Generate CSR in SAP SSO 2.0

Similar Messages

• CUCM 8.6.2 Generating CSRs With Incorrect Country Code

  Hi folks, I'm running CUCM 8.6.2.25900-8 on a single cluster (1x pub, 4x sub). My CA certs for the tomcat service are due to expire shortly so I've generated CSRs for all the servers and submitted them to our provider. All but one of the requests went through with no issues but one failed because the CSR specified a country code of 'US'. We are in the UK and the four other servers all generated CSRs specifying C=GB.
  Examining the current tomcat cert or issuing "show web-security" on the command-line of the server who's CSR failed also show 'C=GB'
  Looking at the 'set web-security' command it appears that I cannot change the country code.
  Why is the server generating CSRs with 'C=US'?
  How do I change this behaviour such that they are generated with 'C=GB' instead?

  Surprisingly, it has made it all the way to 10.5(x) with the same info and the same error...
  I did found a method to change it via root access, and you might not require root access, but I can't tell for sure as I would need to look at exactly what the contents of the file that TAC changes, but apparently it's just the platformConfig.xml that they need to change and reboot.
  If that's the case, using the utils import config using pretty much all the same info, except the country, would end up with the same outcome.
  Again, not 100% sure but theory says that should do the trick, you can run that thru TAC if you open the case and see what they think about it.

• Generate a new SAP mode maximized and active working with Excel or Word

  Hello!
  We have an event that it generates a new SAP mode in the desktop. This mode is generated ok (maximized and active) if the user is working in other SAP mode in this moment.
  But this mode is generated minimized if the user is working with a Word or Excel Microsoft document in this moment.
  We need to generate this new mode: ACTIVE and MAXIMIZED when the user is working wiht any non SAP tool in that moment. Is this possible??
  We have checked the following functions module with  failed results:
  NAVIGATION_EXECUTE_OBJECT
  ECATT_START_GUI_REMOTE
  TH_CREATE_MODE
  Thanks in advance!!
  Regards,
  Message was edited by:
          Elisa Villellas

  Could you try disabling graphics hardware acceleration? (I'm having trouble determining from your "More system information" whether it's enabled or disabled.) Since this feature was added to Firefox, it has gradually improved, but there still are a few glitches.
  You usually need to restart Firefox in order for this to take effect, so save all work first (e.g., mail you are composing, online documents you're editing, etc.).
  orange Firefox button ''or'' classic Tools menu > Options > Advanced
  On the "General" mini-tab, uncheck the box for "Use hardware acceleration when available"
  If you restart Firefox, is the issue resolved?

• Generate CSR for Third-Party Certificates

  Hi All,
  i have an issue when i tried to Generate CSR for Third-Party Certificates,
  i follow step by step in the document of cisco until this step:
  3.
  Now that your CSR is ready, copy and paste the CSR information into any CA enrollment tool.
  In order to copy and paste the information into the enrollment form, open the file in a text editor that
  does not add extra characters. Cisco recommends that you use Microsoft Notepad or UNIX vi. Refer
  to the website of the third−party CA for more information on how to submit the CSR through the
  enrollment tool.
  After you submit the CSR to the third−party CA, the third−party CA digitally signs the certificate and
  sends back the signed certificate via e−mail.
  4.
  Copy the signed certificate information that you receive back from the CA into a file.
  This example names the file CA.pem.
  my issue is where i sould copy and paste the CSR information into any CA enrollment tool. i just have done create mykey.pem and myreq.pem in my folder OpenSSL\bin
  Please help and Thanks you.
  Regards,
  Jasa

  you have to do more steps using openssl.
  before you obtain the third−part certificate, you have to copy that on a notepad text, and you have to obtain an intermediate and root certificate from the company that gives you the certificate.
  Then you have to copy and paste on a notepad or gedit:
  SSL (the certificate that they give you)
  Intermediate (the certificate that you obtain from the company that gives you the certificate)
  Root (the certificate that you obtain from the company that gives you the certificate)
  name the text file like: allcerts.pem
  then... you have to run this commands:
  C:\OpenSSL\bin>openssl pkcs12 -export -in allcerts.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:yourpassword -passout pass:yourpassowrd
  C:\OpenSSL\bin>openssl pkcs12 -in All-certs.p12 -out finalcert.pem -passin pass:yourpassword -passout pass:yourpassword
  Then you are going to have a file named: finalcert.pem, thats the one you have to update to the WLC. please note that on those lines "yourpassword" is the password you use when you create the certificate and its going to be the same that you have to use for upload to WLC.
  Note that you have to use openssl version 0.9.8 because its the only version thats WLC support
  If you have doubts please contact me.
  Have fun!

