ChaRM inconsistency check

Dear all,
Some changes were made to our SAP landscape and adjustments are made to logical components and projects.
However, now we always get an error when performing the 'Check' in the 'ChaRM'-tab in our project:
CTS projects in production systems for project
No clue what this means.
At the moment as only solution we see to close the maintenance cycle and create a new one. But we have plenty of none released transports. I know SolMan can cope with this, however the preference is to get the tasklist fixed without closing and recreating it.
We are using SolMan 7.0 SPS16.
Any help would be appreciated!
Thanks and best regards,
Roel

Hi Roel,
did you modify your tasklist by adding the new systems already ?
I made it several times and it worked.
If you didn't do yet please proceed like here :
How to add a target system in the tasklist of the project ? (the prerequisite is to do what you explained first)
Select the row target systems add click on the change task list button
Click on the folder Add system
You should get a pop-up asking to select the new system
Validate your choice and the system appears in your target systems list
save the task list
don't forget to refresh your change request tab to make sure all is ok
you need to unlock the taskl you need and adapt the project switch accordingly to your requirement
I hope it heps
best regards

Similar Messages

Errors in CHARM project check

Dear gurus,
After customizing of CHARM Scenario for 2 system landscape,
I have 2 errors in CHARM project checking:
Error in background job for program /TMWFLOW/CMSSYSCOL2 error message No active job found
Error in background job for program RSGET_SMSY error message No active job found 1
Where can I create this background jobs?
The logical component is created and assigned to project,
Task list & Maintanance Cycle created too.
The Change request checkbox is active...

Hello Thom,
Thank you for your advice, it help's %)
I think maybe we have a special transaction for this jobs...
Regards,
Oleg.

CHARM activation check failing on "consolidation system for development system SSA-200 in project ZTEST2

Hello,
We are implementing Charmlite and want to activate in project landscape.
We are Solution Manager 7.1 SP11 and testing this scenario in sandbox.
Steps completed:
1. in sandbox domain controller, created two virtual systems and made 3 system landscape, where, I can release the transport and see it in QA system (Virtual system buffer)
2. The LMDB has been updated with Virtual system and in SMSY, the entries of virtual system shows up. The logical components have the client information.
Issue:
in /nsolar_project_admin ->System landscape -> change management, When consistency check is performed, we get error message saying
Virtual RFC is miising (I am guessing, it should be okay)
The logical component is incosistent (This might be the reason the CHARM is not getting activated.
"No consolidation system for development system SSA-200 in project ZTEST2
No track for project ZTEST2 with log. system SSA/200"
For me, when i look in satellite system, the consolidation system is a virtual system and it should be fine.
Please advise
Regards,
Durga PK Saitana

Thank you Karthik. Still the problem persists
I went through the blog earlier. I created l ABAP instance manually in SLD and moved into LMDB and can see the entry in SMSY. (I did not see any option of putting virtual flag)
We were trying harmonization of RFC from note 1384598 and since we had virtual systems, went with domain links.
After domain links, the virtual systems are read. the Dev ABAP system is not able to find the consolidated system. In the satellite system, I can release transport and move the transport.
Not sure, why this issue is persistent.

[ChaRM] Phase Check "Current_Processor"

As explained in note 1031029
https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1031029
I configured Current_Processor check for a status of new TR-Type, but I get an error message
when docment is changed to the status in crmd_order.
Current_Processor is SAP standard check. Why does this happen?
My solution manager is 7.0 and SP16 is installed.
Error Message
Runtime Errors         UNCAUGHT_EXCEPTION
Except.                CX_SOCM_NOT_IMPLEMENTED
Date and Time          2009/03/03 11:57:40
Short dump has not been completely stored (too big)
Short text
     An exception occurred that was not caught.
What happened?
     The exception 'CX_SOCM_NOT_IMPLEMENTED' was raised, but it was not caught
      anywhere along
     the call hierarchy.
     Since exceptions represent error situations and this error was not
     adequately responded to, the running ABAP program
      'CL_CHM1_URGNT_CORR_INSTANCE===CP' has to be
     terminated.
Error analysis
     An exception occurred which is explained in detail below.
     The exception, which is assigned to class 'CX_SOCM_NOT_IMPLEMENTED', was not
      caught and
     therefore caused a runtime error.
     The reason for the exception is:
     An exception occurred

