Certificate to weblogic-user mapping using CertAuthenticator

In SSL scenario I have a two way aithentication setup and working.
Now I wanted to use an auto Certificate to weblogic user mapping.
I tried using the SimpleCertAuthenticator (part of examples), and
setup the required properties in weblogic.properties.
SimpleCertAuthenticator is not getting called by the server.
(I put debug statements in SimpleCertAuthenticator.java which are
not being reached).
can somebody who had it successfully running help.
thank you,
escher.

escher,
When connecting from a browser a similar problem arises which can be solved by a patch to sp6. Soon sp7 will fix it, but at the moment sp7 solves that problem but causes another.
I'm confident that the same fix will fix calls from a java client, and thus the example, but I haven't checked yet. If it doesn't I'll let you know.
"escher" <[email protected]> wrote:
>
In SSL scenario I have a two way aithentication setup and working.
Now I wanted to use an auto Certificate to weblogic user mapping.
I tried using the SimpleCertAuthenticator (part of examples), and
setup the required properties in weblogic.properties.
SimpleCertAuthenticator is not getting called by the server.
(I put debug statements in SimpleCertAuthenticator.java which are
not being reached).
can somebody who had it successfully running help.
thank you,
escher.

Similar Messages

Question about Logon ticket with user mapping at BI-JAVA environment

We're implementing BI 7.0 including BI Java and SAP EP for end user
access.
I have two question about SSO method when we're using BI Java.
I know we can simply configure SSO logon ticket with BI-Java(EP
included) and BI-ABAP through BI template installer and we already
succeeded in that case.
But the problem is we want to change it to user mapping SSO method for
some our internal reason.
After we configure user mapping SSO, we've got SSO failed error when we
call BI-Java stuff like BEx Web Application iView.
After many testing implemented, we found SSO Logon ticket with user
mapping (using SAP reference system). It seems working now.
But our question is "Is it no problem when we use SSO logon ticket with
user mapping?" Is there any restriction or issue?
One more question is we can ONLY use user base mapping when reference
system used. How can we assign BI-ABAP users to EP Group?

Using an SAP Reference system is allright. But if the reason u r going for this is because of different usernames in EP and BI, why dont you go for user mapping.
Anyways, on restriction of reference syetms is that you can have ONLY ONE reference system defined in portal. In you case you can only have the BI system defined.
Hope this helps!!

Step-by-step custom Credential Mapping using weblogic 10.3 SSPI

Folks,
I am trying to implement custom Credential Mapping using weblogic 10.3 SSPI. Am sure that few of you have already implemented the same. But here my questions in reagrds with the implementation
Right now, I have below
1.MyCredentialMapperImpl implements CredentialMapperV2
1.Overridden getCredential and gerCredentials method.But I am not sure what are all the other methods , I should implement here.
2.MyCredentialMapperProviderImpl implements CredentialProviderV2
Questions.
1.How to get ContextHandler to pass as param in MyCredentialMapperImpl -->gerCredentials method.
2.Should I need set up a database after deploying the MBean ?
3.How do I execute above implementation ?
4.Can I see the SAML Token in my client ?
If possible Please send me the step-by-step custom Credential Mapping implementation.
Thanks in advance.
Ravi

Hi John,
I would like magic of course. However, in this case I want something special: my authentication provider uses special means and contents of headers, cookies and service from external identity management systems to determine the user's identity.
I do not want the application to present the login dialog! I want to derive the identity and the fact that the user is logged in from whatever the authentication provider returns in terms of Subject.
Ideally, the flow is something like:
- user accesses an unprotected resource - resource is shown, no interaction with authentication provider
- user presses a link or button that takes him/her to a protected resource
- the authentication provider is contacted to work with the identity asserter to establish the identity of the current user and create a subject object for this user
- the application can access the subject and principals
- ADF Security recognizes the identity and the roles (based on the principals) and coordinates access based on this.
the authentication method is client certificate. presumably this prompts WebLogic/OPS to use an identity asserter to work with custom headers and cookies ("... when you configure a web application to use CLIENT-CERT authentication. In this case, WebLogic can perform identity assertion based on values from request headers and cookies. If the header name or cookie name matches the active token type for the provider, the value is passed to the provider."). No login form should be presented to the user, as all information required to perform the authentication is already available.
I am trying to understand what I must do to have the ADF application adopt the subject set by the authentication provider - if anything?!
If you more ideas to share - I would love to hear them.
best regards,
Lucas

User mapping certificate in UME (J2EE) with ABAP system as Backend (SNC)

