Principal Propagation for ABAP senders

Similar Messages

• Principal propagation for IDoc...

  Hi,
  i'm aware that this feature is not supported in PI 7.1 but was wondering if there is any other way that an IDoc can be posted in ECC based on login details sent across to PI from an external system. Is it possible?

  i'm aware that this feature is not supported in PI 7.1
  You may use ABAP Proxy for achieving proncipal propagation and send the Idoc data inside proxy.
  Regards,
  Prateek

• Principal propagation question

  Hi All,
  We currently have a synchronous scenario:  SOAP -> PI 7.0 -> ABAP Proxy
  We now have a requirement that for the above scenario, the sender system (which does not
  know the password of its logged in user, only the userid), does its SOAP call to PI and PI
  invokes the ABAP Proxy system with the credentials of the user in the sender system.
  Can we use principal propagation for this?  Please correct me if I'm wrong but I see an issue
  with the sender system not knowing the password of its logged in user and therefore issuing
  a SOAP call to PI for that user.  Wouldn't authentication to PI fail without a userid/password
  via SOAP?
  Also, we are moving to PI 7.1.  If I am correct with the above statement, is there a way to
  achieve this requirement perhaps with the WS/SAML new feature?  Aologies but I have read
  countless documents on sdn on principal propagation and the new WS/SAML feature and I'm
  still not sure if it will do what I require.
  Any suggestions as to how I could achieve the scenario would be greatly appreciated.
  Regards,
  JM

  I see an issue with the sender system not knowing the password of its logged in user
  For using Principal Propagation, the user must be created at sender as well as receiver system.
  Does enabling principal propagation mean no passwords are needed to issue a SOAP call to PI and onward to the ABAP proxy?
  Incorrect. It just means that same user would be propagated to all the communicating systems using something called as Assertion Ticket.
  While using Assertion tickets to communicate, a trust relationship is established between various systems. For this an SAP client is associated and in the keystore the certificate should be imported for digital signature. So the authentication is certificate based.
  Regards,
  Prateek

• Error while configuring Principal Propagation

  Hi,
  I am trying to configure Principal Propagation for a Proxy -> PI -> RFC, sync scenario. I am working on PI 7.1 SP6 and when i am trying to configure the "Configuration Adapter" in JAVA stack i am not able to find the following config. properties:
  1.) login.ticket_keyalias = SAPLogonTicketKeypair.
  2.) login.ticket_keystore = TicketKeystore.
  I have checked in both NWA of PI 7.1 as well as the basis guys have checked the config. tool of the local server.
  Rest all the configuration have been done but i am getting the following error in the response message of the moni -
  "  com.sap.engine.interfaces.messaging.api.exception.MessagingException: com.sap.aii.adapter.rfc.afcommunication.RfcAFWException: error while processing message to remote system:com.sap.aii.adapter.rfc.core.client.RfcClientException: could not get a client from JCO.Pool: com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: Issuer of SSO ticket is not authorized "
  Please help.
  Thanks!!!

  Hi,
  Plz check below parameters at R/3 side and set value as mentioned below.
  login/accept_sso2_ticket=1
  login/create_sso2_ticket=2
  then test Jco's.

