Skip to Content

/wp-content/uploads/2013/12/sap_logo_333927.png

Appendix D:  Security Part 1

This appendix goes over some topics that should be considered for secure Kapsel apps.

HTTPS
Whitelist Connections
Password Policy
Feature Restriction
Using SAML with Kapsel
Additional Security Topics in Part 2

The following are some additional links on security.
SMP 3 – Security Concept and Features and the link to the recording 2014 Webinars
How to change SMP3 Keystore and Truststore Passwords
An Introduction to Content Security Policy
Android Security Tips
Protecting Data Using On-Disk Encryption
iOS Security

HTTPS

Hypertext Text Transfer Protocol Secure (HTTPS) can be used to communicate between the mobile app and the SMP 3.0 server and between the SMP 3.0 server and the OData endpoint rather than HTTP.  HTTPS provides a reasonable guarantee that one is communicating with precisely the web site that one intended to communicate with (as opposed to an imposter), as well as ensuring that the contents of communications between the user and site cannot be read or forged by any third party.

The video SSL Certificate Explained may be useful if you are not very familiar with SSL and HTTPS.

The SMP 3.0 server uses port 8080 by default for HTTP and port 8081 for HTTPS.  In addition, port 8082 is used for mutual authentication (clientAuth=”true”) and port 8083 is used for the management cockpit.  As of SP04, these ports have a specific name (see the smpConnectorName tag below) and the port is configurable in the Management Cockpit under Settings > Connectors.  For additional details on how the ports are configured see the file

C:\SAP\MobilePlatform3\Server\config_master\org.eclipse.gemini.web.tomcat\default-server.xml

<Connector acceptCount="100" connectionTimeout="20000" enableLookups="false" maxThreads="250" port="8080" protocol="HTTP/1.1"
redirectPort="8081" server="SAP" smpConnectorName="noSSL" />

<Connector SSLEnabled="true" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA" clientAuth="false"
keyAlias="smp_crt" maxThreads="200" port="8081" protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol" scheme="https"
secure="true" smpConnectorName="oneWaySSL" sslEnabledProtocols="TLSv1.2" sslProtocol="TLS" />

<Connector SSLEnabled="true" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA" clientAuth="true"
keyAlias="smp_crt" maxThreads="200" port="8082" protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol" scheme="https"
secure="true" smpConnectorName="mutualSSL" sslEnabledProtocols="TLSv1" sslProtocol="TLS" />

<Connector SSLEnabled="true" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA" clientAuth="false"
compressableMimeType="text/html,text/xml,application/javascript,text/json,text/plain,application/json" compression="on"
compressionMinSize="2048" keyAlias="smp_crt" maxThreads="200" port="8083" protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol"
scheme="https" secure="true" smpConnectorName="AdminSSL" smpServiceType="admin" sslEnabledProtocols="TLSv1" sslProtocol="TLS" />

<Connector SSLEnabled="true" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA" clientAuth="false" keyAlias="serverkey" maxThreads="200" port="443" protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol" scheme="https" secure="true" smpConnectorName="customSSLConnector" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" sslProtocol="TLS"/>

Note that in SMP 3.0 SP07 of the server, a change was made to no longer support versions older than TLSv1.2 SSL by default.  SP08 SDK Hybrid Apps running on Android do not support HTTPS using TLS 1.2 with the Logon plugin to register.  To workaround this add TLSv1 and TLSv1.2 as shown above.  TLSv1.2 should be supported by the Logon plugin in SP09 of the SDK.  See HTTPS Connection Problem.

The error message on Android is

javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7a4ccbc8: Failure in SSL library, usually a protocol error

The above xml file shows a new entry added to support HTTPS on port 443 using a certificate with an alias of serverkey and a smpConnectorName of customSSLConnector.
Note that the SMP 3.0 server requires a restart after making changes to the default-server.xml file.
Also note that the alias of the certificate used by the SMP 3.0 server for connections to 8081, 8082 and 8083 (Management Cockpit) is smp_crt.