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
If you mean by "upgrade" replace the switch's CPU, that's not done. Generally the whole switch would be upgraded (or on a chassis switch, perhaps a supervisor card).
If's very unusual to see a L2 or L3 switch with a very high CPU except when there's some "issue". The reason being, L2 and L3 switch off-load almost all data plane forwarding to dedicated ASICs, the CPU normally only deals with control plane needs.
On the 3560/3750 series, if TCAM resources are exceeded, some ASIC processing is then done by the CPU, which can overtax the latter.
What you might first do is search the main Cisco web site for troubleshooting high CPU utilization on the 3560/3750 series switches.

CHARM - Activation - Check   Error

Hi Experts
When I activate the Change Request Management for PI landscape, I am getting the below error
Client-specific transport control (CTC=1): No Import single method: Yes
Message no. /TMWFLOW/CM_CHECK028
Could you please tell me how i can resolve the issue
Thanks & Regards
Venkat

Dear Venkat,
Please follow th below steps.
1. got the sattilite target system developement client (Ex;_ if u are doing charm for R3 system login to R3 dev system ).
2. go to Tcode STMS press SHFT+F7 it will show the TMS configuration .
     double click on the each boxes in the TMS route
      go to -
SYSTEM ATTRIBUTES TAB in that TRANSPORT STARTERGY PART QUEUE CONTROLLED TRANSPORT SHOULD BE SINGLE TRANSPORT.
DO THE ABOV EFOR ALL THE BOXES IN THE TMS ROUTE EX:- QA , REGRESSION , AND PRODUCTION SYSTE,
Hope this will solve this issue.
Regards,
Umesh

System copy R3 inconsistency check

Hello,
I am making a copy of a system R3 Enterprise, I did the installation in a machine with win203 x64 and SQL.He made the installation of the central body and then I attach the BD, upon entering the system I get a message "Can´t execute sap_check_if_sick. Severe problems were detected during initial system check.Please, do not use that system before fixing these problems". What can I do? Process is correct?
Thank you very much

Hi
As per my understanding, you are doing data migration, rather than system copy.
There is the difference of versions in database in the source and target system. You need to upgrade your source system database to SQL 2005 before database copy/restore to the target system database.
You can find your solution in the SAPnote 799058, check point number 3.
<removed_by_moderator>
Please read the "Rules of Engagement"
Regards
Satyabrat
Edited by: Satyabrat Mohanty on Jul 29, 2008 10:21 AM
Edited by: Juan Reyes on Jul 29, 2008 9:28 AM

Forecast accuracy and Inconsistency check reports in APO-BW

Hi Guru's,
Can some of you provide some info on How I can go ahead with Forecast accuracy report to compare actulas and planned versions . This info we have to receive from APO demand planner . What shold I consider befroe proceeding to these reports . How can I generate data sources and transfer into BW .
Any useful docs please send to [email protected] .
Thanks ,
Ananth.

Hi Ananth,
Check Business content Query -
http://help.sap.com/saphelp_nw04s/helpdata/en/43/25b2946b3e0d24e10000000a1553f7/frameset.htm
and other available query, if you find some thing relevant, activate the relevant objects and start extracting data.
hope it helps
Regards
Vikash<a href="http://http://help.sap.com/saphelp_nw04s/helpdata/en/43/25b2946b3e0d24e10000000a1553f7/frameset.htm">http://http://help.sap.com/saphelp_nw04s/helpdata/en/43/25b2946b3e0d24e10000000a1553f7/frameset.htm</a>

Charm Status Check

Hi
Could anybody explain me the best approach to restrict document change based on user status?
I know that B_USERSTAT is the authorization object to control secutrity.
But I am facing the following situation.
Status   Auth key
E0001   SDCR_001
E0002   SDCR_002
E0003   SDCR_003
E0004   SDCR_004
I want a user who has SDCR_001 only to allow E0001 actions, but for changing status (SET_STATUS) to E0002, authrization is checked and rejected because the user does not have SDCR_002. (This is technically understandable.....)
For resolving this situation, what settings are most recommended?
BR