I hope someone can help me with the user mapping concept (X.509 V3 certificates) for both "worlds" (ABAP and JAVA Stack).
I know how to install and configure certificate based (X.509) login to SAP ABAP and SAP JAVA (J2EE) Stack (--> enable encryption for communication and Single Sign On).
Situation:
We have a ready installed and configured X.509 certificate authentication environment for the ABAP world (between SAP GUI and SAP Server System)
and the user mapping was configured in the ABAP System (SU01). As the users are using certificates, the passwords are deactivated on the ABAP System.
Now if you want to integrate a JAVA (J2EE) Sytem and you want to configure the UME to the ABAP System (as Backend), you have an administrative effort problem with the user mapping (X.509) in the UME configuration.
1.) It is possible to assign manually the user public key to every user --> But to much effort
2.) As the user does not have a password (deactivated in the ABAP system), the way to combine the automatic mapping with a user login does not work.
3.) In the distinguished name of the user certificate there is no information about the SAP username itself
--> you are not able to use any information of the DN to bind a user in the Login Module configuration.
Now my question:
Is it possible to use the sncname information from the ABAP System (still configured and available) for the UME configuration?
As i know, it is possible to write an own Login Module. Does anybody has a customized Login module for this issue?
At the end the best solution would be to enable the same user mapping mechanism on the JAVA world as on the ABAP world. --> Mapping the Distinguished Name to the SAP User

We have developed a login module which is working with Kerberos auth, not x.509 auth, but still solves a very similar problem to the problem you are describing. As you know, when SNC is used to logon to ABAP stack, the SNC name of the user is mapped onto a SAP user via entries in the USRACL table. Our mapping login module takes the authenticated user principal name from the shared state and uses this to lookup the entry in USRACL table on ABAP stack, and from this it will know which SAP user to use, and can update shared state with this info so that CreateTicketLoginModule will created an SSO2 ticekt for the mapped SAP user id.
This means that mapping of users externally authetnicated identity onto SAP user/client can be managed in one place, e.g in ABAP stack using USRACL table entires and su01 t-code etc.
I know it is not exactly what you wanted, since you are looking to use x.509 certifiates instead of Kerberos authentication, but I thought it was worth sharing so that you know the concept has already been implemeneted many times. Many of our customers use this login module when they have our product, for the same reasons that you have stated.
Thanks,
Tim

Problem about SSO using logon ticket with user mapping

Hi everyone ,
I had done SSO with Portal , BW and R/3 system.
I use logon ticket with user mapping .
When user name is same in Portal as in R/3 system, or user name is same in Portal as in BW , user can access R/3 transactions and BW report without logon.
There are some Portal users name which are different with R/3 user and BW user. And I done the user mapping for these user.
But some user mapping works fine,but most of them can't work,means that most of them need to enter mapped user ID and password.
What's the reason?
When SSO using logon ticket with user mapping, the Portal user which is different with R/3 user and BW user, can they access R/3 transaction iview and BW report iview without logon?

Hi Chen,
What you have done is correct. But the problem lies here.
Since you are using the same system object for accessing the iview, where the ticket method is set to SAPLOGONTICKET in the user Management property of the system object.
To avoid this create another system object like the previous one but set the logon method to UIDPW and select admin, user from the drop down box. Also create a system alias for this system.
Now create another iview like the previous one but link this iview to the new system. Now do the user mapping for the users which are different in portal compared with R/3. Now you should be able to login without any problems.
Another important point is login to portal with Fully qualified domain name. In the ITS property of the system object also give the FQDN.
Hope this helps
Regards
Arun

How can i use exisitng user data(Id, password) for user mapping

Hi All,
For User mapping , we can import user mapping data for many users from user administration. and for each user
we can maintain mapping data in the standard format.
eg:
[User]
uid=user2
$usermapping$:BCE:user=ext_user2
$usermapping$:BCE:mappedpassword=password
i am clear till this point.
this all works if we know the userid and passowrd on the system 'BCE'.the passwords on the system 'BCE', are encrypted . so there is no chance for me to know the passwords.
so how can i use the existed userid/passowrd on the system 'BCE' for the mapped user and mapped password on the portal while doing usermapping.
Thanks in Advance,
Lakshmi

Hi,
I think this should work.
1. Setup SSO with SAP logon tickets first. How to do this is described many places, e.g. http://help.sap.com/saphelp_nw04/helpdata/en/d3/41c8ecb31d11d5993800508b6b8b11/content.htm
This SSO will not work at first, because the username is different in the back-end system. So what you need to do is to get the back-end username into the ticket (don't need a password because that is done by the SAP logon ticket)
2. Create a portal component which uses the usermanagement API to create a usermapping which only consists of the username and a blank password. You can do this manually I think if you have no reference system defined.
IUserMappingService umap =(IUserMappingService)PortalRuntime.getRuntimeResources().getService(IUserMappingService.KEY);
//this is the currently logged in user. You might another user
IUserContext user = request.getUser();
//Get the existing data (think it can be null)
IUserMappingData userMapping=umap.getMappingData(systemAlias, user);
HashMap map = new HashMap();
                         map.put(IUserMappingService.UMAP_KEY_USER, backEndUserName);
//add blank password               map.put(IUserMappingService.UMAP_KEY_PASSWORD, "");
//store the values                    userMapping.storeLogonData(map);
Voila, this should allow you to do SSO using SAP logon tickets, but with another name that you use against the portal. I am uncertain if this will work if you have multiple usermappings in the sap logon ticket
PS since the sap logon ticket is issued at logon time, you need to relogon to get the changes done by the code
Regards
Dagfinn

Not able to start Managed server using nohup command and failed to authenticate weblogic user

Hi,
I stopped weblogic Admin server, managed server and opmnctl. and restarted Admin server successfully but I'm able to start managed start without nohup command. if I use nohup command then it's not able to get authenticate and faild to start managed server. I created boot.property file with weblogic user name and password still not working. is there anyother way to suppy login credentials for managed server?
how can I supply login credentials in below command?
nohup ./startManagedWebLogic.sh bi_server1 t3://machine:7001 > bis1_startup.log &
Appreciate you for your help
Thanks
Jay.