• Principal Propagation Issue - J2EE_GUEST being used in some messages

  Hi guys !
          I have the following situation, my customer have a SAP PI 7.1 Ehp 1 and, some interfaces are configured to run under Principal Propagation.
          What is occurring is, for an interface that uses principal propagation and works correctly, the message enters in PI using an authenticated user for principal propagation(for example, USER0001) and this authentication is propagated until the receiver system(eg, SAP ECC), but in some cases, this same interface shows the following behavior: the authenticated user USER0001 send a message, the message starts to be processed in the PI pipeline propagating this user but, when the message will be delivered to RFC Adapter, we receive the following error:
  Adapter Framework caught exception: failed to generate ClientPoolcom.sap.aii.adapter.rfc.RfcAdapterException: error initializing RfcClientPool:com.sap.aii.adapter.rfc.afcommunication.RfcAFWException: could not create JCO Pool com.sap.aii.adapter.rfc.afcommunication.RfcAFWException: could not get JCOProperties com.sap.security.core.server.destinations.api.DestinationException: [_DestinationServiceAuthorization1004] User-based destination service access denied to principal J2EE_GUEST. Assign the UME action Destination_Service_Write_Permission if the user should have the permission to save, update or remove destinations. The action is available already to the Administrator role.
        And after one message stop with the error above, any message of any interface using principal propagation starts to show the following error, that is only solved running a full cache refresh:
  Delivering the message to the application using connection RFC_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: com.sap.aii.adapter.rfc.afcommunication.RfcAFWException: error while processing message to remote system:com.sap.aii.adapter.rfc.core.client.RfcClientException: could not get functiontemplate from repository: com.sap.mw.jco.JCO$Exception: (106) JCO_ERROR_RESOURCE: Repository pool 'RfcRepository[RfcClient[RFCReceiverAutoCommit_ECC]]f0264787314535c0a27cf29d108f5860' does not exist or was removed..
        The question is, why do PI pipeline is trying to use J2EE_GUEST in some task for an interface configured to use Principal Propagation ? Why this occurs in some cases and not in anothers(for the same interface) ? Why the cache is being lost ?? And of course, how can I solve this annoyng situation ?
        All configurations needed to run Principal Propagation was done according the help.sap.com documentation(http://help.sap.com/saphelp_nwpi711/helpdata/en/48/a9bbb97e28674be10000000a421937/content.htm), and as I said, it works in most cases. All messages are sent using SOAP Adapter for the Sender System, and RFC Adapter for the receiver, and there are synchronous and asynchronous interfaces. Basically the interfaces that only read data from SAP, does not use principal propagation and, the ones that create/update/delete data in SAP, uses principal propagation.
        Somebody already saw something like this ?
        Thank you in advance, and best regards,
        Wilson

  Hi guys !
  I have continued with some tests in environment trying to understand what
  is happening and, I did the following, as the first error mentioned is
  "User-based destination service
  access denied to principal J2EE_GUEST. Assign the UME action
  Destination_Service_Write_Permission if the user should have the
  permission to save, update or remove destinations", I entered on UME Admin,
  created a new Role named J2EE_GUEST_ROLE, assigned the UME Action
  Destination_Service_Write_Permission to it, and assigned this new role to
  the user J2EE_GUEST, and ran new tests.
  After some executions, one message stopped with this error:
  Adapter Framework caught exception: error while processing message to
  remote system:com.sap.aii.adapter.rfc.core.client.RfcClientException:
  could not get a client from JCO.Pool: com.sap.mw.jco.JCO$Exception: (101)
  RFC_ERROR_PROGRAM: 'user' missing
  I have observed that, in all messages that stops in error, we have the
  following line in Audit Log:
  Processing child message of multi-message with message Id
  000c2936-6a89-1ed0-aebe-c262ae7d412e.
  And this interface doesn´t have multi-message to be processed, is a
  single message only.
  I checked on configuration and see that the interface determinations for all interfaces has the flag "Maintain order at runtime", what is usefull basically when a Interface Determination has more than one interface,
  what is not my case, so I will unmark this flag in all interfaces and run
  new tests trying to identify if this solves the problem.
  Any idea for this annoyng issue ?
  Thank you and regards !

• Principal Propagation SOAP Sender

  Hello,
  is it possible to use principal propagation for the following scenario:
  SOAP Sender (Basic auth) -> PI -> RFC
  so that the basic auth user from the incoming SOAP call is propagated to the RFC call
  br franz

  Hi Franz,
  Take a look at this: http://help.sap.com/saphelp_nw04/helpdata/EN/45/0f16bef65c7249e10000000a155369/frameset.htm
  Best Regards,
  Jose Nunes

• Where is "Propagate principal" checkbox for Principal Propagation

  Hi all,
  After having done all the configuration steps to enable Principal Propagation (PrincipalPropagation_SP20_SP12.pdf), I don't get that "Propagate principal" checkbox in the Sender Agreements of the RFC and SOAP adapter.  What could be the cause?
  PS: we're on SAP XI <b>SP20</b> (NW04) running on AIX
  Kind regards, Guy Crets

  Michel,
  I did follow the whole procedure as documented.  And of course, I ran RSXMB_CONFIG_PP to enable it.
  In the docs, I don't find any specific actions related to the Integration Directory.  But when I want to check the Principal Propagate checkbox in the Sender Agreement of the SOAP adapter, the check box is not shown.
  Kind regards, Guy Crets

• Avoid principal propagation in RFC_to_File scenario?