HI,
USER Authorization
Administrator
SAP_CM_SMAN_ADMINISTRATOR
Change Manager
SAP_CM_SMAN_CHANGE_MANAGER
IT Operator
SAP_CM_SMAN_OPERATOR
Developer
SAP_SOCM_DEVELOPER
     Developer     Tester     Prod. Manager     Operator     Administrator
Display     X       X                     X                X                       X
Create     X       ---                     ---                ---                       X
Change     ---       ---                     ---                ---                       X
Delete     ---       ---                     ---                ---                       X
Run              X        X                      X                 X                       X
Change status     X     X                X                  X                   X
Regards
Sreedhar Reddy

Activate CHaRM using Virtual Systems in Landscape

Is it possible to activate a CHaRM project against a landscape that
contains virtual systems?
We currently have a Development system (DEV) with a virtual Test system
(QAS) and virtual Production system (PRD). These systems are marked as
Virtual in TMS and SMSY System Landscape. We have added these systems t
o
the Logical Components and created a new Solution Manager project and
want to activate CHaRM against this scenario. .
The TMS routes are defined with Dev -> QAS(virtual) -> PRD(virtual). Is
this scenario possible? Do the standard CHaRM activation checks (RFC's,
Authorizations, etc) get bypassed because these systems are virtual?
When activating CHaRM, we still receive the error that no consolidation
system exists for our Dev system even though the TMS routes have been
defined properly. However, since these systems are virtual, we cannot
add client information to them.
Thanks

Hi,
>
Thiago Luttig wrote:
> Is it possible to activate a CHaRM project against a landscape that
> contains virtual systems?
> The TMS routes are defined with Dev -> QAS(virtual) -> PRD(virtual). Is
> this scenario possible?
A virtual system cannot export any TR. So any request imported to QAS cannot be exported
So
>
Thiago Luttig wrote:
> The TMS routes are defined with Dev -> QAS(virtual) -> PRD(virtual). Is
> this scenario possible?
is not possible.
Hope this answers your question.
Feel free to revert back.
--Ragu

Deleting all special GL can cause Database inconsistency?

Hi Expert,
With reference to the subject, I wonder deleting special GL indicators can cause database inconsistency.
My Case:
I deleted all of the SAP special GL indicator, and recreated those I want with my own naming convention, which some of them same with the standard come with SAP. I did it in client 100, and not yet SCC1 to sandbox (client 120).
After the deletion, when I run FB01, FB03, etc, I faced error: Inconsistency in the length of DDIC data type "FBSEG ...
I faced both problem in client 100 and 120 (I have not changed anything here).
Question:
Is it my deletion cause the database inconsistency?
Why client 120 also have same error?
Now, basis is figuring the problem, and suspect also the database issue, and not my special GL deletion.
Kindly advise.
Thanks and regards,
sbmel

Dear expert
Instead of deleting special G/l indicator you can follow "use transaction FB00, under Document Entry tab there is General Entry Option where select No Special G/L transaction"
1329034 - "Correcting inconsistency
check notes 707715, 929259
http://help.sap.com/saphelp_nw04/helpdata/en/cf/21f0d1446011d189700000e8322d00/frameset.htm
Regards
Ajeesh.s

Exception message 62 - Master Data Inconsistant

I'm getting the referenced exception message when generating an MRP run with scheduling value of "lead time scheduling and capacity planning". I've done consistency checks on all master records - routings, work centers, etc - and all have come back clean. Anyone have any idea why this may be happening?
Thanks!
Bob

Hi,
62 Scheduling: Master data inconsistent Check master data !
Remove "In House Processing Time" from the Material Master MRP2
view. Ensure that the Production Version & Routing are correct. Run
MPS/MRP manually once corrected.
Regards
Sunil

Org model - org unit consistency check warning.

Hello,
I am not familiarize with org model. when i tried to create one org. strucuture, every thing went fine. But when i did an inconsistency check i got the warning message " 'IS_SA_ORG' hierarchy maintenance incorrect "
Can anybody help me get the incinsistency check corrected.
Please help me out.

Pramod,
This is a typical org model issue..
here is the solution. "Make changes to table T77OMATTUS,
field PRIOX value to be made 0 for fields - IS_SA_ORG, IS_SA_GRP, IS_SA_OFF"
Do let us know if your check still fails...
Julius

MB5B - Closing Value for Posting Date inconsistently reported.

