Regular and Client-authenticated HTTPS?

Similar Messages

• WDS and client authentication

  Hello Experts;
  Currently I have 4 subnets with about 10 AP's apiece and 1 master WDS per subnet. When my clients roam from one subnet to another i cannot get another ip on the new subnet. The WDSs are configured exactly the same (except for hostname, etc) and they have connectivity to the dhcp servers. Is there anything that I am missing?

  One or more client server groups on the WDS define client authentication.
  When a client attempts to associate to an infrastructure AP, the infrastructure AP passes the credentials of the user to the WDS for validation. If the WDS sees the credentials for the first time, WDS turns to the authentication server to validate the credentials. The WDS then caches the credentials, in order to eliminate the need to return to the authentication server when the same user attempts authentication again. This chapter describes how to configure access points for Wireless Domain Services (WDS), fast, secure roaming of client devices, and radio management. This chapter contains these sections:
  http://www.cisco.com/univercd/cc/td/doc/product/access/mar_3200/mar_wbrg/o13wds.htm

• Web Service, SSL and Client Authentication

  I tried to enable SSL with client authentication over a web service. I am using App Server 10.1.3.4.
  The test page requires my certificate (firefox asks me to choose the certificate) the response page of the web service returns this error:
  java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Bad response: 405 Method Not Allowed
  Has anyone used web services with SSL client authentication?
  Any clue why?
  Regards

  Any comment?
  Thank you.

• HTTPS without client authentication

  Hi Friends,
  In SOAP adapter, we have three options for HTTP
  HTTP without SSL
  HTTP with SSL (= HTTPS) without client authentication
  HTTP with SSL (= HTTPS) with client authentication
  Please let me know if I use  "HTTP with SSL (= HTTPS) without client authentication" ,  is it Transport Layer Sceurity of Message level Security?
  Please answer only if you are confident. No guess please!!!
  Thanks,
  Sandeep Maurya

  Hi,
  Please let me know if I use  "HTTP with SSL (= HTTPS) without client authentication" ,  is it Transport Layer Sceurity or Message level Security?
  HTTPS is used to encrypt the traffic between the client and the Web server. SSL encrypt the segments of network connections at the Transport Layer end-to-end.
  Don't get confused with the Client Authentication (with / without), as SSL is already being used in both the forms and the network is secured.
  Regards,
  Neetesh

