ->intermediate not trustworthy
HttpIsReverseProxyTrustworthy: intermediary is NOT trusted
HTTP request [161/162/1] Reject untrusted forwarded certificate (received via HTTPS without certificate): subject=...
HttpModGetDefRules: determined the defactions: REMOVE_SSL_HEADER COMPAT_HANDLING ADD_SSL_CONNINFO_TO_HEADER STATIC_OPERATIONS (184)
- The "out: subject" and "out: issuer" lines show the details of the Web Dispatcher's client certificate;
- The "intermediary is NOT trusted" line indicates one of the possible root causes of the issue (see the "Cause" section, below).
The configuration explained in the Resolution section is also used for the principal propagation setup.
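As an added diagnostic example (not part of the KBA or of any SAP tool), the Python script below parses ICM trace lines like the ones quoted above, extracts the Web Dispatcher's client-certificate subject and issuer, and compares them with the values configured in icm/HTTPS/trust_client_with_subject and icm/HTTPS/trust_client_with_issuer. The sample trace is constructed from the excerpt, and the DN comparison is a simplified assumption rather than ICM's exact matching rules.

```python
import re

# Constructed sample of the level-2 ICM trace lines quoted in the KBA (not a real trace file).
SAMPLE_TRACE = """\
[Thr 7160] out: subject = "CN=WDP, OU=SSL CLIENT, O=SAP, C=BR"
[Thr 7160] out: issuer = "EMAIL=ca@example.com, O=Example CA, L=City, SP=State, C=BR"
[Thr 7160] HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields
[Thr 7160] HttpModGetDefRules: determined the defactions: REMOVE_SSL_HEADER REMOVE_EXPECT_HEADER (72)
"""

# SapSSLGetPeerInfo output lines carry the DNs of the certificate the reverse proxy presented.
DN_RE = re.compile(r'out:\s+(subject|issuer)\s+=\s+"([^"]*)"')
# Phrases the KBA shows for the "not trusted" verdict (both trace variants).
UNTRUSTED_MARKERS = ("intermediary is NOT trusted", "intermediate not trustworthy",
                     "Reject untrusted forwarded certificate")

def parse_trace(text):
    """Pull the proxy's certificate DNs and the backend's trust verdict out of ICM trace text."""
    found = {"subject": None, "issuer": None, "intermediary_trusted": True, "ssl_header_removed": False}
    for line in text.splitlines():
        m = DN_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2)
        if any(marker in line for marker in UNTRUSTED_MARKERS):
            found["intermediary_trusted"] = False
        if "REMOVE_SSL_HEADER" in line:   # forwarded certificate headers are being stripped
            found["ssl_header_removed"] = True
    return found

def normalize_dn(dn):
    """Strip whitespace around each RDN. Assumption: a simplified comparison, not ICM's exact rules."""
    return ",".join(part.strip() for part in dn.split(","))

def diagnose(text, trust_client_with_subject, trust_client_with_issuer):
    """Compare the DNs seen in the trace with the configured trust_client_with_* values."""
    found = parse_trace(text)
    if found["subject"] is None or found["issuer"] is None:
        return "no client certificate from the intermediary (trace: 'client did not sent any cert')"
    mismatches = []
    if normalize_dn(found["subject"]) != normalize_dn(trust_client_with_subject):
        mismatches.append("icm/HTTPS/trust_client_with_subject")
    if normalize_dn(found["issuer"]) != normalize_dn(trust_client_with_issuer):
        mismatches.append("icm/HTTPS/trust_client_with_issuer")
    if mismatches:
        return "certificate DN differs from " + " and ".join(mismatches) + "; SSL header fields are stripped, so SSO fails"
    if not found["intermediary_trusted"] or found["ssl_header_removed"]:
        return "DNs match but the trace still reports the intermediary untrusted: check icm/trusted_reverse_proxy_X as well"
    return "intermediary trusted; forwarded certificate accepted"
```

Run diagnose() against the backend's dev_icm trace text with the two parameter values copied from the backend profile; the returned sentence names which parameter the certificate does not match.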
Environment
- Product independent
- Release independent
- Client/Server Technology - ICM (Internet Communication Manager)
- Client/Server Technology - Web Dispatcher
- Security - Secure Sockets Layer Protocol
- Java Application Server - Security, User Management / SSO, Logon
Keywords
Single sign on, Single sign-on, SSO, X.509, WDP, WD, Web disp, PSE, Certificate, Trust, ICM, ICMAN, Web Dispatcher, Principal Propagation, SSSLERR_PEER_CERT_UNTRUSTED, ERR_BAD_SSL_CLIENT_AUTH_CERT, Reject untrusted forwarded certificate, KBA, s4, cpi & webdispatcher certificate aut, smicm log 401 unauthorized, authentication issue, 503 service not available, client certificate rejected, BC-CST-IC, Internet Communication Manager, BC-CST-WDP, Web Dispatcher, BC-JAS-SEC, Security, User Management, BC-SEC-SSL, Secure Sockets Layer Protocol, Problem
About this page
This is a preview of an SAP Knowledge Base Article; the full version is available on SAP for Me (login required).