Principal Propagation / SAP Assertion Ticket

Similar Messages

• SAP Logon Ticket VS SAP Assertion Ticket?

  SAP Logon Ticket VS SAP Assertion Ticket in SAP Enterprise Portal?
  I want SAP Logon Ticket VS SAP Assertion Ticket.
  When use SAP Logon Ticket?
  When use SAP Assertion Ticket?
  SAP Logon Ticket advantage / disadvantatge?
  SAP Assertion Ticket Ticket advantage / disadvantatge?

  Hi James,
  Please go through the link for Integration in Single Sign-On Environments.
  http://help.sap.com/saphelp_nw04s/helpdata/en/96/a75742b6081053e10000000a155106/frameset.htm
  Thanks n Regards
  Santosh
  Reward if helpful !!!

• SOAP to SOAP principal propagation with logon tickets

  I have configured a scenario using soap sender to soap receiver with an integrated configuration on PI 7.1. It is synchronous CE 7.11<->PI 7.10<->ECC 6.0. The scenario works with basic authentication. If I enable principal propagation on the sender side it still works fine. Now I have activated principal propagation on the receiver side and I get the following error in the message audit log:
  <p/>
  <pre>
  2010-05-07 09:01:50 Information MP: entering1
  2010-05-07 09:01:50 Information MP: processing local module localejbs/sap.com/com.sap.aii.af.soapadapter/XISOAPAdapterBean
  2010-05-07 09:01:50 <b>Information SOAP: request message entering the adapter with user DAMZOG.JOCHE </b>
  2010-05-07 09:01:50 Information SOAP: request message leaving the adapter (call)
  2010-05-07 09:01:50 Information The application tries to send an XI message synchronously using connection SOAP_http://sap.com/xi/XI/System.
  2010-05-07 09:01:50 Information Trying to put the message into the call queue.
  2010-05-07 09:01:50 Information Message successfully put into the queue.
  2010-05-07 09:01:50 Information The message was successfully retrieved from the call queue.
  2010-05-07 09:01:50 Information The message status was set to DLNG.
  2010-05-07 09:01:50 Information Delivering to channel: SOAP_MRByID_In5_R
  2010-05-07 09:01:50 <b>Information SOAP: request message entering the adapter with user J2EE_GUEST</b>
  2010-05-07 09:01:50 Fehler SOAP: call failed: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found.
  2010-05-07 09:01:50 Fehler SOAP: error occured: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found.
  2010-05-07 09:01:50 Fehler Adapter Framework caught exception: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found.
  2010-05-07 09:01:50 Fehler The message was successfully transmitted to endpoint com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found. using connection SOAP_http://sap.com/xi/XI/System.
  2010-05-07 09:01:50 Fehler The message status was set to FAIL.
  </pre>
  <p/>
  Any ideas what could be wrong?
  Edited by: Jochen Damzog on May 7, 2010 9:02 AM
  Edited by: Jochen Damzog on May 7, 2010 9:06 AM
  Edited by: Jochen Damzog on May 7, 2010 9:22 AM

  The problem was due to the channels being not in the most recent state. A simple restart of the soap sender channel did the job.

• Principal Propagation SOAP - XI - RFC Scenario

  Hi,
  I am developing a synchronous scenario whereby a SOAP request posted by a non SAP system should be forwarded to an ECC system using RFC. Challenge I am facing is that I want to use the user, which was used for basic user authentification to post to XI, dynamically in the RFC call. I have been reading about Principal Propagation using assertion tickets, however only SOAP receiver adapter is spoken about. I am trying to configure this using SOAP Sender adapter.
  As far as my understanding goes the sending system should be able to create these assertion tickets ?
  Has anyone developed a similar interface ?
  Scenario is: Non SAP SOAP Sending system = Client, Adapter engine = Server & Client, Integration Server = Server & client and Receiving ABAP system (ECC6.0) is Server.
  Any help would be appreciated and awarded if helpfull.
  Kind Regards, Jelmer Keuken
  Ps. XI is version 7.0 SP18, Alreay read the Blogs of Alexander Bundschuh
  Edited by: J. Keuken on Sep 9, 2009 4:04 PM

  Hi,
  This scenario is definately possible to implement with principal propagation.
  1. Enable the PP on Integration server
  2. Here you need not have to do anything on SOAP sender side to create the assertion ticket..
  The assertion ticket is required on SAP side which will act as Web AS ABAP Server.
  refer the settings --http://help.sap.com/saphelp_nw04/helpdata/en/61/42897de269cf44b35f9395978cc9cb/frameset.htm
  3. And then follow further steps as it mentioned the blogs...
  Thanks
  Swarup