• List of systems that can / cannot be configured to accept SAP SSO

  Hi All,
  this may sound like a strange request, but I'm in search of a list that shows examples of common systems that cannot(!) be configured to use SAP SSO tickets.
  The reason is that we are evaluating various SSO infrastructures for a client. IBM WebSeal is already in use there but connecting new systems is expensive. We are trying to avoid problems that may arise in the future should we decide for SAP-SSO only.
  Thanks a lot,
  Jens

  Hi Jens,
  as far as I know there is no such list. However, I will share a thought or two on the topic. Basically, he SAP Logon Ticket is a HTTP cookie. The backend system has to able to receive and understand the ticket issued by the portal. By default most SAP systems are able to receive and accept SAP Logon Tickets. No suprise here. Most non-SAP systems do not process the SAP Logon Ticket by default. But there are ways to "upgrade" non-SAP systems to receive and accept the SAP Logon Ticket (see SAP Library section <a href="http://help.sap.com/saphelp_nw70/helpdata/en/12/9f244183bb8639e10000000a1550b0/frameset.htm">Single Sign-On to Non-SAP Systems and Applications</a>. In most cases you need to modify the native authentication process. You surely won't be able to do this for every single application.
  Also keep in mind that the SAP Logon Ticket requires that the user ids of the issuing system are the same as in the receiving system. Or at least the user must have the same user id in all receiving systems.
  Best regards,
  Martin

• How to generate CSR (certificate signing request) in PKCS#10 format

  Hi,
  First, I am a novice in security issues.
  Problem:
  I know how to generate CSR using PKCS#10 format with keytool. However I need to implement this functionality in my application. Unfortunately I can't find any docs describing this issue.
  Do anybody know about some API where I just pass data and it will generate CSR for me?
  Many Thanks,
  Miso

  Hi again,
  After a long research I am finally able to generate PKCS#10 cert. request files:
  public static void generatePKCS10() throws Exception {
          // generate PKCS10 certificate request
          KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
          String sigAlg = "MD5WithRSA";
          // generate private key - use java.util.SecureRandom for entropy
          keyGen.initialize(1024, new SecureRandom());
          KeyPair keypair = keyGen.generateKeyPair();
          PublicKey publicKey = keypair.getPublic();
          PrivateKey privateKey = keypair.getPrivate();
          PKCS10 pkcs10 = new PKCS10(publicKey);
          Signature signature = Signature.getInstance(sigAlg);
          signature.initSign(privateKey);
               //common, orgUnit, org, locality, state, country
          X500Name x500Name = new X500Name(
                    "CName",               // CN
                    "OUnit",               // OU
                    "Organization",          // O
                    "Bratislava",          // L
                    "Slovakia",               // S
                    "SK");               // C
          pkcs10.encodeAndSign(new X500Signer(signature, x500Name));
          // PKCS10 request generated
          pkcs10.print(System.out);
  Problem 1:
  However, this generates only a request with X500 subject's name ("CN, OU, O, ..."). But I also want to specify other things like "Key Usage" (example: "Digital Signature, Key Encipherment, etc.") or "Generic IA5 String" (example: "Only for test purposes."). How to do that?
  Problem 2:
  I'm also having trouble to find javadoc for "sun.security" package. As you can see, I'm using "sun.security.pkcs.PKCS10" class for generating CSR in PKCS10 format, but can't find any javadoc for it.
  Many thanks,
  Miso

• Generating Proxies for SAP Basis Objects?

  All,
  Is it possible to generate proxies for your interfaces under SAP Basis Component?
  1. I checked in SPROXY on my R3 and the SAP Basis Component is not displayed  here.What I also noticed is that none of the SWCV's containing Pre Delivered Integration Content is displayed in SPROXY.
  Is it necessary that the options , <b>All Objects are Modifiable and Original Objects</b> be selected for Proxies to be generated on the SAP Shipped SWCV's?
  2. As a work around ( one which did not work ) I created a Depenedency in the SLD for my SWCV on the SAP BASIS Swcv and I am now able to see the BASIS Objects in the IR under my Custom SWCV .
  But even then in SPROXY , (basis Objects )message interfaces are not displayed.
  Has anyone tried something of this sort? Is there some setting we need to do to enable proxy generation for SAP Delivered Components?
  Regards
  Bhavesh
  PS: I am able to see my custom SWCV in SPROXY and trigger proxy calls Successfully.
  I can generate a Custom Messge interface using the Message Type of the SAP Basis Component and create the Proxy to this Message interface . But, I just want to know if anyone has had success with the above concepts

