SOAP to SOAP principal propagation with logon tickets

Similar Messages

• SSO with Logon Ticket to non-SAP Unix based application

  Hi all,
  Anyone has implemented SSO with Logon Ticket to a Unix box ?
  We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
  We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
  From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
  -> Are there any Java libraries that are available to both:
  . verify the logon ticket with the deployed Portal public key
  . decrypt/extract the authenticated username from this ticket ??
  I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
  Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
  I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000 !! Anyone has more information about this ?
  Any hint is very much appreciated.
  Thanks a lot
  Olivier

  Check these links for reference regarding AIX and Apache using X.509 certificates:
  http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
  And just using cookies -
  http://forums.devshed.com/archive/t-105611 (perl based)
  You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
  The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
  Nick
  Nick

• SSO fails with logon ticket

  Hi all ,
  Could some advice on this .I have some issues with SSO with logon tickets .
  My landscape consists of
  - EP 6.0 SP on WAS J2EE 6.0
  - ECC 5.0 SP7 on WAS ABAP 6.0
  I am trying to do SSO between portal and ECC , where in portal is the ticket issuer
  and my ECC accepts the ticket . Follwing are the steps I have done .
  1. From keystore Administrator , I have downloaded the verity.der .
  2. From my ECC system , run STRUSTSS02 transaction and done following activities
  a. import the verity.der into certificate area ( selecte dfile format as binary )
  b. Added certificate into PSE
  c. Add to ACL ( here I have selected my portal SID , client
  as 000 ( Do is need to give a different client ???...)
  d. Saved everything
  3. Then I have created a system object for my ECC system , given all the connector parametrs,
  user management as logon ticket and created an alias too .
  But when I tested is is failure
  I have also created a JCO destination under the webdynpro content admin and selected the
  logon ticket as the option , there also the test fails
  Could any body advice what am I doing wrong ?
  THanks
  Aneez

  Phani ,
  Here is the trace .
  M  *** BEGIN USER TRACE  UID >915< MODE >1< STEP >1< REQID >11685< TIME >053138< DATE >20050805< WP >0< WP_TYPE >DIA<  CONV_ID >5028
  N  dy_signi_ext: SSO TICKET logon (client 110)
  N  mySAPUnwrapCookie: was called.
  N  HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.
  N  HmskiFindTicketInCache: Try to find ticket with cache key: 110:F8906A99658752C18D6007083CC6D4A3 .
  N  HmskiFindTicketInCache: Couldn't find ticket in ticket cache.
  N  I don't need to ask RunningCompatibly to know: I'm >= 46C.
  N  mySAP: Got the following SSF Params:
  N         DN     =CN=DV1
  N         EncrAlg=DES-CBC
  N         Format =PKCS7
  N         Toolkit =SAPSECULIB
  N         HashAlg =SHA1
  N         Profile =/usr/sap/DV1/DVEBMGS00/sec/SAPSYS.pse
  N         PAB =/usr/sap/DV1/DVEBMGS00/sec/SAPSYS.pse
  N  Got the codepage 4102.
  N  Got ticket (head) AjExMDAgAA5wb3J0YWw6QUhBTUVFRIgAE2Jhc2lj. Length = 444.
