In part 1 of this blog series, I showed how to secure your SCC with a trusted UI Certificate.
In this blog, I will show how to further secure your SCC with a trusted System Certificate, put your CA certificate in the Trust Store, install an SCC CA Certificate and with that enable Principal Propagation.
Installing an SCC System Certificate is very similar to installing a UI Certificate. The steps are:
- Generate and export a Certificate Signing request (CSR)
- Import and sign the CSR in your CA tool
- Export the resulting certificate and subsequently import it into the SCC
To import your CA certificate into your SCC, you have to export it in DER format.
Then you can import it into your SCC Trust Store.
Generating the CSR for your SCC CA Certificate is similar to the SCC System Certificate, but there is one important difference: two additional X.509 extensions, i.e. Certificate Sign and CRL Sign. These are generated automatically by the SCC, but make sure they are present prior to signing the request.
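One way to run that check on the exported CSR before signing it, as an added example that is not part of the original post. It assumes the OpenSSL command line tool (1.1.1 or later); the function names, file names and subjects are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the OpenSSL CLI (1.1.1+).

# csr_has_ca_key_usage FILE
# Returns 0 if the CSR requests both Certificate Sign and CRL Sign,
# 1 if either is missing, 2 if the file is not a parsable CSR.
csr_has_ca_key_usage() {
    csr=$1
    # Accept PEM first, then fall back to DER encoding.
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) ||
    text=$(openssl req -in "$csr" -inform DER -noout -text 2>/dev/null) ||
        { echo "cannot parse CSR: $csr" >&2; return 2; }
    # OpenSSL prints the requested usages on the line after the header.
    usage=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    case $usage in *"Certificate Sign"*) ;; *) return 1 ;; esac
    case $usage in *"CRL Sign"*) ;; *) return 1 ;; esac
    return 0
}

# make_demo_csr PREFIX CN USAGES
# Constructed sample input: a throwaway key and CSR with the given key usages.
make_demo_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" -addext "keyUsage=critical,$3" 2>/dev/null
}

# Demo: one CA-style request and one request without the CA key usages.
demo() {
    dir=$(mktemp -d) || return 1
    make_demo_csr "$dir/ca" "Demo SCC CA" "keyCertSign,cRLSign"
    make_demo_csr "$dir/sys" "Demo SCC System" "digitalSignature,keyEncipherment"
    for f in "$dir/ca.csr" "$dir/sys.csr"; do
        if csr_has_ca_key_usage "$f"; then
            echo "$(basename "$f"): Certificate Sign and CRL Sign requested"
        else
            echo "$(basename "$f"): CA key usages missing, do not sign as CA"
        fi
    done
    rm -rf "$dir"
}

demo
```

Against a real request, call `csr_has_ca_key_usage` with the path of the CSR file exported from the SCC and check its exit status.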
Subsequently, your SCC CA Certificate can be imported.
And with that, Principal Propagation can be activated.
As a result, we got 2 more green boxes in the SCC General Security Status.
In my next and final blog of this series I will show how to Configure local LDAP authentication of your Cloud Connector administrators.
Frank, nice document. Thank you for that.
I have one issue, maybe you can help: we are trying to update the UI certificate in a newer version of SCC 2.9, and we always get the error when we try to import.
Below are the logs:
#importing certificate chain failed
java.security.cert.CertificateException: Error parsing certificates! iaik.asn1.DerInputException: Next ASN.1 object is no OBJECT IDENTIFIER!
at iaik.x509.CertificateFactory.engineGenerateCertificates(Unknown Source)
at com.sap.scc.servlets.ConfigurationServlet.readX509Certificate(ConfigurationServlet.java:900)
at com.sap.scc.servlets.ConfigurationServlet.importCertificate(ConfigurationServlet.java:845)
at com.sap.scc.servlets.ConfigurationServlet.importUiCsrReply(ConfigurationServlet.java:824)
at com.sap.scc.servlets.ConfigurationServlet.uploadCertificate(ConfigurationServlet.java:993)
at com.sap.scc.servlets.ConfigurationServlet.dispatch(ConfigurationServlet.java:120)
at com.sap.scc.servlets.ServletUtilities.service(ServletUtilities.java:41)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.sap.scc.ui.rt.UTF8Filter.doFilter(UTF8Filter.java:23)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:812)
Can you please suggest something on it?
Hello Naveen,
On what OS and with which JVM do you run your SCC?
Best regards
Frank
Hello Frank,
Linux X_86 and JVM version 8.