Greetings,
I am executing transaction MB5B in ECC 6.0 for a single Posting Date in November of 2008. The parameters include 3000 ROH materials (selected by MIN/MAX material number ranges) in 30 plants within 3 different companies (selecting all by leaving these values blank). The problem I am having is that I am getting a different total USD valuation each time I run the report. If I run the report 3 times in 15 minutes I will get 3 different USD totals. Difference is usually small (.006%).
At times I will get exact matches. Yesterday, 3 out of 5 runs were exactly the same result.
Can anyone advise what might be causing this variability? And how it might be corrected. Either by using different selection parameters of another more reliable transaction code.
Regards,
Joe

Hi,
If you post in the previous period and the material price in the previous period differs from the current price, the system generates a stock posting and revaluation line with the same value but opposite signs.
You can ran an inconsistency check report using SE16: MBEW
Go through SAP Note 518368
Bye,
Muralidhara

VPC Type-2 inconsistency problem

Hi there.
Now I'm facing Type-2 inconsistency problem. I don't know what's the problem.
Here is the output.
what should i do to fix this ?
Thank you in advance : )
[7K_1]
switch# show vpc
Legend:
(*) - local vPC is down, forwarding via vPC peer-link
vPC domain id : 1
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 inconsistency reason : Consistency Check Not Performed
vPC role : secondary
Number of vPCs configured : 1
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
vPC Peer-link status
id Port Status Active vlans
1 Po1 up 1,101
vPC status
id Port Status Consistency Reason Active vlans
10 Po10 up success success 1
switch#
switch# show vpc consistency-parameters global
Legend:
Type 1 : vPC will be suspended in case of mismatch
Name Type Local Value Peer Value
STP Mode 1 Rapid-PVST Rapid-PVST
STP Disabled 1 None None
STP MST Region Name 1 "" ""
STP MST Region Revision 1 0 0
STP MST Region Instance to 1
VLAN Mapping
STP Loopguard 1 Disabled Disabled
STP Bridge Assurance 1 Enabled Enabled
STP Port Type, Edge 1 Normal, Disabled, Normal, Disabled,
BPDUFilter, Edge BPDUGuard Disabled Disabled
STP MST Simulate PVST 1 Enabled Enabled
Allowed VLANs - 1,101 1,101
Local suspended VLANs - - -
switch#
switch# show port-ch sum
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
Group Port- Type Protocol Member Ports
Channel
1 Po1(SU) Eth NONE Eth3/1(P) Eth3/2(P)
10 Po10(SU) Eth LACP Eth3/11(P)
switch#
switch# sh vlan
VLAN Name Status Ports
1 default active Po1, Po10, Eth3/1, Eth3/2
101 VLAN0101 active Po1, Eth3/1, Eth3/2
VLAN Type Vlan-mode
1 enet CE
101 enet CE
Remote SPAN VLANs
Primary Secondary Type Ports
switch#
[7K_2]
switch# sh vpc
Legend:
(*) - local vPC is down, forwarding via vPC peer-link
vPC domain id : 1
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 inconsistency reason : Consistency Check Not Performed
vPC role : primary
Number of vPCs configured : 1
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
vPC Peer-link status
id Port Status Active vlans
1 Po1 up 1,101
vPC status
id Port Status Consistency Reason Active vlans
10 Po10 up success success 1
switch# show vpc consistency-parameters global
Legend:
Type 1 : vPC will be suspended in case of mismatch
Name Type Local Value Peer Value
STP Mode 1 Rapid-PVST Rapid-PVST
STP Disabled 1 None None
STP MST Region Name 1 "" ""
STP MST Region Revision 1 0 0
STP MST Region Instance to 1
VLAN Mapping
STP Loopguard 1 Disabled Disabled
STP Bridge Assurance 1 Enabled Enabled
STP Port Type, Edge 1 Normal, Disabled, Normal, Disabled,
BPDUFilter, Edge BPDUGuard Disabled Disabled
STP MST Simulate PVST 1 Enabled Enabled
Allowed VLANs - 1,101 1,101
Local suspended VLANs - - -
switch#
switch# sh run vpc
!Command: show running-config vpc
!Time: Tue Nov 25 07:48:04 2014
version 6.1(2)
feature vpc
vpc domain 1
peer-keepalive destination 1.1.1.1
interface port-channel1
vpc peer-link
interface port-channel10
vpc 10
switch#
switch# show port-ch summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
Group Port- Type Protocol Member Ports
Channel
1 Po1(SU) Eth NONE Eth3/1(P) Eth3/2(P)
10 Po10(SU) Eth LACP Eth3/11(P)
switch#
5K
switch# sh vlan
VLAN Name Status Ports
1 default active Po1, Po10, Eth3/1, Eth3/2
101 VLAN0101 active Po1, Eth3/1, Eth3/2
VLAN Type Vlan-mode
1 enet CE
101 enet CE
Remote SPAN VLANs
Primary Secondary Type Ports
switch#