  N  00000000  00 41 00 6a 00 45 00 78  00 4d 00 44 00 41 00 67  .A.j.E.x.M.D.A.g
  N  00000010  00 41 00 41 00 35 00 77  00 62 00 33 00 4a 00 30  .A.A.5.w.b.3.J.0
  N  00000020  00 59 00 57 00 77 00 36  00 51 00 55 00 68 00 42  .Y.W.w.6.Q.U.h.B
  N  00000030  00 54 00 55 00 56 00 46  00 52 00 49 00 67 00 41  .T.U.V.F.R.I.g.A
  N  00000040  00 45 00 32 00 4a 00 68  00 63 00 32 00 6c 00 6a  .E.2.J.h.c.2.l.j
  N  00000050  00 59 00 58 00 56 00 30  00 61 00 47 00 56 00 75  .Y.X.V.0.a.G.V.u
  N  00000060  00 64 00 47 00 6c 00 6a  00 59 00 58 00 52 00 70  .d.G.l.j.Y.X.R.p
  N  00000070  00 62 00 32 00 34 00 42  00 41 00 41 00 41 00 43  .b.2.4.B.A.A.A.C
  N  00000080  00 41 00 41 00 4d 00 77  00 4d 00 44 00 41 00 44  .A.A.M.w.M.D.A.D
  N  00000090  00 41 00 41 00 4e 00 46  00 55 00 45 00 51 00 45  .A.A.N.F.U.E.Q.E
  N  000000A0  00 41 00 41 00 77 00 79  00 4d 00 44 00 41 00 31  .A.A.w.y.M.D.A.1
  N  000000B0  00 4d 00 44 00 67 00 77  00 4e 00 54 00 41 00 35  .M.D.g.w.N.T.A.5
  N  000000C0  00 4d 00 6a 00 49 00 46  00 41 00 41 00 51 00 41  .M.j.I.F.A.A.Q.A
  N  000000D0  00 41 00 41 00 41 00 49  00 43 00 67 00 41 00 41  .A.A.A.I.C.g.A.A
  N  000000E0  00 2f 00 77 00 44 00 31  00 4d 00 49 00 48 00 79  ./.w.D.1.M.I.H.y
  N  000000F0  00 42 00 67 00 6b 00 71  00 68 00 6b 00 69 00 47  .B.g.k.q.h.k.i.G
  N  00000100  00 39 00 77 00 30 00 42  00 42 00 77 00 4b 00 67  .9.w.0.B.B.w.K.g
  N  00000110  00 67 00 65 00 51 00 77  00 67 00 65 00 45 00 43  .g.e.Q.w.g.e.E.C
  N  00000120  00 41 00 51 00 45 00 78  00 43 00 7a 00 41 00 4a  .A.Q.E.x.C.z.A.J
  N  00000130  00 42 00 67 00 55 00 72  00 44 00 67 00 4d 00 43  .B.g.U.r.D.g.M.C
  N  00000140  00 47 00 67 00 55 00 41  00 4d 00 41 00 73 00 47  .G.g.U.A.M.A.s.G
  N  00000150  00 43 00 53 00 71 00 47  00 53 00 49 00 62 00 33  .C.S.q.G.S.I.b.3
  N  00000160  00 44 00 51 00 45 00 48  00 41 00 54 00 47 00 42  .D.Q.E.H.A.T.G.B
  N  00000170  00 77 00 54 00 43 00 42  00 76 00 67 00 49 00 42  .w.T.C.B.v.g.I.B
  N  00000180  00 41 00 54 00 41 00 54  00 4d 00 41 00 34 00 78  .A.T.A.T.M.A.4.x
  N  00000190  00 44 00 44 00 41 00 4b  00 42 00 67 00 4e 00 56  .D.D.A.K.B.g.N.V
  N  000001A0  00 42 00 41 00 4d 00 54  00 41 00 30 00 56 00 51  .B.A.M.T.A.0.V.Q
  N  000001B0  00 52 00 41 00 49 00 42  00 41 00 44 00 41 00 4a  .R.A.I.B.A.D.A.J
  N  000001C0  00 42 00 67 00 55 00 72  00 44 00 67 00 4d 00 43  .B.g.U.r.D.g.M.C
  N  000001D0  00 47 00 67 00 55 00 41  00 6f 00 46 00 30 00 77  .G.g.U.A.o.F.0.w
  N  000001E0  00 47 00 41 00 59 00 4a  00 4b 00 6f 00 5a 00 49  .G.A.Y.J.K.o.Z.I
  N  000001F0  00 68 00 76 00 63 00 4e  00 41 00 51 00 6b 00 44  .h.v.c.N.A.Q.k.D
  N  00000200  00 4d 00 51 00 73 00 47  00 43 00 53 00 71 00 47  .M.Q.s.G.C.S.q.G
  N  00000210  00 53 00 49 00 62 00 33  00 44 00 51 00 45 00 48  .S.I.b.3.D.Q.E.H
  N  00000220  00 41 00 54 00 41 00 63  00 42 00 67 00 6b 00 71  .A.T.A.c.B.g.k.q