• Principal Propagation with SOAP sender

  Hello
  I've already read some blogs and SAP help about configuring the principal propagation (PP), those blogs explains details about the configuration with SAP (ABAP and Java) system.
  However in my case I have the third party SOAP sender application. I jsut wonder how to configure or write the soap Java program. Basically 2 things need to be done for hte soap sender:
  1) Force the soap sender to send message along with a SAP assertion ticket
  2) Sign the assertion ticket with private key (Public key/certification will be installed in PI Java AE)
  I have no idea how step 1 works (Take Java soap client program as example)
  Once a private key / public key is generated, how to use it to sign the assertion ticket?
  Basically our soap sender could be from any platform (.net, java program, oracle, etc.), I need to know how to configure the soap sender for PP generally.
  Anybody configured PP for soap sender?
  Thank you so much

  Hi Jayson,
  With the amount of questions asked in one single question , i feel things are not clear at your end.
  i suggest you going through:
  Prinicipal propogation:
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/808d3048-638c-2a10-35a6-faa48e50ad59
  Principal Propagation in SAP XI
  /people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi
  Configuring adapters for principal propogation
  http://help.sap.com/saphelp_nwpi711/helpdata/en/48/cf9e199bf23e49e10000000a421937/frameset.htm
  Regards
  joel

• "Ticket authentication failed" error in Principal Propagation scenario

  Hi All,
  I am working on Principal Propagation, where the scenario is sync RFC-PI-RFC. I have followed all steps mentioned in the below blog. When I execute the scenario (with Principal propagation box checked in the sender agreement) I get dump while executing the RFC from sender system. The dump is:
  "Ticket authentication failed"
  Scenario works fine if I don't check Principal propagation check box in the sender agreement.
  Principal Propagation blog: /people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi
  Can anyone suggest what can be the reason for this dump?
  Thanks,
  Shweta.

  Hi All,
  Any inputs on this?
  Thanks,
  Shweta.

• Principal Propagation in sap pi

  Hello Friends,
  We need some PI expertise and hope you can help us. We are seeing some errors in production and trying to figure out the cause. These errors are
  triggered when we are running a mass job.
  We are trying to understand what this error mean so we can start investigating in right direction.
  Please see the error below , if you can think of  any possible reason please do share your inputs. Thank you!
  Error : Requested parameter PRINCIPAL_PROP_ACTIVE does not exist.
  Thank you!
  Shammi

  Hi Shammi
  Check the Principal Propagation,
  Principal Propagation in SAP NetWeaver Process Integration 7.1
  Hope it helps
  Regards
  Javi

• Principal Propagation Using Sender SOAP adapter in PI7.1

  Hi,
  I am trying to configure principal propagation using SOAP sender adapter. In that, I am trying to generate the assertion ticket in SAP only but it is using PIAFUSER as the user that is being passed and not the user which we are using to logon.
  Please tell me how an assertion ticket can be generated in this case , and the User that is being used for logging on is propagated. Is there any other way in which SOAP adapter can be used to propagate principally.

  Hi,
    Have you come across this link?
  http://help.sap.com/saphelp_nwpi711/helpdata/en/48/ce95b718d3424be10000000a421937/content.htm
  Regards,
  Ravi

• Principal propagation question

  Hi All,
  We currently have a synchronous scenario:  SOAP -> PI 7.0 -> ABAP Proxy
  We now have a requirement that for the above scenario, the sender system (which does not
  know the password of its logged in user, only the userid), does its SOAP call to PI and PI
  invokes the ABAP Proxy system with the credentials of the user in the sender system.
  Can we use principal propagation for this?  Please correct me if I'm wrong but I see an issue
  with the sender system not knowing the password of its logged in user and therefore issuing
  a SOAP call to PI for that user.  Wouldn't authentication to PI fail without a userid/password
  via SOAP?
  Also, we are moving to PI 7.1.  If I am correct with the above statement, is there a way to
  achieve this requirement perhaps with the WS/SAML new feature?  Aologies but I have read
  countless documents on sdn on principal propagation and the new WS/SAML feature and I'm
  still not sure if it will do what I require.
  Any suggestions as to how I could achieve the scenario would be greatly appreciated.
  Regards,
  JM