• Handshake failure with client authentication

  Hi,
  I am using the JDK1.4 beta 3 to accomplish the following: I want to request an HTML page on an Apache webserver configured with SSL and client-authentication. It works with Netscape and Internet Explorer (and also with the openssl s_client test program)...
  But now I want to try it using Java... So, I wrote a very simple program based on some examples found on this forum... But i keep getting the following error (excerpt from the javax.net.debug=all command)
  As you can see the server request a client certificate that's issued by the certificate authority mentioned...
  *** CertificateRequest
  Cert Types: RSA, DSS,
  Cert Authorities:
  <[email protected], CN=Andy Zaidman, OU=stage, O=Kava's Certif
  icate Authority, L=Antwerp, ST=Antwerp, C=BE>
  [read] MD5 and SHA1 hashes: len = 180
  0000: 0D 00 00 B0 02 01 02 00 AB 00 A9 30 81 A6 31 0B ...........0..1.
  0010: 30 09 06 03 55 04 06 13 02 42 45 31 10 30 0E 06 0...U....BE1.0..
  0020: 03 55 04 08 13 07 41 6E 74 77 65 72 70 31 10 30 .U....Antwerp1.0
  0030: 0E 06 03 55 04 07 13 07 41 6E 74 77 65 72 70 31 ...U....Antwerp1
  0040: 25 30 23 06 03 55 04 0A 13 1C 4B 61 76 61 27 73 %0#..U....Kava's
  0050: 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 Certificate Aut
  0060: 68 6F 72 69 74 79 31 0E 30 0C 06 03 55 04 0B 13 hority1.0...U...
  0070: 05 73 74 61 67 65 31 15 30 13 06 03 55 04 03 13 .stage1.0...U...
  0080: 0C 41 6E 64 79 20 5A 61 69 64 6D 61 6E 31 25 30 .Andy Zaidman1%0
  0090: 23 06 09 2A 86 48 86 F7 0D 01 09 01 16 16 41 6E #..*.H........An
  00A0: 64 79 2E 5A 61 69 64 6D 61 6E 40 75 69 61 2E 61 [email protected]
  00B0: 63 2E 62 65 c.be
  *** ServerHelloDone
  [read] MD5 and SHA1 hashes: len = 4
  0000: 0E 00 00 00 ....
  *** Certificate chain
  JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
  *** ClientKeyExchange, RSA PreMasterSecret, v3.1
  Random Secret: { 3, 1, 38, 54, 219, 158, 32, 158, 155, 15, 55, 137, 216, 164, 4
  5, 65, 153, 142, 200, 98, 57, 251, 55, 6, 46, 124, 181, 161, 164, 234, 218, 75,
  195, 72, 218, 187, 182, 197, 4, 11, 249, 45, 3, 136, 207, 114, 236, 172 }
  [write] MD5 and SHA1 hashes: len = 141
  0000: 0B 00 00 03 00 00 00 10 00 00 82 00 80 64 92 2E .............d..
  0010: 42 2C A5 79 1D 2B A9 A5 D0 46 2A 1F 67 F3 49 28 B,.y.+...F*.g.I(
  0020: E0 ED 1D 85 E3 06 22 49 8A 79 02 48 E2 DD E6 75 ......"I.y.H...u
  0030: F3 C0 D3 A8 31 C0 18 94 7C 81 24 75 6A A1 0C 4F ....1.....$uj..O
  0040: 99 03 66 B8 37 4F 05 0D 5D CD F2 A0 10 F5 D5 F5 ..f.7O..].......
  0050: 50 66 49 91 CA C0 18 F1 07 E9 70 D0 CB EA 70 D3 PfI.......p...p.
  0060: 8E 13 55 E7 43 BD 94 1C D3 96 1F E9 67 93 57 62 ..U.C.......g.Wb
  0070: 91 5C E6 ED B1 75 9C A8 55 B7 50 DE CE 9B 1C EE .\...u..U.P.....
  0080: 57 62 20 9C F3 11 36 68 7A 38 62 79 D1 Wb ...6hz8by.
  main, WRITE: SSL v3.1 Handshake, length = 141
  SESSION KEYGEN:
  PreMaster Secret:
  0000: 03 01 26 36 DB 9E 20 9E 9B 0F 37 89 D8 A4 2D 41 ..&6.. ...7...-A
  0010: 99 8E C8 62 39 FB 37 06 2E 7C B5 A1 A4 EA DA 4B ...b9.7........K
  0020: C3 48 DA BB B6 C5 04 0B F9 2D 03 88 CF 72 EC AC .H.......-...r..
  CONNECTION KEYGEN:
  Client Nonce:
  0000: 3B E9 51 EF F3 13 65 11 4E D6 B7 B1 9F E8 F6 CB ;.Q...e.N.......
  0010: B5 2B 34 8F 87 53 66 61 33 BF 5A AD 7D 22 57 7D .+4..Sfa3.Z.."W.
  Server Nonce:
  0000: 3B E9 53 4E 03 37 E9 CD E8 DB 7C 54 9A 9E 53 B9 ;.SN.7.....T..S.
  0010: 78 E0 36 DF 06 17 07 90 2C D1 83 5E 20 05 DC E9 x.6.....,..^ ...
  Master Secret:
  0000: B5 A0 37 0A 2C 29 AD AC 99 B6 2F E0 4D 80 38 68 ..7.,)..../.M.8h
  0010: F7 4F 24 C4 AA 8C ED 25 A9 D6 90 33 4B 5A 0B 1D .O$....%...3KZ..
  0020: 11 A5 C9 E8 DB DE EF 9B 8D EB 7C 84 D6 AC 94 4F ...............O
  Client MAC write Secret:
  0000: F5 AF 61 5B B4 C2 A8 12 DA 7A FE A6 82 79 7F FC ..a[.....z...y..
  0010: B9 86 B2 C0 ....
  Server MAC write Secret:
  0000: 62 22 C6 39 91 E4 45 50 2A 49 E0 26 CF 16 3E 6A b".9..EP*I.&..>j
  0010: 46 19 00 D9 F...
  Client write key:
  0000: D9 D2 99 89 5C CA 2E 7D F3 B8 52 24 9E 01 9B 3B ....\.....R$...;
  Server write key:
  0000: 37 C3 37 78 8B 85 B0 FE 01 83 E2 6C F7 C6 73 33 7.7x.......l..s3
  ... no IV for cipher
  main, WRITE: SSL v3.1 Change Cipher Spec, length = 1
  JsseJCE: Using JSSE internal implementation for cipher RC4
  *** Finished, v3.1
  verify_data: { 51, 236, 194, 3, 230, 37, 147, 76, 251, 233, 132, 207 }
  [write] MD5 and SHA1 hashes: len = 16
  0000: 14 00 00 0C 33 EC C2 03 E6 25 93 4C FB E9 84 CF ....3....%.L....
  Plaintext before ENCRYPTION: len = 36
  0000: 14 00 00 0C 33 EC C2 03 E6 25 93 4C FB E9 84 CF ....3....%.L....
  0010: 64 30 E3 0B 31 CF 7D C7 D6 17 D8 FB 31 23 F9 34 d0..1.......1#.4
  0020: 5D B9 47 F9 ].G.
  main, WRITE: SSL v3.1 Handshake, length = 36
  main, READ: SSL v3.1 Alert, length = 2
  main, RECV SSLv3 ALERT: fatal, handshake_failure
  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
  at java.io.OutputStream.write(OutputStream.java:61)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
  at HttpClient.main(HttpClient.java:105)
  Now, I am sure the certificate is in the keystore, because one of the first things I do in the program is print the certificates available in the keystore...
  Does anyone know what I'm doing wrong? If you need the code to make a proper judgement, I will post it...
  Tnx in advance!
  Greetz,
  Andy Zaidman
  [email protected]