  N  00000230  00 68 00 6b 00 69 00 47  00 39 00 77 00 30 00 42  .h.k.i.G.9.w.0.B
  N  00000240  00 43 00 51 00 55 00 78  00 44 00 78 00 63 00 4e  .C.Q.U.x.D.x.c.N
  N  00000250  00 4d 00 44 00 55 00 77  00 4f 00 44 00 41 00 31  .M.D.U.w.O.D.A.1
  N  00000260  00 4d 00 44 00 6b 00 79  00 4d 00 6a 00 41 00 31  .M.D.k.y.M.j.A.1
  N  00000270  00 57 00 6a 00 41 00 6a  00 42 00 67 00 6b 00 71  .W.j.A.j.B.g.k.q
  N  00000280  00 68 00 6b 00 69 00 47  00 39 00 77 00 30 00 42  .h.k.i.G.9.w.0.B
  N  00000290  00 43 00 51 00 51 00 78  00 46 00 67 00 51 00 55  .C.Q.Q.x.F.g.Q.U
  N  000002A0  00 4e 00 78 00 47 00 53  00 38 00 70 00 65 00 6b  .N.x.G.S.8.p.e.k
  N  000002B0  00 68 00 62 00 5a 00 32  00 6e 00 79 00 6e 00 61  .h.b.Z.2.n.y.n.a
  N  000002C0  00 46 00 4c 00 4b 00 54  00 51 00 2f 00 37 00 43  .F.L.K.T.Q./.7.C
  N  000002D0  00 42 00 5a 00 6b 00 77  00 43 00 51 00 59 00 48  .B.Z.k.w.C.Q.Y.H
  N  000002E0  00 4b 00 6f 00 5a 00 49  00 7a 00 6a 00 67 00 45  .K.o.Z.I.z.j.g.E
  N  000002F0  00 41 00 77 00 51 00 76  00 4d 00 43 00 30 00 43  .A.w.Q.v.M.C.0.C
  N  00000300  00 46 00 41 00 32 00 53  00 63 00 53 00 6f 00 71  .F.A.2.S.c.S.o.q
  N  00000310  00 4d 00 53 00 51 00 41  00 2f 00 75 00 41 00 42  .M.S.Q.A./.u.A.B
  N  00000320  00 70 00 43 00 69 00 61  00 6b 00 6f 00 68 00 69  .p.C.i.a.k.o.h.i
  N  00000330  00 68 00 75 00 44 00 79  00 41 00 68 00 55 00 41  .h.u.D.y.A.h.U.A
  N  00000340  00 36 00 4e 00 56 00 48  00 43 00 53 00 6b 00 50  .6.N.V.H.C.S.k.P
  N  00000350  00 58 00 49 00 52 00 6c  00 63 00 57 00 2b 00 32  .X.I.R.l.c.W.+.2
  N  00000360  00 6a 00 41 00 45 00 30  00 31 00 37 00 55 00 62  .j.A.E.0.1.7.U.b
  N  00000370  00 61 00 63 00 34 00 3d                           .a.c.4.=
  N  Dump of InContext  (ssoxxapi.c 155)
  N  00000000  00 34 00 31 00 30 00 32  0f ff ff ff ff ff 54 e8  .4.1.0.2.ÿÿÿÿÿTè
  N  00000010  00 00 00 01 83 37 73 10  0f ff ff ff ff ff 59 98  .....7s..ÿÿÿÿÿY.
  N  00000020  00 00 01 bc 00 00 00 00  00 00 00 01 00 93 ee 8c  ...¼..........î.
  N  00000030
  N  Copies from InContext->Format: PKCS7  (ssoxxapi.c 162)
  N  Copies from InContext->pzcsProName: /usr/sap/DV1/DVEBMGS00/sec/SAPSYS.pse  (ssoxxapi.c 165)
  N  DecodeB64Len returns 0. iDecLength=332
  N  Dump of Decoded ticket:  (ssoxxapi.c 187)
  N  00000000  02 31 31 30 30 20 00 0e  70 6f 72 74 61 6c 3a 41  .1100 ..portal:A
  N  00000010  48 41 4d 45 45 44 88 00  13 62 61 73 69 63 61 75  HAMEED...basicau
  N  00000020  74 68 65 6e 74 69 63 61  74 69 6f 6e 01 00 00 02  thentication....
  N  00000030  00 03 30 30 30 03 00 03  45 50 44 04 00 0c 32 30  ..000...EPD...20
  N  00000040  30 35 30 38 30 35 30 39  32 32 05 00 04 00 00 00  0508050922......
  N  00000050  08 0a 00 00 ff 00 f5 30  81 f2 06 09 2a 86 48 86  ....ÿ.õ0.ò..*.H.
  N  00000060  f7 0d 01 07 02 a0 81 e4  30 81 e1 02 01 01 31 0b  ÷.... .ä0.á...1.