  I see an issue with the sender system not knowing the password of its logged in user
  For using Principal Propagation, the user must be created at sender as well as receiver system.
  Does enabling principal propagation mean no passwords are needed to issue a SOAP call to PI and onward to the ABAP proxy?
  Incorrect. It just means that same user would be propagated to all the communicating systems using something called as Assertion Ticket.
  While using Assertion tickets to communicate, a trust relationship is established between various systems. For this an SAP client is associated and in the keystore the certificate should be imported for digital signature. So the authentication is certificate based.
  Regards,
  Prateek

• Principal Propagation SOAP-PI-RFC not working

  Hi experts,
  I have designed on PI 7.0 SP16 a SOAP->PI->RFC scenario enabling the call of
  RFC_READ_TABLE (from ECC) through a webservice. For tests purpose, I have deployed WSDL file on IIS server and I call it from SAP Web Services Navigator. Tests are OK if we do not activate principal propagation on sender and receiver agreements.
  But we need to activate it in order to manage authorizations for people calling the webservice.
  So, I have followed all the required steps described in OSS note 974873.
  In addition, on PI Java Visual Administrator, I added CreateAssertionTicketLoginModule to com.sap.aii.af.soapadapter*XISOAPAdapter (Service u2018Security Provideru2019 -> runtime -> policy configurations ) in order to create an assertion ticket when SOAP adapter is called.
  When calling the webservice, the response contains : "Received HTTP response code 401 : Unauthorized".  In RWB I can see that the communication channel is in error, not even displaying the content of the message.
  The security.log file contains : u201CAttempting to create outgoing ssl connection without trusted certificatesu201D
  My test user (and PIAFUSER) has SAP_XI_APPL_SERV_USER role, are not locked and PI Caches have been cleared.
  In addition, I have not set SSO in PI, thinking it is not a prerequisite to principal propagation.
  Does anyone could help me ?
  Thanks for your help,
  Philippe
  Edited by: IBM France CONSEIL on Feb 19, 2010 9:48 AM

  Stefan,
  what I understand from the comments is that I have to use SAML, but this is coming with PI 7.1 and I am working on PI 7.0.
  However, when I read the beginning of this thread [Principal Propagation - PIAFUSER in Assertion Ticket] it proves it can work without SAML, isn't it ?

• Error while configuring Principal Propagation

  Hi,
  I am trying to configure Principal Propagation for a Proxy -> PI -> RFC, sync scenario. I am working on PI 7.1 SP6 and when i am trying to configure the "Configuration Adapter" in JAVA stack i am not able to find the following config. properties:
  1.) login.ticket_keyalias = SAPLogonTicketKeypair.
  2.) login.ticket_keystore = TicketKeystore.
  I have checked in both NWA of PI 7.1 as well as the basis guys have checked the config. tool of the local server.
  Rest all the configuration have been done but i am getting the following error in the response message of the moni -
  "  com.sap.engine.interfaces.messaging.api.exception.MessagingException: com.sap.aii.adapter.rfc.afcommunication.RfcAFWException: error while processing message to remote system:com.sap.aii.adapter.rfc.core.client.RfcClientException: could not get a client from JCO.Pool: com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: Issuer of SSO ticket is not authorized "
  Please help.
  Thanks!!!

  Hi,
  Plz check below parameters at R/3 side and set value as mentioned below.
  login/accept_sso2_ticket=1
  login/create_sso2_ticket=2
  then test Jco's.

• Problems with SAP Logon ticket

  Hi.
  I am trying to send SAP Logon ticket from ECC 6.0  to the backend legacy using Soap adapter in receiver side. I get the following error in SXMB_MONI, so it looks like AF is not accepting the ticket. Can anybody tell me please, how I can identify that the ticket has been received in PI's side?
  <Trace level="1" type="T">Principal Propagation connection attributes</Trace>
    <Trace level="1" type="T">Host = hostname</Trace>
    <Trace level="1" type="T">Port = 12345</Trace>
    <Trace level="1" type="T">Transport protocol = HTTP</Trace>
    <Trace level="1" type="T">Transport protocol vers = 1.0</Trace>
    <Trace level="1" type="T">Message protocol = 003000</Trace>
    <Trace level="1" type="T">Path = /MessagingSystem/receive/AFW/XI</Trace>
    <Trace level="1" type="T">Security: Logon Ticket</Trace>
    <Trace level="1" type="System_Error">Error while sending by HTTP (error code: 403, error text: Forbidden)</Trace>
    </Trace>
  Thanks, Jukka