  import java.net.*;
  import java.io.*;
  import java.security.*;
  import java.security.cert.*;
  import javax.net.ssl.*;
  import java.util.*;
  public class HttpClient
       public HttpClient(){}
       public static void main (String args[])
       try
            //This is my server certificate - public key
            String serverCertificateFile = "MyCA.cer";
            //This is my client personal certificate
            String clientCertificateFile = "MyPersonal.pfx";
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            KeyStore ks = KeyStore.getInstance("JKS");
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SUNX509");
            ks.load(null, null);
            java.security.cert.X509Certificate the_cert = (java.security.cert.X509Certificate) cf.generateCertificate(new FileInputStream(serverCertificateFile));
            ks.setCertificateEntry("server", the_cert);
            tmf.init(ks);
            for (Enumeration e = ks.aliases() ; e.hasMoreElements() ;)
       System.out.println(ks.getCertificate(e.nextElement().toString()).toString());
            KeyStore ks2 = KeyStore.getInstance("PKCS12", "SunJSSE");
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SUNX509");
            ks2.load(null, null);
            FileInputStream fin = new FileInputStream(clientCertificateFile);
            ks2.load(fin, "xxx".toCharArray());
            kmf.init(ks2, "xxx".toCharArray());
            fin.close();
            for (Enumeration e = ks2.aliases() ; e.hasMoreElements() ;)
       System.out.println(ks2.getCertificate(e.nextElement().toString()).toString());
            SSLContext ctx = SSLContext.getInstance("SSLv3");
            KeyManager[] km = kmf.getKeyManagers();
            for(int i = 0; i < km.length; ++i)
                 System.out.println(km);
            TrustManager[] tm = tmf.getTrustManagers();
            ctx.init(km, tm, null);
            // connection part
            SSLSocketFactory factory = ctx.getSocketFactory();
            SSLSocket socket = (SSLSocket)factory.createSocket("localhost", 443);
            for(int i = 0; i < socket.getEnabledCipherSuites().length; ++i)
                 System.out.println(socket.getEnabledCipherSuites()[i]);
            socket.startHandshake();
            PrintWriter out = new PrintWriter(
                      new BufferedWriter(
                      new OutputStreamWriter(
                      socket.getOutputStream())));
            out.println("GET " + "/" + " HTTP/1.1");
            out.println();
            out.flush();
       catch(Exception e)
            e.printStackTrace();