Hi, as you can see from the output of "show vpc" the Type-2 consistency check not performed. It is probably due to you have not configured any type-2 consistency check related features on your devices that would triggers the type-2 inconsistency check to perform.
You can read more about type-2 consistency parameters here:
www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf
Regards,
Peter

UWC/CE 6.3 and Access Manager 7.1 SSO sometimes fails (seems like a bug)

PREAMBULA: I started writing this post thinking that our AM SSO setup was at fault in some step. As I was gathering data, checking the doc-links and config files and finally sniffed the servers for HTTP dialogs, I grew pretty sure there's a bug in UWC/CE, AM SDK or Web Server Policy Agent, whatever implements the AM SSO session checking.
In short, as written below, our "sunmail" server can POST a broken cookie to AM server, if the cookie originally contained a "plus" character. The "plus" is replaced by a "space", invalidating the session check. As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here. I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
Is there some known bug or workaround that matches this description?
Nevertheless, for completeness' sake I kept the description of our setup. Maybe it's at fault after all :)
We have an installation of JCS5 with the latest patches as of early July 2008. And as the subject implies, we have problems with AM SSO in UWC/CE web-interface. I have reported them before, then they seemed fixed (not occuring for several tests in a row), but as time has shown, something wrong is still there.
So I'll try to go into deeper detail now, as we've may have overlooked some nuance... Then again, as my sniffer research below shows, this may be an engine bug and these setup details are irrelevant.
Our setup is split into several Solaris 10 full-root zones hosted on several servers, some of the components are enroute to HA (perhaps we made some mistakes on this part of the way?)
So, we have the following software stack:
1) two MMR Directory Servers (DSEE 6.3 = DSEE 6.2 from JCS5 + 125278-07__DSEE_6.3__x86x64 + 125277-07__DSEE_6.3__x86_sol9 patches) working in zones on two different servers. Except for one time when a manually forced ZFS rollback corrupted one of the server instances, no problems here.
2) two zones with Directory Proxy Servers (6.3, exact versions as above) running at port 389 provide the clients with an illusion that they have a stable Directory Server, even if one of the actual servers is currently rebooting ;)
These DPS zones are hosted on two different servers as well and are primarily used by LDAP clients (JCS components) running in other zones on the same respective servers.
3) A zone with Sun Web Server 7.0U1 and Access Manager 7.1 (+ 126357-01__AM71_x86 patch) and Delegated Admin 6.4-4.01 (from JCS5 + 121582-18__COMMCLI64__x86 patch).
At the moment there is one such zone (named "cos-psam-01.domain.ru" in the logs below), but we expect(-ed) it to become two similar zones as per AM HA setup.
Zones listed in (1-3) use private IP numbers, they belong in our internal DMZ.
Zones listed in (4-5) below use public (routed) IP numbers, they belong in our external DMZ.
4) A zone with Sun Web Server 7.0U1 used primarily as a reverse-proxy server (optionally with a load-balancer libpassthrough.so plugin) successfully used for other hosted projects. One of its configurations now passes connections from an externally routed IP address published as "psam.domain.ru" to "cos-psam-01.domain.ru", per AM HA setup, so HTTP clients believe they work with an Access Manager instance. This zone has a backend interface with a private IP address to communicate with the actual AM instance.
In AM configuration (both LDAP and file-based) we have configured a site ID with the publicly known name and mentioned both names (psam and cos-psam-01) in organization's realm/dns aliases.
5) A zone with the rest of the Sun Java Communications Suite 5, as in Messaging Server 6.3 (6.3-6.03 64-bit: ci-5.0-1.03_solx86_x64__Messaging_Server_6.3-2 + patch 126480-09__MSG63__x86-64), UWC/CE 6.3 (from JCS5 + 122794-17__UWC63-4.01_core__x86), Instant Messaging 7.2 (from JCS5 + 118790-29__IM72__x86-1 + 118787-28__IM72__x86-2), Calendar Server 6.3 (from JCS5 + 121658-28__iCS63__x86). The web-components (UWC/CE, IM, /httpbind) are deployed in a Sun Web Server 7.0U1 as well.
This zone is named "sunmail.domain.ru" and has a routed IP address for direct external access to its servicess.