  Hi.
  I have had some progress. Actually Principal Propagation works well now, thanks to instructions in http://help.sap.com/saphelp_nwpi711/helpdata/en/48/a9bbb97e28674be10000000a421937/frameset.htm
  But I think I have now found out that the principal progation might not be a direct answer to my problem. In the end of the day I should be able to deliver UsernameToken in my soap message header. Something like this:
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    |          <wsu:Timestamp wsu:Id="Timestamp-12134742" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    |             <wsu:Created>2007-10-14T12:45:34.656Z</wsu:Created>
    |             <wsu:Expires>2007-10-14T12:46:34.656Z</wsu:Expires>
    |          </wsu:Timestamp>
    |          <wsse:UsernameToken wsu:Id="UsernameToken-33259721" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    |             <wsse:Username>test</wsse:Username>
    |             <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>
    |          </wsse:UsernameToken>
    |       </wsse:Security>
  I just have not found any documentation which I could utilize in Abap Proxy - PI 7.1 - Soap Receiver scenario. Just wondering should I create my own customized soap envelope and disable the Pi envelope in SOAP communication channel...
  Do you know if there's any "standard way" to configure this kind of configuration?
  Br. Jukka

• SSO and Principal Propagation in SUP

  Hi all,
  I am wondering how SSO and Principal Propagation work in SUP.
  Ideally, users should be able to logon on their device application and the same user/pwd should be used to perform backend SAP invocations.
  I have seen that personalization keys exists which can store users/passwords to use later in backend invocations.
  However:
  how can I perform login if my device is offline?
  is the password used for login from device the same as the SAP system's?
  do SUP and SAP have to share the same user engine (i.e. LDAP)?
  Any help or pointers to best practices/manuals are really appreciated
  Thanks, regards
  Vincenzo

  Hi
  how can I perform login if my device is offline?
  Once the device logs into the SUP once every-time thereafter the client app doesn't perform an online authentication.
  The credentials are stored on the device securely and authenticated with the user supplied credentials. When the device is online it will perform the online authentication.
  is the password used for login from device the same as the SAP system's?
  You can have the same credentials on both the systems. The SAP connectivity credentials are however stored in SUP.
  do SUP and SAP have to share the same user engine (i.e. LDAP)?
  Yes currently SUP for development purposes has the openDS ldap service. but in  production we can use the LDAP provider of your company.
  Thanks