• Client Authentication is not working

  Hi all..
  I have developed a web service with server and client authentication.. I had configured OC4J 10g successfully for client authentication but the problem is: I can NOT access the webservice from the browser the server says: no_certificate. the stub client works properly. I tried to install the certificate into IE explorer but it is not working. please help me ... Thanks in advance
  Khaled

  Hi
  How did you implement your solution to work with a client? I'm trying to authenticate users that try to access a webservice with basic authentication but I can't seem to make it work...
  Thanks in advanced
  Vitor

• Difference between client dependent table and client independent table

  hi all,
                i m new in sap pls tell me the difference between client dependent table and client independent table.
  tell me in detail.
  thanks and regards
    vikas saini

  HI
  Client dependent Means if you create that data in one client is limited to that client only and it is not accessable in other clients
  Like SAP SCRIPTS and STD texts data
  where as Client Independent means the data if you create in one client that is available in that as well as in other clients
  Like SMARTFORMS, All dictionary Objects data and Repository objects data like Programs, Fun modules, tables etc..
  There is no specific reason behind why scripts are client dep[endent and smartforms are client independent!!!
  As for SAP -- Scripts are called client dependent because if you create client in say,200 it would be available in that only.If you want to test the script in client 300 then it won't be there,you will have to go to transaction se71 in 300 .Then Utilities-> Copy from client.Give the source as 200 & form name(i.e. script name) & copy.
  Few more reasons why....? Please read below:
  SAPscript technology is based on a mainframe product from the 1980s.SAPscript forms have always been -- under the hood -- relatively passive objects, with minimal embedded logic. These forms were designed to be driven and controlled by ABAP programs, much in the way ABAP programs read in database tables to produce reports;
  if you ever download a SAPscript form (e.g., via utility program RSTXSCRP), and look at the portable text file it produces you'll see what I mean.
  Many text objects (e.g., invoice header texts) are bound directly to documents which are client-dependent, so it makes sense for these text objects to also be client-dependent. From a complexity standpoint, SAPscript forms are close enough to these text objects where I can see how it made sense at the time to make them client-dependent too.
  What is client dependent and Client Independent
  https://www.sdn.sap.com/irj/sdn/forums

• Enabling CLIENT-CERT and FORM authentication in same web-app

  Hi!
  I try to enable same behaviour in WLS 8.1 SP4 as is available in WLS 9.2 (one can define in web.xml to have many <auth-method>s, for example <auth-method>CLIENT-CERT,FORM<auth-method>, which states that first one tries authentication with token (Single Sign On case, for example) and if it is not successful then go to log-in page.
  My steps are as follows in my custom Servlet. We are using IE 6.0 as our web-client. We have configured our auth-method to be FORM, and in the <form-login-page> we have direction to that custom Servlet, which does the handling described below.
  1. If client does not send tokens in request, then set response header:
  response.setHeader("WWW-Authenticate", "Negotiate");
  response.sendError(response.SC_UNAUTHORIZED);
  This works fine and client starts to send his tokens
  2. Now check token, if it is valid, let user in, if not forward him to custom log-in page, for example:
  RequestDispatcher dispatcher = request.getRequestDispatcher("/login/login.html");
  dispatcher.forward(request, response);
  3. Client is forwarded to a log-in page as requested and he gives his credentials. Pushes OK
  log-in page is as defined in edocs:
  <form method="POST" action="j_security_check">
       <table border=1>
            <tr>
                 <td>Username:</td>
                 <td><input type="text" name="j_username"></td>
            </tr>
            <tr>
                 <td>Password:</td>
                 <td><input type="password" name="j_password"></td>
            </tr>
            <tr>
                 <td colspan=2 align=right><input type=submit value="Submit"></td>
            </tr>
       </table>
  </form>
  Now the interesting thing happens (I have investigated TCP traffic at server machine): client (in this case IE) seems to override somehow the credentials (j_password and j_username for HTTP headers, does not send them at all) but keeps on sending this 'Authorize'-field with invalid token instead.
  I have tried a Servlet that does not request WWW-Authenticate at all (in which case client does not start to send 'Authorize'-field). In this case those values are put to HTTP header OK and authentication is able to take place.
  Anyone has any ideas how can I force my clients to send those values from the HTML FORM described above? SHould I set something at response while I do the forward to the custom log-in page. I have tried virtually everything I can imagine (which seems to be not too much :-))...

