Enabling on premise Fiori SSO with OpenSSL certificates – Part 1
In my previous blog Enabling X.509 based SSO for the Web AS ABAP with your own CA based on OpenSSL for Windows I described how to enable single sign-on based on OpenSSL for Windows on a Web AS ABAP sandbox system, and this information is still valid. However, both the NWAS ABAP and the OpenSSL tools have evolved considerably since 2012, so in this blog series I will describe an updated approach for Fiori single sign-on. I will start by explaining how to set up a secure SSL connection to the Fiori Launchpad based on OpenSSL certificates.
Again, this blog is intended for you to learn and understand the concepts. Neither key lengths nor any other security considerations beyond making this example work have been taken into account.
Nowadays the SAP NWAS ABAP requires fewer parameter settings to enable SSL, which is the basis for certificate based SSO. Please check SAP Note 510007 – Setting up SSL on Application Server ABAP for the details of your version.
To start with, I set up an OpenSSL certificate authority (CA) with TinyCA2 (TinyCA). For this blog I am using OpenSSL 1.0.1t, but the latest stable version is the 1.0.2 series of releases. This is also the Long Term Support (LTS) version (support will be provided until 31st December 2019). The 1.0.1 version is currently only receiving security bug fixes, and all support for this version will be discontinued on 31st December 2016.
Setting up a CA in TinyCA is pretty straightforward:
For the CA Configuration I keep the defaults except for the nsCertType where I chose the all-in option:
As a result, my CA got created:
So I log into my SAP Fiori Frontend system, call transaction STRUST and create an SSL server Standard PSE:
I confirm the Distinguished Name, which has to match the fully qualified host name (FQHN) of my Fiori Frontend server:
Next I create a Certificate Request for the PSE I just created, which is currently marked as self-signed:
And choose to Save as local file:
To the default destination:
I then transfer this file to my Raspberry Pi, which I had already set up for my IoT blog Connect a Lego Mindstorms NXT to the HCP Internet of Things Services via a Raspberry Pi over Bluetooth and where I now also run TinyCA, and import it as a Certificate Request:
As a result, I see all the details I had put in previously:
So I sign the request with my previously created CA:
And subsequently get a success message that the Request was signed successfully and a corresponding Certificate created:
Next I export the certificate:
And then the CA certificate as well:
Next I create a Certificate Database entry for my CA in transaction STRUST:
Then I import my CA certificate:
And export it:
to the just created Certificate Database entry:
With that I can import my Certificate Response:
And as a result I get a trusted certificate:
The only remaining task is to import my CA certificate into the web browser that I am using to access my Fiori Launchpad:
And with this I get a secure connection to my Fiori Launchpad:
With my CA hierarchy details:
So now we have the basis for certificate based SSO, which I will cover in part two of this blog series.
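The same round trip (create a CA, hand it a certificate request, sign it, import the response, verify the chain) expressed as plain OpenSSL commands, which is what TinyCA and STRUST run behind their dialogs. This is an added example, not code from the post; the working directory, CA name and host name fiori.example.internal are constructed assumptions, and a locally generated key pair stands in for the STRUST PSE.

```shell
#!/bin/sh
# Added example (not from the post): the TinyCA/STRUST round trip with plain OpenSSL.
# Directory, CA name and host name are constructed; the CN must equal the PSE's FQHN.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQHN="${FQHN:-fiori.example.internal}"

# Step 1: create the CA (what TinyCA's "create CA" does). The self-signed root carries
# CA:TRUE and keyCertSign, otherwise STRUST and browsers will not accept it as issuer.
make_ca() {                     # $1 = base file name, $2 = CA common name
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2/O=Example" -out "$WORK/$1.csr"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Step 2: the request STRUST saves as a local file. Only the CSR leaves the server;
# the private key stays in the PSE (here: server.key stands in for it).
make_request() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=$FQHN/O=Example" \
    -out "$WORK/server.csr"
}

# Step 3: sign the request with the CA (TinyCA "sign request"). The extensions
# restrict the cert to TLS server use and bind it to the FQHN via SAN, which
# current browsers check instead of the CN.
sign_request() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
    > "$WORK/server.ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$FQHN" >> "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

# Step 4: what STRUST does on "Import Certificate Response" and what the browser
# does on every connect: chain the server cert to a trusted CA. 0 only on success.
verify_chain() {                # $1 = CA cert, $2 = server cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

run_all() {
  make_ca ca "Example Root CA"
  make_request
  sign_request
  verify_chain "$WORK/ca.crt" "$WORK/server.crt"
}
```

Run `run_all` and then `openssl x509 -in "$WORK/server.crt" -noout -text` to see the issuer, SAN and key usage exactly as STRUST's certificate details show them; a certificate checked against a different CA file fails `verify_chain`, which is the untrusted-connection warning the browser would show.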
Hi, Frank, this is very useful information. I have a question:
Do these certificates work with the FIORI Client mobile app?
I ask because, as you probably know, the iOS version of the FIORI Client doesn't support X.509 certificates. Do you know if we create the certificates following your procedure it will work with the FIORI Client?
Thank you in advance for your comments.
If you upload your CA certificate into your iPhone, then you get a trusted secure connection to your Fiori Launchpad through the Fiori Client. For single sign-on, you would have to use the SAP Authenticator.
Hi Frank, thank you for your quick response. Sadly, the SAP Authenticator is currently out of scope. Let me give you a broader context of our situation: What we want to achieve is to add a "second layer" of security to the FIORI apps besides the user & password of the FIORI launchpad. So we are thinking of importing proxy server certificates (netscaler) to the devices to make a "trusted connection" between proxy server and mobile devices. This works with the FIORI launchpad URL, but with the FIORI Client (iOS version) the installed certificates (X.509 certificates) are not presented back to the server and therefore the connection fails (since X.509 certificates are not supported natively in FIORI Client for iOS).
So, if I understand correctly, if we go with your approach with OpenSSL certificates, after uploading the CA certificates to the iPhone, the SAP gateway will "trust" the device and will ask for the FIORI user & password? And this will work with the FIORI Client for iOS as well, is that correct?
Thank you in advance,
Yes, that is correct. A mobile browser would potentially allow you to accept a not trusted certificate, but the Fiori Client does not, so you need the CA certificate on the device.
OK, perfect. We will try it then.
Thank you very much for the valuable information.
Hi Cristian, I'm not sure if I understood your situation, but I think we have the same problem at the customer where we are working. We are trying to configure SSO with the FLP URL using Citrix Netscaler, but unfortunately it's not working. Were you able to configure that? So with Netscaler, FLP URL SSO is working?
Thanks for your feedback.
I think the main problem with the (vanilla) Fiori Client on iOS would be that it is not entitled to access the device's portion of the keychain. So any certificates installed on the device itself will not work through Fiori Client, whereas Safari, as a first class citizen, does have access to that keychain slice.
If Fiori Client used Safari View Controller (which it doesn't, afaik) then this would work.
Thank you very much. Worked!