Blog list

X509 based logon – 2 – Add CA certificates to PSE

Certificates are based on trust. Trust is established by trusting a PKI and the CA that issues certificates. To establish the trust needed for X.509 based user logon, import the certificates of the issuing PKI. In my case, I have a root CA and an intermediate CA. I'll have to import both certificates to ensure that NW can validate the complete certificate chain. Tx: STRUST. Add Root CA certificate: select the client the user will Read more…

X509 based logon – 1 – Configure ICM to accept client certificates

SAP Help: Configuring the SAP Web AS for Supporting SSL; icm/HTTPS/verify_client; Configuring the AS ABAP to Use X.509 Client Certificates. A prerequisite is to configure NW ABAP to support TLS / HTTPS. To be able to log on to NW ABAP using an X.509 user certificate, the ICM service must be configured to accept client certificates. This is a profile configuration. The parameter is: icm/HTTPS/verify_client. To enable client certificate validation, set the value to 1. To make Read more…

Issue and renew a web server certificate from letsencrypt on AWS EC2

I'll show how to obtain a valid letsencrypt certificate for Apache on an AWS EC2 Linux AMI with Namecheap as the DNS provider. Running a private web server on AWS EC2 is easy. Managing it is not so easy. Having a valid TLS web server certificate from letsencrypt is one of the management jobs that could be easier. I was told that this part is easier on Azure; maybe I should take a look at that option. Read more…

A golden decade or scorched earth?

The SAP annual general meeting took place on 20 May. The actual topics of an AGM (profit, growth, dividend) drew little interest in the media. What the chairman of the supervisory board said did. The news about the end of the co-CEO model was covered extensively.* His remarks about the departure of Bill McDermott received less attention, but were still noticed. His statements shed new light on the departure (on several channels it was interpreted as nasty kicking of someone already down). Personally, Read more…

How to obtain an OAuth 2.0 token in SAP Cloud Platform

SAP Help: OAuth 2.0 Service. Sample request in my Gitlab repo. I'll show how you can obtain an OAuth 2.0 token in SAP Cloud Platform (SCP) and manage it for authentication of apps. For the example detailed here, I am going to use an OAuth authorization grant of type client credentials. SAP Cloud Platform environment: Neo. Create scope: select an OAuth protected Java app and add a scope to it. If you just want to Read more…

Troubleshooting – OAuth 2.0 NW ABAP token service returns HTTP 500 Internal Server Error

Problem: after sending a request to the access token endpoint /sap/bc/sec/oauth2/token you get an internal server error 500. Investigation: Tx: SA38, Program: SEC_TRACE_ANALYZER. Run the program. Select the OAuth variant: click on Get Variants. Click on Activate. The trace is active. Reproduce the issue. The log trace for the user will show the cause of the error: Error while parsing an XML stream: undeclared namespace prefix. Root cause: the XML sent by the IdP in the SAMLResponse parameter Read more…

Troubleshooting – Recipient in SubjectConfirmationData is invalid

Scenario: a user authenticated against the SAML 2.0 IdP. The OAuth client is sending the SAML 2.0 Response containing the user assertions to the NetWeaver ABAP system. An error of type invalid grant is returned. Error message: { "error": "invalid_grant", "error_description": "Provided authorization grant is invalid. Exception was Attribute 'Recipient' of element 'SubjectConfirmationData' is invalid. For more information, consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545" } Root cause: the OAuth client is sending the SAML Response to the OAuth token service for validation. The SAML Response is configured for a different SAML endpoint in the ABAP system. Therefore the request Read more…

Troubleshooting – Access token not issued due to missing signing of Message Assertion

Scenario: you send a SAML Bearer Assertion to the OAuth token service of SAP Gateway. The response is 400 Bad Request. Error message: { "error": "invalid_grant", "error_description": "Provided authorization grant is invalid. Exception was Message Assertion is not signed. For more information, consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545" } Root cause: the error message contains a description of the root cause for the HTTP 400: "Exception was Message Assertion is not signed." To get more details, an OAuth trace can be performed. Additional information is described in SAP Note 1688545. Tx: SA38, Program: SEC_TRACE_ANALYZER. Click run Read more…

Delete OAuth scope

To be able to access an OData service with OAuth, a scope is needed. I already blogged about how to create a scope (using the wizard or a report). While adding a scope to a service is very easy, deleting one takes a little more effort. For instance, when you go to transaction iwfnd/maint_service, select the service and then click on OAuth, you'll get a message stating that a scope already exists. The wizard creates a Read more…