Hello Experts!
We're currently configuring SAP NW SSO 2.0 and we're getting an error when logging in to the SL Web Client while having an expired certificate.
The scenario is a Secure Login Server component installed on the same SAP Application Server where a SAP SRM runs. The Secure Login Server is supposed to generate X.509 certificates in order to perform SSO against different SAP Systems in the Landscape, including the SRM server itself.
Due to customer requirements the Certificate should expire in a short time, i.e. 10 minutes.
At this point, we were able to successfully generate an X.509 certificate and use it to perform SSO against ABAP and Java Systems.
As configured, after 10 minutes, the certificate expires. If we try to log on again to the Secure Login Web Client in order to get a new certificate, an error occurs:
In the java console, the first exception we get is:
network: Connecting https://<hidden server name>:50001/SecureLoginServer/webclient/sap.com~securelogin.webclient.jar?version=1410707274078 with proxy=DIRECT
network: Connecting http://<hidden server name>:50001/ with proxy=DIRECT
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: SHA-256Certificate finger print: <here fingerprint 1>
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
security: SHA-256Certificate finger print: <here fingerprint 2>
security: Checking if certificate is in Internet Explorer DISALLOWED certificate store
javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
Workarounds:
We found the following workarounds that aren't suitable for us. We require the SL Web Client to automatically handle such a situation without changes on the client machines.
1) Delete the expired certificate in IE manually and restart IE.
2) Disable "Use certificates and keys in browser keystore" in the Java Control Panel and install the Secure Login Root CA certificate in the Java VM.
Any thoughts? Have you faced the same issue?
Thank You!!
Diego.