  Hi!
  I am facing with the following error in sxmb_moni by retrieving the message from business system A.
  Errror in part Call adapter
  System_Error: Error exception retnr from pipeline processing
  name = "CL_XMS_MAIN_WRITE_MESSAGE_TO_PERSIST"
  I also detected the following additional error text:
  <SAP:AdditionalText>com.sap.aii.af.ra.ms.api.ConfigException: Unauthorized: J2EE AE rejected user. Reason: Principal propagation is not active, but technical IS service user was not used (J2EE_ADMIN).</SAP:AdditionalText>
  <SAP:ApplicationFaultMessage namespace="" /
  The error tell me that the principal propagation is missing.
  Unfortunately I cannot activate principal propagation on Sender system due to ABAP dump error.
  Question:
  Are there some alternative solutions without activating principal propagation?
  If yes hwo can these be realize?
  For example: is it possible to send messages as technical IS server user such as j2ee_admin from sender system without activating principal propagation?
  Any helpful information will be very appreciated.
  Thank you!
  Holger

  HI Holger
  Looking at the error we can see its authorization issue. You can try using user like PISUPER to create and use principal propagation
  Moreover other than this you have to go through normal RFC -> XI -> File procedure where you have different user involved at different services. No other choice
  Thanks
  Gaurav

• Principal Propagation SOAP - XI - RFC Scenario

  Hi,
  I am developing a synchronous scenario whereby a SOAP request posted by a non SAP system should be forwarded to an ECC system using RFC. Challenge I am facing is that I want to use the user, which was used for basic user authentification to post to XI, dynamically in the RFC call. I have been reading about Principal Propagation using assertion tickets, however only SOAP receiver adapter is spoken about. I am trying to configure this using SOAP Sender adapter.
  As far as my understanding goes the sending system should be able to create these assertion tickets ?
  Has anyone developed a similar interface ?
  Scenario is: Non SAP SOAP Sending system = Client, Adapter engine = Server & Client, Integration Server = Server & client and Receiving ABAP system (ECC6.0) is Server.
  Any help would be appreciated and awarded if helpfull.
  Kind Regards, Jelmer Keuken
  Ps. XI is version 7.0 SP18, Alreay read the Blogs of Alexander Bundschuh
  Edited by: J. Keuken on Sep 9, 2009 4:04 PM

  Hi,
  This scenario is definately possible to implement with principal propagation.
  1. Enable the PP on Integration server
  2. Here you need not have to do anything on SOAP sender side to create the assertion ticket..
  The assertion ticket is required on SAP side which will act as Web AS ABAP Server.
  refer the settings --http://help.sap.com/saphelp_nw04/helpdata/en/61/42897de269cf44b35f9395978cc9cb/frameset.htm
  3. And then follow further steps as it mentioned the blogs...
  Thanks
  Swarup

• Principal Propagation / SAP Assertion Ticket

  Hi Experts,
  i m planning a synchronous scenario
  3rd party (SOAP) -> PI -> SAP ECC (RFC)
  PI is on 7.1, ECC on 7.00
  I would like to run Principal Propagation. At the moment i m struggling with Assertion Ticket to be issued by the SOAP sender. From [SAP Help: Princ Prop / Configuring the Sender|http://help.sap.com/saphelp_nw04/helpdata/EN/45/3418a0eabe072fe10000000a155369/content.htm]: "The SOAP client itself must be able to issue SAP assertion tickets."
  - Does that mean: if the sender is a non SAP system Principle Propagation cannot be implemented?
  - Or is there a way to issue the SAP assertion ticket from 3rd party SOAP sender?
  - If yes, how does that work?
  I found two interesting threads:
  [Principal Propagation SOAP - XI - RFC Scenario   |Re: Principal Propagation SOAP - XI - RFC Scenario]:
  I do not understand Swarups answer 100%. He wrote: "Here you need not have to do anything on SOAP sender side to create the assertion ticket.The assertion ticket is required on SAP side which will act as Web AS ABAP Server"
  Can anybody illuminate that? Is he right?
  [Issuing SAP assertion Tickets |Issuing SAP assertion Tickets]: The last post of Anthony stayed unansered, unfortunately. "How does the sender system do that? Is it somethign embedded in the header of the SOAP message? This really is unclear to me"
  Thanks for your help,
  Udo

  Hi Udo,
  > - Does that mean: if the sender is a non SAP system Principle Propagation cannot be implemented?
  Principle propagation supports XI, SOAP and RFC adapters.
  http://help.sap.com/saphelp_nw04/helpdata/en/45/0f16bef65c7249e10000000a155369/frameset.htm
  Before using the principle propagation you have to active the configuration, but you can only activate the configuration if you have kernel patch 149 installed.
  Regards
  Ramesh

• Principal Propagation: User needs to be defined in PI???

