SAP Knowledge Base Article - Preview

2160678 - SSO stops working when the ICM trust parameters are configured

Symptom

An SAP Web Dispatcher is in front of an SAP system (remark: this is valid for third-party load balancers / reverse proxies too, although this KBA focuses on the SAP Web Dispatcher).

Single Sign-on (SSO) is configured based on X.509 Client Certificates and it is working.

You want to enhance the security of the communication between the Web Dispatcher and its backend system.

To do that, you either:

  • Maintain the parameters "icm/HTTPS/trust_client_with_issuer" and "icm/HTTPS/trust_client_with_subject" at the backend system; or
  • Maintain the parameter(s) "icm/trusted_reverse_proxy_X".

After that, the SSO stops working.

The level 2 (or 3) ICM trace, at the backend system, shows the following trace entries:

(...)
[Thr 7160] <<- SapSSLGetPeerInfo(sssl_hdl=000000000C6E1160)==SAP_O_K
[Thr 7160]     out: subject  = "CN=WDP, OU=SSL CLIENT, O=SAP, C=BR"
[Thr 7160]     out: issuer   = "EMAIL=ca@example.com, O=Example CA, L=City, SP=State, C=BR"
[Thr 7160]     out: cert_len = 1828
[Thr 7160]     out: cipher   = "TLS_RSA_WITH_AES128_CBC_SHA"
[Thr 7160] HttpModGetDefRules: Client certificate received: with len=1828, subj="CN=WDP, OU=SSL CLIENT, O=SAP, C=BR", issuer=
[Thr 7160] HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields
[Thr 7160] HttpModGetDefRules: determined the defactions: REMOVE_SSL_HEADER REMOVE_EXPECT_HEADER  (72)
(...)

  • The SapSSLGetPeerInfo output lines (subject, issuer, cert_len, cipher; shown in blue in the original article) show the details of the Web Dispatcher's client certificate;
  • The line "intermediary is NOT trusted -> remove SSL header fields" (shown in red in the original article) indicates one of the possible root causes of the issue (see the "Cause" section, below).
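As an added troubleshooting example (not part of the KBA), the script below parses trace entries of the form shown above and compares the forwarding proxy's certificate subject and issuer with the values configured for icm/HTTPS/trust_client_with_subject and icm/HTTPS/trust_client_with_issuer. The sample trace is constructed from the entries above, and the DN comparison rule (case-insensitive, whitespace around commas ignored) is an assumption of this example, not a statement of how the ICM compares the values.

```python
import re

# Constructed sample of a level 2 ICM trace, modelled on the entries quoted in this KBA.
SAMPLE_TRACE = """\
[Thr 7160] <<- SapSSLGetPeerInfo(sssl_hdl=000000000C6E1160)==SAP_O_K
[Thr 7160]     out: subject  = "CN=WDP, OU=SSL CLIENT, O=SAP, C=BR"
[Thr 7160]     out: issuer   = "EMAIL=ca@example.com, O=Example CA, L=City, SP=State, C=BR"
[Thr 7160]     out: cert_len = 1828
[Thr 7160]     out: cipher   = "TLS_RSA_WITH_AES128_CBC_SHA"
[Thr 7160] HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields
[Thr 7160] HttpModGetDefRules: determined the defactions: REMOVE_SSL_HEADER REMOVE_EXPECT_HEADER  (72)
"""

PEER_RE = re.compile(r'out: (subject|issuer)\s*=\s*"([^"]*)"')
NOT_TRUSTED = "intermediary is NOT trusted"

def parse_peer_info(trace: str) -> dict:
    """Collect the forwarding proxy's certificate DNs and the ICM trust verdict from the trace."""
    info = {"subject": None, "issuer": None, "trusted": True}
    for line in trace.splitlines():
        m = PEER_RE.search(line)
        if m:
            info[m.group(1)] = m.group(2)
        if NOT_TRUSTED in line:
            info["trusted"] = False
    return info

def normalize_dn(dn: str) -> str:
    """Assumed comparison rule: ignore case and whitespace around the comma-separated RDNs."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def diagnose(trace: str, profile: dict) -> list:
    """Return one finding per trust parameter that is missing or does not match the peer certificate.

    profile maps ICM parameter names to their configured values (a constructed stand-in for
    the backend instance profile)."""
    peer = parse_peer_info(trace)
    if peer["trusted"]:
        return []
    findings = []
    checks = {"icm/HTTPS/trust_client_with_subject": peer["subject"],
              "icm/HTTPS/trust_client_with_issuer": peer["issuer"]}
    for param, seen in checks.items():
        configured = profile.get(param)
        if configured is None:
            findings.append(f"{param} is not set; peer certificate presented {seen!r}")
        elif normalize_dn(configured) != normalize_dn(seen):
            findings.append(f"{param}={configured!r} does not match peer certificate {seen!r}")
    if not findings:
        findings.append("both DN parameters match the peer certificate; the rejection has another cause")
    return findings
```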



The configuration explained in Resolution section is also used for principal propagation setup.


Read more...

Environment

  • Product independent
  • Release independent
  • Client/Server Technology - ICM (Internet Communication Manager)
  • Client/Server Technology - Web Dispatcher
  • Security - Secure Sockets Layer Protocol
  • Java Application Server- Security, User Management / SSO, Logon

Product

SAP NetWeaver all versions

Keywords

Single sign on, Single sign-on, SSO, X.509, WDP, WD, Web disp, PSE, Certificate, Trust, ICM, ICMAN, Web Dispatcher, Principal Propagation, SSSLERR_PEER_CERT_UNTRUSTED, Reject untrusted forwarded certificate, KBA, s4, cpi & webdispatcher certificate aut, authentication issue, smicm log 401 unauthorized, 503 service not available, client certificate rejected, BC-CST-IC, Internet Communication Manager, BC-CST-WDP, Web Dispatcher, BC-JAS-SEC, Security, User Management, BC-SEC-SSL, Secure Sockets Layer Protocol, Problem