/app/obiee_11g/Oracle_BI1/jdk/bin/java -server -Xms256m -Xmx1024m -XX:MaxPermSize=512m -XX:-UseSSE42Intrinsics -Dweblogic.Name=bi_server1 -Djava.security.policy=/app/obiee_11g/wlserver_10.3/server/lib/weblogic.policy -Dweblogic.ProductionModeEnabled=true -Dweblogic.security.SSL.trustedCAKeyStore=/app/obiee_11g/wlserver_10.3/server/lib/cacerts -da -Dplatform.home=/app/obiee_11g/wlserver_10.3 -Dwls.home=/app/obiee_11g/wlserver_10.3/server -Dweblogic.home=/app/obiee_11g/wlserver_10.3/server -Dcommon.components.home=/app/obiee_11g/oracle_common -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=/app/obiee_11g/user_projects/domains/bifoundation_domain -Djrockit.optfile=/app/obiee_11g/oracle_common/modules/oracle.jrf_11.1.1/jrocket_optfile.txt -Doracle.server.config.dir=/app/obiee_11g/user_projects/domains/bifoundation_domain/config/fmwconfig/servers/bi_server1 -Doracle.domain.config.dir=/app/obiee_11g/user_projects/domains/bifoundation_domain/config/fmwconfig -Digf.arisidbeans.carmlloc=/app/obiee_11g/user_projects/domains/bifoundation_domain/config/fmwconfig/carml -Digf.arisidstack.home=/app/obiee_11g/user_projects/domains/bifoundation_domain/config/fmwconfig/arisidprovider -Doracle.security.jps.config=/app/obiee_11g/user_projects/domains/bifoundation_domain/config/fmwconfig/jps-config.xml -Doracle.deployed.app.dir=/app/obiee_11g/user_projects/domains/bifoundation_domain/servers/bi_server1/tmp/_WL_user -Doracle.deployed.app.ext=/- -Dweblogic.alternateTypesDirectory=/app/obiee_11g/oracle_common/modules/oracle.ossoiap_11.1.1,/app/obiee_11g/oracle_common/modules/oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false -Dbi.oracle.home=/app/obiee_11g/Oracle_BI1 -DEPM_ORACLE_HOME=/app/obiee_11g/Oracle_BI1 -Dweblogic.MaxMessageSize=50000000 -DEPM_ORACLE_HOME=/app/obiee_11g/Oracle_BI1 -DHYPERION_HOME=/app/obiee_11g/Oracle_BI1 -DEPM_ORACLE_INSTANCE=novalue -Dhyperion.home=/app/obiee_11g/Oracle_BI1 -DEPM_REG_PROPERTIES_PATH=/app/obiee_11g/user_projects/domains/bifoundation_domain/config/fmwconfig -Depm.useApplicationContextId=false -Doracle.biee.search.bisearchproperties=/app/obiee_11g/Oracle_BI1/bifoundation/jee/BISearchConfig.properties -Dweblogic.management.clearTextCredentialAccessEnabled=true -Doracle.notification.filewatching.interval=2000 -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enableJSSE=true -Dfile.encoding=utf-8 -Doracle.ecsf.security.service=oracle.biee.search.security.BISearchSecurityService -Doracle.ecsf.configuration.class=oracle.biee.search.services.BISearchServiceConfiguration -Dxdo.server.config.dir=/app/obiee_11g/user_projects/domains/bifoundation_domain/config/bipublisher -DXDO_FONT_DIR=/app/obiee_11g/Oracle_BI1/common/fonts -Drtd.instanceName=RTD_bi_server1 -Dem.oracle.home=/app/obiee_11g/oracle_common -Djava.awt.headless=true -Dweblogic.management.discover=false -Dweblogic.management.server=01scqabi01.natusmed.natus.com:7001 -Dwlw.iterativeDev=false -Dwlw.testConsole=false -Dwlw.logErrorsToConsole=false -Dweblogic.ext.dirs=/app/obiee_11g/patch_wls1035/profiles/default/sysext_manifest_classpath weblogic.Server
<Nov 17, 2013 12:24:00 AM PST> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Nov 17, 2013 12:24:00 AM PST> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Nov 17, 2013 12:24:01 AM PST> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) 64-Bit Server VM Version 20.10-b01 from Sun Microsystems Inc.>
<Nov 17, 2013 12:24:07 AM PST> <Info> <Security> <BEA-090065> <Getting boot identity from user.>
Enter username to boot WebLogic server:Error: Failed to get value from Standard Input
Enter password to boot WebLogic server:
<Nov 17, 2013 12:24:07 AM PST> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Nov 17, 2013 12:24:09 AM PST> <Error> <Configuration Management> <BEA-150021> <The admin server failed to authenticate the identity of the user starting the managed server. The reason for the error is .>
<Nov 17, 2013 12:24:09 AM PST> <Emergency> <Management> <BEA-141151> <The admin server could not be reached at http://01scqabi01.natusmed.natus.com:7001.>
<Nov 17, 2013 12:24:09 AM PST> <Info> <Configuration Management> <BEA-150018> <This server is being started in managed server independence mode in the absence of the admin server.>
<Nov 17, 2013 12:24:09 AM PST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Nov 17, 2013 12:24:09 AM PST> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Nov 17, 2013 12:24:09 AM PST> <Notice> <Log Management> <BEA-170019> <The server log file /app/obiee_11g/user_projects/domains/bifoundation_domain/servers/bi_server1/logs/bi_server1.log is opened. All server side log events will be written to this file.>
<Nov 17, 2013 12:24:19 AM PST> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
<Nov 17, 2013 12:24:20 AM PST> <Critical> <Security> <BEA-090403> <Authentication for user denied>
<Nov 17, 2013 12:24:20 AM PST> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user denied
weblogic.security.SecurityInitializationException: Authentication for user denied
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:965)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
Truncated. see log file for complete stacktrace
Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User javax.security.auth.login.LoginException: [Security:090301]Password Not Supplied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at java.security.AccessController.doPrivileged(Native Method)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Truncated. see log file for complete stacktrace
>
<Nov 17, 2013 12:24:20 AM PST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Nov 17, 2013 12:24:20 AM PST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Nov 17, 2013 12:24:20 AM PST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>

