Is there a Public SAP Passport Root Certificate I can use to import into an SAP system so that we could use SAP Passports as Logon certificates?
I would like to test a SAP Passport in a DEV ABAP system and need the to import the Public root Certificate first.
The SAP Passport root certificate can currently be downloaded from here. Should that link no longer work, an updated link should be on the SAP Trust Center Services site.
I've just installed that root certificate and verified that it is the one used to sign SAP Passports.
Related
I am working on ADFS external authentication project. I am using a self signed certificate, which is imported in Trusted people store. I need to verify whether importing a CA certificate to Trusted people store work or not.
When I tried using the CA certificate in Trusted people, it does not work. Can you explain why?
You can use self-signed certificate or you can purchase from third party vendor it will work if you import into any ADFS store or trusted store. But the certificates must met the ADFS certificate requirements. Kindly check the requirements in this link
I have an azure web app. Now, I am trying to install shibboleth service provider for my web app.
I found a way to do this though this blog.
Is there any other way to set up shibboleth sp without installing a VM on azure?
I have searched a lot on web but all they show is to set up SSO in azure using Azure active directory as IdP.
Is there any way to configure my external Idp to web app in azure?
SSL is the first layer of defense for an SSO web application. Thus you must obtain an SSL certificate for your web site’s URL.
The biggest trick seems to be configuring Azure and Visual Studio to not get confused between the remote desktop certificate and the SSL certificate. The Azure instructions for configuring SSL you could refer to.
Here are the most important points as below:
1.You will need to have the certificate in a PFX file so it can be uploaded to Azure. This PFX file must contain the certificate’s private key! You will also need the certificate thumbprint.
2.Modify the cloud service’s service definition and service configuration files.
3.Upload the SSL certificate to your cloud service application.
4.Now the SSL-modified cloud service application needs to be uploaded to Azure.
5.Browse to your web site using HTTPS. Fingers crossed! It should work but HTTP should be rejected.
If you need to set up a test IdP, Microsoft has produced a series of videos on how to do this.
Of course there is the Shibboleth IdP documentation at shibboleth.net.
You should also have downloaded the Shibboleth SP 64-bit Windows/IIS 7 MSI file.
Get the latest version from the download site.
Now when you browse to your Azure web site you should be redirected to your IdP’s login page. Once you successfully log in you should be redirected back to your web app. There will now be session variables that contain authentication attributes such as IdP URN, user name, and so on.
For more details, you could refer to this blog.
I have a cloud foundry instance hosted on IBM Cloud (formerly Bluemix). A third party vendor requires a url to publish webhooks onto my app. If I use the bluemix generated base url it works fine but if its a custom route (with my own domain) bluemix doesn't pass it on to the app.
Why is this happening and whats the solution (to be able to use custom domains)?
Turned out to be an SSL CA certificate issue.
Resolution was to grab a g2_bundle.crt file (with root cert in it from GoDaddy as my original cert was bought from them), upload to IBM Cloud certificate manager (found in the catalog) and viola :)!
We are developing an IBM MobileFirst 7.1 Hybrid mobile application, and planning to use the certificate pinning feature.
We can find information on IBM website about the SSL certificate pinning on IBM MobileFirst website : Here is a post in the IBM Knowledge Center and Here is a tutorial and its sample project/code
All these resources are great, but I have some questions :
Are there any advantages to use native certificate pinning implementation for Android and iOS when my application is a hybrid application ?
If I use the hybrid environment code, will the SSL certificate be included in the wlapp, and then can be updated using direct update ?
Does the hybrid implementation of certificate pinning work on WindowsPhone 8 (Hybrid app for Silverlight environment) ?
In the tutorial video, I have seen that when SSL pinning is ON, and we call a URL outside our server (google for example) it will fail. Does this mean google maps will fail loading if I enable certificate pinning ?
What happen when the SSL certificate is revoked ?
What happen when the SSL certificate is expired ?
What is the best SSL renewal strategy to keep certificate pinning working and the application up while updating our server SSL certificate ?
Please advice
Are there any advantages to use native certificate pinning implementation for Android and iOS when my application is a hybrid application ?
You can always write your own code that does the pinning, or use 3rd party Cordova plug-ins. But none of those assure you the level of support you get by using the provided functionality. Note that you are then limited to the functionality provided (for example, certificate pinning by MobileFirst is restricted to a single destination host and not multiple).
If I use the hybrid environment code, will the SSL certificate be included in the wlapp, and then can be updated using direct update ?
You need to have the certificate in both the client and the server. You do not need to use Direct Update to update the certificate on the client.
The way it works is that you need to only update the certificate on the server, but you must maintain the same public key in case you do update it
Does the hybrid implementation of certificate pinning work on WindowsPhone 8 (Hybrid app for Silverlight environment) ?
As mentioned in the documentation, certificate pinning supports only: "native iOS, native Android, and hybrid iOS or hybrid Android"
In the tutorial video, I have seen that when SSL pinning is ON, and we call a URL outside our server (google for example) it will fail. Does this mean google maps will fail loading if I enable certificate pinning ?
The pinning relates only to requests that are bound to the MobileFirst Server and not to other services.
What happen when the SSL certificate is revoked ?
Requests that are bound to the MobileFirst Server will fail.
What happen when the SSL certificate is expired ?
Requests that are bound to the MobileFirst Server will fail.
What is the best SSL renewal strategy to keep certificate pinning working and the application up while updating our server SSL certificate ?
Because you only need to update the certificat eon the server, you only need to make sure to keep using the same public key as before.
On certain sites the certificate chain can not be built up to the trusted root certificate because this trusted root cert is not known to Windows. But if we visit such site using IE or Chrome, Windows automatically downloads (verified) the trusted root somewhere and silently installs it to Trusted Certificate Authorities storage. After this we can build the certificate chain up to the newly installed root. If we manually remove newly downloaded trusted root certificate from Windows storage, the chain can't be built again.
I know about Authority Information Access extension. The problem is that the topmost available certificate in the chain (the child of missing trusted root) does NOT have such extension included. And even if it had, Windows would not automatically trust the downloaded certificate.
So there must be some other source of knowledge about trusted roots. The question is - how can we use that source ourselves. The topmost available certificate is available here if anyone is interested in inspecting it.
This link http://support.microsoft.com/kb/931125 explains how Windows updates root certificates silently in Vista and 7.
I also stumbled on this multiple times. It can be reproduced easily using windows sandbox. If you use curl or similar certificates can not be verified. Only if you call WinHttpOpen the root certificate (if trusted) will be added to the root certificate store.
See this post
Certificates contain an extension called "Authority Information Access" which contains the details of the issuing CA. An example of the certificate used for "https://gooogle.com" is shown below. The browser reads this value, downloads the certificate from the URL provided and repeats the process up the certificate chain.