Assertion Ticket Lifetime

How can we change the lifetime of an assertion ticket?
The default lifetime is set to 120 seconds.
We need to extend the ticket's lifetime. Where can we define this?
Edited by: Urs Hürlimann on Jun 30, 2008 8:52 AM

trc file: "/var/log/suva/espresso/wlss1/sso_log.txt", trc level: 3, release: "640"
"Thr 14393" Thu Jul  3 11:20:46 2008
"Thr 14393" MySapEvalLogonTicketEx was called.
"Thr 14393" Unconverted Ticket is the following: AjExMDAgAA9wb3J0YWw6RTAwMDA0MDCIAAdkZWZhdWx0EAADV0xTDwADMDAxCAABAQEACEUwMDAwNDAwAgADMDAwAwADUzUwBAAMMjAwODA3MDMwOTE4BwAEAAAAAgoACEUwMDAwNDAw%2FwEFMIIBAQYJKoZIhvcNAQcCoIHzMIHwAgEBMQswCQYFKw4DAhoFADALBgkqhkiG9w0BBwExgdAwgc0CAQEwIjAdMQwwCgYDVQQDEwNTNTAxDTALBgNVBAsTBEoyRUUCAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA4MDcwMzA5MTg1MlowIwYJKoZIhvcNAQkEMRYEFPoQw28O4qu98dOGLjvU6FAdQ81DMAkGByqGSM44BAMELzAtAhQ5z0e6BOwCc9A9nDYayvSqun5PtgIVAIf1F7g1mpGZ1mHWse0c19HAgS3s
."Thr 14393" Initialized variables...
"Thr 14393" Preparing InContext...
"Thr 14393" *** ERROR => SAP Codepage is invalid! Uses UTF8 for output. "ssoxxext_mt. 331"
"Thr 14393" Ticket is the following: AjExMDAgAA9wb3J0YWw6RTAwMDA0MDCIAAdkZWZhdWx0EAADV0xTDwADMDAxCAABAQEACEUwMDAwNDAwAgADMDAwAwADUzUwBAAMMjAwODA3MDMwOTE4BwAEAAAAAgoACEUwMDAwNDAw%2FwEFMIIBAQYJKoZIhvcNAQcCoIHzMIHwAgEBMQswCQYFKw4DAhoFADALBgkqhkiG9w0BBwExgdAwgc0CAQEwIjAdMQwwCgYDVQQDEwNTNTAxDTALBgNVBAsTBEoyRUUCAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA4MDcwMzA5MTg1MlowIwYJKoZIhvcNAQkEMRYEFPoQw28O4qu98dOGLjvU6FAdQ81DMAkGByqGSM44BAMELzAtAhQ5z0e6BOwCc9A9nDYayvSqun5PtgIVAIf1F7g1mpGZ1mHWse0c19HAgS3s
."Thr 14393" Profile is the following: /usr/espresso/config/wlss1/sapcerts/h50a090.pse
."Thr 14393" Password is the following: (NULL)
"Thr 14393" Just before Validation...
"Thr 14393" Dump of InContext "ssoxxapi_mt.c 156"
"Thr 14393" 00000000  34 31 31 30 78 44 04 10  f2 1a 2c e8 78 44 06 68  4110xD..ò.,èxD.h
"Thr 14393" 00000010  00 00 01 ec 00 00 00 00  00 00 00 00              ...ì........   
"Thr 14393" Copies from InContext->Format: PKCS7 "ssoxxapi_mt.c 163"
"Thr 14393" Copies from InContext->pzcsProName: /usr/espresso/config/wlss1/sapcerts/h50a090.pse "ssoxxapi_mt.c 166"
"Thr 14393" DecodeB64Len returns 0. iDecLength=369
"Thr 14393" Dump of Decoded ticket: "ssoxxapi_mt.c 188"
"Thr 14393" 00000000  02 31 31 30 30 20 00 0f  70 6f 72 74 61 6c 3a 45  .1100 ..portal:E
"Thr 14393" 00000010  30 30 30 30 34 30 30 88  00 07 64 65 66 61 75 6c  0000400...defaul
"Thr 14393" 00000020  74 10 00 03 57 4c 53 0f  00 03 30 30 31 08 00 01  t...WLS...001...
"Thr 14393" 00000030  01 01 00 08 45 30 30 30  30 34 30 30 02 00 03 30  ....E0000400...0
"Thr 14393" 00000040  30 30 03 00 03 53 35 30  04 00 0c 32 30 30 38 30  00...S50...20080
"Thr 14393" 00000050  37 30 33 30 39 31 38 07  00 04 00 00 00 02 0a 00  7030918.........
"Thr 14393" 00000060  08 45 30 30 30 30 34 30  30 ff 01 05 30 82 01 01  .E0000400ÿ..0...
"Thr 14393" 00000070  06 09 2a 86 48 86 f7 0d  01 07 02 a0 81 f3 30 81  ..*.H.÷.... .ó0.
"Thr 14393" 00000080  f0 02 01 01 31 0b 30 09  06 05 2b 0e 03 02 1a 05  ð...1.0...+.....
"Thr 14393" 00000090  00 30 0b 06 09 2a 86 48  86 f7 0d 01 07 01 31 81  .0...*.H.÷....1.
"Thr 14393" 000000A0  d0 30 81 cd 02 01 01 30  22 30 1d 31 0c 30 0a 06  Ð0.Í...0"0.1.0..
"Thr 14393" 000000B0  03 55 04 03 13 03 53 35  30 31 0d 30 0b 06 03 55  .U....S501.0...U
"Thr 14393" 000000C0  04 0b 13 04 4a 32 45 45  02 01 00 30 09 06 05 2b  ....J2EE...0...+
"Thr 14393" 000000D0  0e 03 02 1a 05 00 a0 5d  30 18 06 09 2a 86 48 86  ...... "0...*.H.
"Thr 14393" 000000E0  f7 0d 01 09 03 31 0b 06  09 2a 86 48 86 f7 0d 01  ÷....1...*.H.÷..
"Thr 14393" 000000F0  07 01 30 1c 06 09 2a 86  48 86 f7 0d 01 09 05 31  ..0...*.H.÷....1
"Thr 14393" 00000100  0f 17 0d 30 38 30 37 30  33 30 39 31 38 35 32 5a  ...080703091852Z
"Thr 14393" 00000110  30 23 06 09 2a 86 48 86  f7 0d 01 09 04 31 16 04  0#..*.H.÷....1..
"Thr 14393" 00000120  14 fa 10 c3 6f 0e e2 ab  bd f1 d3 86 2e 3b d4 e8  .ú.Ão.⫽ñÓ..;Ôè
"Thr 14393" 00000130  50 1d 43 cd 43 30 09 06  07 2a 86 48 ce 38 04 03  P.CÍC0...*.HÎ8..
"Thr 14393" 00000140  04 2f 30 2d 02 14 39 cf  47 ba 04 ec 02 73 d0 3d  ./0-..9ÏGº.ì.sÐ=
"Thr 14393" 00000150  9c 36 1a ca f4 aa ba 7e  4f b6 02 15 00 87 f5 17  .6.Êôªº~O¶....õ.
"Thr 14393" 00000160  b8 35 9a 91 99 d6 61 d6  b1 ed 1c d7 d1 c0 81 2d  ¸5...ÖaÖ±í.×ÑÀ.-
"Thr 14393" 00000170  ec                                                ì              
"Thr 14393" Read version.
"Thr 14393" Read Codepage.
"Thr 14393" Read InfoUnit (0x20).
"Thr 14393" Read length (15).
"Thr 14393" Read contents.
"Thr 14393" Read InfoUnit (0x88).
"Thr 14393" Read length (7).
"Thr 14393" Read contents.
"Thr 14393" Read InfoUnit (0x10).
"Thr 14393" Read length (3).
"Thr 14393" Read contents.
"Thr 14393" Read InfoUnit (0x0F).
"Thr 14393" Read length (3).
"Thr 14393" Read contents.
"Thr 14393" Read InfoUnit (0x08).
"Thr 14393" Read length (1).
"Thr 14393" Read contents.
"Thr 14393" Read InfoUnit (0x01).
"Thr 14393" Read length (8).
"Thr 14393" Read contents.
"Thr 14393" Read InfoUnit (0x02).
"Thr 14393" Read length (3).
"Thr 14393" Read contents.
"Thr 14393" Read InfoUnit (0x03).
"Thr 14393" Read length (3).
"Thr 14393" Read contents.
"Thr 14393" Read InfoUnit (0x04).
"Thr 14393" Read length (12).
"Thr 14393" Read contents.
"Thr 14393" Read InfoUnit (0x07).
"Thr 14393" Read length (4).
"Thr 14393" Read contents.
"Thr 14393" Read InfoUnit (0x0A).
"Thr 14393" Read length (8).
"Thr 14393" Read contents.
"Thr 14393" Read InfoUnit (0xFF).
"Thr 14393" ParseTicket returns 0. "ssoxxapi_mt.c 200"
"Thr 14393" Bytes processed: 106 "ssoxxapi_mt.c 203"
"Thr 14393" Argument Dump for ticket verification:
"Thr 14393" Content byte stream:
"Thr 14393" 00000000  02 31 31 30 30 20 00 0f  70 6f 72 74 61 6c 3a 45  .1100 ..portal:E
"Thr 14393" 00000010  30 30 30 30 34 30 30 88  00 07 64 65 66 61 75 6c  0000400...defaul
"Thr 14393" 00000020  74 10 00 03 57 4c 53 0f  00 03 30 30 31 08 00 01  t...WLS...001...
"Thr 14393" 00000030  01 01 00 08 45 30 30 30  30 34 30 30 02 00 03 30  ....E0000400...0
"Thr 14393" 00000040  30 30 03 00 03 53 35 30  04 00 0c 32 30 30 38 30  00...S50...20080
"Thr 14393" 00000050  37 30 33 30 39 31 38 07  00 04 00 00 00 02 0a 00  7030918.........
"Thr 14393" 00000060  08 45 30 30 30 30 34 30  30                       .E0000400      
"Thr 14393"
Signature byte stream:
"Thr 14393" Encoded content byte stream:
"Thr 14393" 00000000  30 78 06 09 2a 86 48 86  f7 0d 01 07 01 a0 6b 04  0x..*.H.÷.... k.
"Thr 14393" 00000010  69 02 31 31 30 30 20 00  0f 70 6f 72 74 61 6c 3a  i.1100 ..portal:
"Thr 14393" 00000020  45 30 30 30 30 34 30 30  88 00 07 64 65 66 61 75  E0000400...defau
"Thr 14393" 00000030  6c 74 10 00 03 57 4c 53  0f 00 03 30 30 31 08 00  lt...WLS...001..
"Thr 14393" 00000040  01 01 01 00 08 45 30 30  30 30 34 30 30 02 00 03  .....E0000400...
"Thr 14393" 00000050  30 30 30 03 00 03 53 35  30 04 00 0c 32 30 30 38  000...S50...2008
"Thr 14393" 00000060  30 37 30 33 30 39 31 38  07 00 04 00 00 00 02 0a  07030918........
"Thr 14393" 00000070  00 08 45 30 30 30 30 34  30 30                    ..E0000400     
"Thr 14393" Verify returns 0 "ssoxxsgn_mt.c 189"
"Thr 14393" Certificate is:
"Thr 14393" 00000000  30 82 02 3b 30 82 02 26  02 01 00 30 09 06 07 2a  0..;0..&...0...*
"Thr 14393" 00000010  86 48 ce 38 04 03 30 1d  31 0c 30 0a 06 03 55 04  .HÎ8..0.1.0...U.
"Thr 14393" 00000020  03 13 03 53 35 30 31 0d  30 0b 06 03 55 04 0b 13  ...S501.0...U...
"Thr 14393" 00000030  04 4a 32 45 45 30 1e 17  0d 30 37 30 37 30 32 31  .J2EE0...0707021
"Thr 14393" 00000040  31 34 32 33 34 5a 17 0d  32 37 30 37 30 32 31 31  14234Z..27070211
"Thr 14393" 00000050  34 32 33 34 5a 30 1d 31  0c 30 0a 06 03 55 04 03  4234Z0.1.0...U..
"Thr 14393" 00000060  13 03 53 35 30 31 0d 30  0b 06 03 55 04 0b 13 04  ..S501.0...U....
"Thr 14393" 00000070  4a 32 45 45 30 82 01 b6  30 82 01 2b 06 07 2a 86  J2EE0..¶0..+..*.
"Thr 14393" 00000080  48 ce 38 04 01 30 82 01  1e 02 81 81 00 82 7d d4  HÎ8..0........}Ô
"Thr 14393" 00000090  9c a2 05 69 84 e9 83 71  b1 34 0d 5d 71 83 92 85  .¢.i.é.q±4."q...
"Thr 14393" 000000A0  b2 5a ca a3 82 d7 ac 38  6e 94 40 84 3f 0a 46 7a  ²ZÊ£.׬8n.@.?.Fz
"Thr 14393" 000000B0  a8 75 a8 c1 ca 3b 70 ba  6a 97 07 12 f6 b1 99 ed  ¨u¨ÁÊ;pºj...ö±.í
"Thr 14393" 000000C0  3e ec 53 13 f3 94 0a 67  bb d6 9f 38 72 29 61 ab  >ìS.ó..g»Ö.8r)a«
"Thr 14393" 000000D0  02 3d 17 a1 33 3c 52 23  5d 9f b7 d1 0e 95 e3 a5  .=.¡3<R#".·Ñ..ã¥
"Thr 14393" 000000E0  5e f9 b0 4f c7 c9 20 c5  72 da 7a c3 d5 0f 24 0d  ^ù°OÇÉ ÅrÚzÃÕ.$.
"Thr 14393" 000000F0  bb 8e 54 da 9e bb 70 21  11 c5 35 82 e5 35 85 2e  ».TÚ.»p!.Å5.å5..
"Thr 14393" 00000100  9f 59 39 79 b3 32 50 c8  86 83 96 19 17 02 15 00  .Y9y³2PÈ........
"Thr 14393" 00000110  fa 50 79 da fa 3f 3a b1  e8 0a 6d f5 bd 16 f2 24  úPyÚú?:±è.mõ½.ò$
"Thr 14393" 00000120  d8 f8 d7 1b 02 81 80 4f  bd f5 2e 33 04 f0 51 c1  Øø×....O½õ.3.ðQÁ
"Thr 14393" 00000130  7c a5 5c 93 81 b5 c1 7d  4c 20 50 76 85 34 50 cf  |¥..µÁ}L Pv.4PÏ
"Thr 14393" 00000140  d9 fc 72 b2 e1 b2 b1 6f  a0 10 48 b8 ff 17 e7 a9  Ùür²á²±o .H¸ÿ.ç©
"Thr 14393" 00000150  0a e1 e0 18 05 3e 34 d9  d5 61 df 71 4c c8 dc 92  .áà..>4ÙÕaßqLÈÜ.
"Thr 14393" 00000160  b1 51 b5 df 66 59 70 6b  5e 57 c3 19 a2 d6 58 3b  ±QµßfYpk^WÃ.¢ÖX;
"Thr 14393" 00000170  7d 32 d2 e9 e1 f1 66 3e  aa ac 46 0d cd 4e 67 70  }2Òéáñf>ª¬F.ÍNgp
"Thr 14393" 00000180  36 f7 f9 be 0b 2e 16 a0  5d 69 5d 5b 81 13 a9 03  6÷ù¾... "i""..©.
"Thr 14393" 00000190  cb 38 63 56 1a bd 36 4a  5d 6c 15 66 17 fa 10 a3  Ë8cV.½6J"l.f.ú.£
"Thr 14393" 000001A0  20 99 e1 d2 34 77 13 03  81 84 00 02 81 80 5c a5   .áÒ4w........\u00A5
"Thr 14393" 000001B0  41 c8 31 99 f2 ff a7 20  be 01 2d 80 4b 7e e9 45  AÈ1.òÿ§ ¾.-.K~éE
"Thr 14393" 000001C0  80 72 c9 59 52 28 af 76  57 0b 08 ae ec 75 db 19  .rÉYR(¯vW..®ìuÛ.
"Thr 14393" 000001D0  dc 06 db e8 2a 2e 0b 55  11 09 76 ff a9 ad f3 5c  Ü.Ûè*..U..vÿ©ó
"Thr 14393" 000001E0  f3 c5 bf 23 db 6e fd ea  85 81 78 ad 2a 05 2d 83  óÅ¿#Ûnýê..x*.-.
"Thr 14393" 000001F0  12 91 ff f0 a0 bb 79 c3  0e cb 37 f8 dc 05 31 38  ..ÿð »yÃ.Ë7øÜ.18
"Thr 14393" 00000200  c3 1b 5b 61 64 19 4e b1  60 d2 7e b7 a8 51 d6 6e  Ã."ad.N±`Ò~·¨QÖn
"Thr 14393" 00000210  36 1e fc ce 6a 78 20 c3  e6 54 1f 0d 68 c0 db 61  6.üÎjx ÃæT..hÀÛa
"Thr 14393" 00000220  c5 84 63 15 d4 19 36 94  56 03 2f 2e 3b 89 30 0c  Å.c.Ô.6.V./.;.0.
"Thr 14393" 00000230  06 08 2a 86 48 86 f7 0d  02 05 05 00 03 01 00     ..*.H.÷........
"Thr 14393" ValidateTicket returns 0. "ssoxxapi_mt.c 226"
"Thr 14393" Validation succeeded...
"Thr 14393" Got date 200807030918 from ticket.
"Thr 14393" Cur time = 200807030920.
"Thr 14393" Computing validity in hours.
"Thr 14393" Computing validity in minutes.
"Thr 14393" CurTime_t = 1215163200, CreTime_t = 1215163080
"Thr 14393" validity: 120, difference:    120.000.
"Thr 14393" Evaluating user...
"Thr 14393" Evaluating Client ...
"Thr 14393" Evaluating Sysid ...
"Thr 14393" Evaluating Portal User...
"Thr 14393" Evaluating AuthSchema...
"Thr 14393" Evaluating creation time...
"Thr 14393" Computing validity in minutes.
"Thr 14393" validity: 120, difference:   3720.000.
"Thr 14393" *** ERROR => MySapEvalLogonTicketEx returns 4. "ssoxxext_mt. 665"
"Thr 14393" End of function MySapEvalLogonTicketEx.

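The trace above reads the decoded ticket as a version byte, a four-character codepage and a run of InfoUnits (one-byte ID, two-byte length, contents) that ends at InfoUnit 0xFF, then compares "validity" with "difference" in seconds. The Python below repeats that parse and comparison as an added example; it is not SAP's code and not part of the original post. The InfoUnit names, reading 0x07 as minutes, treating the creation time as UTC, and the sample ticket are assumptions.

```python
import struct
from datetime import datetime, timezone

# InfoUnit IDs that appear in the trace. The names are assumptions inferred
# from the trace's "Evaluating ..." lines, not taken from SAP documentation.
INFO_UNITS = {
    0x01: "user", 0x02: "client", 0x03: "sysid", 0x04: "creation_time",
    0x07: "validity_minutes", 0x08: "flags", 0x0A: "user_utf8",
    0x0F: "recipient_client", 0x10: "recipient_sysid",
    0x20: "portal_user", 0x88: "auth_scheme",
}
SIGNATURE_UNIT = 0xFF


class TicketFormatError(ValueError):
    """Raised when the byte stream does not follow the InfoUnit layout."""


def parse_ticket(raw: bytes) -> dict:
    """Split a base64-decoded ticket into header, InfoUnits and signature."""
    if len(raw) < 5:
        raise TicketFormatError("shorter than version + codepage header")
    ticket = {"version": raw[0], "codepage": raw[1:5].decode("latin-1"),
              "units": {}, "signature": None}
    pos = 5
    while pos < len(raw):
        if pos + 3 > len(raw):
            raise TicketFormatError(f"truncated InfoUnit header at offset {pos}")
        # One-byte ID followed by a big-endian two-byte length.
        unit_id, length = struct.unpack(">BH", raw[pos:pos + 3])
        body = raw[pos + 3:pos + 3 + length]
        if len(body) != length:
            raise TicketFormatError(
                f"InfoUnit 0x{unit_id:02X} claims {length} bytes, {len(body)} left")
        pos += 3 + length
        if unit_id == SIGNATURE_UNIT:
            # Everything before the 0xFF unit is the signed content stream.
            ticket["signed_length"] = pos - 3 - length
            ticket["signature"] = body
            break
        ticket["units"][INFO_UNITS.get(unit_id, f"unknown_0x{unit_id:02X}")] = body
    if ticket["signature"] is None:
        raise TicketFormatError("no signature InfoUnit (0xFF)")
    if pos != len(raw):
        raise TicketFormatError("trailing bytes after the signature InfoUnit")
    return ticket


def check_lifetime(ticket: dict, now: datetime) -> tuple:
    """Return (validity_s, difference_s, accepted) as the trace reports them.

    Assumption: the ticket is accepted while difference <= validity.
    """
    units = ticket["units"]
    try:
        created = datetime.strptime(
            units["creation_time"].decode("ascii"), "%Y%m%d%H%M"
        ).replace(tzinfo=timezone.utc)  # assumption: creation time is UTC
        (minutes,) = struct.unpack(">I", units["validity_minutes"])
    except (KeyError, ValueError, struct.error) as exc:
        raise TicketFormatError(f"cannot read lifetime fields: {exc}") from exc
    validity = minutes * 60
    difference = (now - created).total_seconds()
    return validity, difference, difference <= validity


def _unit(unit_id: int, body: bytes) -> bytes:
    """Encode one InfoUnit (helper for building the constructed sample)."""
    return struct.pack(">BH", unit_id, len(body)) + body


# Constructed sample ticket (not from the post): two-minute validity and a
# 16-byte placeholder where a real ticket carries its PKCS#7 signature.
SAMPLE_TICKET = (
    b"\x02" + b"1100"
    + _unit(0x20, b"portal:DEMOUSER")
    + _unit(0x88, b"default")
    + _unit(0x01, b"DEMOUSER")
    + _unit(0x02, b"000")
    + _unit(0x03, b"ABC")
    + _unit(0x04, b"202401150918")
    + _unit(0x07, struct.pack(">I", 2))
    + _unit(SIGNATURE_UNIT, b"\x00" * 16)
)

if __name__ == "__main__":
    parsed = parse_ticket(SAMPLE_TICKET)
    for name, value in parsed["units"].items():
        print(f"{name:18} {value!r}")
    # Two evaluation times: 2 minutes and 62 minutes after creation.
    for stamp in ("202401150920", "202401151020"):
        now = datetime.strptime(stamp, "%Y%m%d%H%M").replace(tzinfo=timezone.utc)
        print(stamp, check_lifetime(parsed, now))
```

The parser does not verify the signature; it only shows which fields the lifetime comparison reads.
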
Similar Messages

  • Invalid ticket lifetime in default trace

    Hi,
    I keep getting the following invalid lifetime error messages. What can I do to get rid of the messages?
    Br,
    Johan
    #2.0 #2011 01 26 10:37:14:441#+0100#Error#com.sap.engine.services.security.authentication.loginmodule.ticket#
    #BC-JAS-SEC#security#1CC1DE05B10C02660000000000001890#6538650000000004#sap.com/me~ear#com.sap.engine.services.security.authentication.loginmodule.ticket#Guest#0##DB806784292F11E0B15700000063C59A#c2379401292f11e08c4400000063c59a#c2379401292f11e08c4400000063c59a#0#Thread[HTTP Worker [@1590167589],5,Dedicated_Application_Thread]#Plain##
    Parsing UME property: Invalid ticket lifetime in hours: ''. '8' hours will be used.
    [EXCEPTION]
    java.lang.NumberFormatException: For input string: ""
         at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
         at java.lang.Integer.parseInt(Integer.java:468)
         at java.lang.Integer.parseInt(Integer.java:497)
         at com.sap.security.core.server.jaas.UMEAdapter.<init>(UMEAdapter.java:160)
         at com.sap.security.core.server.jaas.UMEAdapter.<init>(UMEAdapter.java:76)
         at com.sap.security.core.server.jaas.EvaluateTicketLoginModule.initialize(EvaluateTicketLoginModule.java:179)
         at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.initialize(LoginModuleLoggingWrapperImpl.java:170)
         at com.sap.engine.services.security.login.LoginContextFactory.initializeLoginContext(LoginContextFactory.java:196)
         at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:208)
         at com.sap.engine.services.servlets_jsp.server.servlet.AuthenticationFilter.doFilter(AuthenticationFilter.java:109)
         at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:73)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:461)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:298)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:397)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.servlets_jsp.filters.DSRWebContainerFilter.process(DSRWebContainerFilter.java:48)
         at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
         at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:83)
         at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
         at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:243)
         at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
         at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:78)
         at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
         at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
         at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
         at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
         at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
         at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
         at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
         at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
         at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
         at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
         at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
         at com.sap.engine.services.httpserver.filters.MemoryStatisticFilter.process(MemoryStatisticFilter.java:43)
         at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
         at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
         at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:42)
         at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
         at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
         at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:428)
         at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:247)
         at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:45)
         at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
         at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
         at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:327)

    Hi Johan,
    property 'login.ticket_lifetime' may have been destroyed somehow. You may try to set it back to 8 hours (default) manually and avoid exceptions.
    To check the property and reset it to default if necessary, go to configtool, switch to the Configuration Editor mode, then go to cluster_config -> system ->
    custom_global -> cfg -> services -> com.sap.security.core.ume.service, switch to Edit mode, open Propertysheet properties and find the property 'login.ticket_lifetime'.
    Check if 'custom' checkbox is checked, also check custom value and if empty, set it to default (8). Save your changes, restart will be required.
    Regards,
    Anton
    Edited by: Anton Shabinskyi on Jan 26, 2011 1:22 PM

  • Principal Propagation / SAP Assertion Ticket

    Hi Experts,
    I'm planning a synchronous scenario
    3rd party (SOAP) -> PI -> SAP ECC (RFC)
    PI is on 7.1, ECC on 7.00
    I would like to run Principal Propagation. At the moment I'm struggling with the Assertion Ticket to be issued by the SOAP sender. From SAP Help: Princ Prop / Configuring the Sender (http://help.sap.com/saphelp_nw04/helpdata/EN/45/3418a0eabe072fe10000000a155369/content.htm): "The SOAP client itself must be able to issue SAP assertion tickets."
    - Does that mean: if the sender is a non SAP system Principal Propagation cannot be implemented?
    - Or is there a way to issue the SAP assertion ticket from 3rd party SOAP sender?
    - If yes, how does that work?
    I found two interesting threads:
    Principal Propagation SOAP - XI - RFC Scenario:
    I do not understand Swarup's answer 100%. He wrote: "Here you need not have to do anything on SOAP sender side to create the assertion ticket. The assertion ticket is required on SAP side which will act as Web AS ABAP Server"
    Can anybody illuminate that? Is he right?
    Issuing SAP assertion Tickets: The last post of Anthony stayed unanswered, unfortunately. "How does the sender system do that? Is it something embedded in the header of the SOAP message? This really is unclear to me"
    Thanks for your help,
    Udo

    Hi Udo,
    > - Does that mean: if the sender is a non SAP system Principal Propagation cannot be implemented?
    Principal propagation supports XI, SOAP and RFC adapters.
    http://help.sap.com/saphelp_nw04/helpdata/en/45/0f16bef65c7249e10000000a155369/frameset.htm
    Before using principal propagation you have to activate the configuration, but you can only activate the configuration if you have kernel patch 149 installed.
    Regards
    Ramesh

  • SAP Logon Ticket VS SAP Assertion Ticket?

    SAP Logon Ticket VS SAP Assertion Ticket in SAP Enterprise Portal?
    I want SAP Logon Ticket VS SAP Assertion Ticket.
    When to use SAP Logon Ticket?
    When to use SAP Assertion Ticket?
    SAP Logon Ticket advantage / disadvantage?
    SAP Assertion Ticket advantage / disadvantage?

    Hi James,
    Please go through the link for Integration in Single Sign-On Environments.
    http://help.sap.com/saphelp_nw04s/helpdata/en/96/a75742b6081053e10000000a155106/frameset.htm
    Thanks n Regards
    Santosh
    Reward if helpful !!!

  • Read Userid from SAML Assertion Ticket

    Hi,
    I have following queries:
    1)  I need to read the userid from the SAML assertion ticket. If so, please share the process/code.
    2)  Can I send authorization data as part of the SAML assertion ticket? If so, please share the process.
    Thanks,
    Mano.

    Hi Mano,
    I am not sure what you mean by User id as output. But I know you can configure an SAP server as a service provider which can initiate an authentication to an Identity provider.
    Here is the documentation. Hopefully this helps.
    Using SAML2.0 in SAP for ABAP #
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/46/631b92250b4fc1855686b4ce0f2f33/content.htm
    Using SAML2.0 in SAP for Java #
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm?frameset=/en/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
    SAP As a Service provider for ABAP #
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/4a/b6df333fec6d83e10000000a42189c/content.htm
    Including Legacy System in your SAML2.0 Landscape #
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/4a/b4f01285376d61e10000000a42189c/content.htm?frameset=/en/4a/b6df333fec6d83e10000000a42189c/frameset.htm
    Dhee

  • Creating destinations in CAF using SSO Logon Ticket/Assertion Ticket

    Hi Experts,
    Am using ECC 6.0 & CE 7.1 EP06
    I have a Composite Application(CAF, using Java) which consumes BAPIs and Enterprise Service.
    For connecting the CAF(Java) layer to communicate with ECC I need to perform mapping between the destinations of the BAPI(RFC destination) and the Web Service destination.
    We have created the Logon Ticket and it is working fine; we can say so because there is a SAP Transaction iView and it is running fine. The only problem occurs for RFC and destinations of type 'wsdl' (created for Enterprise Service).
    For authentication, in the case of
    RFC destination if I use Logon ticket I get the error " Error while creating assertion ticket on demand. No logged in user found."
    but when I used the assertion ticket it works fine.
    But for the Web Service Destination, when I try using the Logon Ticket I get the error
    " Error while creating assertion ticket on demand. No logged in user found. "
    and when using the Assertion Ticket I get this error
    " Properties not set:
    NS: http://www.sap.com/webas/630/soap/features/transportguarantee/ Name: IncludeTimestamp "
    Please help me in this issue. Any information is appreciated.
    Thanks
    --- Brian

    Do not cross post in the different forums.

  • Consume WebService with Assertion Ticket in CE 7.2

    Hi masters
    I am using NetWeaver CE 7.2 and the problem is that I can only consume web services with User ID/Password (Basic), but I need to do that with something like an Assertion Ticket (like RFC connections).
    Could anybody tell me how to configure a WS connection with an assertion ticket?

    I solved by myself

  • Authentication Ticket Type setting in BI Portal

    In the BI Portal's System definition for the backend BI ABAP system, is there any harm in using the SAP Logon Ticket as the "Authentication Ticket Type" instead of SAP Assertion ticket?
    I have a federated portal configuration where the BI Portal is a producer.  I configured the consumer portal's UME to use LDAP as the user store and the ABAP user mappings are defined in the consumer portal only.  The BI producer portal is also set up to use the LDAP as the user store and is also configured to use SPNEGO -- the reason for this is so that the user doesn't have to log in when he's accessing the BI reports through bookmarks in the browser favorites.  The BI Portal doesn't have any user mapping to the backend ABAP system.  It relies on the consumer portal's MYSAPSSO2 ticket's user mapping.  In this configuration, I can run BI Bex reports iviews from the consumer portal through federated portal delta links to the BI producer portal.  This only works however if on the BI Portal I set the "Authentication Ticket Type" setting to SAP Logon Ticket.  The Bex reports stop working if I set the "Authentication Ticket Type" to SAP Assertion ticket.   The SAP Assertion ticket does work however if I set up user mapping on the BI producer portal -- I really want to avoid setting up user mapping in both the consumer and producer portals.
    Thanks in advance.
    Mel Calucin
    SAP Portal Architect
    Bentley Systems, Inc.

    Mel, I am not 100% sure, but I think the federated portal requires both consumer and producer to use the same data source.
    Whoops! Misread your message. As to your question, I do not know why you could not use logon tickets.
    -Michael
    Edited by: Michael Shea on Dec 1, 2008 11:53 AM

  • Web service Logon ticket

    Hi,
    Is there a way to generate a logon ticket in an EJB?
    I face the following problem: on server A(SAP ABAP) there is a web service, which I consume on server B(SAP Java AS) and create a REST, which is called from an UI5 application on server C(SAP Gateway).
    When I call the consumed service from server B via WSNavigator or EJB explorer it's working. BUT when the service is called by the REST it's throwing the following exception:
    Error while creating assertion ticket on demand. No logged in user found.
    Assertion ticket could not be retrieved. Error was No logged in user found.. [EXCEPTION] java.lang.IllegalStateException: No logged in user found. at com.sap.security.core.server.jaas.SAPLogonTicketHelper.createAssertionTicket(SAPLogonTicketHelper.java:496) at com.sap.security.core.server.jaas.AssertionTicketFactoryImpl.createAssertionTicket(AssertionTicketFactoryImpl.java:67) at com.sap.engine.services.wssec.srt.protocols.GetAssertionTicketPrivAction.run(GetAssertionTicketPrivAction.java:36) at com.sap.engine.services.wssec.srt.protocols.GetAssertionTicketPrivAction.run(GetAssertionTicketPrivAction.java:20) at java.security.AccessController.doPrivileged(Native Method)...
    I think it is working from WSNavigator/EJBExplorer because there I'm logged in and Logon Ticket is generated and sent to server A, but because server C communicates with server B via REST (jsonp ajax call), there is no generated Logon Ticket on server B.
    Is there a way to generate a Logon ticket or set credentials to the web service? I tried the following but it's not working:
    import java.util.*;
    import javax.xml.ws.BindingProvider;
    import javax.xml.ws.handler.MessageContext;
    // Request context of the generated JAX-WS port
    ZCUUTLI0016BPMTYPEDOWNL test = downloadService.getZCUUTLI0016_BPM_TYPE_DOWNL();
    Map<String, Object> req_ctx = ((BindingProvider) test).getRequestContext();
    // Extra HTTP headers to send with the request
    Map<String, List<String>> headers = new HashMap<String, List<String>>();
    headers.put("Username", Collections.singletonList("user"));
    headers.put("Password", Collections.singletonList("password"));
    req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);
    Note: Other possible solutions are also welcome.
    Thanks,
    Ivan

    hi ivan,
    for your scenario - does the abap backend call require a real user or is a technical user sufficient? if only a technical user is required you can define one in the single service administration/ application communication configuration of your portal System.
    in order to use the logon ticket of your ajax call i think you need to configure/setup the correct sso - environment. checkout this link
    http://help.sap.com/saphelp_nw74/helpdata/en/7a/9ad1882c244de0a3a99c1e46095ab3/content.htm?frameset=/en/c4/81215150e92414e10000000a44176d/frameset.htm&current_toc=/en/ad/612bb3102e4f54a3019697fef65e5e/plain.htm&node_id=87
    regards,
    christian

  • Error Running the Transaction iview using SSO logon ticket

    Hi, I am getting the following error in the log file when I am running the Transaction iview using SAP Logon ticket.
    #1.5 #005056A33F2000840000000500000600000456BC1060683F#1221265635404#com.sap.security.core.umap.imp.UserMappingDataImp#sap.com/irj#com.sap.security.core.umap.imp.UserMappingDataImp.getAuthenticationTicket()#Guest#0##n/a##28a92320812111ddb972005056a33f20#Thread[UWL Pooled Thread:2,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Usermanagement#Java###The attribute "" of the backend system with alias "" has the invalid value "".
    Cannot generate an SAP authentication assertion ticket for user and the specified backend system.
    Please adjust the value of the system attribute. Supported values are "" and "".#6#AuthenticationTicketType#"KPMGVM005_ALIAS"##"Stokkeland, Pauline" (unique ID: "USER.PRIVATE_DATASOURCE.un:P00024384")#SAP Logon Ticket#SAP Assertion Ticket#
    I have imported the .der file of the portal into the SAP ECC system using STRUSTSSO2.
    Created the profile parameters using the rz10 transaction.
    login/create_sso2_ticket
    login/accept_sso2_ticket
    restarted the ECC system.
    Created the system object using the following parameters
    WAS
    Connector
    Usermanagement
    Under usermanagement
    Authentication Ticket Type - SAP Logon TicketSAP 
    Logon Method -SAPLOGONTICKET 
    User Mapping Fields  :<not selected>
    User Mapping Type    :<not selected>
    When I test the system object under connection test, it shows the following error.
    Test Details:
    The test consists of the following steps:
    1. Retrieve the default alias of the system
    2. Check the connection to the backend application using the connector defined in this system object
      Results
    Retrieval of default alias successful
    Connection failed. Make sure that Single Sign-On is configured correctly
    But WAS, ITS, Connector are successful, yet the above message is showing.
    What could be the problem?
    When I run one transaction iview with this system it shows the following error.
    com.sap.portal.appintegrator.sap.Transaction::Transaction/WebGuiSSOITS640Layer
    Parameter Dump
    $DebugAction  
    $TimeStamp  1221268987126
    ALLOW_BROWSER  Yes
    Alias  
    ApplicationParameter  
    ApplicationVariants  GuiType
    AuthScheme  default
    Authentication  ******
    AutoStart  false
    CachingLevel  
    ClassName  com.sapportals.portal.appintegrator.layer.SingleSignOnLayer
    ClientWindowID  
    CodeLink  com.sap.portal.appintegrator.sap.Transaction
    CommandField  YTIME
    CurrentWindowId  WID1221260007272
    CustomerExit.ParameterProvider  
    DR.TargetIDPropertyName  TCode
    DebugMode  false
    DynamicParameter  
    DynproFields  
    ExecutionLocation  KPMGVM005_ALIAS
    ExportParameters  Authentication, LogonUser, RequestMethod
    FederationAlias  
    ForcedRequestLanguage  
    ForwardParameters  
    ForwardParameters.Always  sap-config-mode
    ForwardParameters.Excluded  
    ForwardParameters.Forbidden  ClientWindowID, Command, DebugSet, DynamicParameter, Embedded, InitialNodeFirstLevel, SerAttrKeyString, SerKeyString, SerPropString, SessionKeysAvailable, iview_id, iview_mode, windowId, sap-pp-producerid, sap-pp-consumerBaseURL, sap-pp-returnToConsumer, login_submit, j_user, j_password, j_authscheme, uidPasswordLogon, MappedUser, MappedPassword
    GUSID  
    GuiType  WebGui
    GuiType.default  WebGui
    ITSVersion  640
    JREPluginDownloadLocation  
    JREPluginMimeType  application/x-java-applet;version=1.4.1_02
    JavaGuiCodeBase  
    JavaGuiTraceFile  
    JavaGuiTraceKey  
    LAF  
    LoadingCacheKey  <Portal.Version><LAF.Theme>
    LogonMethod  SAPLOGONTICKET
    MandatoryParameters  System
    NavMode  1
    NavigationTarget  navurl://21635c17e11df05c58e1c07deaf5bed1
    NextLayer  Transaction/WebGuiESIDLayer
    OkCode  
    OkCodeField  
    OptionalParameters  
    ParameterTemplate  <ApplicationParameter[PROCESS_RECURSIVE]>;<ForwardParameters[QUERYSTRING]>;<DynamicParameter[PROCESS_RECURSIVE]>;
    Portal  
    ProducerLocation  Remote
    REFRESH_CONTENT  -1
    ReuseWinguiConnection  false
    RoundtripURL  
    SSO2Template  
    SessionManagementVersion  
    SupportedUserAgents  (MSIE, >=5.5, *) (Netscape, *, ) (Mozilla,,*)
    SupportsUnicodeCodePages  false
    System  KPMGVM005_ALIAS
    System.type  lookup:com.sapportals.portal.appintegrator.lookup.SystemLookup
    TCode  YTIME
    Technique  Standard
    TopLayer  Transaction/DragAndRelateLayer
    Transactions_Require_SSF  RRMX,RRMXP
    URL  
    UnsupportedUserAgents  
    UseFrog  true
    UseSPO1  false
    UserMappingTemplate  sap-user=<MappedUser>&sap-password=<MappedPassword>
    ValidityPeriod  -1
    Wizard.ApplicationVariantPane.Description  
    Wizard.ApplicationVariantPane.Title  
    Wizard.MandatoryParameters  System, TCode, GuiType
    Wizard.OptionalParameters  ApplicationParameter, UseFrog, Technique
    Wizard.ParameterPane.Description  
    Wizard.ParameterPane.Title  
    X509Template  
    com.sap.application_integration.ConfigurationServiceID  Transaction_Configuration
    com.sap.portal.ComponentType  com.sapportals.portal.iview
    com.sap.portal.activityreport.MonitorHits  true
    com.sap.portal.admin.propertyeditor.categoryName  
    com.sap.portal.iview.AccessibilitySupport  
    com.sap.portal.iview.Availability  VISIBLE
    com.sap.portal.iview.DisableChildrenDYN  
    com.sap.portal.iview.DisableChildrenRL  
    com.sap.portal.iview.DisableChildrenTC  
    com.sap.portal.iview.DragAndRelate  false
    com.sap.portal.iview.ExpansionMode  Open
    com.sap.portal.iview.HasContentPadding  true
    com.sap.portal.iview.Height  80
    com.sap.portal.iview.HeightScale  PIXELS
    com.sap.portal.iview.HeightType  FIXED
    com.sap.portal.iview.HelpURL  
    com.sap.portal.iview.IsTemplate  false
    com.sap.portal.iview.MainObject  
    com.sap.portal.iview.MaxAutoHeight  1000
    com.sap.portal.iview.MinAutoHeight  0
    com.sap.portal.iview.SMiViewURL  com.sap.portal.epsolman.EPSolman
    com.sap.portal.iview.ShowDetails  true
    com.sap.portal.iview.ShowExpand  true
    com.sap.portal.iview.ShowHelp  false
    com.sap.portal.iview.ShowMinimize  true
    com.sap.portal.iview.ShowPersonalize  true
    com.sap.portal.iview.ShowRefresh  false
    com.sap.portal.iview.ShowRemove  true
    com.sap.portal.iview.ShowSMiView  false
    com.sap.portal.iview.ShowTitle  true
    com.sap.portal.iview.ShowTray  true
    com.sap.portal.iview.TitleURL  
    com.sap.portal.iview.TrayType  PLAIN
    com.sap.portal.iview.Width  400
    com.sap.portal.iview.WidthScale  PIXELS
    com.sap.portal.iview.WidthType  FIXED
    com.sap.portal.iview.family  
    com.sap.portal.navigation.DragRelate  0
    com.sap.portal.navigation.ExtWindowHeight  710
    com.sap.portal.navigation.ExtWindowWidth  1014
    com.sap.portal.navigation.Invisible  false
    com.sap.portal.navigation.JScript  
    com.sap.portal.navigation.MergeId  
    com.sap.portal.navigation.MergePriority  100.0
    com.sap.portal.navigation.Mergible  true
    com.sap.portal.navigation.NavigationHierarchyMetadata  Cacheable
    com.sap.portal.navigation.Priority  100.0
    com.sap.portal.navigation.QuickLink  
    com.sap.portal.navigation.ShowAddToFavorites  true
    com.sap.portal.navigation.ShowType  1
    com.sap.portal.navigation.WindowName  
    com.sap.portal.navigation.view  
    com.sap.portal.pcd.gl.Collection  IP_PTL_INITIAL_CONTENT
    com.sap.portal.pcd.gl.CreatedAt  Sat Sep 22 11:32:17 EDT 2007
    com.sap.portal.pcd.gl.CreatedBy  Administrator
    com.sap.portal.pcd.gl.DeltaLinkState  -1
    com.sap.portal.pcd.gl.Domain  EP
    com.sap.portal.pcd.gl.LastChangedAt  Fri Sep 12 19:24:19 EDT 2008
    com.sap.portal.pcd.gl.LastChangedBy  ksingh
    com.sap.portal.pcd.gl.ObjectClass  com.sapportals.portal.iview
    com.sap.portal.pcd.gl.OriginalCountry  
    com.sap.portal.pcd.gl.OriginalLanguage  en
    com.sap.portal.pcd.gl.Responsible  Administrator
    com.sap.portal.pcd.gl.TransportDependencies  pcd:com.sap.portal.system/archives/com.sap.portal.appintegrator.sap.par
    com.sap.portal.pcd.role.EntryPoint  false
    com.sap.portal.pcm.Description  VRB_com.sap.portal.pcm.Description
    com.sap.portal.pcm.Title  myTime
    com.sap.portal.pcm.admin.Capabilities  com.sap.portal.capability.delete,com.sap.portal.capability.link,com.sap.portal.capability.copy,com.sap.portal.capability.edit,com.sap.portal.capability.cut,com.sap.portal.capability.transportable,com.sap.portal.capability.launch,com.sap.portal.capability.editpermissions
    com.sap.portal.pcm.admin.UseDefaultCapabilities  true
    com.sap.portal.private.iview.PropertiesUrl  pcd:com.sap.portal.system/applications/com.sap.portal.appintegrator.sap/components/Transaction
    com.sap.portal.reserved.iview.ButtonsURL  
    com.sap.portal.reserved.iview.EditorURL  pcd:portal_content/com.sap.pct/admin.templates/iviews/editors/com.sap.portal.pcmEditor
    com.sap.portal.reserved.iview.IconName  
    com.sap.portal.reserved.iview.IsolationMode  URL
    com.sap.portal.reserved.iview.NavPanelStatus  Automatic
    com.sap.portal.reserved.iview.ParamList  *
    com.sap.portal.reserved.iview.WizardURL  com.sap.portal.appintegrator.iViewWizard
    com.sap.portal.workDistributionTopic  
    com.sapportals.portal.navigation.FolderEntry  false
    com.sapportals.portal.navigation.Pictogram  
    com.sapportals.portal.navigation.WinFeatures  resizable=yes,toolbar=no,menubar=no
    propertyIdMapping  
    com.sap.portal.appintegrator.sap.Transaction::Transaction/WebGuiSSOITS640Layer
    MandatoryParameters
    System   SAP_LocalSystem KPMGSBBW_alis KPMGVM005_ALIAS SAP_BW SAP_CRM SAP_ECC SAP_RPM SAP_WEBDYNPRO_CRM_ALIAS TestECC_Alias Test_CRM_Alias WebEx XBICLNT100 XCRCLNT100 XECCLNT100 
    Is it required to add the ECC certificate to the Portal system?
    We have created the same user ID in both systems.
    Please let me know what could be the error.
    Regards

    Vijay,
    Please follow these steps and let me know what you observe.
    Go to System Administration -> Support -> SAP Application; under Test and Configuration Tools choose SAP Transaction.
    Under the mandatory fields, choose the system that you have created, choose a tcode (se16), choose SAP GUI for Windows and click Go.
    If you are able to log on to your ECC system, your SSO works!
    P.S Make sure the user name with which you are testing this, exists in the backend as well.
    Good luck
    Cheers,
    Sandeep Tudumu

  • Deleting Logon Ticket

    Hi all,
    I am using EP6 here and ECC5. I am using SSO with logon tickets.
    My logon ticket has expired, so I have to make a new one in Visual Administrator.
    But it is not letting me delete it or even rename it.
    It gives an error message. I can't copy the error message that comes up, and I can't find the same error in any file. Maybe I missed some file. Tell me where I can find that error so that I can paste the error message here.
    Please tell me how to delete the logon ticket.
    Thanks
    Tajinder

    Hi Tajinder,
    Configuring the J2EE Engine to Accept Logon Tickets
    Use
    The J2EE Engine uses EvaluateTicketLoginModule to accept logon tickets for SSO. After receiving the logon ticket from the user’s Web browser, the J2EE Engine verifies the ticket signature based on the established trust relationship with the issuing system. Based on the ticket validity, the J2EE Engine authenticates the user.
    For the case when you use authentication assertion tickets for SSO between the AS ABAP and the J2EE Engine, the corresponding module is EvaluateAssertionTicketLoginModule.
    Prerequisites
    To check the validity of a user’s logon ticket, the J2EE Engine must be able to verify the issuing server’s digital signature.
    ● If the J2EE Engine is both the ticket-issuing server as well as the accepting server, then it can automatically verify its own digital signature.
    ● If the ticket-issuing server is a different one, then this server’s public-key certificate must be available in the keystore view that the J2EE Engine uses for verifying logon tickets.
    Procedure
    The Trusted Systems → SSO Wizard configuration functions of the SAP NetWeaver Administrator enable you to use wizard-based management of trust relationships for SSO with logon and assertion tickets. The configuration changes made with the wizard have a global effect for ticket-based SSO to the J2EE Engine.
    1. Open the SSO Wizard.
    Note the following:
    ○ If the ticket-accepting system is SAP NetWeaver 7.0 SP14 or higher, you can access the SSO Wizard by following the path System Management → Configuration → Trusted Systems.
    ○ If the ticket-accepting system is SAP NetWeaver 7.0 SP 13 or lower, first you must deploy the SSO Wizard. More information: SAP note 1083421.
    The system which you configure is displayed in the Selected Accepting System section.
    There are two ways to add a trusted system:
    ○ By connecting to the system and requesting its certificate.
    If the ticket-issuing system is SAP NetWeaver 2004 SP20 or lower, or SAP NetWeaver 7.0 SP13 or lower, you must configure it so it can send a response to the certificate request. More information: SAP note 1083421.
    ○ By manually uploading the certificate of the system.
    Adding a Trusted System by Connecting to It
        a. In the Trusted Systems section, choose Add Trusted System → By Querying Trusted System.
        b. The System Landscape Directory (SLD) opens automatically and lets you select the system you want to add. Select the system and choose OK. The connection details for the selected system are displayed automatically.
    If you cannot find the system you want to add, choose Cancel and provide the connection details:
            i. Select the type of the system from the System Type dropdown list.
            ii. Enter the necessary connection details.
    If you want to add an AS ABAP system, the field System Number appears. You can get the system number of an ABAP system by its license key which you received from SAP.
        c. Enter your user name and password in the provided fields and choose Next.
        d. The details about the selected system’s certificate appear. To add the system, choose Finish. If you want to make changes, choose Back.
    Adding a Trusted System by Manually Uploading its Certificate
    Before you start the following procedure, you must export the trusted system’s certificate. More information: Exporting the Ticket-Issuing Server's Public-key Certificate.
        a. In the Trusted Systems section choose Add Trusted System → By Uploading Certificate Manually.
        b. Enter the System ID and Client in the provided fields.
        c. Browse to the location of the system’s certificate. Select the certificate and choose Open.
        d. Choose Next. The information about the system and the certificate is displayed. To add the system as trusted, choose Finish. If you want to make changes, choose Back.
    2. Add the login module EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) to the login module stacks for the J2EE Engine policy configurations of the application components that accept login tickets for SSO. To do this, use the Security Provider Service of the Visual Administrator.
        a. In the Security Provider Service choose Runtime → Policy Configurations → Authentication tab.
        b. Select the policy configuration for the application component to accept logon tickets from the Components list.
        c. Choose the Switch to edit mode button.
        d. Choose Add New. The list of available login modules for the component appears.
        e. Choose the EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) from the list and choose OK.
    If you change the options of a login module in the user store, the changes will be inherited by all policy configurations that use this login module.
    If you change the options of a login module in a single policy configuration, the change applies only to that policy configuration. In this case the login module will no longer inherit its options from the user store. To restore the inheritance change the options in the policy configuration or in the user store so that they are identical.
    Result
    After you complete the wizard, the ticket-issuing system is shown in the Trusted Systems list. The J2EE Engine accepts logon tickets that have been issued by the corresponding server.
    If you have doubts, please go through the following URLs:
    help.sap.com/saphelp_nw04/helpdata/en/71/c3d53a60ad204ce10000000a114084/content.htm
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/69d95112-0d01-0010-8297-fa31feea26e0
    Thanks, Karthikeya
    Don't forget to reward me if it helps you.

  • THE LOGON TICKETS COOKIES do not seem right

    Hi:
    When I check the logon ticket cookies, they expire at 'end of session', but I have set the SessionExpirationPeriod; it should expire at a precise time, not depend on the session! Is there something I should configure?
    Thanks! Waiting for your help!

    Hi,
    The SessionExpirationPeriod determines the time to live for a session in server memory. Normally, session data is removed from memory when a user clicks the logoff button, but quite often users do not use this button and automatic cleanup is needed to reduce unnecessary memory usage.
    You want to set the login.ticket_lifetime property:
    http://help.sap.com/saphelp_nw04s/helpdata/en/5e/473d4124b08739e10000000a1550b0/frameset.htm
    If I recall correctly, this will not change the cookie expiration but the validity of the ticket (lifetime is encoded in the ticket data itself), which is what I think you really want...
    With kind regards,
    Thijs Janssen
    Edited by: T. Janssen on Jul 10, 2009 3:05 PM

  • SSO is not working - User is missing credentials for connecting to alias

    Dear Experts,
    I am facing a strange problem in SSO with reference system user mapping.  I have configured reference system user mapping for accessing R/3 for ESS/MSS and transactional iviews along with UWL.  The SSO was configured 2 months ago and was working fine till yesterday.
    Since this Monday, (2 days), the system connection tests are failing on connector.  But, ESS/MSS & Transaction iviews with SAP Logon tickets are working fine. But, while trying to access UWL tasks, SSO is failing. Following is the error message -
    "Exception occured Exception type:com.sap.netweaver.bc.uwl.connect.ConnectorException Message:Tue Aug 11 09:46:58 CEST 2009
    (Connector) :com.sap.portal.connectivity.destinations.PortalDestinationsServiceException:User is missing credentials for connecting to alias <Aliassystem>. Contact your system administrator. "
    I created a destination for the respective backend in Visual Admin > node > services > Destinations 2 weeks ago, as some tasks are not visible in UWL as per Note 1133821. It was working fine till yesterday. While testing from Destinations, for Connected User (SAP Logon Ticket / Assertion Ticket), I am getting the error message -
    Error During ping operation:Ticket contain no/an  emplty ABAP user id(refer note 1159962). The destination is successfully connected with configured user.
    But from the Tracecollector logs, I can see that the mapped user is set in the SAP Logon ticket and the user <ABCD> exists in the target ECC system. Moreover, the SSO with reference system user mapping is working fine for ESS/MSS and transaction-based iViews. It is failing only for UWL tasks and also in system connection tests for connector. ITS was failing since the beginning. WAS is successful even now.
    Trace file info -
    Mapped user [ABCD] set in SAP Logon Ticket. The authenticated user is [<portaluserid>]. Authentication stack: [ticket]..
    The created ticket is:
    [Ticket [initialized]
      Ticket Version  = 0
      Ticket Codepage =  (Encoding=1100)
      User = <ABCD>
      Issuing System ID    = EPD
      Issuing System Client = 000
      Creation Time = 200908110746
      Valid Time    = 8 h 0 min
      Signature (length=261 bytes)
    I checked tcode SSO2 in ECC system and it is ready for accepting the logon tickets.  The strange thing is single sign on is working for ESS/Transactional iviews and not for UWL. Second thing is UWL was working fine till yesterday morning and stopped working now with SSO problems.
    Can you please advise where to look for fixing the SSO - missing user details for UWL destination?
    regards,
    Isvarya
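The ticket trace in the post above carries its own creation time and validity period, which is the point of the earlier answer about login.ticket_lifetime: validity lives in the ticket data, not in the browser cookie's expiry. The following Python is an added example, not part of any post and not SAP's validation logic; it parses a trace in that layout and reports when the ticket stops being valid. The sample trace is constructed from the layout quoted above, the function names and the skew parameter are hypothetical, and reading Creation Time as UTC is an assumption based on the post's 0746 creation time against the 09:46:58 CEST error timestamp.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the trace layout quoted in the post above.
SAMPLE_TRACE = """\
    [Ticket [initialized]
      Ticket Version  = 0
      Ticket Codepage =  (Encoding=1100)
      User = <ABCD>
      Issuing System ID    = EPD
      Issuing System Client = 000
      Creation Time = 200908110746
      Valid Time    = 8 h 0 min
      Signature (length=261 bytes)
"""

# "name = value" lines; the name may contain letters and spaces only, so the
# "=" inside "(Encoding=1100)" or "(length=261 bytes)" is never taken as the separator.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*?)\s*$")
VALID_RE = re.compile(r"^(\d+)\s*h\s*(\d+)\s*min$")
REQUIRED = ("User", "Issuing System ID", "Creation Time", "Valid Time")


def parse_ticket_trace(text):
    """Return the 'name = value' fields of a ticket trace as a dict."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def ticket_window(fields):
    """Return (created, expires) as timezone-aware datetimes.

    Assumption: Creation Time is yyyyMMddHHmm in UTC.
    """
    created = datetime.strptime(fields["Creation Time"], "%Y%m%d%H%M")
    created = created.replace(tzinfo=timezone.utc)
    match = VALID_RE.match(fields["Valid Time"])
    if not match:
        raise ValueError("unrecognised Valid Time: %r" % fields["Valid Time"])
    lifetime = timedelta(hours=int(match.group(1)), minutes=int(match.group(2)))
    return created, created + lifetime


def check_ticket(text, now, skew=timedelta(0)):
    """Classify a traced ticket at time `now` (timezone-aware).

    Returns one of "incomplete", "not-yet-valid", "expired", "valid".
    `skew` is the clock difference tolerated between issuer and acceptor.
    """
    fields = parse_ticket_trace(text)
    if any(not fields.get(name) for name in REQUIRED):
        return "incomplete"
    created, expires = ticket_window(fields)
    if created - skew > now:
        # Issuer clock is ahead of the acceptor clock by more than `skew`.
        return "not-yet-valid"
    if now >= expires:
        return "expired"
    return "valid"


if __name__ == "__main__":
    when = datetime(2009, 8, 11, 7, 46, 58, tzinfo=timezone.utc)
    created, expires = ticket_window(parse_ticket_trace(SAMPLE_TRACE))
    print("created:", created.isoformat())
    print("expires:", expires.isoformat())
    print("status at", when.isoformat(), "->", check_ticket(SAMPLE_TRACE, when))
```

Running the check with the accepting system's clock and a small skew helps separate an expired or clock-skewed ticket from a trust or user-mapping problem when reading such traces.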

  • SSO and User Mapping at same time

    Hi,
    Can we use SSO and user mapping at the same time between Portal and SAP backend system?
    For some of the users the user ID is different at both ends.
    After implementing the SSO... Will it affect the existing user mapping and the system alias created for that?
    If not, can we use both SSO and user mapping at the same time?
    Thanks,
    VB

    Hi VB,
    In this case I suggest you create 2 systems: one you might have already created, for users who have common user IDs in the portal and the backend system.
    For the users whose IDs differ, you can create a reference system, and in the user management properties of that system set:
    Authentication Ticket Type - Select -SAP Logon TicketSAP Assertion Ticket
    Logon Method -  UWPW
    User Mapping Fields -  {100,200,300}Client;Language
    where 100,200,300 are the clients of the backend system.
    Assign this system in the iViews.
    Thanks,
    Vishal

  • Calling to BPM via PI

    Basically I have already found a solution by trial and error, but I still don't understand what's going on, maybe someone can help me understand.
    I am trying to make a web service call
    from a CRM system (CRM 7.0 EhP3 SP 3), outbound interface {http://sap.com/xi/CRM/FS/Global2}NewLoanBoardingFSCreateRequest_Out
    via PI (double-stack, PI 7.31 SP 3)
    to a NW Java BPM system (NW 7.40 SP 4, inbound interface {http://sap.com/xi/FS-AO/Global}NewLoanBoardingProcessingNewLBrdngIn). The host name of the system is ilbnknw1 and the port is 50300.
    I created an EJB for the implementation of the service provider NewLoanBoardingProcessingNewLBrdngIn and a BPM process according to note 1891861 in NW Developer Studio and deployed all of it to the NW Java BPM server.
    There is a web service end point for NewLoanBoardingProcessingNewLBrdngIn on the NW Java BPM server the URL looks like this: http://ilbnknw1:50300/bpm/testsapcom/polnlbv0/start?wsdl&mode=ws_policy (visible in WS Administrator > Configuration > Connectivity > Single Service Administration > (stay on tab Service Definitions) > search for WSDL Port Type Name: NewLoanBoardingProcessingNewLBrdngIn ... I don't remember if it was created automatically during the deployment or I created it manually.)
    The security settings for the end point are set like this:
    Transport protocol: HTTP (not HTTPs)
    HTTP Authentication: Checkmarks for Login with User ID/Password and for Logon ticket are set. (X.509 is not set and also grayed out.)
    Message Authentication: No checkmarks are set.
    I can test the above WSDL URL (http://ilbnknw1:50300/bpm/testsapcom/polnlbv0/start?wsdl&mode=ws_policy) from WS Navigator and it works - I don't get an error message, and in WS Administrator I see that the process is started (at Operations > Processes and Tasks > Manage Processes).
    Now I wanted to test it from CRM. One possibility would be to go into SOAMANAGER and create a port that connects to the end point. But we prefer to go via PI. So I set up a receiver determination, interface determination and receiver agreement. The first two have no problems, the correct receiver (a business system referring to the NW Java BPM system) and the correct receiver interface are found. With the receiver agreement I was not so sure what to do and I tried different things.
    First I thought: It's a call to a web service, let me use a web service receiver channel, i.e. Adapter Type = WS of version SAP BASIS 7.31 (I tried 7.40 because the NW Java BPM server is 7.40, but the PI doesn't like that because it's only 7.31).
    I entered:
    WSDL Access URL: I used the complete URL (http://ilbnknw1:50300/bpm/testsapcom/polnlbv0/start?wsdl&mode=ws_policy).
    Authentication Method for WSDL Access: Basic Authentication using HTTP. (The other option No authentication and SSO using SAP Assertion ticket don't seem to fit.)
    User name for WSDL access: A user in the NW Java BPM system.
    Password for WSDL access: Password of the user
    Security
    Communication Security: None
    Authentication Method: User ID/Password (Transport Channel Authentication)
    Technical Transport Settings
    Target Host: ilbnknw1
    Service Name/Port: 50300
    URL Access Path: /bpm/testsapcom/polnlbv0/start (this can be selected with the value help button and that was the only choice in the value help)
    Then in the receiver agreement I chose this channel and entered the user and password on the NW Java system that should be used for the actual WS call (while the other one in the channel is only for accessing the WSDL) ... actually I used the same user and password for both, it has enough authorizations.
    Result: Didn't work at all, PI showed a red flag for the message with the error WS_ADAPTER_SYS_ERROR and text System error while calling Web service adapter: Error when initializing SOAP client application: 'Error when initializing SOAP client application: "SRT: Unexpected failure in SOAP processing occurre"'
    Question: Is this totally the wrong adapter to call to a NW Java system, or were my parameters wrong?
    Then I found some things in the forum that said: Just use SOAP adapter, not WS adapter! And for communication between (newer releases of) PI and (new releases of) NW Java BPM it's best to use the SOAP adapter with the XI 3.0 protocol.
    So I tried a SOAP receiver channel with XI 3.0 protocol, i.e. Adapter type SOAP with version SAP BASIS 7.31,
    Transport Protocol: HTTP,
    Message Protocol: change from SOAP 1.1 to XI 3.0,
    Addressing Type: URL address (HTTP destination was the alternative),
    Target URL: I used the whole URL (http://ilbnknw1:50300/bpm/testsapcom/polnlbv0/start?wsdl&mode=ws_policy),
    Authentication Mode: Use Logon Data for Non-SAP system (because Logon Data for SAP system wanted a client and language, so I think it refers to ABAP systems only),
    User Name: A user in the NW Java BPM system,
    User Password: the matching password
    (No settings in receiver agreement, just chose the channel.)
    Result: The PI didn't show any error anymore, the flag was black-white. But on NW Administrator (Operations > Processes and Tasks > Manage Processes) I could not see the process starting!
    Question: How is this possible? Where else could the error be seen? Are my parameters wrong? Probably not, otherwise PI should already show the error.
    Next try: SOAP receiver channel with SOAP 1.1 protocol, i.e. Adapter type SOAP with version SAP BASIS 7.31,
    Transport Protocol: HTTP,
    Message Protocol: SOAP 1.1 (the default, instead of XI 3.0 in the previous attempt)
    Addressing Type: URL address (HTTP destination was the alternative),
    Target URL: I used the URL just up to the ? for the parameters, i.e. only http://ilbnknw1:50300/bpm/testsapcom/polnlbv0/start,
    Checkmark for Configure User Authentication,
    User Name: A user in the NW Java BPM system,
    User Password: the matching password
    At the bottom:
    Checkmark for Use Query String,
    SOAP Action: wsdl&mode=ws_policy
    (No settings in receiver agreement, just chose the channel.)
    Result: Success in PI (black-white flag) - and now two processes were started shortly after each other (within 15 seconds)!
    I tested again to see if it would always trigger two process starts, but now it only started one as expected.
    So it looks like the other process start "pushed out" a hanging previous process start? Is such a thing possible? Where could I monitor this? (Apparently not in NW Administrator > Operations > Processes and Tasks > Manage Processes).
    So now I have a solution, I use a SOAP receiver channel with SOAP 1.1 protocol, not with XI 3.0 protocol, and certainly not the WS adapter. But I still wonder why it's not working with the XI 3.0 protocol, even though this seems to be the most recommended way for PI and BPM to communicate in recent releases that support this, and what exactly happened there, where the first process start was "hiding" in the meantime.

    Hi Monika,
    did you choose the URL
    http(s)://<hostname>:<port>/MessagingSystem/receive/JPR/XI
    in the XI 3.0 communication channel as described in the SAP Help? As far as I understand your description you didn't. Maybe this is the reason that it was not working with XI 3.0.
    Please check this link for proper setup:
    http://help.sap.com/saphelp_nw73ehp1/helpdata/en/99/0d45d39bb442bc96925f4a5db8b7ee/content.htm?frameset=/en/f1/24e6e6f548480b85197bde372d13c9/frameset.htm
    Best Regards
    Harald