Problem in installation of free SSL certificate on Weblogic using keytool

We tried to install SSL certificate on weblogic certificate using Keystore ..but it is giving error in console at startup and server shutdowns automatically...
Steps followed:-
1) To generate keystore and private key and digital cerficate:-
keytool -genkey -alias mykey2 -keyalg RSA -keystore webconkeystore.jks -storepass webconkeystorepassword
2) To generate CSR
keytool -certreq -alias mykey2 -file webconcsr1.csr -keyalg RSA -storetype jks -keystore webconkeystore.jks -storepass webconkeystorepassword
3) CSR is uploaded on verisign site to generate free ssl certificate.All certificate text received is paste into file (cacert.pem)
4) Same certificate is put into same keystore using following command
keytool -import -alias mykey2 -keystore webconkeystore.jks -trustcacerts -file cacert.pem
5) Before step 4), we have also installed root /intermediate certificate to include chain using following command.
(intermediateCa.cer file is downloaded from verisign site)
keytool -import -alias intermediateca -keystore webconkeystore.jks -trustcacerts -file intermediateCa.cer
6) After this configuration we used weblogic admin module to configure Keystore and SSL.
7) For KeyStore tab in weblogic admin module, we have select option Custom Identity And Custom Trust provided following details under Identity and Trust columns:-
Private key alias: mykey2
PassKeyphrase: webconkeystorepassword
Location of keystore: location of webconkeystore.jks file on server
8) For SSL tab in weblogic admin module, we have select option KeyStores for Identity and Trust locations.
Error on console:
<Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore.jks under alias mykey2 on server AdminServer.>
<Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090087> <Server failed to bind to the configured Admin port. The port may already be used by another process.>
<Nov 3, 2009 3:00:17 PM IST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: Server failed to bind to any usable port. See preceeding log message for details.>
<Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Nov 3, 2009 3:00:17 PM IST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
If anyone knows the solution ,please help us out.Thanx in advance.
I was really happy to get reply yesterday from "mv".I was not expecting such instant response.

Thanx all guys for your interest and support.
I have solved this issue.
We have weblogic 9 on unix env.
Following steps which I followed:
#generate private key
keytool -genkey -v -alias uinbrdcsap01_apac_nsroot_net -keyalg RSA -keysize 1024 -dname "CN=linuxbox042, OU=ASIA, O=Citigroup, L=CALC, S=MH, C=IN" -validity 1068 -keypass "webconkeystorepassword" -keystore "cwebconkeystore"
#generate csr
keytool -certreq -v -alias uinbrdcsap01_apac_nsroot_net -file linuxbox042.csr -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass webconkeystorepassword
Then we uploaded this csr on verisigns free ssl certificate to generate and receive certificate text.
We copied that text file in "ert4nov2009.crt" rt file used below.
Apart from that , mail which we received from verisign also contains links to download root ca certificate and intermediate ca certificate.We downloaded them.
roo ca in "root4nov2009.cer" file.
intermediate ca in "intermediateca4nov2009.cer"
both these files used in
#import root certificate
keytool -import -alias rootca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "root4nov2009.cer"
#import intermediate ca certificate
keytool -import -alias intermediateca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "intermediateca4nov2009.cer"
#install free ssl certifiate
keytool -import -alias uinbrdcsap01_apac_nsroot_net -file "cert4nov2009.crt" -trustcacerts -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass "webconkeystorepassword"
#after this admin configuration
In weblogic admin console module, we did following settings:-
1. under Configuration tab
a. Under KeyStore tab
For keystore , we selected "Custom identity and Custom Trust"
Under Identity,
Custom Identity Keystore:location of keystore "webconkeystore" on weblogic server
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase:password for keystore mentioend above.In our case, webconkeystorepassword
Same we copied Under "Trust", as we have not created separate keystore for trust.
Save setting.
b. Under SSL tab
Identity and Trust Locations: select "Keystores"
Private Key Alias: alias used while creating private keyi.e. in our case "uinbrdcsap01_apac_nsroot_net"
Save setting.
c. Under General tab
Check checkbox "SSL Listen Port Enabled"
and mention ssl port "SSL Listen Port"
Save setting.
After this activate changes.You might see error on admin module.
Using command prompt, stop the server and again restart and then try to access using https and port ...
you will definately get output...
in our case issue might be due to key size..we used 1024 key size ..it solve problem.
for your further reference plz find link below..it is also helpful.
http://download.oracle.com/docs/cd/E13222_01/wls/docs81/plugins/nsapi.html#112674

