Avoid principal propagation in RFC_to_File scenario?

Hi!
I am facing with the following error in sxmb_moni by retrieving the message from business system A.
Errror in part Call adapter
System_Error: Error exception retnr from pipeline processing
name = "CL_XMS_MAIN_WRITE_MESSAGE_TO_PERSIST"
I also detected the following additional error text:
<SAP:AdditionalText>com.sap.aii.af.ra.ms.api.ConfigException: Unauthorized: J2EE AE rejected user. Reason: Principal propagation is not active, but technical IS service user was not used (J2EE_ADMIN).</SAP:AdditionalText>
<SAP:ApplicationFaultMessage namespace="" /
The error tell me that the principal propagation is missing.
Unfortunately I cannot activate principal propagation on Sender system due to ABAP dump error.
Question:
Are there some alternative solutions without activating principal propagation?
If yes hwo can these be realize?
For example: is it possible to send messages as technical IS server user such as j2ee_admin from sender system without activating principal propagation?
Any helpful information will be very appreciated.
Thank you!
Holger

HI Holger
Looking at the error we can see its authorization issue. You can try using user like PISUPER to create and use principal propagation
Moreover other than this you have to go through normal RFC -> XI -> File procedure where you have different user involved at different services. No other choice
Thanks
Gaurav

Similar Messages

"Ticket authentication failed" error in Principal Propagation scenario

Hi All,
I am working on Principal Propagation, where the scenario is sync RFC-PI-RFC. I have followed all steps mentioned in the below blog. When I execute the scenario (with Principal propagation box checked in the sender agreement) I get dump while executing the RFC from sender system. The dump is:
"Ticket authentication failed"
Scenario works fine if I don't check Principal propagation check box in the sender agreement.
Principal Propagation blog: /people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi
Can anyone suggest what can be the reason for this dump?
Thanks,
Shweta.

Hi All,
Any inputs on this?
Thanks,
Shweta.

Principal Propagation SOAP - XI - RFC Scenario

Hi,
I am developing a synchronous scenario whereby a SOAP request posted by a non SAP system should be forwarded to an ECC system using RFC. Challenge I am facing is that I want to use the user, which was used for basic user authentification to post to XI, dynamically in the RFC call. I have been reading about Principal Propagation using assertion tickets, however only SOAP receiver adapter is spoken about. I am trying to configure this using SOAP Sender adapter.
As far as my understanding goes the sending system should be able to create these assertion tickets ?
Has anyone developed a similar interface ?
Scenario is: Non SAP SOAP Sending system = Client, Adapter engine = Server & Client, Integration Server = Server & client and Receiving ABAP system (ECC6.0) is Server.
Any help would be appreciated and awarded if helpfull.
Kind Regards, Jelmer Keuken
Ps. XI is version 7.0 SP18, Alreay read the Blogs of Alexander Bundschuh
Edited by: J. Keuken on Sep 9, 2009 4:04 PM

Hi,
This scenario is definately possible to implement with principal propagation.
1. Enable the PP on Integration server
2. Here you need not have to do anything on SOAP sender side to create the assertion ticket..
The assertion ticket is required on SAP side which will act as Web AS ABAP Server.
refer the settings --http://help.sap.com/saphelp_nw04/helpdata/en/61/42897de269cf44b35f9395978cc9cb/frameset.htm
3. And then follow further steps as it mentioned the blogs...
Thanks
Swarup

Error while configuring Principal Propagation

Hi,
I am trying to configure Principal Propagation for a Proxy -> PI -> RFC, sync scenario. I am working on PI 7.1 SP6 and when i am trying to configure the "Configuration Adapter" in JAVA stack i am not able to find the following config. properties:
1.) login.ticket_keyalias = SAPLogonTicketKeypair.
2.) login.ticket_keystore = TicketKeystore.
I have checked in both NWA of PI 7.1 as well as the basis guys have checked the config. tool of the local server.
Rest all the configuration have been done but i am getting the following error in the response message of the moni -
" com.sap.engine.interfaces.messaging.api.exception.MessagingException: com.sap.aii.adapter.rfc.afcommunication.RfcAFWException: error while processing message to remote system:com.sap.aii.adapter.rfc.core.client.RfcClientException: could not get a client from JCO.Pool: com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: Issuer of SSO ticket is not authorized "
Please help.
Thanks!!!

Hi,
Plz check below parameters at R/3 side and set value as mentioned below.
login/accept_sso2_ticket=1
login/create_sso2_ticket=2
then test Jco's.

