Re: X.509 Logon through Web Dispatcher

Hi,

dev_webdisp:

========================================

... ....

[Thr 140667272742656] ->> SapSSLGetPeerInfo(sssl_hdl=0x1ca2f40, &cert=0x7fefa6d2b988, &cert_len=0x7fefa6d2b990,

[Thr 140667272742656] &subject_dn=0x7fefa6d2b980, &issuer_dn=0x7fefa6d2b978, &cipher=0x7fefa6d2b970)

[Thr 140667272742656] <<- SapSSLGetPeerInfo(sssl_hdl=0x1ca2f40)==SAP_O_K

[Thr 140667272742656]     out: subject  = "CN=PSED_USER, OU=DBT, O=Komus, L=Moscow, SP=Russia, C=RU"

[Thr 140667272742656]     out: issuer   = "CN=Komus WEB Service SED Root Certificate Authority, OU=DBT, O=Komus, L=Moscow, SP=Russia, C=RU"

[Thr 140667272742656]     out: cert_len = 649

[Thr 140667272742656]     out: cipher   = "TLS_RSA_WITH_AES128_CBC_SHA"

[Thr 140667272742656] HttpModGetDefRules: Client certificate received: with len=649, subj="CN=PSED_USER, OU=DBT, O=Komus, L=Moscow, SP=Russia, C=RU", issuer="CN=Komus WEB Service SED Root Certificate Authority, OU=DBT, O=Komus, L=Moscow, SP=Russia, C=RU", cipher="TLS_RSA_WITH_AES128_CBC_SHA"

[Thr 140667272742656] HttpModGetDefRules: determined the defactions: ADD_CERT_TO_HEADER COMPAT_HANDLING  (148)

=> webdispatcher received the request with Client certificate correctly and add the certificate to header correctly...

[Thr 140667272742656]   MatchTargetName("sapex.komus.net", "CN=sapex.komus.net") == EXACT match

[Thr 140667272742656] <<- SapSSLSessionStart(sssl_hdl=0x2584610)==SAP_O_K

[Thr 140667272742656]  in/out: status = "resumed SSL session"

[Thr 140667272742656]   Subject DN = "CN=sapex.komus.net, OU=DBT, O=Komus, L=Moscow, SP=Moscow, C=RU"

[Thr 140667272742656]   Issuer  DN = "CN=komus-lan-CA, DC=komus, DC=lan"

[Thr 140667272742656] IcmConnPoolNiWatchRemove: NI watch entry <ce>, number 0 removed.

[Thr 140667272742656] IcmConnPoolNewEntry: created new entry 0x7fefa003d4f0[0] for pool 0x7fefa0000a50 (nihdl=206, ssl=0x2584610)

[Thr 140667272742656] ICR: IcrAttachToServer('!J2EES' 2 2 0 1 port:50001/1/-1) 0-> 0

[Thr 140667272742656] HTTP request [5/21/1] dispatched to SID='KSD', destination='sapex_KSD_00'

[Thr 140667272742656] HTR: routing to destination 'sapex_KSD_00' (balanceable=0)

[Thr 140667272742656] server triggered

[Thr 140667272742656]    Pool Entry 0x7fefa003d4f0:

[Thr 140667272742656]    NI: 206, SSL: 0x2584610, allocated: 1, inuse: 1, desc: 0x7fefa0000b00

[Thr 140667272742656] local host:  172.30.1.64:13319

[Thr 140667272742656] remote host: 172.30.1.20:50001

=> the request was sent to backend AS java system(sapex_KSD_00) correctly

[Thr 140667272742656] HttpParseResponseHeader: Keep-Alive: 0

[Thr 140667272742656] HTTP response  [5/21/1]:

[Thr 140667272742656]   HTTP/1.1 401 Unauthorized

[Thr 140667272742656]   connection: close

[Thr 140667272742656]   pragma: no-cache

[Thr 140667272742656]   cache-control: no-cache

[Thr 140667272742656]   expires: 0

[Thr 140667272742656]   content-type: text/html

[Thr 140667272742656]   content-length: 1787

[Thr 140667272742656]   server: SAP J2EE Engine/7.00

[Thr 140667272742656]   date: Mon, 28 Dec 2015 08:19:39 GM

=> however, the response from backend AS java system is " HTTP/1.1 401 Unauthorized".

=> so, the issue is not at SAP Web Dispatcher side

=> the root cause is at Java AS sapex_KSD_00 side

please see Isaias Freitas's reply, refer to SAP KBA 2160678, add the parameters to the AS Java profiles.

if issue still occurs, please also get level 3 ICM trace of backend system.

Best regards,

Shi Feng