User mapping issue using SAP net weaver developer studio

Dear All,
I am getting below error when updating user mapping in SAP Enterprise Portal. I was able to update the data through SAP portal but not through the below code.
Code:
userMapData.setSystemAlias(“WebEx”);
mappingData.put(UmeConstants.USERNAME, "user id");
 mappingData.put(UmeConstants.PASSWORD, "pasword");
if (!userMapData.setMappingData(newUser, mappingData,logger)) {
errorMessage = new ErrorMessage("Set user maaping data for + " + newUser.getDisplayName() + " failed.", "ApolloUMECreateUser.setUserMappingData()");
public boolean setMappingData(IUser iUser, Map logonData, UmeLog logger) {
 //logonData needs to be able to be null to clear the user mapping!
 if (iUser != null) {
 try {
 IUserMappingData mappingData = iUserMapping.getUserMappingData(systemAlias, iUser, logonData);
 //IUserMappingService iums = (IUserMappingService)PortalRuntime.getRuntimeResources().getService(IUserMappingService.KEY);
 //IUserMappingData mappingData = iums.getMappingData (systemAlias, iUser);
 mappingData.storeLogonData(logonData);
 return true;
 catch (IOException ioe) {
return false;
 catch (Exception e) {
 return false;
 return false;
Error:
#1.5#00155D007802007D0000417100000B480004F636722D1228#1396613610296#com.sap.security.core.umap.imp.UserMappingDataImp#ibm.com/ibm.com.tivoli.im.umeagent#com.sap.security.core.umap.imp.UserMappingDataImp.saveLogonDataInternal(Map, boolean)#Guest#0##n/a##88b1fdb2bbf211e3a6ac00000032f136#SAPEngine_Application_Thread[impl:3]_24##0#0#Error##Java###Cannot save logon data for principal {0} because there is no mapped backend user ID in the logon data map to save.#1#"user id, password" (unique ID: "USER.PRIVATE_DATASOURCE.un:aujastest31")#
#1.5#00155D00780200740000411600000B480004F636722D12D8#1396613610296#System.err#ibm.com/ibm.com.tivoli.im.****umeagent#System.err#Guest#0##n/a##88cc4ee9bbf211e3b0a300000032f136#SAPEngine_Application_Thread[impl:3]_33##0#0#Error##Plain###Apr 4, 2014 5:43:30 PM com.ibm.tim.agents.UmeAgent [SAPEngine_Application_Thread[impl:3]_33] Info: Created the Writer
#1.5#00155D007802007D0000417200000B480004F636722D18DA#1396613610296#com.sap.security.core.umap.imp.UserMappingDataImp#ibm.com/ibm.com.tivoli.im.umeagent#com.sap.security.core.umap.imp.UserMappingDataImp#Guest#0##n/a##88b1fdb2bbf211e3a6ac00000032f136#SAPEngine_Application_Thread[impl:3]_24##0#0#Error##Java###storeLogonData(Map)
[EXCEPTION]
{0}#1#com.sap.security.api.UMException: Mapped backend user ID not specified.
 at com.sap.security.core.umap.imp.UserMappingDataImp.saveLogonDataInternal(UserMappingDataImp.java:280)
 at com.sap.security.core.umap.imp.UserMappingDataImp.saveLogonData(UserMappingDataImp.java:251)
 at com.sap.security.core.umap.imp.UserMappingDataImp.storeLogonData(UserMappingDataImp.java:223)
 at com.ibm.tivoli.integration.im.agents.umeagent.sap.usermapping.UserMapData.setMappingData(UserMapData.java:106)
 at com.ibm.tivoli.integration.im.agents.umeagent.sap.UMECreateUser.setUserMappingData(UMECreateUser.java:381)
 at com.ibm.tivoli.integration.im.agents.umeagent.sap.UMECreateUser.UMECreateSAPUser(UMECreateUser.java:118)
 at com.ibm.tim.agents.UmeAgent.UMEProcessAddRequest(UmeAgent.java:207)
 at com.ibm.tim.agents.UmeAgent.processRequest(UmeAgent.java:134)
 at com.ibm.tim.agents.UmeAgent.doPost(UmeAgent.java:89)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
 at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
 at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
 at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
 at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
 at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1060)
 at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
 at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
 at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
 at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
 at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
 at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
 at java.security.AccessController.doPrivileged(Native Method)
 at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
 at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)