IDOC sender Principal Propagation

Hi experts,
I've a scenario IDOC to JDBC, it give me a error. I could have seen in others threads this error can be relationed with 'Principal Propagation' but i don' understand this concept, also in this scenario i haven't a sender agreement (because it is a IDOC),
the error is:
- <Trace level="1" type="B" name="CL_XMS_PLSRV_IE_ADAPTER-ENTER_PLSRV">
<Trace level="3" type="T">Channel for adapter engine: JDBC</Trace>
- <Trace level="1" type="B" name="CL_XMS_PLSRV_CALL_XMB-CALL_XMS_HTTP">
<Trace level="2" type="T">return fresh values from cache</Trace>
<Trace level="2" type="T">Get logon data for adapter engine (SAI_AE_DETAILS_GET):</Trace>
<Trace level="3" type="T">URL = http://sapdes:50300/MessagingSystem/receive/AFW/XI</Trace>
<Trace level="3" type="T">User = PIISUSER</Trace>
<Trace level="3" type="T">Cached = X</Trace>
<Trace level="3" type="T">Creating HTTP-client</Trace>
<Trace level="3" type="T">HTTP-client: creation finished</Trace>
<Trace level="3" type="T">Security: Basic authentication</Trace>
<Trace level="3" type="T">Serializing message object...</Trace>
<Trace level="1" type="T">HTTP Multipart document length: 5223</Trace>
<Trace level="3" type="T">HTTP-client: sending http-request...</Trace>
<Trace level="3" type="T">HTTP-client: request sent</Trace>
<Trace level="3" type="T">HTTP-client: Receiving http-response...</Trace>
<Trace level="3" type="T">HTTP-client: response received</Trace>
<Trace level="3" type="T">HTTP-client: checking status code...</Trace>
<Trace level="3" type="T">HTTP-client: status code = 503</Trace>
<Trace level="3" type="System_Error">HTTP-client: error response= <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Error Report</title> <style> td {font-family : Arial, Tahoma, Helvetica, sans-serif; font-size : 14px;} A:link A:visited A:active </style> </head> <body marginwidth="0" marginheight="0" leftmargin="0" topmargin="0" rightmargin="0"> <table width="100%" cellspacing="0" cellpadding="0" border="0" align="left" height="75"> <tr bgcolor="#FFFFFF"> <td align="left" colspan="2" height="48"> 503 &nbsp Service Unavailable</td> </tr> <tr bgcolor="#3F73A3"> <td height="23" width="84"><img width=1 height=1 border=0 alt=""></td> <td height="23"><img width=1 height=1 border=0 alt=""></td> <td align="right" height="23">SAP J2EE Engine/7.00 </td> </tr> <tr bgcolor="#9DCDFD"> <td height="4" colspan="3"><img width=1 height=1 border=0 alt=""></td> </tr> </table> <table width="100%" cellspacing="0" cellpadding="0" border="0" align="left" height="75"> <tr bgcolor="#FFFFFF"> <td align="left" colspan="2" height="48"> The requested application, AFW, is currently unavailable.</td> </tr> <tr bgcolor="#FFFFFF"> <td align="left" valign="top" height="48"> Details:</td> <td align="left" valign="top" height="48"><pre> No details available</pre></td> </tr> </body> </html></Trace>
<Trace level="3" type="T">HTTP-client: closing...</Trace>
</Trace>
</Trace>
</Trace>
- <Trace level="1" type="B" name="CL_XMS_MAIN-WRITE_MESSAGE_LOG_TO_PERSIST">
<Trace level="3" type="T">Persisting message after plsrv call</Trace>
<Trace level="3" type="T">Message-Version = 007</Trace>
<Trace level="3" type="T">Message version 007</Trace>
<Trace level="3" type="T">Pipeline CENTRAL</Trace>
</Trace>
<Trace level="3" type="System_Error">Error exception return from pipeline processing!</Trace>
<Trace level="1" type="B" name="CL_XMS_MAIN-WRITE_MESSAGE_TO_PERSIST" />
- 
<Trace level="3" type="T">Persisting message Status = 014</Trace>
<Trace level="3" type="T">Message version 008</Trace>
<Trace level="3" type="T">Pipeline CENTRAL</Trace>
</SAP:Trace>
very thanks,

Hi
Check this blog & the SAP notes in it
/people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
Regards
Vishnu

SOAP to SOAP principal propagation with logon tickets

I have configured a scenario using soap sender to soap receiver with an integrated configuration on PI 7.1. It is synchronous CE 7.11<->PI 7.10<->ECC 6.0. The scenario works with basic authentication. If I enable principal propagation on the sender side it still works fine. Now I have activated principal propagation on the receiver side and I get the following error in the message audit log:

