After setting up SAP SNC Encryption no target system browsing in Sync-Editor possible any more

The reason seems to be that the user logged into the Sync Editor is used to browse the target system.

But the SNC certificate is made for the "one identity services account for the jobserver services", so no browsing is possible any more.

What's the best practice to SNC encrypt on the one hand and still be able to browse the target system in the Sync Editor?

  • Use a remote connection (via the JobService) to connect to the SAP system.

  • Hi Markus, thank you for your answer.

    I tried to connect via remote connection.

    I followed the instructions under [1].

    Under "To set up a remote connection for an existing synchronization project." in list point 3a it says I can choose a Jobserver that "has the server function One Identity Manager Service installed" assigned. I have two Jobservers with this function, but I cannot choose them.

    In list point 3b it says: 

    "Select remote connection server manually.

    • Server: Full server name or the IP address of the server.

    • Port: The RemoteConnectPlugin uses port 2880."

    What server do I have to provide here? A One Identity Jobserver, from which a connection to the target system is possible, or the target system itself?

    If I provide a Jobserver from which a connection to the target system is possible, and I try to connect, it says:

    "Unable to connect to the remote server, No connection could be made because the target machine, actively refused it XXX.XXX.XXX.XXX:2880"

    So there seems to be a firewall rule missing.

    Do I understand this right, that I have to open port 2880 on Jobserver X to access it via remote connection from the Sync Editor, which is also installed on Jobserver X?

    [1] https://support.oneidentity.com/de-de/technical-documents/identity-manager/9.2/target-system-synchronization-reference-guide/4#TOPIC-2079333

  • Let's start with the version of OneIM you are using.

    What server do I have to provide here? A One Identity Jobserver, from which a connection to the target system is possible, or the target system itself?

    Yes, you have to select a Job Service that is able to connect to the target system (SAP in your case) and that has the remote connection plugin configured.

    And yes, you may need to configure the port in the firewall, as the HTTPS connection request is not magically mapped to localhost just because you are sitting on the same host with your Synchronization Editor.

    In addition, you need to specify the certificate to use for both ports manually, as explained here for the remote connection plugin, since the remote connection is always secured by TLS.

    Identity Manager 9.2 - Target System Synchronization Reference Guide (oneidentity.com)

    Permissions for the One Identity Manager Service user account.

    The RemoteConnectPlugin uses an internal HTTPS server for remote access. The user account's permissions for the One Identity Manager Service must be extended accordingly.

    • Users require permission to open an HTTP server. The administrator must grant URL approval to the user to do this. This can be run with the following command line call:

      netsh http add urlacl url=https://+:<port number>/Remoting/ user=<domain>\<user name> listen=yes

    • If the One Identity Manager Service has to run under the Network Service's user account (NT Authority\NetworkService), explicit permissions for the internal web service must be granted. This can be run with the following command line call:

      netsh http add urlacl url=https://+:<port number>/Remoting/ user="NT AUTHORITY\NETWORKSERVICE" listen=yes

    • You can check the result with the following command line call:

      netsh http show urlacl

    The RemoteConnectPlugin port certificate

    • The RemoteConnectPlugin port must be assigned a certificate because the RemoteConnectPlugin uses HTTPS for remote access. This can be run with the following command line call:

      netsh http add sslcert ipport=0.0.0.0:<port number> certhash=<certificate thumbprint> appid="{F06D38CA-DF0F-4D72-BC33-D3F6472A8DEE}"

    • You can check the result with the following command line call:

      netsh http show sslcert

    The RemoteConnectPlugin uses System.Net.HttpListener for the web interface.
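    As an added check for the documentation steps quoted above (this is not code from the thread or from One Identity), the following PowerShell snippet verifies on a Job Server that the URL ACL, the SSL binding, the certificate's private key and the port's reachability are all in place. It assumes port 2880 as used in the thread, the LocalMachine\My store, and a placeholder thumbprint you replace with your own.

```powershell
# Added example, not from the thread or One Identity: verify the RemoteConnectPlugin
# HTTPS prerequisites on a Job Server. Assumptions: port 2880 (as in the thread),
# the LocalMachine\My store, and a placeholder thumbprint to be replaced.
function Test-RemoteConnectPluginBinding {
    param(
        [int]$Port = 2880,
        [string]$Thumbprint = '<certificate thumbprint>',   # placeholder, replace
        [string]$StoreName = 'My',                           # e.g. 'Remote Desktop'
        [string]$ServerName = $env:COMPUTERNAME              # name the Sync Editor targets
    )
    $appId = 'F06D38CA-DF0F-4D72-BC33-D3F6472A8DEE'        # app ID from the docs
    $r = [ordered]@{}

    # 1. URL ACL: the service account must be allowed to listen on the /Remoting/ URL.
    $acl = netsh http show urlacl url="https://+:$Port/Remoting/" | Out-String
    $r['UrlAclListen'] = [bool]($acl -match 'Listen:\s*Yes')

    # 2. SSL binding on 0.0.0.0:<port> with the plugin's application ID and our cert.
    $ssl = netsh http show sslcert ipport="0.0.0.0:$Port" | Out-String
    $r['SslBindingHash']  = [bool]($ssl -match ('Certificate Hash\s*:\s*' + $Thumbprint))
    $r['SslBindingAppId'] = [bool]($ssl -match $appId)      # -match is case-insensitive

    # 3. The certificate must be in that store with its private key; otherwise HTTP.SYS
    #    cannot complete the TLS handshake even though the binding command succeeded.
    $cert = Get-ChildItem "Cert:\LocalMachine\$StoreName" |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
    $r['CertInStore']    = $null -ne $cert
    $r['CertPrivateKey'] = [bool]($cert -and $cert.HasPrivateKey)
    # Informational: the name the Sync Editor connects to should be in the cert's
    # DNS names (SAN or CN), or the client side of TLS will reject the server.
    $r['CertNameMatches'] = [bool]($cert -and ($cert.DnsNameList.Unicode -contains $ServerName))

    # 4. Reachability: a refused connection here points at the firewall or at a
    #    service that is not listening, which is the error quoted in the thread.
    $tcp = Test-NetConnection -ComputerName $ServerName -Port $Port -WarningAction SilentlyContinue
    $r['PortReachable'] = [bool]$tcp.TcpTestSucceeded

    [pscustomobject]$r
}

Test-RemoteConnectPluginBinding -Port 2880 -Thumbprint '<certificate thumbprint>' | Format-List
```

    Run it elevated on the Job Server; every property should be True before trying the remote connection from the Sync Editor.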

  • Hi Markus,

    We use OI version 9.1.1.158.

    I provided the permissions to the One Identity Manager Service as described in "Permissions for the One Identity Manager Service user account.".

    The RemoteConnectPlugin needs a certificate assigned as described in "The RemoteConnectPlugin port certificate".

    Do I have to create a new certificate? And if so, what kind of certificate do I have to create?

    Regards,

    Alexander

  • The RemoteConnectPlugin port must be assigned a certificate because the RemoteConnectPlugin uses HTTPS for remote access

    I further stumbled upon this line here.

    This means that an IIS server has to serve HTTPS requests on the Jobserver that can connect with SAP and that I want to connect to via remote connection, right?

  • This has nothing to do with the IIS. If you look at the documentation section I've posted, you can see that you need to configure the port 2880 with netsh to allow TLS and assign a certificate (like you would for any HTTPS-Service).

  • Hi Markus,

    thank you very much for your assistance.

    I am not a certificate expert.

    The command that you posted to assign a certificate to the RemoteConnectPlugin needs a "certificate thumbprint".

    You write I have to assign a certificate like I would do for any HTTPS service.

    I googled a bit to find solutions, but creating the right cert for a special port (or perhaps using an existing one) seems not to be trivial.

    Is there perhaps a knowledge base article or any other related source that describes how exactly I can assign a RemoteConnectPlugin port certificate?

    Thanks in advance,

    Alexander

  • I managed to "Bind an SSL certificate to a port number" [1]

    I used an existing server certificate's thumbprint.

    I first encountered "SSL Certificate add failed, Error 1312 A specified logon session does not exist. It may already have been terminated." I could bypass it by providing an additional parameter to the netsh command that specifies the certificate store:

    netsh http add sslcert ipport=0.0.0.0:2880 certhash=8eb2b9e344ea2bbffb246451d5c29d01d0bf2b97 appid="{F06D38CA-DF0F-4D72-BC33-D3F6472A8DEE}" certstore="Remote Desktop"

    Now

    netsh http show sslcert

    returns the output in [2].

    When I now try to initiate a remote connection, it says:

    "Response status code does not indicate success: 401 (Unauthorized)."

    In the documentation it says that one has to provide an AD group's DN whose members are permitted to use remote connection. I provided the "Domain Users" group, so basically everything and anyone should now be allowed to use remote connection, but still access is not authorized.

    Is there a way to find more information about what kind of authorization is missing?

    Or in other words: where are the logs of the remote connection plugin?
    [1]

    [2]

    SSL Certificate bindings:

    IP:port: 0.0.0.0:2880
    Certificate Hash:8eb2b9e344ea2bbffb246451d5c29d01d0bf2b97
    Application ID:{f06d38ca-df0f-4d72-bc33-d3f6472a8dee}
    Certificate Store Name:Remote Desktop
    Verify Client Certificate Revocation: Enabled
    Verify Revocation Using Cached Client Certificate Only: Disabled
    Usage Check: Enabled
    Revocation Freshness Time: 0
    URL Retrieval Timeout: 0
    Ctl Identifier: (null)
    Ctl Store Name: (null)
    DS Mapper Usage: Disabled
    Negotiate Client Certificate: Disabled
    Reject Connections: Disabled
    Disable HTTP2: Not set
    Disable QUIC: Not set
    Disable TLS1.2: Not set
    Disable TLS1.3: Not set
    Disable OCSP Stapling: Not set
    Disable Legacy TLS Versions: Not set

    [2]

    support.oneidentity.com/.../3