Thanks Rodrigo for you reply.
In Data Base user is exist and manually user mapping is working only through code i am getting error. Using code user is creating but mapping is not happening. I am sending ep6User user as iUser please find requested code.
Please suggest Thanks in advanced!!!
public UmeUser processRequest(com.ibm.dsml2.parser.AddRequest addRequest) {
 UmeUser ep6User = null;
 try {
 Enumeration enumAddRequestAttr = addRequest.enumerateAttr();
 Properties userAttributes = new Properties();
 while (enumAddRequestAttr.hasMoreElements()) {
 com.ibm.dsml2.parser.Attr attr = (com.ibm.dsml2.parser.Attr) enumAddRequestAttr.nextElement();
 if (attr.getValueCount() == 1) {
 userAttributes.put(attr.getName(), getAttributeValue(attr));
 else {
 List list = new ArrayList(attr.getValueCount());
 for (int i = 0; i < attr.getValueCount(); i++) {
 list.add(getAttributeValue(attr, i));
 userAttributes.put(attr.getName(), list);
 ep6User = new UmeUser(userAttributes, logger);
 catch (Exception e) {
 logger.log(this.getClass().getName(), e);
 return ep6User;

Using SSO and user mapping with WebDav Repository

Hi guys,
I have a WebDav Repository in portal and i configured SSO with SSO22KerbMap in IIS server. All is ok, but i have some UME users than don't have user in our Active Directory, i need use user mapping with this users. Do it's possible?
Currently i have a KMWebDav system (with same alias name that http system) and i mapped one of my UME user (with name 'umeuser' for example) with one Active Directory user (with name 'aduser' for example), if i try access to my webdav repository from KM Content with 'umeuser' i can see in SSO22KerbMap log a message like:
10:48:57 6756/4652 i OnPreprocHeaders: Determined account umeuser from cookie MYSAPSSO2
10:48:57 6756/4652 E OnPreprocHeaders: Found 0 UserPrincipalNames for ADSI Filter...
Can somebody help me?
Thanks in advanced.

Hi Guys,
Any takers?
Suggestions would be appreciated.
Cheers
Ian Henderson

How to detect if the user is using SSL

I use weblogic 5.1 sp6and NES 4.1. Netscape plug-in connects them together.
I also install the verisign certificate on the NES 4.1.
I want my JSP code to detect if the user is using http or https to visit my
site. However, isSecure() will return false and getSchema will return https
and getServerPort will return 80, even when the user is using https:// . I
guess the reason is when the NES forwards the request to the weblogic, it is
not using https.
Then how can I detect the protocol the user is using? I use getHeaderNames()
method to print out all the infomration in the HEADER. However, I find that
it only includes client header information. Is it true that NES plug-in only
fowards part of the HEADER information to the weblogic server?
Thanks

Comments inline....
"Lan Jiang" <[email protected]> wrote in message
news:3a74d511$[email protected]..
I use weblogic 5.1 sp6and NES 4.1. Netscape plug-in connects themtogether.
I also install the verisign certificate on the NES 4.1.
I want my JSP code to detect if the user is using http or https to visitmy
site. However, isSecure() will return false and getSchema will returnhttps
and getServerPort will return 80, even when the user is using https:// . I
guess the reason is when the NES forwards the request to the weblogic, itis
not using https.getServerPort should return 443. It's a bug. Fixed already in the later
service packs.
Workaround: run the server in a port other than 443.
>
Then how can I detect the protocol the user is using? I usegetHeaderNames()
method to print out all the infomration in the HEADER. However, I findthat
it only includes client header information. Is it true that NES plug-inonly
fowards part of the HEADER information to the weblogic server?No, it forwards all except the Connection header because it doesn't support
http 1.1
Vinod.

Authenticating to weblogic web service using a client cert with webserver

I am trying to think of how to authenticate a client to a weblogic web service
using a client certificate. The wrinkle is that a Web Server (iis or whatever)
will be handling the ssl part and forwarding non-secure to weblogic. The cert
will still be accessable in the request using: HttpServletRequest req.getAttribute("javax.net.ssl.peer_certificates).
At this point it is not clear to me what I can do. When does CertAuthenticator
get called? Can I even use it? Will I have to write my own version of the weblogic.soap.server.servlet.StatelessBeanAdapter
class?
Any help will be appreciated, even explaining why it can't be done.
Thanks,
Scott

I am trying to think of how to authenticate a client to a weblogic web service
using a client certificate. The wrinkle is that a Web Server (iis or whatever)
will be handling the ssl part and forwarding non-secure to weblogic. The cert
will still be accessable in the request using: HttpServletRequest req.getAttribute("javax.net.ssl.peer_certificates).
At this point it is not clear to me what I can do. When does CertAuthenticator
get called? Can I even use it? Will I have to write my own version of the weblogic.soap.server.servlet.StatelessBeanAdapter
class?
Any help will be appreciated, even explaining why it can't be done.
Thanks,
Scott

Kerberos to JDBC user mapping

Hi,
I have a requirement to map a kerberos authenticated user through to the JDBC connection username.
This is well outside my comfort zone and I don't even know where to start looking. Can anyone suggest the topics / products I need to familiarize myself with.
Thanks.

