다음을 통해 공유

MIM 2016: Configure SAP Web Service Connector with Certificate-based Authentication

  • 아티클

Introduction

In MIM 2016 and FIM 2010 R2, creating a web service connector to SAP (or any other SOAP-based web service) using basic authentication is fairly straightforward. However, sometimes there is a requirement to have a more secure authentication method to the web service. The Web Service connector in MIM supports the use of certificate-based authentication.

However, this also introduces a couple of issues when configuring the connector, and extra steps are required to ensure that all works as expected. In particular, the Web Service Configuration Tool requires a specific naming format to recognise the client authentication certificate. Also, depending on the quantity of data that needs to be imported, the default timeout configuration for the web connector may be too short. 

Configure certificate-based authentication for web connector

Overview

This procedure steps through configuring the certificate-based authentication option for the web service connector. It doesn't cover the actual configuration of the actual connector, attribute mapping and so on.

Obtain the MIM Web Service Configuration Tool and samples

The Web Service Configuration Tool to create the connector and sample SAP connector project files must be downloaded from Microsoft and installed on the MIM server: http://go.microsoft.com/fwlink/?LinkId=717495

The documentation for the Web Service Configuration Tool installation and base connector configuration is found here: http://go.microsoft.com/fwlink/?LinkID=226245

Create a basic-authentication SAP web service configuration

The initial configuration is probably easiest using basic authentication with username/password only in a Development environment, if the SAP developer can provide the functionality.

Using standard web service configuration methods per the documentation, use the Web Service Configuration Tool (WSCONFIG) to create the binding to the SAP web service and attribute mappings for the data import into MIM.

This will result in a .WSCONFIG file that is then used for the actual configuration of the SAP Web Service connector. This may be used to test the synch job using the Synchronisation Service Manager.

Configure client authentication certificate

  1. Create a signed Client Authentication certificate, ensuring it's signed by a PKI for which the SAP server also has the root certificates installed. When creating the certificate signing request, note that:

    • the certificate Key Usage should be Digital Signature

    • the Enhanced Key Usage should be Client Authentication (1.3.6.1.5.5.7.3.2)

    • the Subject name can be anything meaningful - we used the name of the account configured in SAP to connect to the web service

  2. On the MIM server, import the certificate and private key into the Local Machine Personal store. Change the NTFS permissions on the MachineKeys folder to allow the FIM Synchronisation Service account to read the cert (see instruction on changing NTFS permissions below).

  3. Alternatively, you may logon as the Synchronisation Service account and import the certificate and private key into the Current User Personal Store. It would avoid the issue of changing the NTFS permission on the MachineKeys folder, but the Synchronisation Service account would require interactive logon rights to the server.

  4. Supply the public certificate and/or Subject Name to the SAP team to configure the SAP account to allow certificate-based authentication. This SAP Wiki article describes the configuration options and testing methods.

    https://wiki.scn.sap.com/wiki/display/Basis/How+to+configure+client+certificate+logon+to+AS+ABAP

  5. Once the account is configured with certificate authentication in SAP, import the cert and the private key into a standard web browser (or other SOAP testing tool that can use certificate-based authentication) on a client that is able to reach the SAP web service URI.

  6. Enter the SAP web service URI into the browser, and ensure that certificate authentication is successful. The WSDL for the SOAP binding and schema of the target web service should be displayed with no authentication prompts or 401 access-denied errors.

Modify SAP web service configuration for certificate authentication

This section assumes the following steps have been completed:

  • A basic authentication SAP web service has been configured and the WSCONFIG file created.

  • The authentication cert has been imported into the Local Machine Personal store.

  • The SAP web service and the user account that will be used for access to the web service have been configured by the SAP administrator to accept authentication via the supplied certificate, and has been tested.

The MIM web service config will only bind the certificate for authentication if the subject name is entered into the WSConfig tool in a specific format. The usual format for a certificate subject is not recognised.

To correctly format the subject name for importing by the Web Service Configuration Tool:

  1. Note the Subject of the SAP account authentication certificate.

  2. Reformat it to consist of only the attribute values of the Subject separated by commas followed by spaces in reverse order. i.e. If the subject consists of a fully-qualified X500 path:

    • omit "CN=", "OU=" etc.
    • reverse the order of the values to start with the Country (where it exists)
    • separate each field with a comma + space 

  3. For example, Certificate Subject is:

    • CN = ws_admin, OU = SAP, O = Contoso, L = Canberra, C = AU

    Formatted for WSConfig:

    • AU, Canberra, Contoso, SAP, ws_admin

  4. Open the .WSCONFIG file created for the SAP web service in the Web Service Configuration Tool.

  5. In the Discovery section, click Edit to modify the discovered service.

  6. Select Next on the following screen to get to the authentication configuration screen.

  7. Select Certificate authentication and the following settings, complete with the reverse-formatted certificate subject name:

    • Store Location: Local Machine
    • Store Name: My
    • Subject:  AU, Canberra, Contoso, SAP, ws_admin

  8. When the Next button is clicked, the WSConfig tool will attempt to bind and download the SAP web service schema and objects. If this is successful, the .WSCONFIG file can be saved and used to configure the SAP Web Service Management Agent in the Synchronisation Service manager.