A new certificate can be created in the SMP 3.0 keystore (C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks) using the Java KeyTool command as shown below.

keytool -genkeypair -alias serverkey -dname cn=YKFN00528072A.amer.global.corp.sap,c=CA -keystore smp_keystore.jks -storepass changeit -keyalg RSA -validity 360 -keysize 2048

Note that the storepass parameter takes the password entered for the SMP 3.0 keystore which is set during the installation of the SMP 3.0 server.
The common name must be the fully qualified domain name of the machine that the SMP 3.0 server is running on.  This must match the name entered into the browser to access the site.  For example the site must be accessed using https://YKFN00528072A.amer.global.corp.sap and not https://localhost or https://ip_number.
Note that SMP 3.0 server must be restarted after making changes to the smp_keystore.jks file.

It is possible to use self-signed certificates in a desktop browser.  The browser will however not be able to verify the certificate as it was not signed by a certificate authority that the browser trusts and will indicate this as shown below.image16.PNG

The self-signed certificate can be imported into the browser’s certificate authority’s store.
To do so, click on Details > Copy To File > Next > Base-64 encoded X.509 > C:\temp\serverkey.
Then click on Settings > type in cert in the Search settings > Manage certificates > Trusted Root Certification Authorities > Import > c:\temp\serverkey.cer.
At this point the self-signed certificate used by the SMP 3.0 server to identify itself and encrypt communication using SSL will now appear as a Trusted Root Certificate Authority as shown here. 
image23.PNG

Once the certificate is installed into the Trusted Root Certification Authorities store and the page is next opened in Chrome (after all instances of Chrome have been shut down), there will no longer be a certificate error (Notice the https and lock icon in the address bar is green) as shown below.
image17.PNG
Note that the default port number for HTTPS communication is 443 which is why 443 is not shown in the browser’s URL.

The same process can be used to install the certificate used by the Management Cockpit so that when opening the Management Cockpit the user is not presented with a warning screen.
image22.PNG

A better solution is to replace the self-signed smp_crt certificate with a certificate that has been signed by your company’s certificate authority or one of the standard certificate authorities.

When a certificate is signed by a Certificate Authority (CA) that is known to the browser, it is not necessary to manually install the certificate.  The browser contains the CA in its trusted root certificate authorities and will trust certificates that have been signed by that CA.  Here we can see that the certificate used by the Netweaver Gateway demo system was signed by Starfield Secure Certification Authority.image19.PNG

It is possible to view the trusted certificate authorities available to a browser such as Chrome by choosing Settings > Show Advanced Settings > HTTPS/SSL > Manage Certificates
image18.PNG

The SMP 3.0 server stores its certificates into the file named C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks.  One tool which provides a graphical view of the contents of keystores is KeyStore Explorer.
image20.PNG

In the image above, we can see that the previously created key with an alias of serverkey is a self-signed certificate as the issuer is the same as the subject.  Two other certificates of interest are smp_crt which is the default self-signed certificate used by the SMP 3.0 server and the sapgatewaycert used by the SAP Gateway demo OData source.  The sapgatewaycert was installed even though the certificate is signed by a certificate authority because the certificate authority Starfield Secure Certification Authority is not included in smp_keystore.jks.  Alternatively, we could have installed the Starfield Secure Certification Authority certificates into smp_keystore.jks.

Unlike a desktop browser such as Chrome, it is not possible to install a self-signed certificate into the device’s trusted credentials store to establish an HTTPS connection between the SMP 3.0 server and a mobile device or simulator in a Cordova app.  A certificate signed by a certificate authority is required.  It is possible to create your own certificate authority using Open SSL and use that certificate authority to sign the server certificate.  The AuthProxy sample demonstrates how to sign a client certificate using a certificate authority created using Open SSL.  Another approach is to use an SSL provider such as VeriSign and request them to sign the certificate.  The below steps will demonstrate how to use the SAP Test Server Certificate Authority to sign the server certificate.

SAP provides SAP Trust Center Services

where one can either purchase a SSL server certificate or can try a test server certificate which is valid for eight weeks.

  • Download the SAP SSL Test Server CA Certificate from SAP Trust Center Service – Root Certificates.