Hi,
Thanks for the reply. I think I wasn't quite clear in my own head what I was asking for! I've chatted to our DBA and am a little clearer now.
So, I'd like Weblogic to authenticate a user against active directory. I'm pretty happy with that process (I've done Kerberos before, it's painful but that's more Kerberos system config than the application software).
I've then got two options:
1. Map the Weblogic user (from the Kerberos authentication) to a proper database user with a separate username and password. I've done this with X509 authentication, so I guess it's a similar process. Enable identity-based connection pooling on the data-source and set-up a JDBC credential mapping. As here: [http://docs.oracle.com/cd/E21764_01/web.1111/e13737/jdbc_datasources.htm#i1204171]
One thing I'm not clear about is how to automate configuring the credential mappings - I wouldn't want to have to create mappings for each of the users of the system.
2. The same, but use a database proxy user. I can see how this is possible on Weblogic 12.1.1 - [http://docs.oracle.com/cd/E24329_01/web.1211/e24367/ds_oracledriver.htm#CJAFCGGB] , but this option isn't available on Oracle datasources in 10.3.5.
Many thanks.
Edited by: 913882 on 18-Feb-2012 03:30

No User Mapping Defined for the system

Hi,
I am trying to create the transcation iView ,here in this i want to run the BW transcation..
For this i have created the transaction iView with the transaction code in that iview properties i have given the system alias which i have created for the BW system..
The system which i have created for this is SAP R/3 dedicated...
when i try to see the preview for this transaction iview it is giving the Error"No user Mapping defined in the system...
i have done the user mapping also...
Plz can any one help me in this..
useful solution will be rewarded...
Thanks
Shashank
Message was edited by: shashank moharana

Hi Shashank
the follwoing is total soln for connect EP AND BW and for ITS as well as SSO
Creating BW system in Portal
From the portal top-level navigation, choose System Administration -> System Configuration -> System Landscape
Navigate to Portal Content -> Your SAP Ssytem Folder i.e SAP BW
Right-click on the SAP BW folder, then choose New -> System
Select SAP system using dedicated application server
from System Template
Make the following entries for the BW system you want to connect to the Enterprise Portal
System Name -
SAP_BW
System ID -
Any ting u want like SAP_BW or SID of BW
System ID Prefix -
com.mycompany
Master Language -
English
Description -
NEXT -> Summary, review the options you selected for the new page.To make changes, choose Back to return to the appropriate screen. Then choose Next till you reach the Summary page, review, and choose Finish
Choose Open the object for editing and choose OK
The Property Editor iView will open
Select Connector in the Property Category dropdown
Enter the fields below according to your SAP system
Application Host -
IP Address of BW system or Host name ( FQDN required for SSO )
SAP Client --- BW system client
SAP System ID -
SID of BW
Server Port -
3200 default for system number 00
SAP System Number -
00 or ur instance number
System Type -
SAP_BW
NOW,
Select User Management from the Property Category dropdown list
Enter the fields below
Logon Method -
 UIDPW
User Mapping Type --- Admin,user
Note -: IF u want to use SSO for BW system first selct above and test it with BW system if it's ok than change to following
Logon Method -
 SAPLOGONTICKET
User Mapping Type --- Admin,user
choose SAVE.
Select System Aliases in the Edit dropdown list. This opens the System Alias Editor
In Alias, enter SAP_BW. Choose the Add button
Choose Save to save your changes and close the page
Connect With ITS
For BW
In Property Catalog, use the dropdown to select ITS.
Set your SAP system properties according to Following
ITS Description -
Description
ITS Host Name -
Host name : Port for BW system
If u want to use SSO use FQDN instead of host name
ITS Path -
/scripts/wgate
ITS Protocol -
http
Save your settings.
u can check its for BW by following
Find a port for BW using IIS manager
Administrator tools -> Internet Service Manager - >
extend the HOST
Find the site created for BW system same like SID of BW system -> right click -> Properties
TCP Port -- this is used for ur BW system
in IE http://host_for_its:Port_for_bw/scripts/wgate/webgui/!
WAS for BW System
Select Web Application Server (WAS) in the Property Category dropdown list
WAS Description -
BW WAS
WAS Host Name -
Host name : Port for BW system
use FQDN for SSO
WAS Path -
/SAP/BW/Bex
WAS Protocol -
http
Save ur entry.
User Management For BW and EP
Befor u start if u don't use SAP Secu lib during installation
change the following
system Administration -> System configuration -> Um configuration -> Direct editing
find out follwoing
ume.usermapping.unsecure=False
change to
ume.usermapping.unsecure=TRUE
Save and restart portal server
ther are so many option available for DATA source u have required doc for using that
if u have any query for that msg me back
Mapping Users in the Portal
if u want to use UIDPW than user must be map to BW system
go by following
User Administration -> User Mapping
select the user u want to map by serch or entering a name
Choose the Alias for your backend system, for example SAP_BW
Enter the user id and password for BW user
save ur changes.
SSO configuration
make sure ur Portal ITS and BW WAS system belong to Same
domain.
i.e
portal.mycompany.com
its.mycompany.com
bw.mycompany.com
if not, u can do by creating a alias into host file for corresponding system
for SSO follwoing parameter must be set in profile parameter using RZ10 in BW system
login/accept_sso2_ticket -
1
login/create_sso2_ticket -
1
login/ticket_expiration_time --- desired value default 60
now download the portal certificate form follwoing
System administration -> System configuration -> Keystore
Administration
donload verify.der file save it it's like verify.der.zip
extract it than u can get verify.der
now in BW system using trans. STRUSTSSO2
in the certificate section choose import certificate
choose the file tab enter the path of the portal's verify.der file
set the file format to DER coded
in the trust manager choose ADD to PSE and Choose
ADD to ACL
in the dialog box enter the portal system's id (SID) and client
by default portla system ID is the common name (CN) and client is 000
save ur entry and restart the BW server
this are the basci configuration if u have any query related to it msg me back
regards,
kaushal