  Hi All,
  We have a major SRM implementation using Principal Propagation(PP) for most of the interfaces. We are currently in design state. One of the things that were brought to my attention was that the user to be propagated from Sender needs to be maintained in both PI and Receiver System. As we have about 35000 users(Suppliers/internal Employees) that will be using the SRM funtionality. Does that mean i have to maintain all 35,000 users in PI also???
  Is there any other way that we can implement PP without creating these users in PI??? but create these in Receiver and Sender system only.
  Regards,
  XIer

  Hi ,
  I don't know much about PP, but was going through the [guide|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/808d3048-638c-2a10-35a6-faa48e50ad59?quicklink=index&overridelayout=true]
  which specifies that this model has weakness with respect to user credentials.(page4).
  When application users are propagated to the IS (ABAP proxies only), each application user must be maintained with the corresponding execution
  rights in the IS.
  I think  you might have  already referred this:)
  Regards,
  Srinivas

• Principal Propagation with SOAP sender

  Hello
  I've already read some blogs and SAP help about configuring the principal propagation (PP), those blogs explains details about the configuration with SAP (ABAP and Java) system.
  However in my case I have the third party SOAP sender application. I jsut wonder how to configure or write the soap Java program. Basically 2 things need to be done for hte soap sender:
  1) Force the soap sender to send message along with a SAP assertion ticket
  2) Sign the assertion ticket with private key (Public key/certification will be installed in PI Java AE)
  I have no idea how step 1 works (Take Java soap client program as example)
  Once a private key / public key is generated, how to use it to sign the assertion ticket?
  Basically our soap sender could be from any platform (.net, java program, oracle, etc.), I need to know how to configure the soap sender for PP generally.
  Anybody configured PP for soap sender?
  Thank you so much

  Hi Jayson,
  With the amount of questions asked in one single question , i feel things are not clear at your end.
  i suggest you going through:
  Prinicipal propogation:
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/808d3048-638c-2a10-35a6-faa48e50ad59
  Principal Propagation in SAP XI
  /people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi
  Configuring adapters for principal propogation
  http://help.sap.com/saphelp_nwpi711/helpdata/en/48/cf9e199bf23e49e10000000a421937/frameset.htm
  Regards
  joel

• SSO and Principal Propagation in SUP

  Hi all,
  I am wondering how SSO and Principal Propagation work in SUP.
  Ideally, users should be able to logon on their device application and the same user/pwd should be used to perform backend SAP invocations.
  I have seen that personalization keys exists which can store users/passwords to use later in backend invocations.
  However:
  how can I perform login if my device is offline?
  is the password used for login from device the same as the SAP system's?
  do SUP and SAP have to share the same user engine (i.e. LDAP)?
  Any help or pointers to best practices/manuals are really appreciated
  Thanks, regards
  Vincenzo

  Hi
  how can I perform login if my device is offline?
  Once the device logs into the SUP once every-time thereafter the client app doesn't perform an online authentication.
  The credentials are stored on the device securely and authenticated with the user supplied credentials. When the device is online it will perform the online authentication.
  is the password used for login from device the same as the SAP system's?
  You can have the same credentials on both the systems. The SAP connectivity credentials are however stored in SUP.
  do SUP and SAP have to share the same user engine (i.e. LDAP)?
  Yes currently SUP for development purposes has the openDS ldap service. but in  production we can use the LDAP provider of your company.
  Thanks

• "Ticket authentication failed" error in Principal Propagation scenario

  Hi All,
  I am working on Principal Propagation, where the scenario is sync RFC-PI-RFC. I have followed all steps mentioned in the below blog. When I execute the scenario (with Principal propagation box checked in the sender agreement) I get dump while executing the RFC from sender system. The dump is:
  "Ticket authentication failed"
  Scenario works fine if I don't check Principal propagation check box in the sender agreement.
  Principal Propagation blog: /people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi
  Can anyone suggest what can be the reason for this dump?
  Thanks,
  Shweta.

  Hi All,
  Any inputs on this?
  Thanks,
  Shweta.

