Issue in parsing MYSAPSSO2 Cookie -Certificate Serial no is in Hexadecimal

Similar Messages

• Issue while parsing the MYSAPSSO2 Cookie

  Hi All,
  We are trying to establish SSO with a non SAP web application using MYSAPSSO2 cookie.
  Plan is to write a java class which can parse out the MYSAPSSO2 cookie, extract the user Id and use it for single sign on.
  Following Libraries are used:
  logging.jar
  i18n_cp.jar
  iaik_jce.jar
  com.sap.security.api.jar
  com.sap.security.core.jar
  rscp4j.dll(this is downloaded from a SAP EP 7.0 instance running in windows 2003 server in our landscape).
  Our Source SAP EP 7.0 instance which will be issuing the cookie is running in Solaris.
  The target application in which the cookie is parsed, is running in Windos 2003 64 bit server.
  Following is the code which we are using.
  //Instantiate the rpovider
  IAIK provider = new IAIK();
  Security.addProvider(provider);
  //Instantiate the ticket
  tv  =   new com.sap.security.core.ticket.imp.Ticket();
  //set teh certificates
  tv.setCertificates(certificates);
  //set the MYSAPSSO2 cookie
  tv.setTicket(strCookie);
  if (!tv.isValid()){
       System.out.println("Ticket is not valid");
  //Verify the ticket
  tv.verify();
  isValid method is working fine - it is returning true or false exactly based on the validity.
  ISSUE:
  tv.verify();--->Raises the following exception:
  java.security.SignatureException-Certificate (Issuer="CN=SID,OU=XX,O=XYZ,L=LO,ST=ST,C=CO", S/N=1234567890) not found.
  When analyzed, it looks like the verify method is trying to compare the issuer's serial number in integer format
  but the portal is providing the serial number in hexadecimal format.
  So the keystore has the certificate with the same issuer and serial number but the serial number is in hexadecimal format.
  The certificate from SAP Enterprise Portal was imported to the local keystore using the keytool -import option.
  Could anyone help resolve this issue?
  Thanks in advance.

  Hi,
  im facing the exact same problem, and I think I found the reason for the behavior described above.
  The Problem seems to be located at
  [http://help.sap.com/javadocs/NW73/SPS01/CE/se/com.sap.se/com/sap/security/api/ticket/TicketVerifier.html#verify()]
  from com.sap.security.api.jar, just like mentioned.
  But the Problem seems to be the issuer, not the serial number.
  When decompiling  com.sap.security.api.jar with JD-GUI ([http://java.decompiler.free.fr/?q=jdgui]),
  you can see the following:
       public static java.security.cert.X509Certificate[] findCertificates(
                 java.security.cert.X509Certificate[] certificates, String issuer, BigInteger serial) {
            if ((certificates == null) || (certificates.length == 0)) {
                 return null;
            ArrayList certificateList = new ArrayList();
            for (int i = 0; i < certificates.length; i++) {
                 java.security.cert.X509Certificate certificate = certificates<i>;
                 if ((certificate.getIssuerDN().getName().equals(issuer)) && (certificate.getSerialNumber().equals(serial))) {
                      certificateList.add(certificate);
            if (certificateList.size() == 0) {
                 return null;
            java.security.cert.X509Certificate[] matchedCertificates = new java.security.cert.X509Certificate[certificateList
                      .size()];
            certificateList.toArray(matchedCertificates);
            return matchedCertificates;
  As you can see, the issuer-parameter is beeing compared with the issuer from the certificate. And here comes the weird stuff: While the  issuer-parameter contains an issuer like
  "OU=J2EE,CN=EXAMPLE"
  the issuer retrieved from the certificate is
  "OU=J2EE, CN=EXAMPLE"
  (see toString() of the java.security.cert.X509Certificate)
  You see the missing whitespace after the comma? This is the reason why the if-condition fails and you get something like
  java.security.SignatureException: Certificate (Issuer="OU=J2EE,CN=EXAMPLE", S/N=1234) not found.
  A workaround (a really UGLY one, I admit), is the following:
  1. Open  com.sap.security.api.jar with a ZIP-tool and delete
  /com/sap/security/api/ticket/TicketVerifier.class
  2. Copy the decompilied Version of TicketVerifier to Java-Class /com/sap/security/api/ticket/TicketVerifier.java
  3. Change
  for (int i = 0; i < certificates.length; i++) {
       java.security.cert.X509Certificate certificate = certificates<i>;
       if ((certificate.getIssuerDN().getName().equals(issuer)) && (certificate.getSerialNumber().equals(serial))) {
            certificateList.add(certificate);
  to
  for (int i = 0; i < certificates.length; i++) {
       X509Certificate certificate = certificates<i>;
       String dnNameFromCert = certificate.getIssuerDN().getName().replaceAll(", ", ",");
       BigInteger serialNumberFromCert = certificate.getSerialNumber();
       if ((dnNameFromCert.equals(issuer)) && (serialNumberFromCert.equals(serial))) {
            certificateList.add(certificate);
  4. Package this class into a jar and make it available in your classpath.
  5. Enjoy
  To me, this is a huge bug in the SAP-Library and has to be fixed.
  Regards
  Matthias
  Edited by: Matthias82 on Sep 29, 2011 12:47 PM