  ><i>but they are already generated... do you see that ?</i>
  I did notice it. But didnt dig deep enough . Will give this a real close look tom morning .
  <i>>>>>Does this imply, that we cannot generae proxies on SAP Basis Components?
  indeed</i>
  That answered my Question  Thanks for the info.
  I guess I will have to create a message Interface will the Message Type from the BASIS Component and use this Message Interface.
  The only issue I am now wondering with this approach would be, what if the Message Type structure changes during some SP upgrade? Due to some new feature being added?
  Any experiences to share michal?
  Thanks a bunch for all those inputs.
  Regards
  Bhavesh

• Suppressing the message generated by standard SAP code

  Hi experts,
  I have requirement in which i have to suppress the warning message generated by standard SAP code.Is it possible?
  If so how?
  Any pointers will be highly appreciated.
  Thanks,
  Rakshith

  Hi,
  Check with the functional consultant. There might be a config transaction, wherein you can specify the type of error whether Harderror' or warning etc.
  I know, Fi and MM has that.
  Regards,
  Subramanian

• Generate CSR using SAPGENPSE

  Dear all,
  Our SSL connection will be expired and I was told to generate CSR. However I could only find SAPGENPSE. How to generate CSR using SAPGENPSE? What the file name will be?
  Additional info. It is for our external Webdispatcher.
  Please help.
  Regards,
  Agoes
  Message was edited by:
          Agoes Boedi Poerwanto

  Hi,
  I think you problem is a kind of bug in STRUST.
  Here is the workaround, I use :
  Get the Verisign certificate on your Windows PC.
  Double click on the cer file, the certificate will be displayed.
  Click on "Certification path", you will see your certificate, the inermediate CA certificate and the root certificate.
  Double click on the Root CA certificate, click on "Details" then export it as Base 64 X.509 cer file.
  Do the same for the intermediate certificate anf for you certificate.
  Then with notepad concatenate the 3 files in one single file in this order :
  Your certificate,
  the intermediate certificate
  the root certificate.
  This will be a text file looking like
  BEGIN CERTIFICATE-----
  END CERTIFICATE-----
  BEGIN CERTIFICATE-----
  END CERTIFICATE-----
  BEGIN CERTIFICATE-----
  END CERTIFICATE-----
  Now try to import this new .cer file.
  It works for me !
  Good luck !
  Regards,
  Olivier

• Generate CSR on ACE

  I am trying to generate a CSR on ACE.Actually import it from Linux box.
  I have a linux server created an openssl key  and then tried ti import it to the ace.
  This is the error i am getting on my ace
  admin#crypto import non-exportable ftp 10.192.49.8 root key.pem test123
  Password:
  Passive mode on.
  Hash mark printing on (1024 bytes/hash mark).
  Successfully imported file from remote server.
  Error: Specified local file already exists.
  s0labsw-ace1/Admin# crypto generate csr key.pem test123
  Error: Specified CSR config does not exist.
  This what i configured for csr param
  ace1/Admin# sh crypto csr-params all
  test123:
          country-name:   US
          state:         CA
          locality:       undefined
          org-name:       undefined
          org-unit:       undefined
          common-name:    xxx
          serial-number:  1
          email:          [email protected]
  can anyone let me point in the right direction

  > s0labsw-ace1/Admin# crypto generate csr key.pem test123
  I guess your CSR paramters name is test123 and key filename is key.pem.
  If so, above configuration order is wrong.
  ACE20-slot6-yushimaz/c1# sh crypto files
  Filename                                 File  File    Expor      Key/
                                           Size  Type    table      Cert
  key.pem                                  887   PEM     Yes         KEY
  ACE20-slot6-yushimaz/c1# sh crypto csr-params all
  test123:
          country-name:   JP
          state:          Tokyo
          locality:       undefined
          org-name:       undefined
          org-unit:       undefined
          common-name:    yushimaz
          serial-number:  1
          email:          yushimaz@local
  ACE20-slot6-yushimaz/c1#
  ACE20-slot6-yushimaz/c1#
  ACE20-slot6-yushimaz/c1# crypto generate csr ?
      Please enter the name of the CSR parameters set (Max Size - 64)
  ACE20-slot6-yushimaz/c1# crypto generate csr key.pem ?
      Please enter the key filename (Max Size - 39)
  ACE20-slot6-yushimaz/c1# crypto generate csr key.pem test123  <<==
  Error: Specified CSR config does not exist.
  ACE20-slot6-yushimaz/c1# crypto generate csr test123 key.pem  <<==
  -----BEGIN CERTIFICATE REQUEST-----
  MIIBjjCB+AIBADBPMQswCQYDVQQGEwJKUDEOMAwGA1UECBMFVG9reW8xETAPBgNV
  BAMTCHl1c2hpbWF6MR0wGwYJKoZIhvcNAQkBFg55dXNoaW1hekBsb2NhbDCBnzAN
  BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA8CcnWVe1amgXKE7ITPIDOSTys60ECf23
  1wpE/r7Yj+ihW5Y54jrvxr31QTCDXCwJVi4PjjYg8+2dtJvq+9g0fW2uzAbj6aNO
  iNP93KsEhooo1bvH6iUA/HQfJ6CxwLTMIWgOWxUuMeIdCXZwCguWmERIhq63RbTM
  F0DRP8IwEnECAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAOQ+zm6NVGTbxHY5GsW4
  hPEJdChW8XLWv0bnEQo1bcreR8ACNQ3g7mETWj/hRv6gZTIbQKsQElQ+RAInUPvl
  xM47+HgMNQkzPH9621wc1niR0S/mJUVQ/aIl6ZQwROvlAmIi6Gs+nyYUtfccjgpL
  ScYjdqEO4aXDXikzZDG0Y0gW
  -----END CERTIFICATE REQUEST-----
  ACE20-slot6-yushimaz/c1#
  Regards,
  Yuji

