Introduction

In my previous blog Using XPI Inspector to troubleshoot HTTP SSL connections (Part 1 – Server Authentication), I covered the example of troubleshooting SSL server authentication issues using XPI Inspector. In this second part, I will share an example related to client authentication.

Step by Step Guide

At the end of the first blog, I provided an example of an XPI Inspector debug log for a client authentication issue. In that example, the server required the client to present a certificate (mandatory client authentication), and the handshake failed because no client certificate was presented.

For the example in this blog, I will extend that scenario by configuring client authentication in the receiver channel.

The actual generation of the client certificate, or the signing of its CSR, is out of scope for this blog, because that process depends on the system being accessed: some systems generate the key pair and certificate for you, whilst others require you to submit a CSR and return a certificate signed by their CA.

For the purpose of this example, we will assume that the certificate is already generated and available.

Step 1 – Verify client certificate in NWA

First, we verify that the client certificate is available in the keystore in NWA > Configuration > Security > Certificates and Keys.

/wp-content/uploads/2016/02/nwa2_888479.png

Step 2 – Configure receiver channel with client authentication

Check View Certificate Authentication and select the Keystore View and Keystore Entry that hold the key pair verified in step 1 (the entry must contain the private key, not just the certificate).

/wp-content/uploads/2016/02/channel_888405.png

Step 3 – Launch XPI Inspector and start test

Similar to the steps in the example on the previous blog, launch XPI Inspector and perform the test using Example 11. Populate the client certificate’s keystore view and entry accordingly.

Once everything is ready for testing, click the Start button, then trigger the respective end-to-end scenario. Click Stop once the scenario is complete and wait for the results to be gathered.

/wp-content/uploads/2016/02/xpi2_888480.png

Step 4 – Analyse the results

At the results page, we can analyse the SSL debug logs under the Verify Remote SSL Server Certificate section. As shown in the example below, server authentication was successful as the certificate chain was trusted.

However, during the client authentication part of the handshake the server rejected the client's proof of possession of the private key and the log shows the following fatal alert (decrypt_error is the alert a TLS peer sends when it cannot verify a handshake signature, here the client's CertificateVerify message):

SSLException while handshaking: Peer sent alert: Alert Fatal: decrypt error

/wp-content/uploads/2016/02/log1_888481.png

Further details of the error can be viewed in the Verify Local SSL Client Key Pair section, where XPI Inspector checks that the private key and the certificate of the keystore entry actually belong together. As shown below, the signature verification fails with an invalid-padding error. This is the typical symptom of verifying an RSA signature with a public key that does not belong to the private key that produced it: the RSA operation yields random bytes instead of a correctly padded PKCS#1 block.

Signature decryption error: javax.crypto.BadPaddingException: Invalid PKCS#1 padding: no leading zero!

/wp-content/uploads/2016/02/error1_888482.png

Step 5 – Resolve certificate issue

This particular example is a little tricky because the error description is cryptic. The resolution steps for this error are buried deep in an attachment to SAP Note 1296330 – Security Troubleshooting Guide for NetWeaver J2EE 640/700.

The cause is the order of the certificate chain in the keystore entry: the self-signed CA certificate of the client certificate is the first entry, where the end-entity (client) certificate belongs, instead of the last. Both the remote server and XPI Inspector take the first certificate in the chain as the client's own certificate, so its public key does not match the private key and every signature check fails. To rectify this, the entry needs to be exported and reimported with the chain in the correct order.

Export the keystore entry as a PKCS#8 Key Pair. Click each download link to save the private key (.p8) and every certificate of the chain (.crt) as a separate file.

/wp-content/uploads/2016/02/export1_888483.png

Delete or rename the existing entry in the keystore.

Import the .p8 file as a PKCS#8 Key Pair. Add the .crt files that were downloaded above as PKCS#8 certificates, starting with the client certificate itself and then continuing from intermediate to root. In the example below there are only two certificates, so the client certificate is added first and the root (self-signed CA) certificate is added last.

/wp-content/uploads/2016/02/import1_888484.png
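The same key-pair check, and the reordering that the reimport performs by hand, can be reproduced offline with the openssl command line before touching NWA. The script below is an added example, not code from the blog or from SAP: it builds a throwaway self-signed CA and client certificate (all names such as pi-client and the file names are made up), shows that a chain with the CA certificate in front fails both the key-pair check and a signature verification against the first certificate (the same failure mode as the decrypt error in the debug log), and then rewrites the bundle into end-entity, intermediate, root order by following issuer/subject links. It assumes a POSIX sh and openssl 1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the blog or from SAP): reproduce XPI Inspector's
# "Verify Local SSL Client Key Pair" check offline with the openssl CLI and
# repair a chain whose self-signed CA sits in front of the client certificate.
# Assumes openssl (1.1 or later) and a POSIX sh; all file and subject names
# are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway PKI: a self-signed CA and a client certificate it signs.
# The client key is converted to PKCS#8, the format NWA exports and imports.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Self-Signed CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=pi-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 2 \
    -out "$WORK/client.crt" >/dev/null 2>&1
  openssl pkcs8 -topk8 -nocrypt -in "$WORK/client.key" -out "$WORK/client.p8"
}

# Succeeds when the FIRST certificate in PEM chain $2 carries the public key
# of PKCS#8 private key $1. A TLS server (and XPI Inspector) treat the first
# certificate as the client's own, so this is the pairing that must hold.
key_matches_first_cert() {
  key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  cert_mod=$(openssl x509 -in "$2" -noout -modulus)   # x509 reads only the first PEM block
  [ "$key_mod" = "$cert_mod" ]
}

# Sign test data with the private key and verify it with the public key of the
# first certificate in the chain, as the server does with CertificateVerify.
# With a CA certificate in front, RSA verification yields garbage that fails
# the PKCS#1 padding check: the failure the blog's debug log shows.
sign_and_verify_with_first_cert() {
  printf 'client-auth test' > "$WORK/msg"
  openssl dgst -sha256 -sign "$1" -out "$WORK/msg.sig" "$WORK/msg"
  openssl x509 -in "$2" -pubkey -noout > "$WORK/first.pub"
  openssl dgst -sha256 -verify "$WORK/first.pub" -signature "$WORK/msg.sig" \
    "$WORK/msg" >/dev/null 2>&1
}

# Print PEM bundle $2 reordered as end-entity -> intermediate(s) -> root,
# identifying the end-entity certificate by its match with private key $1 and
# following issuer/subject links until a self-signed certificate ends the chain.
order_chain() {
  key="$1"; bundle="$2"; dir="$WORK/split"
  rm -rf "$dir"; mkdir -p "$dir"
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert-" n ".pem")}' "$bundle"
  key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
  cur=""
  for f in "$dir"/cert-*.pem; do
    [ "$(openssl x509 -in "$f" -noout -modulus)" = "$key_mod" ] && cur="$f"
  done
  [ -n "$cur" ] || { echo "no certificate in the bundle matches the private key" >&2; return 1; }
  while :; do
    cat "$cur"
    subj=$(openssl x509 -in "$cur" -noout -subject)
    iss=$(openssl x509 -in "$cur" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && break     # self-signed root: done
    next=""
    for f in "$dir"/cert-*.pem; do
      [ "$(openssl x509 -in "$f" -noout -subject)" = "subject=${iss#issuer=}" ] && next="$f"
    done
    [ -n "$next" ] || { echo "issuer not in bundle: $iss" >&2; return 1; }
    cur="$next"
  done
}

# Demo: the wrong order (CA first, as in the blog) fails both checks, the
# corrected order passes, and order_chain turns the first into the second.
make_test_pki
cat "$WORK/ca.crt" "$WORK/client.crt" > "$WORK/wrong.pem"   # CA first
cat "$WORK/client.crt" "$WORK/ca.crt" > "$WORK/right.pem"   # client certificate first
for chain in wrong right; do
  if key_matches_first_cert "$WORK/client.p8" "$WORK/$chain.pem"; then kp=ok; else kp=MISMATCH; fi
  if sign_and_verify_with_first_cert "$WORK/client.p8" "$WORK/$chain.pem"; then sv=ok; else sv=FAILED; fi
  printf '%s.pem: key pair %s, signature verify %s\n' "$chain" "$kp" "$sv"
done
order_chain "$WORK/client.p8" "$WORK/wrong.pem" > "$WORK/fixed.pem"
```

Running it prints a MISMATCH/FAILED line for wrong.pem and ok/ok for right.pem; fixed.pem is byte-for-byte the corrected bundle and can be imported in that order. The same two openssl checks (modulus comparison and a sign/verify round trip against the first certificate) are a quick way to vet any exported .p8 and .crt set before reimporting it into NWA.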

Step 6 – Stop and restart receiver channel

After the NWA keystore has been updated with the certificate, stop and restart the receiver channel to clear the previous certificate that was cached by the channel.

Step 7 – Repeat XPI Inspector test

Repeat the test as per step 3 and analyse the results.

As shown in the results page, the verification of the client certificate is now successful. Note that the self signed CA certificate is now the last entry in the chain.

/wp-content/uploads/2016/02/key_888456.png

Also, the SSL debug log shows that SSL handshake completed successfully for both server and client authentication.

/wp-content/uploads/2016/02/log2_888457.png

Conclusion

As shown above, XPI Inspector also comes in handy when troubleshooting issues related to client certificate authentication. It contains an additional section that provides further details regarding the verification of the client certificate chain.


1 Comment


  1. Michael Appleby

    Unless you are asking for clarification/correction of some part of the Document, please create a new Discussion marked as a Question.  The Comments section of a Blog (or Document) is not the right vehicle for asking questions as the results are not easily searchable.  Once your issue is solved, a Discussion with the solution (and marked with Correct Answer) makes the results visible to others experiencing a similar problem.  If a blog or document is related, put in a link.  Read the Getting Started documents (link at the top right) including the Rules of Engagement. 

    NOTE: Getting the link is easy enough for both the author and Blog.  Simply MouseOver the item, Right Click, and select Copy Shortcut.  Paste it into your Discussion.  You can also click on the url after pasting.  Click on the A to expand the options and select T (on the right) to Auto-Title the url.

    Thanks, Mike (Moderator)

    SAP Technology RIG