<pre>
2010-05-07 09:01:50 Information MP: entering1
2010-05-07 09:01:50 Information MP: processing local module localejbs/sap.com/com.sap.aii.af.soapadapter/XISOAPAdapterBean
2010-05-07 09:01:50 Information SOAP: request message entering the adapter with user DAMZOG.JOCHE 
2010-05-07 09:01:50 Information SOAP: request message leaving the adapter (call)
2010-05-07 09:01:50 Information The application tries to send an XI message synchronously using connection SOAP_http://sap.com/xi/XI/System.
2010-05-07 09:01:50 Information Trying to put the message into the call queue.
2010-05-07 09:01:50 Information Message successfully put into the queue.
2010-05-07 09:01:50 Information The message was successfully retrieved from the call queue.
2010-05-07 09:01:50 Information The message status was set to DLNG.
2010-05-07 09:01:50 Information Delivering to channel: SOAP_MRByID_In5_R
2010-05-07 09:01:50 Information SOAP: request message entering the adapter with user J2EE_GUEST
2010-05-07 09:01:50 Fehler SOAP: call failed: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found.
2010-05-07 09:01:50 Fehler SOAP: error occured: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found.
2010-05-07 09:01:50 Fehler Adapter Framework caught exception: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found.
2010-05-07 09:01:50 Fehler The message was successfully transmitted to endpoint com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found. using connection SOAP_http://sap.com/xi/XI/System.
2010-05-07 09:01:50 Fehler The message status was set to FAIL.
</pre>

Any ideas what could be wrong?
Edited by: Jochen Damzog on May 7, 2010 9:02 AM
Edited by: Jochen Damzog on May 7, 2010 9:06 AM
Edited by: Jochen Damzog on May 7, 2010 9:22 AM

The problem was due to the channels being not in the most recent state. A simple restart of the soap sender channel did the job.

Principal propagation

hi, all.
i have scenario:
HTTP <-> XI <-> SAP.
between HTTP and XI i use http adapter. between XI and SAP i use proxy. i have to propagate useres from HTTP system to SAP system.
Can I create all needed users in XI, and connect from HTTP to XI using any of this user, but for connecting from XI to SAP can I use principal propagation?

Hi Mikhail
refre this Blog for to get details about principal propagation
Principal Propagation with SAP NetWeaver Process Integration 7.1
/people/alexander.bundschuh/blog/2007/08/06/principal-propagation-with-sap-netweaver-process-integration-71
Principal Propagation in SAP XI
/people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi
Thanks!!
Regards
Abhishek Agrahari

Principal Propagation Issue

Hi,
We are using PI 7.1 and have a SOAP - XI - ECC(RFC) scenario where we need to use Principal Propagation in order to send the user parameters who has invoked the webservice (using SOAP Adapter) on XI and the same user needs to be propagated to ECC system via RFC call.
We did all the settings as per the guidelines setup in P.P guide. The issue here is once we enable Single Signon (P.P) on our XI server the local service user created in XI, which is given to Source system for invoking WS on XI stops working.
In other words we have some other systems also which are sending webservice request to XI but with local service userid/pwd we have provided to them as they do not support Single Sign On. This stops working once we enable Single Sign On in XI. Does it mean at one time only one thing will work, either Service user/pwd or Single sign on user?
Is there any alternate way of achieving the same? Has anyone used P.P feature? It does not seem to be working at Adapter Level.
Thanks
amit

Dear Amit,
Either of the one will work either SSO user or Service user . You cant have both working simultaneously. Because your SSO user is nothing but where one system logs on to another system using the user & pwd maintained on host system.
The way out is to separate SSO user and Service users.
Also refer https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/bc72b890-0201-0010-3a8d-e31e3e266893
Rgds
joel
Edited by: joel trinidade on Mar 4, 2009 10:30 AM