• MYSAPSSO2 cookie format in J2ee and ABAP - NW7

  Hello
  I installed NW7 with ABAP + Java with system id DV1. I was able to configure the java and abap to issue ticket and to be accepted by other systems (DV2).
  If I login to the DV1 abap host using webgui url(integrated ITS), I am getting the MYSAPSSO2 cookie in the browser IE.  With this I am able to login to DV2 j2ee and also to ABAP.
  If I login to DV1 j2ee engine using the portal link, I am not seeing the MYSAPSSO2 cookie in the browser, but seeing JSESSIONID and with it still I am able to login to DV2.
  My question : Is the JSESSIONID exactly equal to MYSAPSSO2 ? If not how can I make the DV1 J2ee to issue MYSAPSSO2 cookie ? Thanks.
  SAPLearner

  Hi
  I am able to test and able to login to the other j2ee or abap system. But still not able to see the MYSAPSSO2 cookie issued by EP j2ee.
  DV1 - NW7 SP12 system ABAP + J2ee(with portal on it)
  DV2 - NW7 SP12 system ABAP + J2ee(with BI java)
  I have exported DV1's java and abap certificate to DV2, made it trusted and the the connection is working.
  When I login to DV1 j2ee using the url  http://<DV1fullhostname>.com:52200/irj/portal
  and getting the below in my browser
  SignOnDefault=<windows id>; JSESSIONID=(DV1host_DV1_22)ID2068173650DB0050916542928689590End; SAPPORTALSDB0=urn%253Acom.sapportals.appdesigner%253Aframework%2526isPersonalizeMode%3Dfalse; GWS_AUTO_LOGIN=FALSE; AbxUserLocale=en_US_STAFF; PortalAlias=portal; saplb_*=(DV1host_DV1_22)613943650
  With this above cookie I am able to login to DV2 j2ee http://<DV2fullhostname>.com:52500/nwa
  or abap http://<DV2fullhostname>.com:8025/sap/bc/gui/sap/its/webgui
  without any issue. In my browser I do not see MYSAPSSO2 cookie. Why is that?
  My login stack in j2ee is defined as below.
             1. Evaluate ticket
             2. Basic login modele
             3. Create ticket
  At the same time if I login to DV1 abap http://<DV1fullhostname>.com:8022/sap/bc/gui/sap/its/webgui  I can see the cookie MYSAPSSO2 in the browser and still able to login to DV2.
  Dont understand why my DV1 j2ee is not issuing MYSAPSSO2 cookie and issueing JSESSIONID ?
  Appreciate your reply
  SAPLearner

