X.509 troubleshooting – Enabling trust between NetWeaver and intermediate server

Published by Tobias Hofmann on

2 min read

ICM in NetWeaver ABAP does not simply read the HTTP header and accept the transmitted X.509 certificate as-is. The picture below shows what an intermediate server sends to NetWeaver.

[Screenshot: the request an intermediate server sends to NetWeaver]

You can see that two certificates are transmitted to SAP: the user's X.509 certificate as well as the proxy / intermediate server's own certificate. Two ICM profile parameters must be set before the forwarded certificate is accepted.

icm/HTTPS/trust_client_with_issuer = CN=intermediate, *
icm/HTTPS/trust_client_with_subject = C=DE, ST=BW, L=Karlsruhe, O=blog, *

If the intermediate server does not authenticate itself with a certificate matching these values, the certificate in the HTTP header is ignored. A Basis person must add the correct values to the SAP NetWeaver profile.

ICM's certificate validation adds a further level of security. Just setting the above parameters does not cause an arbitrary certificate containing these values to be accepted: the CA certificate named by trust_client_with_issuer must also be added to the server's PSE for its role as an HTTPS server.

Without this additional level of validation, you could create your own CA and a client certificate carrying the same values. The faked client certificate sent to ICM would then be accepted, because the issuer line matches. But because the CA certificate must be present in the PSE, this kind of attack does not work.

Client certificate must be trusted by SSL Server

If the certificate sent by the client is not trusted by the SSL server (its issuing CA is not in the server's PSE), the logon does not work. For instance, assume that your HTTPS client uses a self-signed certificate.

Certificate validation fails
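The decision ICM makes, as described in the sections above (issuer/subject match against the two profile parameters, then the PSE trust check for the intermediate's certificate, then the trust check for the forwarded user certificate), modelled as an added Python example. This is not SAP code: the certificates and CAs are constructed toys that use an HMAC as a stand-in for the CA signature, the `pse` dict stands in for the SSL server PSE, and the wildcard semantics of `dn_matches` (RDNs compared in order, a trailing `*` matching any further RDNs) are an assumption for illustration. The scenarios show why a rogue CA with the same DN as `CN=intermediate`, and a self-signed user certificate, are both rejected.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# ---- DN matching for the two ICM profile parameters -------------------------
# Assumption (not verified against ICM internals): RDNs are compared in order and
# a trailing "*" matches any remaining RDNs.


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'C=DE, O=blog, *' into [('C','DE'), ('O','blog'), ('*','*')]."""
    rdns = []
    for part in (p.strip() for p in dn.split(",")):
        if part == "*":
            rdns.append(("*", "*"))
        else:
            key, _, value = part.partition("=")
            rdns.append((key.strip().upper(), value.strip()))
    return rdns


def dn_matches(pattern: str, dn: str) -> bool:
    pattern_rdns, actual = parse_dn(pattern), parse_dn(dn)
    i = 0
    for rdn in pattern_rdns:
        if rdn == ("*", "*"):
            return True  # wildcard: remaining RDNs are unconstrained
        if i >= len(actual) or actual[i] != rdn:
            return False
        i += 1
    return i == len(actual)  # without a wildcard the DN must match completely


# ---- Toy certificates and CAs (constructed; HMAC stands in for a signature) --
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    signature: str


class CA:
    def __init__(self, dn: str, secret: bytes) -> None:
        self.dn, self._secret = dn, secret

    def _sign(self, subject: str) -> str:
        msg = f"{subject}|{self.dn}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, subject: str) -> Cert:
        return Cert(subject, self.dn, self._sign(subject))

    def verify(self, cert: Cert) -> bool:
        return cert.issuer == self.dn and hmac.compare_digest(
            self._sign(cert.subject), cert.signature)


def trusted_by_pse(pse: dict[str, CA], cert: Cert) -> bool:
    """A cert is trusted only if the CA under its issuer DN is in the PSE AND verifies it."""
    ca = pse.get(cert.issuer)
    return ca is not None and ca.verify(cert)


def icm_accepts(tls_client_cert: Cert, forwarded_cert: Cert, trust_issuer: str,
                trust_subject: str, pse: dict[str, CA]) -> tuple[bool, str]:
    # 1. The TLS client (the intermediate) must match both profile parameters.
    if not dn_matches(trust_issuer, tls_client_cert.issuer):
        return False, "issuer does not match icm/HTTPS/trust_client_with_issuer"
    if not dn_matches(trust_subject, tls_client_cert.subject):
        return False, "subject does not match icm/HTTPS/trust_client_with_subject"
    # 2. Matching DNs is not enough: the issuing CA must be in the server PSE.
    if not trusted_by_pse(pse, tls_client_cert):
        return False, "intermediate certificate not trusted by the server PSE"
    # 3. Only now is the header certificate used, and it must be trusted too.
    if not trusted_by_pse(pse, forwarded_cert):
        return False, "forwarded client certificate not trusted by the server PSE"
    return True, "forwarded client certificate accepted"


TRUST_ISSUER = "CN=intermediate, *"
TRUST_SUBJECT = "C=DE, ST=BW, L=Karlsruhe, O=blog, *"


def run_scenarios() -> dict[str, tuple[bool, str]]:
    proxy_ca = CA("CN=intermediate", b"constructed-proxy-ca-key")
    user_ca = CA("CN=users", b"constructed-user-ca-key")
    pse = {proxy_ca.dn: proxy_ca, user_ca.dn: user_ca}  # what the SSL server PSE trusts
    proxy_cert = proxy_ca.issue("C=DE, ST=BW, L=Karlsruhe, O=blog, CN=proxy01")
    user_cert = user_ca.issue("CN=jdoe")
    # Same DN as the real CA, different key, and not in the PSE.
    rogue_ca = CA("CN=intermediate", b"constructed-rogue-key")
    rogue_proxy_cert = rogue_ca.issue("C=DE, ST=BW, L=Karlsruhe, O=blog, CN=proxy01")
    self_signed_user = CA("CN=jdoe", b"constructed-self-signed-key").issue("CN=jdoe")
    wrong_subject = proxy_ca.issue("C=DE, O=otherorg, CN=proxy02")
    return {
        "legitimate": icm_accepts(proxy_cert, user_cert, TRUST_ISSUER, TRUST_SUBJECT, pse),
        "rogue_ca_same_dn": icm_accepts(rogue_proxy_cert, user_cert, TRUST_ISSUER, TRUST_SUBJECT, pse),
        "self_signed_user_cert": icm_accepts(proxy_cert, self_signed_user, TRUST_ISSUER, TRUST_SUBJECT, pse),
        "proxy_subject_mismatch": icm_accepts(wrong_subject, user_cert, TRUST_ISSUER, TRUST_SUBJECT, pse),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:24s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The order of the checks is the point: the DN comparison against the two parameters is a cheap filter, but only the PSE lookup ties the presented certificate to a key the server actually trusts, which is what defeats a look-alike CA.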

Categories: BasisSAP

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.