Accepting runtime-specified SSL certificates in WebLogic 11g

Hi all!
In our application we need to call several Web Servervices based on URL's and trusted SSL certificates that are stored in database. Those certificates are self-signed but we cannot add them in the WebLogic truststore (we only want to accept them for those specific web service calls). This is 2-way SSL but our server refuses the remote certificate.
What is the right way to do this?
In WebLogic 10g we used to do the following:
 WlsSSLAdapter adapter = new WlsSSLAdapter();
 try {
 // setup for client certificate
 adapter.setKeystore(…);
 adapter.setClientCert(…);
 // setup for accepting the remote certificate
 adapter.setTrustManager(new TrustManager() {
 @Override
 public boolean certificateCallback(X509Certificate[] paramArrayOfX509Certificate, int paramInt) {
 return paramArrayOfX509Certificate[0] == expectedCertificate;
 } catch (Exception e) {
 throw new RuntimeException(e);
 ((weblogic.wsee.jaxrpc.StubImpl) servicePort)._setProperty(weblogic.wsee.jaxrpc.WLStub.SSL_ADAPTER, adapter);However in WebLogic 11g it appears that even if the <tt>TrustManager</tt> is called (which we checked by using a debugger), WebLogic refuses the certificate:
<validationCallback: validateErr = 16>
< cert[0] = Serial number: 9232073310112809071929676484517784211
 Issuer:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=mestoudi2
 Subject:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=mestoudi2
 Not Valid Before:Tue Nov 01 14:33:31 CET 2011
 Not Valid After:Sun Nov 02 14:33:31 CET 2031
 Signature Algorithm:MD5withRSA
 >
<weblogic user specified trustmanager validation status 16>
<Certificate chain received from mestoudi2 - 10.142.0.23 was not trusted causing SSL handshake failure.>
<Validation error = 16>
<Certificate chain is untrusted>
<SSLTrustValidator returns: 16>
<Trust status (16): CERT_CHAIN_UNTRUSTED>
<NEW ALERT with Severity: FATAL, Type: 42
 java.lang.Exception: New alert stack
 at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
 at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
 at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
…I think the first difference occurs on the line "+weblogic user specified trustmanager validation status 16+" where in WebLogic 10g the value was 0 instead of 16.
If we check "Use JSSE SSL" in the WebLogic administration console (which switches the implementation to com.sun.net.ssl instead of com.certicom.tls), the <tt>TrustManager</tt> is not called at all.
We also tried to configure the <tt>TrustManager</tt> by implementing a <tt>javax.net.ssl.X509TrustManager</tt> that we set on a <tt>weblogic.wsee.connection.transport.https.HttpsTransportInfo</tt> passed to the stub using
((weblogic.wsee.jaxrpc.StubImpl) servicePort)._setProperty(TRANSPORT_INFO, transportInfo);But it is not called either – however it works for setting up a proxy for example. We are generating the stubs using the clientgen Ant task (<tt>weblogic.wsee.tools.anttasks.ClientGenTask</tt>).
We are a little bit stuck, any idea of what we should do? Is the WebLogic 11g behavior a regression or is there something else we should configure to get back the old behavior?

Hello,
Weblogic has two keystores : identity (if you are doing 2 ways SSL) and trust. you should import your "external" certificate in the "trust" key store.
look at your server config to know your config : Home >Summary of Servers >AdminServer-->configuration-->keystore
I suggest that you change the default configuration (not using the demo one),
then when you know where is yo key store use the command line to add your certificate to trusted store (this is a example) :
opt/weblogic10_3_3/jdk160_18/jre/bin/keytool -import -noprompt -trustcacerts -alias BLCCertificateAuthority -file cacert2035.pem -keystore /opt/weblogic10_3_3/jdk160_18/jre/lib/security/cacerts
once your certificated is added to your trust store it should work.
I hope it will help.

Certificate to weblogic-user mapping using CertAuthenticator

Similar Messages

Maybe you are looking for