• Error on Invalid certificate serial number while configuring mutual SSL

  Hi Guys,
  I encounter this error(refer below) while running the EAI Outbound Body proxy.I'm currently trying to do outbound web service with a third party who uses SSL.
  Base on oracle support I have followed on how to import the CA certs and also I have added this two parameters in my outbound body proxy.
  siebel_transport_param:HTTPCertAuthority  = "CN=Siebel Test,OU=Oracle"
  siebel_transport_param:HTTPCertSerialNo =11223344
  I hit error:SBL-EAI-04116: HTTP Internet Exception during 'Data Send': 'The connection with the server was reset', code: '12031'
  When I check log file it says,
  Switched transport service direction to: 'Outbound'
  Error     Error     1     0000069e4f9a4e03:0     2012-04-27 19:55:30     Invalid certificate serial number ?11223344
  EAITransport     EAITransportDebug     4     0000069e4f9a4e03:0     2012-04-27 19:55:30     Could not load the client certificate
  EAITransport     EAITransportDebug     4     0000069e4f9a4e03:0     2012-04-27 19:55:30     *** HTTP Transport Parameters:
  EAITransport     EAITransportDebug     4     0000069e4f9a4e03:0     2012-04-27 19:55:30     Request URL = https://Uknown/Uknown.asmx
  EAITransport     EAITransportDebug     4     0000069e4f9a4e03:0     2012-04-27 19:55:30     Request Method = POST
  EAITransport     EAITransportGeneric     3     0000069e4f9a4e03:0     2012-04-27 19:55:30     Dropped old connection and creating new connection for 'Request'
  Error     Error     1     0000069e4f9a4e03:0     2012-04-27 19:55:30     Invalid certificate serial number ?11223344
  EAITransport     EAITransportDebug     4     0000069e4f9a4e03:0     2012-04-27 19:55:30     Could not load the client certificate
  I try verify again the cert I imported and it says
  Serial Number : 11 22 33 44
  Issuer : CN=Siebel Test,OU=Oracle
  Guys, do you know what I'm missing?
  1) I have already check my inbound parameter do not have white spaces like this => 11223344
  2) I have added this double quatation in my HTTPCertAuthority because I suspected is required for Issuer with space value.
  3) When I try import from Siebel it put the cert into intermediate certificaiton tab but when I import to IE it went to other people tab. Is this expected ?
  The cert is working when I try import it to IE and when to this URL:https://Uknown/Uknown.asmx
  Thanks for reading,
  I hope some guys put some light
  Regards,
  Joey , MY

  See here:
  Audition 3 and the activation service
  and here:
  Error: Activation Server Unavailable | CS2, Acrobat 7, Audition 3

• MYSAPSSO2 Cookie not found in IE

  Hi Everyone,
  I am trying to implement SSO between a third party Java application and the SAP EP 7.0. As a test procedure, I log in to my portal and then run my code to see if I can retrieve and decrypt the MYSAPSSO2 cookie.
  My code works perfectly when I log in to the portal using Mozilla Firefox (2.0.0.1); I can see the MYSAPSSO2 cookie and decrypt it (Log file output below). However, when I use IE (6.0.3790.1830) to log in to the portal, I can not retrieve the MYSAPSSO2 cookie. It seems as if this cookie does not even exists. I am thinking the cookie is somehow hidden and therefore my code can't see it.
  Has anyone faced this issue before? I have tried to decrease the security settings on IE but that doesn't help things. Any help on this issue would be really appreciated!
  Pasted below is a snippet of my code.
  //request is a HttpServletRequest object
  Cookie[] allCookies = request.getCookies();
                      int allCookiesLength = allCookies.length;
                      for (int i = 0 ; i<allCookiesLength; i++)
                           Log.debug("Cookie Name at " + i + " = " + allCookies<i>.getName());
                           if(allCookies<i>.getName().compareToIgnoreCase("MYSAPSSO2")==0)
                                SAP_SSO_COOKIE =  allCookies<i>;
                                                  Log.debug("Cookie Found!");
                                cookieFound = true;
                                break;
                                          Log.debug("Cookie NOT Found!");
                           cookieFound = false;
  <u><b>Log file Output with IE</b></u>
  2007.02.07 13:05:31 Cookie Name at 1 = saplb_*
  2007.02.07 13:05:31 Cookie Name at 2 = JSESSIONID
  2007.02.07 13:05:31 Cookie NOT Found!
  <u><b>Log file Output with Firefox</b></u>
  2007.02.07 13:54:15 Cookie Name at 0 = saplb_*
  2007.02.07 13:54:15 Cookie Name at 1 = PortalAlias
  2007.02.07 13:54:15 Cookie Name at 2 = JSESSIONID
  2007.02.07 13:54:15 Cookie Name at 3 = MYSAPSSO2
  2007.02.07 13:54:15 Cookie Found!
  Thanks
  MOY