    The file is named getCert.cer by default.  Rename it to SAPServerCA.cer.
    Import it into the smp_keystore.jks store.

    keytool -importcert -alias sapserverca -file SAPServerCA.cer -keystore smp_keystore.jks -storepass changeit
    

    Generate a certificate signing request (CSR).

    keytool -certreq -keyalg RSA -alias serverkey -file server.csr -keystore smp_keystore.jks -storepass changeit
    

    Open the webpage SSL Test Server Certificates and click on the Test it Now button.
    Open server.csr and copy the contents to the form, select other web server and click continue.
    Copy the resultant string and place it in a file named server.rsp.
    The below command will import the signed certificate into the keystore.

    keytool -importcert -alias serverkey -file server.rsp -keystore smp_keystore.jks -storepass changeit

    At this point the certificate serverkey is now signed by the SAP SSL Test Server Certificate Authority as shown below.
    image24.PNG

  • A certificate in a keystore can also be viewed using the following command.
    keytool -list -v -keystore smp_keystore.jks -alias serverkey -storepass changeit
  • The SMP 3.0 server needs to be restarted after making changes to the smp_keystore.jks.
  • SAPServerCA.cer should be added to the device’s trust store so that the mobile device or emulator trusts the server certificate.

    For Android

    adb push SAPServerCA.cer /mnt/sdcard/
    adb shell
    cd /mnt/sdcard
    ls
    exit
    

    Install SAPServerCA.cer to the Android trusted credential store via

    Settings -> Personal -> Security -> Install from SD card (requires Android 4.0+)

    Note, that in the Android 4.4 emulator, the SAPServerCA.cer file did not appear in the list of available certificates to install.  A workaround is to rename the file to SAPServerCA.crt, copy it to C:\SAP\MobilePlatform3\Server\webapps\sapui5, and open the emulator’s browser to http://machine_name:8080/sapui5/SAPServerCA.crt.

    Note, on Android 4.4, a warning message is shown after a trusted credentials such as SAPServerCA is installed.  For further details see Network may be monitored.

    For iOS
    When using the iOS 7.0 emulator, the SAPServerCA.cer certificate can be installed by simply dragging and dropping it onto the emulator.

    When using an iOS device the SAPServerCA.cer certificate can be installed into the device’s trusted store by sending it via an e-mail or by opening the device browser to a webpage that contains a link to the certificate.  The certificate can be viewed and uninstalled under

    Settings -> General -> Profiles

Once a certificate that has not been self-signed is used, the secure toggle can be selected on the Registration screen.  This toggle can be set to true and the HTTPS port set via the Logon plugin’s context (see the index.html from the logon demo) as shown below.

// Optional initial connection context
    var context = {
        "serverHost": "YKFN00528072A.amer.global.corp.sap", //Place your SMP 3.0 server name here
        "https": "true",
        "serverPort": "443",
        ...
    }

image1.PNG

In summary, when an HTTPS connection is established between a client and the server, the client verifies that the server certificate is signed by a certificate authority that the client trusts, that the certificate is not expired and the connection is coming from the host described in the server certificate.

For additional details on certificates see
www.sslshopper.com/ssl-faq.html
Common Keytool Commands
Changing Installed Certificates Used for HTTPS Listeners

Whitelist Connections

Cordova apps provide a setting in config.xml that lists what URLs can be accessed by the application.  By default the setting is set to *.  Change this to be the address of your SMP server to restrict network access to the URL specified.
On Android modify

LogonDemo\platforms\android\res\xml\config.xml

On iOS modify

LogonDemo\platforms\ios\LogonDemo\config.xml
<access origin="http://server1.mycompany.com" />

Note, the URL should be in lowercase.  Here is an example that demonstrates the error shown when trying to access a URL that has not been whitelisted. 
image2.PNG

For additional details see Domain Whitelist Guide.

Note that the whitelist is case sensitive.  CB-5395

Password Policy

Before a Kapsel app can be opened that includes the Logon plugin, the unlock screen appears.  This application passcode can be used to provide additional security for the application.
image9.PNG

The rules defining how often the password must be changed, the length of the password, if the password must include digits, upper and lower case letters etc. can be specified.
image15.PNG

Note, if the app does not require an unlock screen, the button disable passcode can be pressed.image7.PNG

This requires that the option Default password allowed checkbox on the Client Password Policy screen be checked.