• MIDlet signing [openssl approach to generate CSR]

  Guys,
  Here are the questions that needs verification..
  1. Aside from Wireless Toolkit - JadTool.jar, What is another way to sign the MIDlet?
  a. the approach used to generate CSR was openssl.
  2. Is it possible to sign the MIDlet, if the CSR generated is from openssl approach? [Files generated r: .key and .csr] We know that on keytool approach [Files generated r: .keystore, .alias and .csr]
  3. Does Openssl technology is used only for web signing?
  4. Does certificate for web is different from mobile?
  5. Is it possible for one CRT file from Verisign, it can be use to certify WEB and mobile?
  Thanks in advance..
  Edited by: eesbee on Jul 30, 2009 3:03 AM

  Guys,
  Here are the questions that needs verification..
  1. Aside from Wireless Toolkit - JadTool.jar, What is another way to sign the MIDlet?
  a. the approach used to generate CSR was openssl.
  2. Is it possible to sign the MIDlet, if the CSR generated is from openssl approach? [Files generated r: .key and .csr] We know that on keytool approach [Files generated r: .keystore, .alias and .csr]
  3. Does Openssl technology is used only for web signing?
  4. Does certificate for web is different from mobile?
  5. Is it possible for one CRT file from Verisign, it can be use to certify WEB and mobile?
  Thanks in advance..
  Edited by: eesbee on Jul 30, 2009 3:03 AM

• Generating CSRs for SSL Certificates

  Hi all,
  I am trying to generate CSRs for SSL Certificates, in order to set up a secure (https) dynamic dns connection to my router.
  I am supposed to access to the following directory through the Terminal:
  cd /usr/local/ssl/private
  But all I can access is /usr, I cannot go any further. I always get the message "/local: No such file or directory." Even if I am logged as root.
  I might be making some mistakes, but I do not understand what is going on.
  Thanks
  Enrique

  The error message you posted says there is no "/local" which is true.
  There is a "/usr/local"
  If you are cd'ing one directory at a time, don't lead them with a /
  For example:
  cd /usr
  cd /local
  Will give you the error you describe
  cd /usr
  cd local
  Will put you into /usr/local
  If this doesn't solve your issue, please post the exact steps you are taking.
  Jeff

• Need help on SAP SSO with SAML & SSO2

  Dear expert,
  We met an SSO issue on launchpad.
  Here is our scenario and SSO structure. We use fiori launchpad to display all SAP apps.
  1. When  an user visit launchpad URL, URL will redirect user to identity provider (IDP) for SAML authentication.
  2. Then IDP authenticate with SAML2.0 token back to gateway.
  3. Gateway accept the SAML2.0 token and issue SSO2 logon ticket.
  4. Use logon ticket to backend ABAP ERP system for transaction apps.
  5. Use logon ticket to HANA system for factsheet.
  Now the first step above is OK as SAML token can be authenticated back to gateway. But after that, the basic form authentication pop-up for user credential on both backend system and HANA, which should not. We found out that launchpad was stucked with error message "/sap/es/ina/GetServerInfo HTTP/1.1 401 Unauthorized" at ERP backend service "GetServerInfo". By checking the cookies, we found out that after SAML token accepted by gateway, gateway did not issue any MYSAPSSO2 ticket.
  However, when we disabled SAML and use form authentication for launchpad, SSO2 logon ticket works perfectly among GW, ERP and HANA.  So, there should be no issue configuration regarding SSO2 logon ticket in SAP GUI.
  here is the system information:
  GW: NW740 SP5
  ERP: ECC6 on NW740 SP5
  HANA: v70
  Please kindly help us out on this issue. Please ask if other information is needed. thanks.
  Best regards,
  Xian' an

  This discussion thread belongs to the SAP Gateway space. For generic SSO related queries where portal is not involved the correct space is SAP NetWeaver Application Server. This space is for NetWeaver Single Sign-On (NWSSO, the separately purchasable product) topics only.