  N  00000070  30 09 06 05 2b 0e 03 02  1a 05 00 30 0b 06 09 2a  0...+......0...*
  N  00000080  86 48 86 f7 0d 01 07 01  31 81 c1 30 81 be 02 01  .H.÷....1.Á0.¾..
  N  00000090  01 30 13 30 0e 31 0c 30  0a 06 03 55 04 03 13 03  .0.0.1.0...U....
  N  000000A0  45 50 44 02 01 00 30 09  06 05 2b 0e 03 02 1a 05  EPD...0...+.....
  N  000000B0  00 a0 5d 30 18 06 09 2a  86 48 86 f7 0d 01 09 03  . ]0...*.H.÷....
  N  000000C0  31 0b 06 09 2a 86 48 86  f7 0d 01 07 01 30 1c 06  1...*.H.÷....0..
  N  000000D0  09 2a 86 48 86 f7 0d 01  09 05 31 0f 17 0d 30 35  .*.H.÷....1...05
  N  000000E0  30 38 30 35 30 39 32 32  30 35 5a 30 23 06 09 2a  0805092205Z0#..*
  N  000000F0  86 48 86 f7 0d 01 09 04  31 16 04 14 37 11 92 f2  .H.÷....1...7..ò
  N  00000100  97 a4 85 b6 76 9f 29 da  14 b2 93 43 fe c2 05 99  .¤.¶v.)Ú.².CþÂ..
  N  00000110  30 09 06 07 2a 86 48 ce  38 04 03 04 2f 30 2d 02  0...*.HÎ8.../0-.
  N  00000120  14 0d 92 71 2a 2a 31 24  00 fe e0 01 a4 28 9a 92  ...q**1$.þà.¤(..
  N  00000130  88 62 86 e0 f2 02 15 00  e8 d5 47 09 29 0f 5c 84  .b.àò...èÕG.)..
  N  00000140  65 71 6f b6 8c 01 34 d7  b5 1b 69 ce              eqo¶..4×µ.iÎ
  N  Read version.
  N  Read Codepage.
  N  Read InfoUnit (0x20).
  N  Read length (14).
  N  Read contents.
  N  Read InfoUnit (0x88).
  N  Read length (19).
  N  Read contents.
  N  Read InfoUnit (0x01).
  N  Read length (0).
  N  Read contents.
  N  Read InfoUnit (0x02).
  N  Read length (3).
  N  Read contents.
  N  Read InfoUnit (0x03).
  N  Read length (3).
  N  Read contents.
  N  Read InfoUnit (0x04).
  N  Read length (12).
  N  Read contents.
  N  Read InfoUnit (0x05).
  N  Read length (4).
  N  Read contents.
  N  Read InfoUnit (0x0A).
  N  Read length (0).
  N  Read contents.
  N  Read InfoUnit (0xFF).
  N  ParseTicket returns 0.  (ssoxxapi.c 199)
  N  Bytes processed: 85  (ssoxxapi.c 202)
  N  Argument Dump for ticket verification:
  N  Content byte stream:
  N  00000000  02 31 31 30 30 20 00 0e  70 6f 72 74 61 6c 3a 41  .1100 ..portal:A
  N  00000010  48 41 4d 45 45 44 88 00  13 62 61 73 69 63 61 75  HAMEED...basicau
  N  00000020  74 68 65 6e 74 69 63 61  74 69 6f 6e 01 00 00 02  thentication....
  N  00000030  00 03 30 30 30 03 00 03  45 50 44 04 00 0c 32 30  ..000...EPD...20
  N  00000040  30 35 30 38 30 35 30 39  32 32 05 00 04 00 00 00  0508050922......
  N  00000050  08 0a 00 00                                       ....
  N
  N  Signature byte stream:
  N  00000000  30 81 f2 06 09 2a 86 48  86 f7 0d 01 07 02 a0 81  0.ò..*.H.÷.... .
  N  00000010  e4 30 81 e1 02 01 01 31  0b 30 09 06 05 2b 0e 03  ä0.á...1.0...+..
  N  00000020  02 1a 05 00 30 0b 06 09  2a 86 48 86 f7 0d 01 07  ....0...*.H.÷...
  N  00000030  01 31 81 c1 30 81 be 02  01 01 30 13 30 0e 31 0c  .1.Á0.¾...0.0.1.