• IDOC sender Principal Propagation

  Hi experts,
  I've a scenario IDOC to JDBC, it give me a error. I could have seen in others threads this error can be relationed with 'Principal Propagation' but i don' understand this concept, also in this scenario i haven't a sender agreement (because it is a IDOC),
  the error is:
  - <Trace level="1" type="B" name="CL_XMS_PLSRV_IE_ADAPTER-ENTER_PLSRV">
    <Trace level="3" type="T">Channel for adapter engine: JDBC</Trace>
  - <Trace level="1" type="B" name="CL_XMS_PLSRV_CALL_XMB-CALL_XMS_HTTP">
    <Trace level="2" type="T">return fresh values from cache</Trace>
    <Trace level="2" type="T">Get logon data for adapter engine (SAI_AE_DETAILS_GET):</Trace>
    <Trace level="3" type="T">URL = http://sapdes:50300/MessagingSystem/receive/AFW/XI</Trace>
    <Trace level="3" type="T">User = PIISUSER</Trace>
    <Trace level="3" type="T">Cached = X</Trace>
    <Trace level="3" type="T">Creating HTTP-client</Trace>
    <Trace level="3" type="T">HTTP-client: creation finished</Trace>
    <Trace level="3" type="T">Security: Basic authentication</Trace>
    <Trace level="3" type="T">Serializing message object...</Trace>
    <Trace level="1" type="T">HTTP Multipart document length: 5223</Trace>
    <Trace level="3" type="T">HTTP-client: sending http-request...</Trace>
    <Trace level="3" type="T">HTTP-client: request sent</Trace>
    <Trace level="3" type="T">HTTP-client: Receiving http-response...</Trace>
    <Trace level="3" type="T">HTTP-client: response received</Trace>
    <Trace level="3" type="T">HTTP-client: checking status code...</Trace>
    <Trace level="3" type="T">HTTP-client: status code = 503</Trace>
    <Trace level="3" type="System_Error">HTTP-client: error response= <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Error Report</title> <style> td {font-family : Arial, Tahoma, Helvetica, sans-serif; font-size : 14px;} A:link A:visited A:active </style> </head> <body marginwidth="0" marginheight="0" leftmargin="0" topmargin="0" rightmargin="0"> <table width="100%" cellspacing="0" cellpadding="0" border="0" align="left" height="75"> <tr bgcolor="#FFFFFF"> <td align="left" colspan="2" height="48"><font face="Arial, Verdana, Helvetica" size="4" color="#666666"><b>  503 &nbsp Service Unavailable</b></font></td> </tr> <tr bgcolor="#3F73A3"> <td height="23" width="84"><img width=1 height=1 border=0 alt=""></td> <td height="23"><img width=1 height=1 border=0 alt=""></td> <td align="right" height="23"><font face="Arial, Verdana, Helvetica" size="2" color="#FFFFFF"><b>SAP J2EE Engine/7.00 </b></font></td> </tr> <tr bgcolor="#9DCDFD"> <td height="4" colspan="3"><img width=1 height=1 border=0 alt=""></td> </tr> </table> <br><br><br><br><br><br> <table width="100%" cellspacing="0" cellpadding="0" border="0" align="left" height="75"> <tr bgcolor="#FFFFFF"> <td align="left" colspan="2" height="48"><font face="Arial, Verdana, Helvetica" size="3" color="#000000"><b>  The requested application, AFW, is currently unavailable.</b></font></td> </tr> <tr bgcolor="#FFFFFF"> <td align="left" valign="top" height="48"><font face="Arial, Verdana, Helvetica" size="2" color="#000000"><b>  Details:</b></font></td> <td align="left" valign="top" height="48"><font face="Arial, Verdana, Helvetica" size="3" color="#000000"><pre>  No details available</pre></font></td> </tr> </body> </html></Trace>
    <Trace level="3" type="T">HTTP-client: closing...</Trace>
    </Trace>
    </Trace>
    </Trace>
  - <Trace level="1" type="B" name="CL_XMS_MAIN-WRITE_MESSAGE_LOG_TO_PERSIST">
    <Trace level="3" type="T">Persisting message after plsrv call</Trace>
    <Trace level="3" type="T">Message-Version = 007</Trace>
    <Trace level="3" type="T">Message version 007</Trace>
    <Trace level="3" type="T">Pipeline CENTRAL</Trace>
    </Trace>
    <Trace level="3" type="System_Error">Error exception return from pipeline processing!</Trace>
    <Trace level="1" type="B" name="CL_XMS_MAIN-WRITE_MESSAGE_TO_PERSIST" />
  - <!--  ************************************
    -->
    <Trace level="3" type="T">Persisting message Status = 014</Trace>
    <Trace level="3" type="T">Message version 008</Trace>
    <Trace level="3" type="T">Pipeline CENTRAL</Trace>
    </SAP:Trace>
  very thanks,

  Hi
    Check this blog & the SAP notes in it
  /people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
  Regards
  Vishnu