• SAP SSO between Microsoft AD and SAP R/3 GUI&WebGui

  Hello Everybody,
  We are looking in to implementing SSO between Mircosoft AD and our SAP CRM ABAP 7.0.
  We have users both logging in through SAP Gui and also the web gui.
  Found there a multiple options for achieving SSO:
  1) SNC
  2) X.509 cerfificate
  3) Kerberos
  I would like to go with X.509 certificate , and have already implemented the SAPCRYPTOLIB 5.5.5. Now am trying to download the "SAP NW Single Sign on 2.0" for installing the Secure Login Library SSL. And when i looked at PAM the required product versions are only:
  1. SAP EHP1 for SAP NW 7.3
  2. SAP NW 7.3
  3. SAP NW 7.4
  4. SAP NW CE 7.2
  So I went back and looked at PAM for SAP NW SINGLE SIGN ON 1.0 required product versions and I only see the below:
  1. SAP EHP1 FOR SAP NETWEAVER 7.3
  2. SAP NETWEAVER 7.3
  3. SAP NETWEAVER CE 7.2
  Our version of SAP is CRM ABAP 7.0, so I am not sure how/which version of Single Sign on I have to use.
  Can someone please advise.
  Thanks!

  Thank you Donka for the information!
  Looks like NW SSO 2.0 is supported for AIX 7.1 SAP ABAP CRM 7.0.
  But we also have users logging in to ABAP CRM 7.0 via HTTP Web dispatcher.
  And the PAM does not mention if NWSSO 2.0 is supported for X.509 method for web gui users logging in via HTTP.
  Also if we decide to go with SSO 2.0 and I manually Install the COMMONCRYPTOLIB 8 instead of the SAPCRYPTOLIB 5.5.5, I should be able to use the Secure Login Library files that come with the SSO 2.0 right?
  Here's our current Kernel version:
  kernel make variant           720_REL, 64 BIT AIX, UNICODE , Patch number 500
  Thanks!

• Opendocument SAP SSO in BO 4.0

  Hi all !
  /people/ingo.hilgefort/blog/2010/03/29/sap-businessobjects-enterprise-sap-enterprise-portal--part-1-of-4
  Parameter name                                      Configuration Value
  opendoc.authentication.default                 secSAPR3
  opendoc.siteminder.enabled                        False
  opendoc.sso.enabled                                  True
  What i must to edit in BO 4.0 to use opendocument sso from sap portal ?
  We have SAP BW and SAP portal(SSO) and i want to use webi reports with sso opendocument.
  We have users from SAP BW in BO 4.0
  My opendocument file
  app.name=BusinessObjects OpenDocument
  app.name.short=OpenDocument
  You can specify the default Authentication types here.  secEnterprise, secLDAP, secWinAD, secSAPR3
  authentication.default=secSAPR3
  Choose whether to let the user change the authentication type.  If it isn't shown the default authentication type from above will be used
  authentication.visible=false
  You can specify the default CMS machine name here
  cms.default=BO40:6400
  Choose whether to let the user change the CMS name.  If it isn't shown the default System from above will be used
  cms.visible=false
  Set to false to disable logon with token.
  logontoken.enabled=true
  Allow or disallow logoff on web session expiry for external logon.
  Has no effect if the global logoff.on.websession.expiry value is false
  extlogon.allow.logoff=true

  Wikipedia has a good article on SAML and how it works: Security Assertion Markup Language - Wikipedia, the free encyclopedia
  For it to work in BO, you would need an identity provider and a service provider, and the ability to pass in one of the parameters mentioned in the Admin Guide  (such as REMOTE_USER). The identity provider and service provider would be specified by your organization (we use Shibboleth for example). You may also need to install Apache if your SP does not talk directly to Tomcat (and in which case you can skip the web.xml configuration on p221), though there is other configuration needed for that scenario.
  I don't know the answer to your Windows AD question, but it appears there is an AD/SAML service available: Active Directory Federation Services