  N  00000040  30 0a 06 03 55 04 03 13  03 45 50 44 02 01 00 30  0...U....EPD...0
  N  00000050  09 06 05 2b 0e 03 02 1a  05 00 a0 5d 30 18 06 09  ...+...... ]0...
  N  00000060  2a 86 48 86 f7 0d 01 09  03 31 0b 06 09 2a 86 48  .H.÷....1....H
  N  00000070  86 f7 0d 01 07 01 30 1c  06 09 2a 86 48 86 f7 0d  .÷....0...*.H.÷.
  N  00000080  01 09 05 31 0f 17 0d 30  35 30 38 30 35 30 39 32  ...1...050805092
  N  00000090  32 30 35 5a 30 23 06 09  2a 86 48 86 f7 0d 01 09  205Z0#..*.H.÷...
  N  000000A0  04 31 16 04 14 37 11 92  f2 97 a4 85 b6 76 9f 29  .1...7..ò.¤.¶v.)
  N  000000B0  da 14 b2 93 43 fe c2 05  99 30 09 06 07 2a 86 48  Ú.².CþÂ..0...*.H
  N  000000C0  ce 38 04 03 04 2f 30 2d  02 14 0d 92 71 2a 2a 31  Î8.../0-....q**1
  N  000000D0  24 00 fe e0 01 a4 28 9a  92 88 62 86 e0 f2 02 15  $.þà.¤(...b.àò..
  N  000000E0  00 e8 d5 47 09 29 0f 5c  84 65 71 6f b6 8c 01 34  .èÕG.)..eqo¶..4
  N  000000F0  d7 b5 1b 69 ce                                    ×µ.iÎ
  N  Encoded content byte stream:
  N  00000000  30 63 06 09 2a 86 48 86  f7 0d 01 07 01 a0 56 04  0c..*.H.÷.... V.
  N  00000010  54 02 31 31 30 30 20 00  0e 70 6f 72 74 61 6c 3a  T.1100 ..portal:
  N  00000020  41 48 41 4d 45 45 44 88  00 13 62 61 73 69 63 61  AHAMEED...basica
  N  00000030  75 74 68 65 6e 74 69 63  61 74 69 6f 6e 01 00 00  uthentication...
  N  00000040  02 00 03 30 30 30 03 00  03 45 50 44 04 00 0c 32  ...000...EPD...2
  N  00000050  30 30 35 30 38 30 35 30  39 32 32 05 00 04 00 00  00508050922.....
  N  00000060  00 08 0a 00 00                                    .....
  N  Verify returns 0  (ssoxxsgn.c 189)
  N  Certificate is:
  N  00000000  30 82 02 1d 30 82 02 08  02 01 00 30 09 06 07 2a  0...0......0...*
  N  00000010  86 48 ce 38 04 03 30 0e  31 0c 30 0a 06 03 55 04  .HÎ8..0.1.0...U.
  N  00000020  03 13 03 45 50 44 30 1e  17 0d 30 35 30 37 30 35  ...EPD0...050705
  N  00000030  31 31 34 30 35 30 5a 17  0d 30 37 30 37 30 35 31  114050Z..0707051
  N  00000040  31 34 30 35 30 5a 30 0e  31 0c 30 0a 06 03 55 04  14050Z0.1.0...U.
  N  00000050  03 13 03 45 50 44 30 82  01 b6 30 82 01 2b 06 07  ...EPD0..¶0..+..
  N  00000060  2a 86 48 ce 38 04 01 30  82 01 1e 02 81 81 00 82  *.HÎ8..0........
  N  00000070  7d d4 9c a2 05 69 84 e9  83 71 b1 34 0d 5d 71 83  }Ô.¢.i.é.q±4.]q.
  N  00000080  92 85 b2 5a ca a3 82 d7  ac 38 6e 94 40 84 3f 0a  ..²ZÊ£.׬8n.@.?.
  N  00000090  46 7a a8 75 a8 c1 ca 3b  70 ba 6a 97 07 12 f6 b1  Fz¨u¨ÁÊ;pºj...ö±
  N  000000A0  99 ed 3e ec 53 13 f3 94  0a 67 bb d6 9f 38 72 29  .í>ìS.ó..g»Ö.8r)
  N  000000B0  61 ab 02 3d 17 a1 33 3c  52 23 5d 9f b7 d1 0e 95  a«.=.¡3<R#].·Ñ..