PowerShell for formatting the certificate subject

Using PowerShell to format the certificate subject from the data in the actual certificate will help avoid typos. This example reads the certificate subject from the Local Machine certificate and formats it correctly for WSConfig.

$cert =  Get-ChildItem Cert:\LocalMachine\My | where {$_.subject -like "*ws_admin*"} |select -ExpandProperty Subject 
$str =  ($cert -replace "\w+=")  -split ", "
$strArray[-1..-($str.Count)] -join ", "
 
AU, Canberra, Contoso, SAP, ws_admin

 

NTFS Permissions change for FIM Synchronisation service to read cert

If the certificate has been installed in the Local Machine store, rather than the FIM Sync Service account, change permissions on "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" to grant the FIM Sync Service account (FIM_SYNC) Read and Execute permission.

C:\ProgramData\Microsoft\Crypto\RSA>icacls MachineKeys 
           
MachineKeys    Everyone:(R,W) 
          CONTOSO\FIM_SYNC:(OI)(CI)(RX) 
          BUILTIN\Administrators:(F)

Default perms for reference: https://support.microsoft.com/en-us/help/278381/default-permissions-for-the-machinekeys-folders

Verify SAP connector

Once the above steps have been completed, verify import from the SAP Service by creating a Web Service Management Agent connector.

This is similar to creating any kind of connector: /en-us/microsoft-identity-manager/install-mim-sync-ad-service

  1. Configure an Import profile for the SAP Web Service Management Agent (or Export profile, if that is the direction the data is flowing).

  2. Run the MA (preferably to a log file per the above recommendation and/or with a limited number of objects).

  3. Validate the MA was able to connect to the SAP Web Service and complete the Import with no errors.

  4. Once the Web Service MA can connect to the SAP Web Service, this procedure has been successfully completed.

Recommendation: Create the MA with a Run Profile that logs to a file only, and imports a limited number of objects.

SAP Web Service timeout configuration

Web service timeout errors

If Sync Manager pops up an error and shows the status stopped-extensible-extension-error, this may be a web service timeout error.

Event 6801 and 6803 are recorded in the Application event log. In Event 6801, the stack trace part will include the text:

System.TimeoutException: The HTTP request to https://saperp...has exceeded the allotted timeout of 00:01:00. The time allotted to this operation may have been a portion of a longer timeout.

If the Web Service connector log is configured (it appears in the <Program files>\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions folder), the same exception text will appear.

The error indicates that default timeouts set in cfg.config in the web service WSCONFIG file are too short.

Configure SAP Web Service timeout

This assumes the SAP Web Service WSCONFIG file has already been correctly built using the Web Service Configuration tool.

  1. Extract the SAPWebServices WSCONFIG file with a zip file uncompression utility.

  2. Edit the cfg.config file in the archive and change the basicHttpBinding property to update the timeout values. Note that the SAP connector must also have the allowCookies="true property.

    Most timeout settings in the config are 1 minute by default – initially, set all timeouts on line 06 except the receiveTimeout to 00:02:00 (receiveTimeout is 10 mins by default

    01.<?xml version="1.0" encoding="utf-8"?>
02.<configuration>
03.<system.serviceModel>
04.<bindings>
05.<basicHttpBinding>
06.<binding name="binding" closeTimeout="00:02:00" openTimeout="00:02:00" receiveTimeout="00:10:00" sendTimeout="00:02:00" allowCookies="true" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647" transferMode="Buffered">
07.<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
08.<security mode="Transport" />
09.</binding>
10.</basicHttpBinding>
11.</bindings>
12.<client>
13.<endpoint address="https://saperp:44321/sap/bc/srt/scs/sap/zhr_mim_sap_ws_connect?sap-client=511" binding="basicHttpBinding" bindingConfiguration="binding" contract="NS.ZHR_MIM_SAP_WS_CONNECT" name="binding" />
14.</client>
15.</system.serviceModel>
16.</configuration>

  3. Save the changes to the cfg.config file, repack the archive and re-save as the .WSCONFIG file.

  4. If the timeout error recurs, increment the timeout settings in cfg.config until the import can complete successfully.