Hello,
I try to setup a https based connection to the sapstartsrv service including a client certificate SSO. The server validation for SSL is successfully done at client side. The sapcontrol program validates the server certificate (based on self signed certificates issued by myself as this is just for test purpose)
I can see the request for the client certificate in the trace information of the sapstartsrv.log
[Thr 139637867071232] ->> SapSSLSessionInit(&sssl_hdl=7efff976be18, role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT))
[Thr 139637867071232] <<- SapSSLSessionInit()==SAP_O_K
[Thr 139637867071232] in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
...
[Thr 139637867071232] No Client Certificate
The sapcontrol program should now send a client certificate... but I run into a http 401
sapcontrol -prot NI_HTTPS -host <remotehost> -nr <instancenumber> -function GetVersionInfo -debug
FAIL: HTTP error, HTTP/1.1 401 Unauthorized
If it is done via -queryuser the sapcontrol shows up with the requested information. But I want to do the authorization based on the certificate without providing user / pwd.
service/sso_admin_user_0 ist defined in the profile of sapstartsrv (default.pfl) which enables the request for the client certificate.
Self signed client certificate was added to SAPSSLC.pse on the sapcontrol side. The access is done from a linux system to another linux system. I read notes 1439348 and 1642340 and the sapcontrol / sapstartsrv is on kernel 7.21 PL 201.
Any ideas or suggestions on this issue ?
Kind regards, Hinrich