  Solution found:
  The trick is to return "401" in response if ticket is not valid (do nothing else). This will end the negotiate between client and server
  In your web.xml, forward your 401 code to login page:
  <error-page>
  <error-code>401</error-code>
  <location>/form_login_page.html</location>
  </error-page>
  There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works

• HTTPs without client authentication, error while posting through Altova

  Hi Experts
  I am doing a SOAP- XI-Proxy synchronous scenario where i have to use HTTPs without client authentication for the first time in my system.
  I have made the scenario and WSDL out of it.
  When i am trying to test it through Altova, i am getting the following error:
  <?xml version="1.0"?>
  <!-- see the documentation -->
  <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP:Body>
          <SOAP:Fault>
              <faultcode>SOAP:Server</faultcode>
              <faultstring>Server Error</faultstring>
              <detail>
                  <s:SystemError xmlns:s="http://sap.com/xi/WebService/xi2.0">
                      <context>XIAdapter</context>
                      <code>ADAPTER.JAVA_EXCEPTION</code>
                      <text><![CDATA[
  java.security.AccessControlException: https scheme required
      at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:918)
      at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3.process(ModuleLocalLocalObjectImpl0_3.java:103)
      at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:296)
      at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0_0.process(ModuleProcessorLocalLocalObjectImpl0_0.java:103)
      at com.sap.aii.af.mp.soap.web.MessageServlet.callModuleProcessor(MessageServlet.java:187)
      at com.sap.aii.af.mp.soap.web.MessageServlet.doPost(MessageServlet.java:496)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
      at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
      at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
      at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
      at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
      at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1060)
      at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
      at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
      at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
      at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
      at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
      at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
      at java.security.AccessController.doPrivileged(Native Method)
      at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
      at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
            ]]></text>
                  </s:SystemError>
              </detail>
          </SOAP:Fault>
      </SOAP:Body>
  </SOAP:Envelope>
  i saw a few discussion on web but nowhere the solution was provided.
  the url is
  http://abc.sap.point:1234/XISOAPAdapter/MessageServlet?channel=:system:communicationchannel&amp;version=3.0&amp;Sender.Service=x&amp;Interface=x%5Ex
  i changed it to https also but in that case it was not even posting the request.
  i have set the sender adapter like this
  is there any setting that i am missing.
  What is the setting the i need to do in SM59.
  Please help me getting through this.
  Your help is highly appreciated. Thanks in advance.
  Neha

  HI Neha,
  1. Enable the https service in the ICM: you can follow the way to do it like is pointed out in the page 4 of this document (PI 7.1 and PI 7.0 has the same smicm abap transaction) http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60ff2883-70c5-2c10-f090-a744def2ba66?overridelayout=t…
  2. Generate the certificate. Use the STRUST transaction. Chech this document SSL Configuration in SAP ABAP AS and JAVA AS – Step-by-step procedure
  Hope this helps.
  Regards.

• The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'.

  when i connect to wcf service , i am getting the client authentication error.
  It happens only when i connect to wcf service from a client machine (virtual machine) that is logged in with local user account.
  Wcf service is hosted as windows service in my case.
  Client application is a windows application that connects using below security mode.
  BasicHttpBinding httpbind = new BasicHttpBinding();
  httpbind.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
  httpbind.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
  httpFactory.Credentials.Windows.AllowedImpersonationLevel
                                  = System.Security.Principal.TokenImpersonationLevel.Impersonation;
  Please help me with a solution.
  As i read more through below link , i doubt if the client is not in the same domain, it might not work ? is it rite.
  http://blogs.msdn.com/b/chiranth/archive/2013/09/21/ntlm-want-to-know-how-it-works.aspx
  Regards Battech

  https://msdn.microsoft.com/en-us/library/windows/desktop/aa378749%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
  Well, you need to figure out what the authentication is supposed to be bettwen the WCF client and WCF service, because Windows Authentication is being rejected.

• Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

  Hello All,
  We are currently building up a HTTPS message exchange with an external client.
  Our PI 7.1 recieved over HTTPS messages on an already configured Sender SOAP Adapter.
  The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
  Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet is required and works fine with user ID and password.
  Now we have to configure the addtional Client Authentication.
  At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
  But what are the next steps to get this scenario successfully in place?
  Many thanks in advance!
  Jochen

  Hi Colleagues,
  following Steps still have to be done:
  - Mapping public key to technical user at Java Stack
    As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for repecively technical user the public key certificate
  - Be sure CA root certivicate at Database under STRUSTSSO2
  - Import intermediate Certificate under Certificate List at Trast Manager for the Respecive Server Note
  - use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
  Many thanks to all for support!
  Regards,
  Jochen

• Autoscaling Application block for Azure worker role console app not working. Get error as The HTTP request was forbidden with client authentication

  I have written a console application to test the WASABi(AutoScaling Application Block) for my worker role running in azure. The worker role processes the messages in the queue and I want to scale-up based on the queue length. I have configured and set the
  constraints and reactive rules properly. I get the following error when I run this application.
  [BEGIN DATA]{}
      DateTime=2013-12-11T21:30:02.5731267Z
  Autoscaling General Verbose: 1002 : Rule match.
  [BEGIN DATA]{"EvaluationId":"4f9f7cb0-fc0d-4276-826f-b6a5f3ea6801","MatchingRules":[{"RuleName":"default","RuleDescription":"The default constraint rule","Targets":["AutoscalingWebRole","AutoscalingWorkerRole"]},{"RuleName":"ScaleUpOnHighWebRole","RuleDescription":"Scale
  up the web role","Targets":[]},{"RuleName":"ScaleDownOnLowWebRole","RuleDescription":"Scale down the web role","Targets":[]},{"RuleName":"ScaleUpOnHighWorkerRole","RuleDescription":"Scale
  up the worker role","Targets":[]},{"RuleName":"ScaleDownOnLowWorkerRole","RuleDescription":"Scale down the worker role","Targets":[]},{"RuleName":"ScaleUpOnQueueMessages","RuleDescription":"Scale
  up the web role","Targets":[]},{"RuleName":"ScaleDownOnQueueMessages","RuleDescription":"Scale down the web role","Targets":[]}]}
      DateTime=2013-12-11T21:31:03.7516260Z
  Autoscaling General Warning: 1004 : Undefined target.
  [BEGIN DATA]{"EvaluationId":"4f9f7cb0-fc0d-4276-826f-b6a5f3ea6801","TargetName":"AutoscalingWebRole"}
      DateTime=2013-12-11T21:31:03.7516260Z
  Autoscaling Updates Verbose: 3001 : The current deployment configuration for a hosted service is about to be checked to determine if a change is required (for role scaling or changes to settings).
  [BEGIN DATA]{"EvaluationId":"4f9f7cb0-fc0d-4276-826f-b6a5f3ea6801","HostedServiceDetails":{"Subscription":"psicloud","HostedService":"rmsazure","DeploymentSlot":"Staging"},"ScaleRequests":{"AutoscalingWorkerRole":{"Min":1,"Max":2,"AbsoluteDelta":0,"RelativeDelta":0,"MatchingRules":"default"}},"SettingChangeRequests":{}}
      DateTime=2013-12-11T21:31:03.7516260Z
  Autoscaling Updates Error: 3010 : Microsoft.Practices.EnterpriseLibrary.WindowsAzure.Autoscaling.ServiceManagement.ServiceManagementClientException: The service configuration could not be retrieved from Windows Azure for hosted service with DNS prefix 'rmsazure'
  in subscription id 'af1e96ad-43aa-4d05-b3f1-0c9d752e6cbb' and deployment slot 'Staging'. ---> System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException:
  The remote server returned an error: (403) Forbidden.
     at System.Net.HttpWebRequest.GetResponse()
     at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
     --- End of inner exception stack trace ---
  Server stack trace: 
     at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)
     at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
     at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
     at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
     at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
  If anyone know why I am getting this anonymous access violation error. My webrole is secured site but worker role not.
  I appreciate any help.
  Thanks,
  ravi
    