  Michael,
  I changed the parameter "httponlycookie" to FALSE and this works. My issue was that when I set the parameter to FALSE, I restarted my J2EE engine. For some odd reason, after the restart this parameter was set back to TRUE. Whats even worse, or maybe even cool, depends how you look at it, is that this parameter is set back to TRUE even if I closed down Visual Admin and fire it up again (without restarting the server). However, in this case SSO still works because the J2EE settings are not updated with this TRUE value. Is there a security setting which sets back this parameter to TRUE every time the server is restarted or when Visual Admin is fired up?
  Thanks
  MOY

• Getting the MYSAPSSO2 cookie in the application running in tomcat server

  Hi All
  I am trying to integrate the java application running in tomcat in to portal ...for this i have developed a servlet and trying to get the MYSAPSSO2 cookie in this so that i can vlaidate this ticket...
  can any one plz help in solving this issue
  Thanks & Regards
  Ajay

  Hi Ajay,
  Did you solve this problem? how? I need to do this too.
  thanks,
  Daniel Arakawa

• Information of the MYSAPSSO2 Cookie

  Hello everybody,
  I am working with SSO and I've instaled analyzer tool to look how the cookies are, on "Information of the MYSAPSSO2 Cookie". The other day worked but now it seems like doesn't works because all parameters shows as null.
  How can i known if my portal sends cookies or not?
  Thanks
  Guillermo

  Hi,
  Michael, my portal certificate has not expired the date shows from Mon Mar 06 20:30:28 CET 2006 to Thu Mar 06 20:30:28 CET 2008 (i didnt want to be rude, but the button was obvious one for me, thank you)
  I suspect my portal doesn't generates that cookie and probably I have anything wrong in the UM configuration...i've read that the parameter ume.usermapping.unsecure=FALSE has to be TRUE but this parameter is to do with the user mapping method isn't it?
  Maybe another thing in UM configuration that i dont realize?
  Thanks again.

• Sequential Certificate Serial Numbers using Windows 2008 R2

  It appears that Windows Server 2003 Certificate Services supports sequential certificate serial numbers.  This was an undocumented feature that could be turned on using the certutil command or modifying the CA registry. 
  The certutil command line is: certutil –setreg ca \HighSerial “nn” where ’nn’ is a two digit hex number where at least one of the digits is an alpha character.
  We are standing up OCSP and the ramdon serial numbers are causing difficulty in setting up the OCSP responder. 
  Is this configuration supported on 2008 R2?  Can the same certutil command be used? 