If the application does not register with an SMP 3.0 server, the passcode policy can be specified as shown below using the initPasscodeManager API call rather than init.

var passcodePolicy = {
    "expirationDays":"0",
    "hasDigits":"false",
    "hasLowerCaseLetters":"false",
    "hasSpecialLetters":"false",
    "hasUpperCaseLetters":"false",
    "defaultAllowed":"true",
    "lockTimeout":"0",
    "minLength":"6",
    "minUniqueChars":"0",
    "retryLimit":"0"
};

//Used if the application is not registering with the SMP 3.0 server.  New to SP03.
sap.Logon.initPasscodeManager(successCallback, errorCallback, appId, null, passcodePolicy, context);

Feature Restriction

In some cases, it may be a company policy to restrict certain types of functionality on a device.  Starting with SMP 3.0 Server SP05, the feature restriction capability provides this ability for a set of predefined Cordova plugins.  This list can be seen in the management cockpit under Application > Client Policy tab. 
imagefr1.PNG

In order to make use of this, the Settings plugin provides an API that can be used to see if a feature is available or not.

isFeatureEnabled(FeatureName, successCallback, errorCallback)

To try this out, start with the example shown in the Logon section named Accessing the Values Stored by the Logon Plugin.

  • Add the Cordova contacts plugin and the Kapsel settings plugin.
    cordova plugin add org.apache.cordova.contacts
    cordova plugin add com.sap.mp.cordova.plugins.settings

    Each time the application starts a settings exchange will occur between the app and the SMP 3.0 server.  The information passed to the app includes the feature policy which is then accessible to the app.

  • Add the following methods to index.html which will enable the selection of a contact from the list of contacts on the device.
    function pickContact() {
        //first check if the feature is enabled
        sap.Settings.isFeatureEnabled("navigator.contacts", isPickContactEnabledCallback, errorCallback);
    }
    
    function isPickContactEnabledCallback(enabled) {
        if (enabled) {
            navigator.contacts.pickContact(contactPickedCallback, errorCallback);
        }
        else {
            alert("The Contacts Plugin has been disabled by the feature restriction policy");    
        }
    }
    
    function contactPickedCallback(contact)  {
        alert("The following Conact was selected: " + JSON.stringify(contact));
    }
    
    function errorCallback(error) {
        alert(JSON.stringify(error));
    }
    
    
  • Add a button to show the contacts picker.
    <button id="picker" onclick="pickContact()">Choose Contact</button>
  • Copy the files to the platform directory by running
    cordova -d prepare

    Optionally modify the method SettingsExchangeDone in

    C:\Kapsel_Projects\LogonDemo\platforms\android\assets\www\plugins\com.sap.mp.cordova.plugins.settings\www\settings.js

    to display the info returned from the SMP server during the settings exchange.

    console.log("YYZ Settings are: " + JSON.stringify(JSON.parse(message)));
    
  • Use the Android IDE or Xcode to deploy and run the project.  Click on Register and then press the Choose Contact button.
    imagefr2.PNGimagefr3.PNG

    Notice that the application has access to the device’s contacts.

  • The next step will be to demonstrate how the functionality exposed through the Cordova contacts plugin can be disabled by an administrator.
    In the managment cockpit, select Applications > com.mycompany.logon > Client Policy > select the Contacts plugin in the Available Feature Policy table and click on Restrict.
  • Exit and reopen the app. Notice that this time the contacts picker is not shown after the Choose Contact button is pressed.

Security Part 2

Back to Getting Started With Kapsel

To report this post you need to login first.

37 Comments

You must be Logged on to comment or reply to a post.

    1. Rakshit Doshi

      Dear Daniel,

      I am trying to use the Relay Server with Kapsel and used your sample above.

      But i am not able to register. However if i am trying to use the OData Services via the Relay Server its working fine so this means the Outbound enablers and all are working fine.

      And also while opening these two pages from the browser open the same pages

      1. http://smpserverip:8080

      2. http://relayserverip/ias_relay_server/client/rs_client.dll/FarmID

      Can you please advice what is something that i missed in this.

      Thanks,

      Rakshit Doshi

      (0) 
  1. suresh babu

    Hi Daniel Van Leeuwen,

    Great Job, One of the best document i have ever seen.

    I have small doubt, i downloaded index.html and changed the host and post

    then it is working fine in locally with server URL.