  Hello,
  >>: The service configuration could not be retrieved from Windows Azure for hosted service with DNS prefix 'rmsazure' in subscription id **************
  Base on error message, I guess your azure service didn't get your certificate and other instances didn't have certificate to auto scale. Please check your upload the certificate on your portal management. Also, you could refer to same thread via link(
  http://stackoverflow.com/questions/12843401/azure-autoscaling-block-cannot-find-certificate ).
  Hope it helps.
  Any question or result, please let me know.
  Thanks
  Regards,
  Will 
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• HTTPS with Client Authentication in SOAP sender Adapter

  Hi All,
  In SOAP Sender communication channel. When I generate WSDL with “HTTP Security Level = HTTP:” it works when third party tries to send data to XIwebservice.
  But when I tried with “HTTPS with Client Authentication” option its giving error
  “InfoPath either cannot connect to the data source, the service has timed out, or the server has an invalid certificate.”
  Please guide how to use “HTTPS with Client Authentication” option, and what all configuration need to apply in XI & in third party to use this.
  Regards

  Rohan,
  With spy you can trace the entire route, since you are using client authentication using certificate, it would be a better option to verify with the certificate.
  You also have the option of using a username/pwd combo though that is not advocated as it lowers security levels and is permeable to passive sniffing.
  So the answer to your question is yes, after importing the certificate with sender and third party reciever a test would reveal the complete scenario along with any issues that you could encounter..
  Regards
  Ravi Raman

• HTTPS With Client Authentication

  Hi,
  I've created a simple Web Service in PI 7.11 SP 4 when trying to connect to the Web Service from Soap UI I get the following error:
  java.security.AccessControlException: client certificate required
  In the the transaction scim the following can be seen:
  [Thr 5061] <<- SapSSLSessionInit()==SAP_O_K
  [Thr 5061]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
  [Thr 5061]     out: sssl_hdl = 1117534b0
  [Thr 5061] <<- SapSSLSetSessionCredHdl(sssl_hdl=1117534b0)==SAP_O_K
  [Thr 5061]      in: sssl_hdl = 1117534b0
  [Thr 5061]      in: cred_hdl = 116cfc110
  [Thr 5061] NiIBlockMode: set blockmode for hdl 271 TRUE
  [Thr 5061]   SSL NI-sock: local=XX.XX.XX.XX:50001  peer=XX.XX.XX.XX:2310
  [Thr 5061] <<- SapSSLSetNiHdl(sssl_hdl=1117534b0, ni_hdl=271)==SAP_O_K
  [Thr 5061] <<- SapSSLSessionStart(sssl_hdl=1117534b0)==SAP_O_K
  [Thr 5061]          status = "resumed SSL session, NO client cert"
  The fault is not at the Soap UI end as I've fired the request at a Tomcat server and confirmed that a certificate is sent when requested.
  Sender Communication Channel, 
  Transport Protocol: HTTP,
  Message Protocol: Soap 1.1,
  Adapter Engine: Central Adepter Engine,
  HTTPS with Client Authentication,
  Keep Headers
  Any ideas?
  Kind regards,
  John

  Hi Peter,
  If memory serves we did not find a solution to this problem. I think, and a quick check of the configuration suggests I'm right, that we're handling the HTTPS connection on an IIS box and passing it through to a non encrypted HTTP sender on PI.
  It may be that Soap UI is not configured correctly, however when I was getting the 'client certificate required', as mentioned in the original post, I'd confirmed that soap UI was correctly configured by connecting to an alternative Web Service. I also used Wireshark to see whether or not a certificate was being requested, or sent. It's invaluable if you're using Soap UI.
  All the best,
  John