Principal Propagation / SAP Assertion Ticket

Hi Experts,
i m planning a synchronous scenario
3rd party (SOAP) -> PI -> SAP ECC (RFC)
PI is on 7.1, ECC on 7.00
I would like to run Principal Propagation. At the moment i m struggling with Assertion Ticket to be issued by the SOAP sender. From [SAP Help: Princ Prop / Configuring the Sender|http://help.sap.com/saphelp_nw04/helpdata/EN/45/3418a0eabe072fe10000000a155369/content.htm]: "The SOAP client itself must be able to issue SAP assertion tickets."
- Does that mean: if the sender is a non SAP system Principle Propagation cannot be implemented?
- Or is there a way to issue the SAP assertion ticket from 3rd party SOAP sender?
- If yes, how does that work?
I found two interesting threads:
[Principal Propagation SOAP - XI - RFC Scenario |Re: Principal Propagation SOAP - XI - RFC Scenario]:
I do not understand Swarups answer 100%. He wrote: "Here you need not have to do anything on SOAP sender side to create the assertion ticket.The assertion ticket is required on SAP side which will act as Web AS ABAP Server"
Can anybody illuminate that? Is he right?
[Issuing SAP assertion Tickets |Issuing SAP assertion Tickets]: The last post of Anthony stayed unansered, unfortunately. "How does the sender system do that? Is it somethign embedded in the header of the SOAP message? This really is unclear to me"
Thanks for your help,
Udo

Hi Udo,
> - Does that mean: if the sender is a non SAP system Principle Propagation cannot be implemented?
Principle propagation supports XI, SOAP and RFC adapters.
http://help.sap.com/saphelp_nw04/helpdata/en/45/0f16bef65c7249e10000000a155369/frameset.htm
Before using the principle propagation you have to active the configuration, but you can only activate the configuration if you have kernel patch 149 installed.
Regards
Ramesh

Principal Propagation using SOAP Adapter

Hi,
Can anybody please explain Principal Propagation concept in SOAP adapter?
I have no idea at all about this, so it will be good if you can explain with an example scenario.
Thankyou.

Hi Anita,
Did you check the below doc and blog?
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/50d07121-07a5-2c10-5280-a081de9b851c?QuickLink=index&…
Principal Propagation in SAP XI
sap help page
https://help.sap.com/saphelp_nw73ehp1/helpdata/en/49/fe95b02f2e4d2baddc39196c827c51/content.htm
regards,
Harish

Principal propagation question

Hi All,
We currently have a synchronous scenario: SOAP -> PI 7.0 -> ABAP Proxy
We now have a requirement that for the above scenario, the sender system (which does not
know the password of its logged in user, only the userid), does its SOAP call to PI and PI
invokes the ABAP Proxy system with the credentials of the user in the sender system.
Can we use principal propagation for this? Please correct me if I'm wrong but I see an issue
with the sender system not knowing the password of its logged in user and therefore issuing
a SOAP call to PI for that user. Wouldn't authentication to PI fail without a userid/password
via SOAP?
Also, we are moving to PI 7.1. If I am correct with the above statement, is there a way to
achieve this requirement perhaps with the WS/SAML new feature? Aologies but I have read
countless documents on sdn on principal propagation and the new WS/SAML feature and I'm
still not sure if it will do what I require.
Any suggestions as to how I could achieve the scenario would be greatly appreciated.
Regards,
JM

I see an issue with the sender system not knowing the password of its logged in user
For using Principal Propagation, the user must be created at sender as well as receiver system.
Does enabling principal propagation mean no passwords are needed to issue a SOAP call to PI and onward to the ABAP proxy?
Incorrect. It just means that same user would be propagated to all the communicating systems using something called as Assertion Ticket.
While using Assertion tickets to communicate, a trust relationship is established between various systems. For this an SAP client is associated and in the keystore the certificate should be imported for digital signature. So the authentication is certificate based.
Regards,
Prateek

Principal Propagation SOAP-PI-RFC not working

Hi experts,
I have designed on PI 7.0 SP16 a SOAP->PI->RFC scenario enabling the call of
RFC_READ_TABLE (from ECC) through a webservice. For tests purpose, I have deployed WSDL file on IIS server and I call it from SAP Web Services Navigator. Tests are OK if we do not activate principal propagation on sender and receiver agreements.
But we need to activate it in order to manage authorizations for people calling the webservice.
So, I have followed all the required steps described in OSS note 974873.
In addition, on PI Java Visual Administrator, I added CreateAssertionTicketLoginModule to com.sap.aii.af.soapadapter*XISOAPAdapter (Service u2018Security Provideru2019 -> runtime -> policy configurations ) in order to create an assertion ticket when SOAP adapter is called.
When calling the webservice, the response contains : "Received HTTP response code 401 : Unauthorized". In RWB I can see that the communication channel is in error, not even displaying the content of the message.
The security.log file contains : u201CAttempting to create outgoing ssl connection without trusted certificatesu201D
My test user (and PIAFUSER) has SAP_XI_APPL_SERV_USER role, are not locked and PI Caches have been cleared.
In addition, I have not set SSO in PI, thinking it is not a prerequisite to principal propagation.
Does anyone could help me ?
Thanks for your help,
Philippe
Edited by: IBM France CONSEIL on Feb 19, 2010 9:48 AM

Stefan,
what I understand from the comments is that I have to use SAML, but this is coming with PI 7.1 and I am working on PI 7.0.
However, when I read the beginning of this thread [Principal Propagation - PIAFUSER in Assertion Ticket] it proves it can work without SAML, isn't it ?