• IDOC sender Principal Propagation

  Hi experts,
  I've a scenario IDOC to JDBC, it give me a error. I could have seen in others threads this error can be relationed with 'Principal Propagation' but i don' understand this concept, also in this scenario i haven't a sender agreement (because it is a IDOC),
  the error is:
  - <Trace level="1" type="B" name="CL_XMS_PLSRV_IE_ADAPTER-ENTER_PLSRV">
    <Trace level="3" type="T">Channel for adapter engine: JDBC</Trace>
  - <Trace level="1" type="B" name="CL_XMS_PLSRV_CALL_XMB-CALL_XMS_HTTP">
    <Trace level="2" type="T">return fresh values from cache</Trace>
    <Trace level="2" type="T">Get logon data for adapter engine (SAI_AE_DETAILS_GET):</Trace>
    <Trace level="3" type="T">URL = http://sapdes:50300/MessagingSystem/receive/AFW/XI</Trace>
    <Trace level="3" type="T">User = PIISUSER</Trace>
    <Trace level="3" type="T">Cached = X</Trace>
    <Trace level="3" type="T">Creating HTTP-client</Trace>
    <Trace level="3" type="T">HTTP-client: creation finished</Trace>
    <Trace level="3" type="T">Security: Basic authentication</Trace>
    <Trace level="3" type="T">Serializing message object...</Trace>
    <Trace level="1" type="T">HTTP Multipart document length: 5223</Trace>
    <Trace level="3" type="T">HTTP-client: sending http-request...</Trace>
    <Trace level="3" type="T">HTTP-client: request sent</Trace>
    <Trace level="3" type="T">HTTP-client: Receiving http-response...</Trace>
    <Trace level="3" type="T">HTTP-client: response received</Trace>
    <Trace level="3" type="T">HTTP-client: checking status code...</Trace>
    <Trace level="3" type="T">HTTP-client: status code = 503</Trace>
    <Trace level="3" type="System_Error">HTTP-client: error response= <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Error Report</title> <style> td {font-family : Arial, Tahoma, Helvetica, sans-serif; font-size : 14px;} A:link A:visited A:active </style> </head> <body marginwidth="0" marginheight="0" leftmargin="0" topmargin="0" rightmargin="0"> <table width="100%" cellspacing="0" cellpadding="0" border="0" align="left" height="75"> <tr bgcolor="#FFFFFF"> <td align="left" colspan="2" height="48"><font face="Arial, Verdana, Helvetica" size="4" color="#666666"><b>  503 &nbsp Service Unavailable</b></font></td> </tr> <tr bgcolor="#3F73A3"> <td height="23" width="84"><img width=1 height=1 border=0 alt=""></td> <td height="23"><img width=1 height=1 border=0 alt=""></td> <td align="right" height="23"><font face="Arial, Verdana, Helvetica" size="2" color="#FFFFFF"><b>SAP J2EE Engine/7.00 </b></font></td> </tr> <tr bgcolor="#9DCDFD"> <td height="4" colspan="3"><img width=1 height=1 border=0 alt=""></td> </tr> </table> <br><br><br><br><br><br> <table width="100%" cellspacing="0" cellpadding="0" border="0" align="left" height="75"> <tr bgcolor="#FFFFFF"> <td align="left" colspan="2" height="48"><font face="Arial, Verdana, Helvetica" size="3" color="#000000"><b>  The requested application, AFW, is currently unavailable.</b></font></td> </tr> <tr bgcolor="#FFFFFF"> <td align="left" valign="top" height="48"><font face="Arial, Verdana, Helvetica" size="2" color="#000000"><b>  Details:</b></font></td> <td align="left" valign="top" height="48"><font face="Arial, Verdana, Helvetica" size="3" color="#000000"><pre>  No details available</pre></font></td> </tr> </body> </html></Trace>
    <Trace level="3" type="T">HTTP-client: closing...</Trace>
    </Trace>
    </Trace>
    </Trace>
  - <Trace level="1" type="B" name="CL_XMS_MAIN-WRITE_MESSAGE_LOG_TO_PERSIST">
    <Trace level="3" type="T">Persisting message after plsrv call</Trace>
    <Trace level="3" type="T">Message-Version = 007</Trace>
    <Trace level="3" type="T">Message version 007</Trace>
    <Trace level="3" type="T">Pipeline CENTRAL</Trace>
    </Trace>
    <Trace level="3" type="System_Error">Error exception return from pipeline processing!</Trace>
    <Trace level="1" type="B" name="CL_XMS_MAIN-WRITE_MESSAGE_TO_PERSIST" />
  - <!--  ************************************
    -->
    <Trace level="3" type="T">Persisting message Status = 014</Trace>
    <Trace level="3" type="T">Message version 008</Trace>
    <Trace level="3" type="T">Pipeline CENTRAL</Trace>
    </SAP:Trace>
  very thanks,

  Hi
    Check this blog & the SAP notes in it
  /people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
  Regards
  Vishnu

• Avoid principal propagation in RFC_to_File scenario?

  Hi!
  I am facing with the following error in sxmb_moni by retrieving the message from business system A.
  Errror in part Call adapter
  System_Error: Error exception retnr from pipeline processing
  name = "CL_XMS_MAIN_WRITE_MESSAGE_TO_PERSIST"
  I also detected the following additional error text:
  <SAP:AdditionalText>com.sap.aii.af.ra.ms.api.ConfigException: Unauthorized: J2EE AE rejected user. Reason: Principal propagation is not active, but technical IS service user was not used (J2EE_ADMIN).</SAP:AdditionalText>
  <SAP:ApplicationFaultMessage namespace="" /
  The error tell me that the principal propagation is missing.
  Unfortunately I cannot activate principal propagation on Sender system due to ABAP dump error.
  Question:
  Are there some alternative solutions without activating principal propagation?
  If yes hwo can these be realize?
  For example: is it possible to send messages as technical IS server user such as j2ee_admin from sender system without activating principal propagation?
  Any helpful information will be very appreciated.
  Thank you!
  Holger

  HI Holger
  Looking at the error we can see its authorization issue. You can try using user like PISUPER to create and use principal propagation
  Moreover other than this you have to go through normal RFC -> XI -> File procedure where you have different user involved at different services. No other choice
  Thanks
  Gaurav