    But if i give the URL of relay server then it is not working,I am getting CSRF token validation failed error.

    Do i need to do anything more?

    Daniel Van Leeuwen,

    Thanks

    Suresh

    (0) 
  2. Jitendra Kansal

    Hi Dan,

    I have downloaded SAP SSL Test server CA certificate as mentioned above. Default file name is itself SAPServerCA.cer

    The file is named getCert.cer by default.  Rename it to SAPServerCA.cer.

    Import it into the smp_keystore.jks store.

    keytool -importcert -alias sapserverca -file SAPServerCA.cer -keystore smp_keystore.jks -storepass changeit

    When i run keytool command, i get keytool error: FileNotFoundException.

    importcertificate.PNG

    (0) 
    1. Daniel Van Leeuwen Post author

      Perhaps try copying the file SAPServerCA.cer to the configuration folder.

      I would also check to see which version of Java you are using.  Here is what I see. 

      java -version

      java version “1.7.0_55”

      Java(TM) SE Runtime Environment (build 1.7.0_55-b13)

      Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)

      (0) 
    2. Rakshit Doshi

      Hi Jitendra,

      Its actually not the error of the certificate..run the keytool command from the Java/jre6/bin folder and give the path of your files like for SAPServerCA.cer and for smp_keystore.jks.

      It will work.

      Hope this helps,

      Thanks,

      Best Regards,

      Rakshit Doshi

      (0) 
  3. Jitendra Kansal

    Hi Dan,

    It didnt work even after copying the SAPServerCA.cer file to the configuration folder. F:\SAP\MobilePlatform3\Server\configuration

    I have using below java version

    java version “1.8.0_05”

    Java(TM) SE Runtime Environment (build 1.8.0_05-b13)

    Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)

    Could Java version be an issue?

    (0) 
    1. Daniel Van Leeuwen Post author

      I tried downloading the file and was able to import it OK.  I am not sure what to suggest.  Perhaps try downloading the file again and if you have access to another machine, perhaps try it there.  You can simply copy the smp_keystore.jks and cer file to the other machine to try the test.

      A few posts mention a permission problem.  See

      http://www.public.madeinengland.co.nz/keytool-error-java-io-filenotfoundexception-access-is-denied/

      JavaXp.com | Java Experts Blog | Java Examples | API | Errors | Exceptions: keytool error: java.io.FileNotFoundException

      (0) 
      1. Jitendra Kansal

        When you downloaded again, what was the certificate file name by default? same as SAPServerCA.cer?

        This is the certificate right?

        SSLcertificate.PNG

        I have tried with “Run as Admin” but same issue.

        Rgrds,

        JK

        (0) 
  4. Jitendra Kansal

    oops.. i was trying with .der. Now it worked. Thanks  a lot !!

    Now i am able to see the certificate serverkey signed by SAP SSL Test server CA and same certificate i have added in android simulator (4.4.2 GoogleAPI) and can see the warning message about certificate installation.

    But now when i try to register with HTTPS connection, i am getting “Registration error”

    /wp-content/uploads/2014/09/registrationerror_536217.png

    When i access Logcat, i see

    “”LogonController.getRegistrationErrorText: {\”errorCode\”:\”80003\”,\”errorMessage\”:\”Unable to resolve host \\\”jk\\\”: No address associated with hostname\”,\”errorDomain\”:\”MAFLogonCoreErrorDomain\”}””, source: file:///android_asset/www/plugins/com.sap.mp.cordova.plugins.logon/www/common/modules/Utils.js (8)

    my computer name is “jk” only and same i can verify in Certificate details for Entry ‘serverkey’. What i have missed?

    /wp-content/uploads/2014/09/registrationerror_536217.png

    (0) 
        1. Daniel Van Leeuwen Post author

          You could also try http://jk:8080/sapui5/ 

          Perhaps the android emulator is not resolving your host name for some reason. 

          Do you use a proxy in your network environment?

          Are you sure jk is your complete host name?

