15 Comments


  1. Carsten Olt

    Great post Stephan, thanks a lot 😎

    I got one question in regards to the Remote CA feature which isn't clear to me.

    Using SLS one is able to define a custom certificate layout, same as in other CAs like the supported ADCS where this is done by creating custom certificate templates. However the user mapping features in ADCS are somehow limited and not as flexible as in the SLS. The SLS has these nice little "user name mapping features" allowing a company to include details of the authenticated End-Entity like various LDAP/AD attributes and maybe others, in order to construct the certificate subject name or additional extensions such as the subject alternative name with a value of choice.

    Given the fact one has enabled Remote CA, that means the SLS is now acting as an intermediary between the End-Entity and the signing CA e.g. ADCS. As a registration authority, I understand, the SLS is still responsible to authenticate the End-Entity, thus still with the unchanged feature set allowing it to enrich the received certificate request with additional information about the requester.

    The CA trusts the SLS-RA, receives the "modified" PKCS#10 signature request from SLS, somehow wrapped inside CMS or by other means, sent from SLS to CA via enrollment web service or CMC using HTTP/TLS as a transport layer. All fine.

    Now based on the CA certificate policies, certificate template design etc. the CA may be able to use the additional user name attributes that are part of the CSR and just sign the certificate, or maybe not, because it does not meet the policy and the request will be denied by the CA's policy module. Do you already have some experience when it comes to those user mapping scenarios, e.g. instead of using the Fully Distinguished Name or Display Name as the subject of a user certificate, using a custom CN attribute in the subject? Hope I will soon have the chance to make my first project experience with that long-awaited Remote CA feature 😉

    Cheers, Colt

    1. Stephan André Post author

      Hi Carsten,

      the capabilities of an SLS Remote CA strongly depend on the concrete product, service, and configuration. With ADCS it is quite limited. You cannot access the full scope of the CA's certificate templates (which is also a restriction in the current ADCS adapter we ship with SP0; it does not allow configuring the template; we plan to change this and to offer an ADCS NDES adapter).

      However, it is possible to take over at least the full subject name sent in the PKCS#10 CSR. And this name can be set by SLS, using the full set of user mapping and name generation features.

      Btw. SLS is not able to modify the client's PKCS#10 request. It's one of the new things in SSO 3.0 that SLS clients (like SLC or SAPSLSCLI) perform a name negotiation before the CSR is created on the client side. That's why Remote CA support is only provided for new SLS clients.

      — Stephan

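The point Stephan makes above (an RA cannot rewrite a client's PKCS#10 request, so the subject has to be negotiated before the client signs the CSR) can be demonstrated directly. The following is an added example, not code from the post or from SAP: it builds a CSR with the `cryptography` library, then simulates an intermediary patching the CN in the signed request and shows that the CSR's self-signature no longer verifies. The names and the same-length substitution are constructed for the demo.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def build_csr(common_name: str) -> bytes:
    """Client side: generate a key and a self-signed PKCS#10 request
    whose subject carries the negotiated CN. Returns DER bytes."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(
        key, hashes.SHA256()
    )
    return csr.public_bytes(serialization.Encoding.DER)


def subject_cn(csr_der: bytes) -> str:
    """What a CA would read as the requested subject CN."""
    csr = x509.load_der_x509_csr(csr_der)
    return csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def signature_valid(csr_der: bytes) -> bool:
    """Proof-of-possession check every CA/RA must run: the signature
    covers the whole CertificationRequestInfo, subject included."""
    return x509.load_der_x509_csr(csr_der).is_signature_valid


def rewrite_cn(csr_der: bytes, old_cn: str, new_cn: str) -> bytes:
    """Simulate an RA editing the subject after the client signed.
    A same-length replacement keeps the DER lengths intact, so the
    request still parses; only the signature check can catch it."""
    if len(old_cn) != len(new_cn):
        raise ValueError("demo keeps lengths equal to avoid DER re-encoding")
    # The subject precedes the public key and signature in the encoding,
    # so the first occurrence is the CN inside CertificationRequestInfo.
    return csr_der.replace(old_cn.encode(), new_cn.encode(), 1)


if __name__ == "__main__":
    original = build_csr("alice.example")        # constructed sample CN
    tampered = rewrite_cn(original, "alice.example", "mallory.examp")
    print(subject_cn(original), signature_valid(original))   # alice.example True
    print(subject_cn(tampered), signature_valid(tampered))   # mallory.examp False
```

This is why the SSO 3.0 clients negotiate the name with SLS first and only then create the CSR: the CA can safely take the subject from a request whose signature still verifies.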
  2. Greg Capps

    Under Anything Else you discuss OCSP. If I search the SAP Single Sign-On implementation guide I only find one reference for OCSP. There is documentation related to configuring CRL, maintaining the list, and more. But with OCSP it is a dynamic call at the point you need a certificate validated. Is there a different guide for using OCSP? From the image above, is this handled outside at the JAVA layer so that a revoked certificate is not known to SSO, similar to how a CAPI filter prevents certificates from being seen or consumed?

    1. Stephan André Post author

      Your client side needs to support OCSP to make use of such an extension. The SAP SSO clients or CCL based apps do not support OCSP yet.

      A possible use case could be that a web server validates the user's certificate, or a web browser is doing it for a server certificate.

      — Stephan

  3. Patrik Sepela


    Hello Mr. Andre,


    From the installation guide it is not clear to me, where the secure login server should be installed.

    Should it be deployed into some running AS Java instance?

    Or is it an independent self-running instance that can be installed anywhere?


    Thank you


    1. Stephan André Post author

      Hello,

      Secure Login Server is a Java application that runs on AS JAVA. Indeed, there is no explicit mention in the installation guide, except https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/b8ff297db0cf42c7a76b798bb0e76823.html.

      But the PAM https://support.sap.com/content/dam/launchpad/en_us/pam/pam-essentials/TIP/PAM_SSO_30.pdf lists all supported platforms (SLS: slide 9).

      — Stephan

  4. Venugopal Rao

    Hi Stephan,


    Thanks for sharing the nice blog.

    We are configuring SSO 3.0 with LDAP Authentication. I have installed the Secure Login Server and Secure Login Client, but I am really not getting any idea on how to proceed further to configure the SSO.

    I would really appreciate it if I could get any document or any steps.


    Thanks & Regards

    M V Gopal