The AM SDK part is also patched (126357-01__AM71_x86); it points to the load-balancer name ("psam.domain.ru") as an actual AM server.
# imsimta version
Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)
libimta.so 6.3-6.03 (built 17:15:08, Mar 14 2008; 64bit)
SunOS sunmail 5.10 Generic_127112-07 i86pc i386 i86pc
While setting up this server set we tried to use AM SSO as the user login method, but it works unreliably.
"Unreliably" means that while most of the time entering a correct uid and password in Access Manager login page ("http://psam.domain.ru/amserver/UI/Login") does redirect a user back to "http://sunmail.domain.ru/uwc/auth" along with a new cookie, and the user is redirected again to his or her mailbox, sometimes the user receives the UWC/CE login page. Entering the same uid and password here does log him in, but it breaks the whole point of SSO and only increases the end-user routine required to log in :\
We have also seen the "missing mail tab" problem - if the users point the browser to any hostname different from "sunmail.domain.ru" (i.e. www.mail.domain.ru which is equivalent in DNS), they have only the Address book, Calendar and Options tabs; no webmail. So far this is resolved by Policy Agent forcing The One name of the server.
Here's the configuration we did specifically for AM SSO:
1) in AMConfig.properties of "sunmail" and "cos-psam-01" we set up
com.iplanet.am.cookie.encode=false
am.encryption.pwd=<the same value>
all hostname-related parameters point to "psam.domain.ru"
2) in AMConfig.properties of "cos-psam-01" a number of FQDN equivalence entries are added (so it does not redirect to a server hostname unknown to visitors):
com.sun.identity.server.fqdnMap[publicname-or-ip]=psam.domain.ru
com.sun.identity.server.fqdnMap[cos-psam-01.domain.ru]=cos-psam-01.domain.ru
3) in "msg.conf" on "sunmail" (entries added via configutil):
local.webmail.sso.amcookiename = iPlanetDirectoryPro
local.webmail.sso.amnamingurl = http://psam.domain.ru:80/amserver/namingservice
local.webmail.sso.singlesignoff = yes
local.webmail.sso.uwcenabled = 1
service.http.ipsecurity = no
(perhaps some more options are required? Looking for confirmation about: local.webmail.sso.uwclogouturl local.webmail.sso.uwccontexturi local.webmail.sso.uwchome service.http.allowadminproxy )
4) Configured Web Policy Agent for Sun Web Server, so that users without an AM session are required to get one. Set up per [http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent], except that com.sun.am.policy.agents.config.notenforced_list points to the many names our server can go known by.
5) Updated the logout URL in /opt/SUNWuwc/webmail/main.js:
--- main.js.orig        Sat Jan 26 07:52:09 2008
+++ main.js     Mon Jul 21 01:06:29 2008
@@ -667,7 +667,8 @@
function cleanup() {
   if(laurel)
-      top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+//      top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+      top.window.location = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
   else
       exec('logout', '', 'exit()')
@@ -1707,7 +1708,8 @@
   if(lg) {
         url = document.location.href
         url = url.substr(0,url.indexOf('webmail'))
-        uwcurl = url + 'base/UWCMain?op=logout'
+//      uwcurl = url + 'base/UWCMain?op=logout'
+        uwcurl = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
   exit()
}6) Calendar SSO - per docs...
According to ngrep sniffing,
1) the browser goes to "http://sunmail.domain.ru/uwc/auth" without any cookies
2) receives a redirect and goes to "http://psam.domain.ru/amserver/UI/Login?gotoOnFail=http://sunmail.domain.ru:80/uwc&goto=http%3A%2F%2Fsunmail.domain.ru%3A80%2Fuwc%2Fauth"; sends no cookies either.
3) The first response from the "psam" server (as redirected from "cos-psam-01") sets a few cookies while rendering the login page:
Set-cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; Path=/
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: amlbcookie=02; Domain=.domain.ru; Path=/
4) The browser requests the login page resources (javascripts, images, etc) using these cookies, as in this header line:
Cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; amlbcookie=02
5) The browser POSTs the login request to "/amserver/UI/Login" and receives a redirection to http://sunmail.domain.ru:80/uwc/auth
Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: AMAuthCookie=LOGOUT; Domain=.domain.ru; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