          One thing to try would be ipconfig /all

          I see

            Host Name . . . . . . . . . . . . : YKFN00528072A

            Primary Dns Suffix  . . . . . . . : amer.global.corp.sap

          The name of my machine is  YKFN00528072A.amer.global.corp.sap

          (0) 
          1. Dave Fish

            Hi Dan,

            I am getting an error (webpage not found) when I try to access the server via https (https://<ip address>:443\sapui5 but it works when I use http://<ip address>:8080/sapui5

            What do I need to do to get it to work with https? Is it a certificate issue?

            Thanks,

            Dave

            (0) 
  5. Jitendra Kansal

    Yes, my computer name is “JK” and i am not using any proxy. its on my home network.

    When i try to add certificate in emulator using below url http://jk:8080/sapui5/SAPServerCA.crt, i get “Webpage not available” message but if i change hostname with ipaddress i get certificate installation pop-up.


    You are right, android emulator is not resolving hostname. I have googled a lot on this. Can you suggest some tips?

    (0) 
  6. Rakshit Doshi

    Hi Daniel,

    I am able to connect through via the relay server to SMP Server via http but when i create an outbound enabler binding the HTTPS ports of both the servers i am not able to navigate to the services.

    https://relayserver/ias_relay_server/client/rs_client.dll/FarmID/gateway/odata/sap/EspmService;v=1

    but the same works with HTTP.

    I tried all the combinations of 443-8080,443-8081,443-8082 but none of them worked.

    Can you please help

    Regards,

    Rakshit Doshi

    (0) 
      1. Daniel Van Leeuwen Post author

        What error are you seeing? 

        Are you working with Android or iOS?  I followed the instructions in the document above that use the publicly available relay server.  It worked for me on an Android 4.4 device.  The only change I made was to the context variable to use https and the https port.

        “https”: “true”,

        “serverPort”: “443”,

        Can you expand on the comment

        <<i am not able to navigate to the services

        Regards,

        Dan van Leeuwen

        (0) 
          1. Daniel Van Leeuwen Post author

            You may wish to start a separate thread for this as it is a bit outside the scope of this section of the Getting Started with Kapsel guide and provide more detailed steps of what you are trying to do.  Are you using Integration Gateway to make a non OData service available as OData?  I have not had a chance to use Integration Gateway yet.

            (0) 
  7. Elia Occhiuzzi

    Hi Daniel,

    your post is very helpful.

    I have a problem with Hybrid application and CSRF token.

    I have buil an SMP application that use a Integration Gateway service as back-end endpoint. If I simulate the application using rest client all work correctly, In the response I can read the  CSRF token and then use it for POST, PUT, etc…

    But with kapsel application I don’t receive the token. I followed your example, in particular after successfully login, I call ha read method:

    function read() {

      updateStatus2(“read request started”);

      startTime = new Date();

      showScreen(“MainDiv”);

      clearTable(“DataTableResult”);

      if (!haveAppID()) {

      return;

      }

      var sURL = getEndPointURL() + “/tblPersone?$top=” + document.getElementById(“numRecordShow”).value;

      var oHeaders = {};

      oHeaders[‘Authorization’] = “Basic ” + authStr;

      oHeaders[‘X-SMP-APPCID’] = appCID;

      oHeaders[‘X-CSRF-Token’] = “FETCH”; //occorre recuperare il token per operazioni di INSERT/UPDATE/DELETE

      var request = {

      headers : oHeaders,

      requestUri : sURL,

      method : “GET”

      };

      console.log(“read using ” + sURL);

      OData.read(request, readSuccessCallback, errorCallback);

      }

    but whe I try to read token in readSuccessCallback, the value is empty (but with no error in catch):

    ………

    try {

             x_csrf_token = response.headers[“X-CSRF-Token”];

             alert(“X-CSRF-Token=”) + response.headers[“X-CSRF-Token”];

             alert(“x_csrf_token=”) + x_csrf_token;

         }

         catch(e) {

             alert(“error recovery token” + e.message);

         }

    Do you have idea what could be my problem?

    I have installed aRest client on my android tablet, and it work fine, but javascript from kapsel app don’t work.

    Regards,

    Elia.

    (0) 
    1. Daniel Van Leeuwen Post author

      If you are using Android, or iOS, I would use Chrome(Android) and Safari(Mac) to debug the network requests.  See Getting Started with Kapsel – Appendix B — Debugging

      You should be able to see the read request and response headers in the debugger.