  Thanks for the responses.
  I completed quite a bit of testing on this since posting the question.  Here is what I found:
  Our 2008 R2 CA was upgraded/migrated from 2003 Enterprise Edition (32-bit).  There was a registry setting of 'ca\HighSerial = 00'.  The CA was issuing certificates with 10 byte serial numbers.  The serial numbers had a random component. 
  Example:'4d8e5068000000000794'
  Changing the registry to 'ca\HighSerial = 3f' and restarting resulted in a 19 byte certificate serial number that began with '3f'.  This did not correct the problem I was working because there was a random 10 bytes in the middle of the cert serial number. 
  Example: '3F0000079C594AB5A5DB42C09D00000000079C'
  Changing the registry to 'ca\HighSerial = 10' and restarting also resulted in a 19 byte certificate serial number.  Same result as '3f' but the certificate SN started with '10'. Example: '10000007AA9C90775F1967F8D30000000007AA'
  I then used certutil.exe.  This time I  ran 'Certutil -setreg ca\HighSerial 0xffffffff'.  This updated the registry to 'ffffffff'.  After restarting certificate services and issuing a certificate, the serial numbers were shorter (only
  14 bytes).  I also noticed that the registry setting was changed to a random 8 byte string.  The registry setting was changed from 'ffffffff' to 'e07c453ae9d4131a’
  and the certificate serial numbers were similar.  Additionally, the last 6 bytes were sequential.  Example: '607c453ae9d4131a0000000007b0'
  From there, I shortened the registry entry to 4 bytes (removing pairs of characters from the middle).  This resulted is a 10 byte certificate serial number where the first 4 bytes were the same and the last 6 bytes were sequential.  Example: '607c3a1a0000000007c4'

• I own acrobat 9 pro and had to re-download the program from a computer issue but when i get the serial code from the adobe website it give me serial code invalid error.  i am using copy and paste to prevent miss typing the code.

  i own acrobat 9 pro and had to re-download the program from a computer issue but when i get the serial code from the adobe website it give me serial code invalid error.  i am using copy and paste to prevent miss typing the code.

  Hi Lawrence,
  Please try the steps mentioned in the KB: https://helpx.adobe.com/creative-suite/kb/error-invalid-serial-number-acrobat.html
  Regards,
  Rave

• Terminate Portal User Login with JSessionID or MYSAPSSO2 Cookie

  Dear All,
  I know using Visual Administrator , we can terminate the session.
  Is it possible for the administrator to terminate a logged in portal user with his/her  JsessionID or MYSAPSSO2 cookie value or User Id programmatically.?
  Is it possible for portal admin to forcibly exit (logoutl) an active user login  without logging onto visual administrator?
  Regards,
  Eben Joyson

  The only complete mitigation for session hijacking is to run the entire site as SSL. This is Oracle's recommendation if you need a complete mitigation solution. And example of an ATG site running in full SSL is Dennis Kirk (denniskirk.com).
  The problem with doing so is that SSL (a) takes more processing power in the system running the client's browser and (2) incurs latency that degrades the perceived page performance. This is particularly true for consumers running Internet Explorer, where speed-up measures like SPDY are either incomplete or don't work. And for a hard core eComemrce site, slower page performance means that you make less money.
  Most sites, including those that you mention, use a mixture of SSL and non-SSL pages to overcome this. They use non-SSL for those areas of the site where penetration does not have a material negative impact. Browsing catalog pages as an anonymous user, for example. If someone hijacks my session and I'm browsing the catalog anonymously, they're welcome to it. There's nothing private in my session. Even robots can access that content.
  Once I login or go to pages where private information is being exchanged, then you have to secure the session. That's where the protocol switcher servlet comes in. As you authenticate, you switch the user to SSL.
  I've tried a number of additional mitigation steps. Unfortunately I can't discuss them here at this time.
  And none of the servlets that you mention have any benefit with mitigating session hijacking.

• Calling an Abap Web Service from IBM WebSphere with a MYSAPSSO2 Cookie

  Hello,
  I have the following problem :
  I have to develop a proof of concept between IBM Web Sphere 5.1 and SAP AS JAVA 7.0.
  I have created an IBM sevlet in Web Sphere, I use a specific redirect from an SAP AS Java to call it, this way I can have a SAP Logon Ticket, and I manage to call an ABAP module function with JCO with SSO.
  Scenario 1 : browser  + authentication --> AS Java redirect servlet MYSAPSSO2 cookie -> IBM WebSphere servlet JCO -> Abap module function (ECC5)
  This scenario works fine.
  I have to do the same scenario with a Web Service and I don't know what to do.
  I try to use jax-rpc handlers but I don't know how to pass my cookie from my servlet to my handler.
  Scenario 2 : browser + authentication --> AS Java redirect servlet MYSAPSSO2 cookie -> IBM WebSphere servlet JCO -> Abap Web Service (ECC5)
  Has someone already done that  ?
  Regards,  Julien.