6) The browser requests "http://sunmail.domain.ru/uwc/auth" using the newly set cookie (looks like the old one to me though):
Cookie: amlbcookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#
7) The "sunmail" web-server checks the AM session validity with the same "psam.domain.ru". It sends a series of POSTs to /amserver/namingservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="685">
<Request><![CDATA[
<NamingRequest vers="1.0" reqid="324" sessid="AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#">
<GetNamingProfile>
</GetNamingProfile>
</NamingRequest>]]>
</Request>
</RequestSet>(receives a large XML list of different Access Manager configuration parameters and URLs)
...then a double-request to /amserver/sessionservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="Session" reqid="686">
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="678">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]>
</Request>
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="679">
<AddSessionListener>
<URL>http://sunmail.domain.ru:80/UpdateAgentCacheServlet?shortcircuit=false</URL>
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</AddSessionListener>
</SessionRequest>]]>
</Request>
</RequestSet>As a result it receives an XML with a lot of user-specific information (the username, LDAP DN, preferred locale, auth module used, etc.)
!!!*** Now, the problem part ***!!!
8) And then "sunmail" POSTs a broken cookie to "psam" (note the space in mid-text, where the "plus" sign was previously). As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here.
I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. I looked over the large XML responses to the two previous requests, whenever they mention the session cookie value, the "plus" is there.
For the most detail I can provide, I'll even paste the whole HTTP packet:
POST /amserver/sessionservice HTTP/1.1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null
Content-type: text/xml;charset=UTF-8
Content-length: 336
Cache-control: no-cache
Pragma: no-cache
User-agent: Java/1.5.0_09
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Host: cos-psam-01.domain.ru
Client-ip: 194.xxx.xxx.xxx
Via: 1.1 https-weblb.domain.ru
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="258">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="254">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]></Request>
</RequestSet> The server's error response is apparent:
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 31 Jul 2008 05:49:50 GMT
Content-type: text/html
Transfer-encoding: chunked
19b
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="258">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="254">
<GetSession>
<Exception>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=# Invalid session ID
AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</Exception>
</GetSession>
</SessionResponse>]]></Response>
</ResponseSet>On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
For reference, here's a working final request-response (one with a good cookie, as received by the load-balancer web-server). Request looks a bit different:
POST /amserver/sessionservice HTTP/1.1
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null
Content-Type: text/xml;charset=UTF-8
Content-Length: 379
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.5.0_09
Host: psam.domain.ru
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="281">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="277">
<SetProperty>
<SessionID>AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#</SessionID>
<Property name="uwcstatus" value="active"></Property>
</SetProperty>
</SessionRequest>]]></Request>
</RequestSet> ...and the response is OK:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="281">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="277">
<SetProperty>
<OK></OK>
</SetProperty>
</SessionResponse>]]></Response>
</ResponseSet>

There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
The solution for these customers was the following:
=> AM server/client side:
Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
=> AM client (UWC) side:
- Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
<sun-web-app>
   <property name="encodeCookies" value="false"/>
   <session-config>
      <session-manager/>
   </session-config>
   <jsp-config/>
<property name="allowLinking" value="true" />
</sun-web-app>Regards,
Shane.

ChaRM inconsistency check

Similar Messages

Maybe you are looking for