Skip to Content
Author's profile photo Frank Schuler

Enabling on premise Fiori SSO with OpenSSL certificates – Part 1

In my previous blog Enabling X.509 based SSO for the Web AS ABAP with your own CA based on OpenSSL for Windows I had described how to enable single-sign-on based on OpenSSL for Windows on a Web AS ABAP sandbox system and this information is still valid. However, both the NWAS ABAP as well as the OpenSSL tools have evolved considerably since 2012 so that I will describe an updated approach for Fiori single-sign-on in this blog series. I will start with explaining how to setup a sucure SSL connection to the Fiori Launchpad based on OpenSSL certificates.

Again, this blog is intended for you to learn and understand the concepts. Neither key lengths nor other security considerations except for making this example work have been considered.

To start with, the SAP NWAS ABAP does require less parameter settings nowadays to enable SSL which is the basis for certificate based SSO. Please check SAP Note 510007 – Setting up SSL on Application Server ABAP for the details of your version.

To start with, I setup an OpenSSL certificate authority (CA) with TinyCA2 (TinyCA). For this blog I am using OpenSSL 1.0.1t but the latest stable version is the 1.0.2 series of releases. This is also the Long Term Support (LTS) version (support will be provided until 31st December 2019). The 1.0.1 version is currently only receiving security bug fixes and all support will be discontinued for this version on 31st December 2016.

Setting up a CA in TinyCA is pretty straight forward:

Create a new CA.png

For the CA Configuration I keep the defaults except for the nsCertType where I chose the all-in option:

CA Configuration.png

As a result, my CA got created:

CA created.png

So I log into my SAP Fiori Frontend system, call transaction STRUST and create a SSL server Standard PSE:

Create PSE.png

I confirm the Distinguished Name that has to match my Fiori Frontend server fully qualified host name (FQHN):

SSL Server.png

Next I create a Certificate Request for my just created PSE which is currently marked as self-signed:

Create certificate request.png

And chose to Save as local file:

Save as local file.png

To the default destination:

Save As.png

I then transfer this file to my Rasperry Pi that I had already setup for my IoT blog Connect a Lego Mindstorms NXT to the HCP Internet of Things Services via a Raspberry Pi over Bluetooth and where I now also run TinyCA to import it as a certificate Request:

Import Request.png

As a result, I see all the details I had put in previously:

Request Details.png

So I sign the request with my previously created CA:

Sign Request.png

And subsequently get a success message, that the Request was signed successfully and a corresponding Certificate created:

Certificate created.png

Next I export the certificate:

Export Certificate.png

And then the CA certificate as well:

Export CA Certificate.png

Next I create a Certificate Database entry for my CA in transaction STRUST:

VSTRUSTCERT.png

Then I import my CA certificate:

Import Certificate.png

And export it:

Certificate.png

to the just created Certificate Database entry:

ZCIT.png

With that I can import my Certificate Response:

Certificate Response.png

And as a result got a trusted certificate:

Own Certificate.png

The only remaining task is to import my CA certificate into the web browser that I am using to access my Fiori Launchpad:

Certificate Import Wizard.png

And with this I got a secure connection to my Fiori Launchpad:

Logon.png

With my CA hierarchy details:

Certification path.png

So now we got the basis for certificate based SSO which I will cover in part two of this blog series.

Assigned Tags

      8 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Cristian Rolando Castañeda Gonzalez
      Cristian Rolando Castañeda Gonzalez

      Hi, Frank, this is very useful information. I have a question:

      this certificates work with the FIORI Client mobile app?


      I ask because, as you probably know, the IOS version of the FIORI client doesn't support X.509 certificates. Do you know if we create the certificates following your procedure it will work with the FiORI Client?


      Thank you in advance for your comments.


      Best regards.


      Cristian R.

      Author's profile photo Frank Schuler
      Frank Schuler
      Blog Post Author

      Hello Cristian,

      if you upload your CA certificate into your iPhone, then you get a trusted secure connection to your Fiori Launchpad through the Fiori Client. For single-sign-on, you would have to use the SAP Authenticator.

      Best regards

      Frank

      Author's profile photo Cristian Rolando Castañeda Gonzalez
      Cristian Rolando Castañeda Gonzalez

      Hi Frank, thank you for your quick response.  Sadly, the SAP Authenticator is currently out of scope. Let me give you a broader context of our situation: What we want to achieve is to add a "second layer" of security to the FIORI apps besides the user & password of the FIORI launchpad. So we think in importing proxy server certificates (netscaler) to the devices to make a "trusted connection" between proxy server and mobile devices. This works with the FIORI launchpad URL, but with the FIORI client (IOS version) the installed certificates (X.509 certificates) are not presented back to the server and therefore the connection fails (since X.509 certificates are not supported natively in FIORI client for IOS).

      So, if i understand correctly, If we go with your approach with OpenSSL certificates, after upload the CA certificates to the Iphone, the SAP gateway will "trust" the device and will ask for the FIORI user & password?  and this will work with the FIORI client for IOS as well,  that's correct?

      Thank you in advance,

      Best regards.

      Cristian R.

      Author's profile photo Frank Schuler
      Frank Schuler
      Blog Post Author

      Hello Cristian,

      yes, that is correct. A mobile browser would potentially allow you to accept a not trusted certificate, but the Fiori Client does not, so you need the CA certificate on the device.

      Best regards

      Frank

      Author's profile photo Cristian Rolando Castañeda Gonzalez
      Cristian Rolando Castañeda Gonzalez

      OK, perfect. We will try it then.


      Thank you very much for the valuable information.

      Best regards.

      Cristian R.

      Author's profile photo Diego Rodriguez
      Diego Rodriguez

      Hi Cristian, I´m not sure if I understood your situation, but I think we have the same problem in the customer were we are working. We are trying to config SSO with FLP Url using Citrix Netscaler, but unfortunately it`s not working. Were you able to config that? so with Netscaler FLP URL SSO is working?

      Thanks for your feedback.

      Best regards.

       

      Diego.

      Author's profile photo Jens Schwendemann
      Jens Schwendemann

      Hi all,

       

      I think the main problem with the (vanilla) Fiori Client on iOS would be, that it is not entitled to access the device's portion of the keychain. So any certificates installed on the device itself will not work through Fiori Client, whereas Safari as a first class citizen does have access to that keychain slice.

       

      If Fiori Client would use Safari View Controller (which it doesn't afaik) then this would work.

       

      Cheers

      Jens

      Author's profile photo Former Member
      Former Member

      Thank you very much. Worked!