  Julien,
  Why are you using 5.1....go for 6.0 and its cake walk, i have integrated WebSphere 6.0 with R/3 uysing xi.....in a week.
  Scenario changed to:--
  Browser+ authentication --> WebSphere AS servlet request --> XI --> RFC/bapi --> abap webService
  Hope that helps
  Regards
  Ravi

• SRM and MYSAPSSO2 cookie

  Hello,
  we are using SRM 4.0 (standalone scenario) with integrated ITS 6.40. The SRM application is accessed directly through browser (without any SAP portal encapsulation). We would like to customize the lifetime of cookie MYSAPSSO2 which is set after user authentication. I have noticed that this cookie is still located at browser level as long as this browser is open : there is no time validity for this cookie. As user's session, at application server level, is submited to timeout, we would like to be able to set such timeout for MYSAPSSO2 cookie too.
  Do you know a way to achieve this ?
  Thank you for your help.
  Regards.
  Fabrice

  Hi Fabrice.
  I am using Single Sign On for SRM Add on ERP without portal.
  I have set up the following tickets with value 1 but after 8 hours this tickets resets to 0 and have to put value as 1 again via RZ11 so that user can sign on properly in SRM as SSO.
  login/create_sso2_ticket and login/accept_sso2_ticket
  In our system, the default value for login/ticket_expiration_time is 8 hrs.
  Please advise what i shoud do so that the single sign on works properly and the value of parameters does reset to 0.
  Thanks,
  Sagar

• How to generate MYSAPSSO2 cookie?

  Hello!
  Is it possible to generate MYSAPSSO2 cookie in WebDynpro or J2EE/JSP applications? These apps running as standalone, not in the SAP Portal. Also WD apps not using sap.authentificate property since I have to use my own login algorithm for it.
  If yes could you give a code snippets for this? I've tried to find it but found snippets only for reading such cookie.
  P.S. I'm working with SAP Web AS 7.0
  regards, Lev

  hi Lev
  check this
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/17be8b32-0a01-0010-51bc-8fe5e11d204e
  http://help.sap.com/saphelp_nw04s/helpdata/en/ac/ce417acc9a4d48aa52fa562cb9b194/content.htm
  http://www.scribd.com/doc/6558564/HOWTO-Create-Custom-Application-for-Handling-J2EE-Engine-Multi
  let me know ami got it or not
  bvr
  Edited by: bvr on Apr 7, 2009 2:56 PM

• MYSAPSSO2 Cookie renaming?

  Hello.
  Out of several reasons we would like to rename the MYSAPSSO2 identifier of the MYSAPSSO2-Cookie. Is that possible or is the name of that cookie fixed?
  Best regards,
  Michael Kijek

  Hello Michael,
  I think it is impossible because you had to adapt every SAP component which is using the Cookie. But try to open an OSS Message in EP-PIN-SEC. What are your reasons to rename the Cookie?
  Regards
  Gregor

• MYSAPSSO2 cookie - difference user versus portaluser

  Hi all,
  I recognized that the MYSAPSSO2 cookie contains 2 fields for a user id.
  1) the user
  2) the portalUser
  does anybody the difference / use cases for those fields
  any help is appreciated
  regards Karin

  Hi Paul,
  thanks for your answer.
  We use a abap mandant as user store for sap ep.
  if the user is stored in the abap mandant (which is almost for all users the case,
  except of some special users)
  portaluser and user field are used.
  if the user is just stored in the local user database of the portal (this is only for some admin users the case) then the user field is empty, only the portaluser field is used.
  If I would like to use the MYSAPSSO2 cookie to propagate the user to NON
  SAP systems. According to your answer, it would make sense, to use the user field (and not the portaluser field).
  Regards
  Karin