• HTTPS Without client authentication shows error of Certificate

  Hi Experts,
  I am trying to develop a SOAP to RFC scenario where in SOAP sender HTTP security level - HTTPS Without Client Authentication is selected.
  I have downloaded WSDL from Sender agreement and trying to test web service from SOAPUI.  Now as per my understanding simply placing request to HTTPS:<host>:<port>:XISOAPAdapter/....   with correct user should work and this scenario shouldn't need any certificates.
  However in SOAPUI and even in RWB SOAP Sender, I am receiving error that - Client Certificate required.
  Any comments on why would it be happening ?    In fact whatever option in HTTP Security level I select, error remains same. In NWA is there any other configuration to be done to make this work ?
  Is below understanding right ?
  -- >> HTTPS Without client authentication will not need certificate exchange and simply user authentication will do
  Thanks..
  regards,
  Omkar.

  Hello Omkar,
  What you are trying to do is Consume a SOAP->RFC scenario (synchronous) from SOAP UI and you want that to be secure. With this requirement, just having the certificates alone is not sufficient (sorry for late response..i just came across this post when i was searching something else )
  1)How did you generate the certificate and the private key? Because Key Generation plays a Big Part in it. The Key should have been signed by a CA. Though its not signed by a CA, a trick which would work is, at the time of Key generation, provide the Organization Name as SAP Trust Community and Country as DE.
  2) At the time of Key Generation definitely it shall ask for a password. You remember that.
  3) Export the Private Key as PCKS12 format and the certificate as Base64 format and have it in your local system, (shall be used later in SOAP UI and NWA)
  Here follows the major part
  4) Open NWA and go to Configuration Management->Authentication
  5) Go to Properties Taband click Modify
  6)  Under Logon Application select the check box "Enable Showing Certificate Logon URL Link on Logon Page" and save it.
  7) Now go to the Components Tab.
  8) Search for client_cert Policy Configuration name and Edit it it. Make sure the following Login Modules are maintained in the same Order
  ==> Name: com.sap.engine.services.security.server.jaas.ClientCertLoginModule
         Flag : Sufficient
  ==> Name: BasicPasswordLoginModule
         Flag: Optional
  9) Now Select the name com.sap.engine.services.security.server.jaas.ClientCertLoginModule and you can see lots of entries under the Login Module Options. Remove them all and add anew entry (case sensitive). Save it.
  ==>Name: Rule1.getUserFrom
         value : wholeCert
  10) Now search for the Policy Configuration name sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter
  and edit it.
  11) Under the Authentication stack select the template client_cert against the used template label. and save it
  12)If you are using AXIS Adapter, do the steps 11 for the Policy Configuration name sap.com/com.sap.aii.axis.app*XIAxisAdapter.
  13) Now in NWA navigate to Operation management->Identity Management
  14) Search for the user PIISUSER (or any user id which you thing has good amount of authorizations to access the service)
  15)Click Modify and go to the TAB Certificates and upload the certificate (not the private key) which you downloaded in step 3.
  16) With this setup what you have done is you have created proper certificate, enabled certificate based logon for SOAP and AXIS adapter and associated the certificate with a user id.
  17) usually in Dual stack PI, we will have the same certificate added to the server pse in strustsso2 tcode. But since its single stack, just make sure in the cert and keys you add this certificate to teh Trusted CAs and also to the Server Keystore.
  18) Now in SOAP UI Right Click on the Project Name->Select Show Project View->Under the WS Security Configurations->Go to Keystore and certificates and add the Private Key
  19) In SOAP UI under the operation name, in the Request, in stead of providing user credentials, choose the private key name against the SSL Keystore entry.
  20) Before you execute the scenario  make sure you have chosen the HTTPS url and https port is proper. Usually its 443, but some customers configure their own port.
  Scenario should work now. Else if you track it using XPI Inspector, you can find out easily at which step it has gone wrong.
  Good Luck!!
  Best Regards,
  Sundar