      Note that if the authproxy Kapsel plugin is present, you will not be able to debug the network requests if it is intercepting all requests.  See the following section for additional details.  Specifically look for SAPKapselHandleHttpRequests=true.

      Getting Started with Kapsel – Part 8 — AuthProxy

      Finally if it makes it easier to debug this particular problem, you could perhaps try to get this working in a regular html 5 application without adding any Cordova/Kapsel plugins.  Specifically make sure to comment out the include for cordova.js if you are doing this.  If you decide to do this and are using Chrome, setting the option disable-web-security may be of some help.  I believe this is mentioned in the AuthProxy section as well.

      Hope that helps,

      Dan van Leeuwen

      (0) 
  8. Dave Fish

    Hi Dan, I’m trying to get the SAPServerCA.cer certificate installed and the CSR generated but I’m running into this error when I generate the request:

    Alias <sapserverca> has no key

    The command I used to install the certificate in the keystore was this:

    .\keytool -importcert -alias sapserverca -file SAPServerCA.cer -keystore smp_keystore.jks -storepass changeit

    I can see the certificate is in the keystore.

    Tto generate the CSR I used this:

    keytool -certreq -keyalg RSA -alias sapserverca -file server.csr -keystore smp_keystore.jks -storepass changeit

    I’m using Windows Server 2012 and SMP Server 3.0 SP05 (PL2)

    Any suggestions?

    Thanks,

    Dave

    (0) 
    1. Dave Fish

      I was able to resolve the has no key issue (i needed to generate the serverkey cert from an earlier step) but now I’ve run into the issue that when I try to access the server via https://<FQDN>/sapui5 I get this warning: This server could not prove that it is xx001a1a091.compname.ds; its security certificate is from 174.16.206.172. This may be caused by a misconfiguration or an attacker intercepting your connection.

      So it is trying to use the smp_cert.cer which is issued to the IP address instead of the new certificate issued to the machine name. If I go ahead it takes me to the SAPUI5 page but for port 8081. If I replace 8081 with 443 then I get a this webpage is not available error.

      I’m not sure what I have configured wrong at this point.

      Thanks,

      Dave

      (0) 
      1. Ali Chalhoub

        The one thing that I see this happening, if you are using in your corporate a proxy server to access the internet. In that case, the proxy does not allow you to access an internal 443 port. I had this issue myself. What I had to do is change security port to something else which is not 443, or check your IT policy.

        Thx

        (0) 
        1. Dave Fish

          Thanks Ali. I don’t think a corporate proxy server is in place but I believe that 443 is not open. I’m checking with the security team to see if that is the case and if they can open it (its a development sandbox server). I’m not sure how to change the security port though. I see that 445 is open and I don’t think it is in use.

          Thanks again,

          Dave

          (0) 
  9. Dave Fish

    I’m still struggling to get this to work. I’ve followed the steps multiple times but I am getting the following error in the SMP server log file:

    Alias name serverkey does not identify a key entry

    Also, I’ve installed the Keystore Explorer but when I try to open the smp_keystore.jks file I get an error: could not load Keystore as type ‘JKS’.

    So my SMP server is not listening on port 443 (or now 8081) because of this issue.

    Environment: Windows Server 2012

    SMP 3.0 SP05 (PL2)

    Any suggestions appreciated.

    Thanks,

    Dave

    (0) 
    1. Daniel Van Leeuwen Post author

      I am assuming you have added  a new connector entry in the file default-server.xml with an alias of serverkey.

      I would imagine the error

      Alias name serverkey does not identify a key entry


      might indicate that the SMP server cannot find a certificate in the smp_keystore.jks file that has an alias of the name serverkey.


      I don’t know why the keystore explorer cannot open your smp_keystore.jks file.  Do you have a backup of that file you could try or smp_keystore.jks file from another SMP server to see if the problem is with the smp_keystore.jks file or with the keystore explorer setup.


      Another way to view the certificates installed in a keystore is to use the keytool command.


      C:\SAP\MobilePlatform3\Server\configuration>keytool -list -keystore smp_keystore.jks > c:\temp\out.txt


      the out.txt file should contain a listing for serverkey such as

      serverkey, Jan 26, 2015, PrivateKeyEntry,

      smp_crt, Nov 25, 2014, PrivateKeyEntry,

      baltimorecybertrustca, Jul 12, 2013, trustedCertEntry,


      It may also be beneficial to open these type of questions as a new discussion so that other’s may more easily find them as comments to documents are not easily searchable and the title appears as the title of this document rather than something that indicates the problem you are trying to solve.


