Using XPI Inspector to troubleshoot HTTP SSL connections (Part 2 – Client Authentication)
In my previous blog Using XPI Inspector to troubleshoot HTTP SSL connections (Part 1 – Server Authentication), I covered an example of troubleshooting SSL server authentication issues using XPI Inspector. In this second part, I will share an example related to client authentication.
Step by Step Guide
At the end of the first blog, I provided an example of an XPI Inspector debug log for a client authentication issue. In that example, the server required the client to present a client certificate during the SSL handshake. The handshake failed because no client certificate was presented.
For the example in this blog, I will extend that scenario by configuring client authentication in the receiver channel.
The generation of the client certificate and/or the signing of its CSR is out of scope for this blog, because the process depends on the system being accessed: some systems generate the certificate for you, whilst others require you to submit a CSR and return the signed certificate.
For the purpose of this example, we will assume that the certificate is already generated and available.
Step 1 – Verify client certificate in NWA
First, we verify that the client certificate is available in the keystore in NWA > Configuration > Security > Certificates and Keys.
Step 2 – Configure receiver channel with client authentication
Check View Certificate Authentication and select the Keystore Entry and Keystore View corresponding to the private key verified above.
Step 3 – Launch XPI Inspector and start test
As in the example in the previous blog, launch XPI Inspector and perform the test using Example 11, populating the client certificate's keystore view and entry accordingly.
Once everything is ready for testing, click the Start button, then trigger the respective end-to-end scenario. Click Stop once the scenario is complete and wait for the results to be gathered.
Step 4 – Analyse the results
At the results page, we can analyse the SSL debug logs under the Verify Remote SSL Server Certificate section. As shown in the example below, server authentication was successful as the server's certificate chain was trusted.
However, the client authentication part of the handshake failed with the following error. In TLS, a decrypt_error alert means that a handshake cryptographic operation failed on the peer, typically that the server could not verify the signature in the client's CertificateVerify message:
SSLException while handshaking: Peer sent alert: Alert Fatal: decrypt error
Further details of the error can be viewed in the Verify Local SSL Client Key Pair section. As shown below, the signature produced with the client's private key could not be verified. When an RSA signature is verified with a public key that does not belong to the signing key, the recovered bytes have no valid PKCS#1 padding, which is exactly what this exception reports.
Signature decryption error: javax.crypto.BadPaddingException: Invalid PKCS#1 padding: no leading zero!
Step 5 – Resolve certificate issue
This particular example is a little tricky because the error description is somewhat cryptic. The resolution steps for this error are buried deep in an attachment to SAP Note 1296330 – Security Troubleshooting Guide for NetWeaver J2EE 640/700.
The likely cause is the order of the certificates in the keystore entry: the self-signed CA certificate of the client certificate was stored as the first entry in the chain, where the client's own certificate belongs, instead of as the last. A key pair entry is expected to hold the certificate matching the private key first, followed by the issuing certificates up to the root. With the CA certificate in first position, the signature made with the private key is checked against a certificate whose public key does not match it, which is what the padding error reflects. To rectify this, the key pair needs to be exported and re-imported with the chain in the correct order.
Export the keystore entry as a PKCS#8 Key Pair. Click the download link for each file and save the private key (.p8) and the certificates (.crt) as separate files.
Delete or rename the existing entry in the keystore.
Import the .p8 file as a PKCS#8 Key Pair, then add the .crt files downloaded above as the certificates of the entry. Ensure that they are added in chain order: the client's own certificate first, then any intermediate CA certificates, and the root last. For the example below, since there are only two certificates, the root (self-signed CA) certificate is added last.
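The chain order that this fix depends on can be checked offline with the openssl CLI on the exported .p8 and .crt files before they are re-imported. The following bash script is an added example and is not part of the original post or of SAP's tooling. It generates a constructed self-signed CA and client certificate (the subject names Demo Root CA and pi-client are placeholders), checks whether a chain is stored with the client's own certificate first and the root last, and reproduces the failure behind the "decrypt error" by verifying a signature with the public key of the wrong certificate, which is the case when the CA certificate leads the chain.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: an offline check of a client
# key pair's certificate chain order before it is (re)imported into NWA.
# Requires the openssl CLI (1.1.1 or later). All key material below is
# generated here (constructed input); the subject names are placeholders.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed material: a self-signed CA and a client certificate it issues.
make_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=pi-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -set_serial 1 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -out "$WORK/client.crt" >/dev/null 2>&1
}

# SHA-256 of the DER-encoded public key, taken from a private key or a certificate.
pubkey_fp_from_key()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256; }
pubkey_fp_from_cert() { openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256; }

# check_chain KEY CERT... : succeeds only if the first certificate belongs to
# the private key and each later certificate is the issuer of the one before
# it, i.e. the order the key pair entry expects (own certificate first,
# self-signed CA last).
check_chain() {
  local key="$1"; shift
  local first="$1"
  if [ "$(pubkey_fp_from_key "$key")" != "$(pubkey_fp_from_cert "$first")" ]; then
    echo "FAIL: first certificate ($first) does not belong to the private key; chain is out of order"
    return 1
  fi
  local prev="$first" next; shift
  for next in "$@"; do
    if ! openssl verify -partial_chain -CAfile "$next" "$prev" >/dev/null 2>&1; then
      echo "FAIL: $next is not the issuer of $prev"
      return 1
    fi
    prev="$next"
  done
  echo "OK: chain is in order (own certificate first, root last)"
}

# verify_sig_with_cert KEY CERT : mimics the CertificateVerify step. The client
# signs with its private key; the peer verifies with the public key of the
# certificate that leads the chain. With the CA certificate first, the RSA
# operation on the signature recovers bytes without valid PKCS#1 padding,
# which is the BadPaddingException XPI Inspector reports.
verify_sig_with_cert() {
  local key="$1" cert="$2"
  head -c 64 /dev/urandom > "$WORK/tbs.bin"
  openssl dgst -sha256 -sign "$key" -out "$WORK/sig.bin" "$WORK/tbs.bin"
  openssl x509 -in "$cert" -pubkey -noout > "$WORK/pub.pem"
  openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig.bin" "$WORK/tbs.bin" >/dev/null 2>&1
}

report_sig() {
  if verify_sig_with_cert "$1" "$2"; then
    echo "signature verified with $2"
  else
    echo "signature verification with $2 failed (peer would send decrypt_error)"
  fi
}

make_material
echo "--- chain stored CA first (the failing NWA entry) ---"
check_chain "$WORK/client.key" "$WORK/ca.crt" "$WORK/client.crt" || true
report_sig "$WORK/client.key" "$WORK/ca.crt"
echo "--- chain stored client certificate first, self-signed CA last ---"
check_chain "$WORK/client.key" "$WORK/client.crt" "$WORK/ca.crt"
report_sig "$WORK/client.key" "$WORK/client.crt"
```

To run the check against a real export, call check_chain with the exported .p8 file followed by the .crt files in the order they will be imported; if the export is DER rather than PEM, the openssl pkey calls need -inform DER. A FAIL on the first check is the same mismatch that the Verify Local SSL Client Key Pair section reports as a padding error.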
Step 6 – Stop and restart receiver channel
After the NWA keystore has been updated with the certificate, stop and restart the receiver channel to clear the previous certificate that was cached by the channel.
Step 7 – Repeat XPI Inspector test
Repeat the test as per step 3 and analyse the results.
As shown in the results page, the verification of the client certificate is now successful. Note that the self-signed CA certificate is now the last entry in the chain.
Also, the SSL debug log shows that SSL handshake completed successfully for both server and client authentication.
As shown above, XPI Inspector also comes in handy when troubleshooting client certificate authentication issues: the Verify Local SSL Client Key Pair section provides further details on the verification of the client certificate chain, separately from the server certificate check.