Principal Propagation SOAP Sender

Hello,
is it possible to use principal propagation for the following scenario:
SOAP Sender (Basic auth) -> PI -> RFC
so that the basic auth user from the incoming SOAP call is propagated to the RFC call
br franz

Hi Franz,
Take a look at this: http://help.sap.com/saphelp_nw04/helpdata/EN/45/0f16bef65c7249e10000000a155369/frameset.htm
Best Regards,
Jose Nunes

SSO and Principal Propagation in SUP

Hi all,
I am wondering how SSO and Principal Propagation work in SUP.
Ideally, users should be able to logon on their device application and the same user/pwd should be used to perform backend SAP invocations.
I have seen that personalization keys exists which can store users/passwords to use later in backend invocations.
However:
how can I perform login if my device is offline?
is the password used for login from device the same as the SAP system's?
do SUP and SAP have to share the same user engine (i.e. LDAP)?
Any help or pointers to best practices/manuals are really appreciated
Thanks, regards
Vincenzo

Hi
how can I perform login if my device is offline?
Once the device logs into the SUP once every-time thereafter the client app doesn't perform an online authentication.
The credentials are stored on the device securely and authenticated with the user supplied credentials. When the device is online it will perform the online authentication.
is the password used for login from device the same as the SAP system's?
You can have the same credentials on both the systems. The SAP connectivity credentials are however stored in SUP.
do SUP and SAP have to share the same user engine (i.e. LDAP)?
Yes currently SUP for development purposes has the openDS ldap service. but in production we can use the LDAP provider of your company.
Thanks

RFC_to_File scenario: error in request message mapping

Hi!
I am configuring RFC_to_File scenario.
The error at the begining is:
com.sap.aii.utilxi.misc.api.BaseRuntimeException thrown during application mapping com/sap/xi/tf/_MM_Z_RFB_MATERIALEINGABE_PBU_zu_MT
: Fatal Error: com.sap.engine.lib.xml.parser.Parser
Exception of class CX_XMS_SYSERR_MAPPING
When I display the request message mapping are of the message I can see:
<Trace level="1" type="T">Interface-Mapping http://www.sap-press.de/xi/training/PBU_00 IM_Z_RFB_MATERIALEINGABE_PBU_zu_MI_Material_Async_In</Trace>
<Trace level="1" type="T">RuntimeException during appliction Java mapping com/sap/xi/tf/_MM_Z_RFB_MATERIALEINGABE_PBU_zu_MT_Material_</Trace>
<Trace level="1" type="T">com.sap.aii.utilxi.misc.api.BaseRuntimeException: Fatal Error: com.sap.engine.lib.xml.parser.ParserException: XMLParser : #0 not allowed in Character data sections(:main:, row:1, col:202) at com.sap.aii.mappingtool.tf3.Transformer.checkParserException(Transformer.java:187) at com.sap.aii.mappingtool.tf3.Transformer.start(Transformer.java:151) at com.sap.aii.mappingtool.tf3.AMappingProgram.execute(AMappingProgram.java:105) at com.sap.aii.ibrun.server.mapping.JavaMapping.executeStep(JavaMapping.java:64) at com.sap.aii.ibrun.server.mapping.Mapping.execute(Mapping.java:92) at com.sap.aii.ibrun.server.mapping.MappingHandler.run(MappingHandler.java:90) at com.sap.aii.ibrun.sbeans.mapping.MappingRequestHandler.handleMappingRequest
Can some one help me to solve this problem?
Thank you very much!
regards
Holger

Holger,
Message Mapping Failed.
>com.sap.engine.lib.xml.parser.ParserException: XMLParser : #0 not allowed in Character data >sections(:main:, row:1, col:202) at com.sap.aii.mappingtool.tf3.Transformer.checkParserException
You are Passing Char to a field, which is not as per the Message Mapping rule
Cheers
Agasthuri Doss

Avoid principal propagation in RFC_to_File scenario?

Similar Messages

Maybe you are looking for