      To include a reference to this document, Right Click on the title and select ‘Copy Shortcut’.  Paste it into the new Discussion so people will know the relevance.  If you want to bring it to the attention of the author, repeat the same process with the Author’s name.


      Regards,


      Dan van Leeuwen

      (0) 
      1. Dave Fish

        Hi Dan,

        I think the problem was a fundamental misunderstanding on my part. I thought the password for the keystore was “changeit” by default. When I tried the list command you provided above I got a message the keystore had either been tampered with or the password was incorrect. When I entered the server password (same one used to log in to the management cockpit) then I got the output. So apparently all of the commands I had been trying to add the cert to the keystore were failing silently. I am going to start over with the instructions now and see if I can get it to work.

        Thanks,
        Dave

        (0) 
  10. Hossam Abdelazeem

    Hi Daniel Van Leeuwen

    Thanks a lot for sharing this useful information.

    I have a question regarding signed certificate when it used with iOS.

    Is there any way to automaticlly install the certificate when opening the applicaition for the first time ?, as I don’t want to send the certificate everytime to users when they install the application in order to be able to user https.

    Thanks

    Hossam

    (0) 
    1. Daniel Van Leeuwen Post author

      Typically a device or emulator will have the certificates from the common Certificate Authorities pre-installed on them.  For example on an Android device choose Settings > Security > Trusted credentials to see the list.

      If you have your SMP server’s certificate signed by one of these Certificate Authorities, the device will already trust communications with the server since it has that CA’s root certificate.

      If you instead mean the client certificate that uniquely identifies a user in a mutual authentication setup, these certificates are commonly provisioned to devices using Mobile Device Management software such as SAP Mobile Secure/Afaria. 

      Regards,

      Dan van Leeuwen

      (0) 
  11. Daniel Van Leeuwen Post author

    Updated for SP07 server and SP08 SDK

    Note that in SP07 of the server, a change was made to use TLS 1.2 only by default for HTTPS ports which causes problems on Android with the Logon plugin using SP08 of the SDK.  The workaround is to enable older versions of TLS.

    (0) 
  12. Premnarayan Patidar

    Hi Daniel,

    i was trying the setting plugin for feature restriction but getting the message “MAFLogonCoreCDVPluginJS functionality is not yet implemented” any help for this? my code for exchange setting is as below, i am trying this with web IDE and HAT configured.

    exchSettings: function() {

      var connectionData = {

      “keyMAFLogonOperationContextConnectionData”: {

      “keyMAFLogonConnectionDataApplicationSettings”: {

      “DeviceType”: this.device.platform,

      “DeviceModel”: this.device.model,

      “ApplicationConnectionId”: “my app name”

      },

      “keyMAFLogonConnectionDataBaseURL”: “HCPms server path”

      },

      “keyMAFLogonOperationContextApplicationId”: “application ID”,

      “keyMAFLogonOperationContextBackendUserName”: “”,

      “keyMAFLogonOperationContextBackendPassword”: “”,

      “keyMAFLogonOperationContextSecurityConfig”: “”,

      “keySSLEnabled”:”false”

      };

      sap.Settings.start(connectionData, function(mesg) {

      sap.Logger.debug(“Setting Exchange is successful ” + mesg, “SMP_SETTINGS_JS”, function(m) {}, function(m) {});

      },

      function(mesg) {

      sap.Logger.debug(“Setting Exchange failed” + mesg, “SMP_SETTINGS_JS”, function(m) {}, function(m) {});

      });

      },

    Thanks, Prem

    (0) 
    1. Daniel Van Leeuwen Post author

      Have you tried using the method

      sap.Settings.isFeatureEnabled(“navigator.contacts”, ContactsEnabledCallback, errorCallback);

      That might be easier.  The above is checking to see if the Contacts functionality is enabled or not.

      When I get a chance, I will give your code a try.

      Regards,

      Dan van Leeuwen

      (0) 

Leave a Reply