This is the second part of the blog series on how to achieve X509
authentication for REST SDK. In the first blog I have provided the steps for
certificate and keystore generation. In this post I will provide the steps needed to configure WACS (which hosts RESTful web-services ) and how to
resolve the errors reported by browsers
Step 1: Logon to CMC, and navigate to Servers -> WACS. Maintain the keystore details generated earlier under the properties as shown below:
Restart WACS.
Step 2: Navigate to CMC-> Authentication -> Enterprise
Unable the Trusted Authentication checkbox, maintain validity period.
Update the setting and download the Shared Secret
Copy the downloaded conf file in the path:
<Install Dir>/SAP BusinessObjects/SAP BusinessObjects Enterprise XI 4.0/java/pjs/container/bin/
And restart WACS
Step 3: Need to make sure the user account through which I want to X509 based trusted authentication exists in the BusinessObejcts Platform.
Example for my use case, the X509 certificate is in name of TestUser1
Step 4: Try to access the below url in your browser to achieve Trusted Authentication based on X509 certificate using REST SDK:
https://<hostname>:<ip>/biprws/logon/v1/logon/trustedx509
with the above configuration, url looks like: .
https://targetmachine/biprws/v1/logon/trustedx509
In case everything is fine, it should generate the logon token directly or it will ask to select the user certificate see below. In case of error refer next steps
And it will login with that user account. In my case: TestUser1
Step 5: In case browser displays the following error:
The security certificate presented by this website was not issued by a trusted certificate authority.
Perform this step mentioned below or moved to next step
This error indicates that browser does not trust the signing authority of the server certificate. To bypass this error, upload the server CA certificate to browsers Trusted Certificate Authority list.
Go to Internet Explorer ->Settings -> Internet options
Navigate to content tab and select Certificates.
Navigate to Trusted Root Certificate Authority Tab and select Import
Click on Browse and select the CA certificate created earlier:
Select Next, Next, Finish. And when it gives a confirmation window to install certificate. Select yes.
Note: You should not install certificates from unknown sources to your Trusted Root Certificate List, it may lead to security issues.
Try to access the below url in your browser: https://<hostname>:<ip>/biprws/logon/v1/logon/long
with the above configuration, url looks like:
https://targetmachine/biprws/v1/logon/long
If everything is fine it should display something like below and then go back to step 4. In case there are errors go to next step.
Step 6: In case browser displays the following error:
This error indicates that the required client/ user certificate in not present in your certificate store.
Go to Internet Explorer ->Settings -> Internet options
Navigate to content tab and select Certificates.
Navigate to Personal tab and click on import
Click on browse and select the client/ user certificate created earlier
Click on Next and provide the Private Key Password of the certificate
Do next, next and finish. This will successfully import the user certificate in your certificate store.
Try to access the below url in your browser: https://<hostname>:<ip>/biprws/logon/v1/logon/long
with the above configuration, url looks like:
https://targetmachine/biprws/v1/logon/long
If everything is fine it should display something like below and then go back to step 4
authentication for REST SDK. In the first blog I have provided the steps for
certificate and keystore generation. In this post I will provide the steps needed to configure WACS (which hosts RESTful web-services ) and how to
resolve the errors reported by browsers
Note: We have tested 2 Factor Authentication login for BIL with the same approach. As long as the 2nd Factor returns a Valid X509 certificate of a user, and the certificate is available in Windows Certificate Store, user can same the same certificate for login
Step 1: Logon to CMC, and navigate to Servers -> WACS. Maintain the keystore details generated earlier under the properties as shown below:
Restart WACS.
Step 2: Navigate to CMC-> Authentication -> Enterprise
Unable the Trusted Authentication checkbox, maintain validity period.
Update the setting and download the Shared Secret
Copy the downloaded conf file in the path:
<Install Dir>/SAP BusinessObjects/SAP BusinessObjects Enterprise XI 4.0/java/pjs/container/bin/
And restart WACS
Step 3: Need to make sure the user account through which I want to X509 based trusted authentication exists in the BusinessObejcts Platform.
Example for my use case, the X509 certificate is in name of TestUser1
Step 4: Try to access the below url in your browser to achieve Trusted Authentication based on X509 certificate using REST SDK:
https://<hostname>:<ip>/biprws/logon/v1/logon/trustedx509
with the above configuration, url looks like: .
https://targetmachine/biprws/v1/logon/trustedx509
In case everything is fine, it should generate the logon token directly or it will ask to select the user certificate see below. In case of error refer next steps
And it will login with that user account. In my case: TestUser1
Step 5: In case browser displays the following error:
The security certificate presented by this website was not issued by a trusted certificate authority.
Perform this step mentioned below or moved to next step
This error indicates that browser does not trust the signing authority of the server certificate. To bypass this error, upload the server CA certificate to browsers Trusted Certificate Authority list.
Go to Internet Explorer ->Settings -> Internet options
Navigate to content tab and select Certificates.
Navigate to Trusted Root Certificate Authority Tab and select Import
Click on Browse and select the CA certificate created earlier:
Select Next, Next, Finish. And when it gives a confirmation window to install certificate. Select yes.
Note: You should not install certificates from unknown sources to your Trusted Root Certificate List, it may lead to security issues.
Try to access the below url in your browser: https://<hostname>:<ip>/biprws/logon/v1/logon/long
with the above configuration, url looks like:
https://targetmachine/biprws/v1/logon/long
If everything is fine it should display something like below and then go back to step 4. In case there are errors go to next step.
Step 6: In case browser displays the following error:
This error indicates that the required client/ user certificate in not present in your certificate store.
Go to Internet Explorer ->Settings -> Internet options
Navigate to content tab and select Certificates.
Navigate to Personal tab and click on import
Click on browse and select the client/ user certificate created earlier
Click on Next and provide the Private Key Password of the certificate
Do next, next and finish. This will successfully import the user certificate in your certificate store.
Try to access the below url in your browser: https://<hostname>:<ip>/biprws/logon/v1/logon/long
with the above configuration, url looks like:
https://targetmachine/biprws/v1/logon/long
If everything is fine it should display something like below and then go back to step 4
- SAP Managed Tags:
10 Comments
