Hi,
I'm trying to connect to a system using the Dot Net Connector 3.0 and use an X509 Client Certificate for Authentication.
But I'm struggling with the parameters for the destination. When I use the Base64-encoded Client Certificate as the X509Certificate parameter and leave the User parameter empty, as described here, I get the error "No credentials were supplied".
So I tried to find out how the JCO connector connects; there I found that to connect you should use $X509CERT$ as the user parameter and the Base64-encoded certificate as the password.
How do I connect to an SNC secured server with the Dot Net Connector and a Client Certificate?
This is how I tried it so far:
parms.Add(RfcConfigParameters.MessageServerHost, "Servername");
parms.Add(RfcConfigParameters.SystemNumber, "00");
parms.Add(RfcConfigParameters.SystemID, "System Name");
parms.Add(RfcConfigParameters.LogonGroup, "PUBLIC");
parms.Add(RfcConfigParameters.Client, "001");
parms.Add(RfcConfigParameters.SncMode, "1");
parms.Add(RfcConfigParameters.SncPartnerName, "p:CN=xxx, O=YYY, C=DE");
parms.Add(RfcConfigParameters.SncMyName, "p:CN=ZZZ, O=YYY, C=DE");
parms.Add(RfcConfigParameters.SncQOP, "3");
parms.Add(RfcConfigParameters.SncLibraryPath, "C:\\Program Files\\SAP\\FrontEnd\\SecureLogin\\lib\\sapcrypto.dll");
X509Certificate Cert = new X509Certificate();
Cert = X509Certificate.CreateFromCertFile("N:\\ClientCertificate.cer");
byte[] certData = Cert.GetRawCertData();
string X509CertificateString = Convert.ToBase64String(certData);
parms.Add(RfcConfigParameters.X509Certificate, X509CertificateString);
Thanks,
Oliver
EDIT:
I got it working now on my local machine, where the Secure Login Client is installed, with the following settings:
parms.Add(RfcConfigParameters.MessageServerHost, "Servername");
parms.Add(RfcConfigParameters.SystemNumber, "00");
parms.Add(RfcConfigParameters.SystemID, "System Name");
parms.Add(RfcConfigParameters.LogonGroup, "PUBLIC");
parms.Add(RfcConfigParameters.Client, "001");
parms.Add(RfcConfigParameters.SncMode, "1");
parms.Add(RfcConfigParameters.SncMyName, "p:CN=ZZZ, O=YYY, C=DE");
parms.Add(RfcConfigParameters.SncLibraryPath, "C:\\Program Files\\SAP\\FrontEnd\\SecureLogin\\lib\\sapcrypto.dll");
X509Certificate Cert = new X509Certificate();
Cert = X509Certificate.CreateFromCertFile("N:\\ClientCertificate.cer");
byte[] certData = Cert.GetRawCertData();
string X509CertificateString = Convert.ToBase64String(certData);
parms.Add(RfcConfigParameters.Password, X509CertificateString);
When tracing is enabled in the sapcrypto.dll, this is what happens:
[ 1332] Try get Kerberos ticket from SBUS (Kerberos-CN=xxx, O=YYY, C=DE)
[sbusps.dll ][ 1332] { PSEProxy::readApplObject
[sbusps.dll ][ 1332] } 1
[GSS ][ 1332] Cli-40000000: Searching key
[GSS ][ 1332] Type : EncOrSig
[GSS ][ 1332] Name : Not specified
[GSS ][ 1332] Target : CN=xxx, O=YYY, C=DE
[GSS ][ 1332] PeerCAs: Not specified
[sbusps.dll ][ 1332] { PSEProxy::getOwnCertificate
[sbusps.dll ][ 1332] } 0
[GSS ][ 1332] Cli-40000000: Own encryption key found
[GSS ][ 1332] Cli-40000000: Protocol2010: X.509 authentication used because only certificate available
[GSS ][ 1332] Cli-40000000: ClientHello:
[GSS ][ 1332] Supported versions[1]: 1.0
[GSS ][ 1332] MACs for application data[2]: HMAC-SHA256 HMAC-SHA1
[GSS ][ 1332] ciphers for application data[3]: AES256 AES128 RC4
[GSS ][ 1332] Hashes for handshake MACs[2]: SHA256 SHA512
[GSS ][ 1332] Pseudo random functions[2]: PHASH-SHA256 PHASH-SHA512
[GSS ][ 1332] Data encoding modes[2]: DataHeaderV1 NoDataHeader
[GSS ][ 1332] Key exchange modes[1]: cl-rsa
[GSS ][ 1332] Cli-40000000: --> Msg ClientHello create successful
BUT: When I try this on a machine where the Secure Login Client is NOT installed, it does not work and this is what happens:
[GSS ][ 8236] Try get Kerberos ticket from SBUS (Kerberos-CN=xxx, O=YYY, C=DE)
[sbusps.dll ][ 8236] { PSEProxy::readApplObject
[sbusps.dll ][ 8236] } 1
[GSS ][ 8236] Cli-40000000: Searching key
[GSS ][ 8236] Type : EncOrSig
[GSS ][ 8236] Name : CN=ZZZ, O=SYYY, C=DE
[GSS ][ 8236] Target : CN=xxx, O=YYY, C=DE
[GSS ][ 8236] PeerCAs: Not specified
[sbusps.dll ][ 8236] { PSEProxy::getOwnCertificate
[sbusps.dll ][ 8236] } 0
[sbusps.dll ][ 8236] { PSEProxy::getOwnCertificate
[sbusps.dll ][ 8236] } 0
[GSS ][ 8236] Cli-40000000: No own key found
[GSS ][ 8236] Have no certificate and got no kerberos ticket
[GSS ][ 8236] Cli-40000000: --> Msg ClientHello create failed : errval=70000, minor_status=0
Any help is welcome.
Thanks,
Oliver
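
Added example (not part of the post above and not SAP code): a small Python triage script for sapcrypto trace output in the format quoted in the post. It groups lines by thread id and reports, per credential search, the requested own name, the target, whether an own key was found, and how ClientHello creation ended. The function name `summarize` and the sample strings are assumptions of this example; the sample lines are excerpts of the two traces in the post.

```python
import re

# Sample input: excerpts of the two traces quoted in the post above.
SAMPLE_OK = """\
[GSS ][ 1332] Cli-40000000: Searching key
[GSS ][ 1332] Name : Not specified
[GSS ][ 1332] Target : CN=xxx, O=YYY, C=DE
[sbusps.dll ][ 1332] { PSEProxy::getOwnCertificate
[GSS ][ 1332] Cli-40000000: Own encryption key found
[GSS ][ 1332] Cli-40000000: --> Msg ClientHello create successful
"""
SAMPLE_FAIL = """\
[GSS ][ 8236] Cli-40000000: Searching key
[GSS ][ 8236] Name : CN=ZZZ, O=SYYY, C=DE
[GSS ][ 8236] Target : CN=xxx, O=YYY, C=DE
[GSS ][ 8236] Cli-40000000: No own key found
[GSS ][ 8236] Have no certificate and got no kerberos ticket
[GSS ][ 8236] Cli-40000000: --> Msg ClientHello create failed : errval=70000, minor_status=0
"""

# Line shape: "[module ][ tid] message"; some lines carry no module field.
LINE = re.compile(r"^(?:\[(?P<mod>[^\]]*)\])?\[\s*(?P<tid>\d+)\]\s*(?P<msg>.*)$")
FIELD = re.compile(r"^(Name|Target)\s*:\s*(.*)$")
ERR = re.compile(r"ClientHello create failed\s*:\s*errval=(\d+)")

def summarize(trace):
    """Return {thread_id: summary} for each credential search in the trace."""
    out = {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a trace line
        s = out.setdefault(m["tid"], dict.fromkeys(
            ("name", "target", "own_key", "hello", "errval")))
        msg = m["msg"]
        if (f := FIELD.match(msg)):
            s[f[1].lower()] = f[2].strip()      # requested own name / peer
        elif "Own encryption key found" in msg:
            s["own_key"] = True
        elif "No own key found" in msg:
            s["own_key"] = False
        elif "ClientHello create successful" in msg:
            s["hello"] = "ok"
        elif (e := ERR.search(msg)):
            s["hello"], s["errval"] = "failed", int(e[1])
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE_OK), summarize(SAMPLE_FAIL), sep="\n")
```

Run against the two traces, the summaries put the differing fields side by side: the working run searches with Name "Not specified", the failing run searches for an explicit own name and ends with errval=70000.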