  N  000000C0  e3 a5 5e f9 b0 4f c7 c9  20 c5 72 da 7a c3 d5 0f  ã¥^ù°OÇÉ ÅrÚzÃÕ.
  N  000000D0  24 0d bb 8e 54 da 9e bb  70 21 11 c5 35 82 e5 35  $.».TÚ.»p!.Å5.å5
  N  000000E0  85 2e 9f 59 39 79 b3 32  50 c8 86 83 96 19 17 02  ...Y9y³2PÈ......
  N  000000F0  15 00 fa 50 79 da fa 3f  3a b1 e8 0a 6d f5 bd 16  ..úPyÚú?:±è.mõ½.
  N  00000100  f2 24 d8 f8 d7 1b 02 81  80 4f bd f5 2e 33 04 f0  ò$Øø×....O½õ.3.ð
  N  00000110  51 c1 7c a5 5c 93 81 b5  c1 7d 4c 20 50 76 85 34  QÁ|¥..µÁ}L Pv.4
  N  00000120  50 cf d9 fc 72 b2 e1 b2  b1 6f a0 10 48 b8 ff 17  PÏÙür²á²±o .H¸ÿ.
  N  00000130  e7 a9 0a e1 e0 18 05 3e  34 d9 d5 61 df 71 4c c8  ç©.áà..>4ÙÕaßqLÈ
  N  00000140  dc 92 b1 51 b5 df 66 59  70 6b 5e 57 c3 19 a2 d6  Ü.±QµßfYpk^WÃ.¢Ö
  N  00000150  58 3b 7d 32 d2 e9 e1 f1  66 3e aa ac 46 0d cd 4e  X;}2Òéáñf>ª¬F.ÍN
  N  00000160  67 70 36 f7 f9 be 0b 2e  16 a0 5d 69 5d 5b 81 13  gp6÷ù¾... ]i][..
  N  00000170  a9 03 cb 38 63 56 1a bd  36 4a 5d 6c 15 66 17 fa  ©.Ë8cV.½6J]l.f.ú
  N  00000180  10 a3 20 99 e1 d2 34 77  13 03 81 84 00 02 81 80  .£ .áÒ4w........
  N  00000190  6b a6 d4 4e e8 03 f6 f1  35 83 fb 37 01 1f 3c 5c  k¦ÔNè.öñ5.û7..<
  N  000001A0  8e 75 ad 1f 2d b3 9b 69  4f b3 a3 36 b6 9f 38 07  .u..-³.iO³£6¶.8.
  N  000001B0  fe bf f1 0b ca 24 fe 5c  a7 33 a1 55 c9 65 c5 4c  þ¿ñ.Ê$þ\u00A73¡UÉeÅL
  N  000001C0  97 a1 e7 58 d1 47 7f 72  36 47 bf f4 cc 6d 12 14  .¡çXÑG.r6G¿ôÌm..
  N  000001D0  cc 61 be 82 b5 50 be 16  7a cc 4d 47 1e 80 2f 6d  Ìa¾.µP¾.zÌMG../m
  N  000001E0  2e d4 19 69 80 e6 26 13  23 4f 07 0a 9c 87 13 91  .Ô.i.æ&.#O......
  N  000001F0  7b 75 57 93 e1 8d 42 5f  28 47 e2 61 27 6d 0c 4c  {uW.á.B_(Gâa'm.L
  N  00000200  55 99 37 33 cc 92 c0 b9  06 d1 99 68 d0 17 c1 4d  U.73Ì.À¹.Ñ.hÐ.ÁM
  N  00000210  30 0c 06 08 2a 86 48 86  f7 0d 02 05 05 00 03 01  0...*.H.÷.......
  N  00000220  00                                                .
  N  ValidateTicket returns 0.  (ssoxxapi.c 225)
  N  MskiValidateTicket returns 0.
  N  Next node:
  N  00000000  01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000100  00 00 00 00 00 00 00 00  00 00 00 01 84 e7 8a 10  .............ç..
  N  00000110  00 00 00 00 00 00 00 00                           ........
  N  Next node:
  N  00000000  02 00 30 00 30 00 30 00  00 00 00 00 00 00 00 00  ..0.0.0.........
  N  00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000100  00 00 00 06 00 03 00 00  00 00 00 01 84 e7 95 10  .............ç..
  N  00000110  00 00 00 01 84 e4 37 b0                           .....ä7°
  N  Next node:
  N  00000000  03 00 45 00 50 00 44 00  00 00 00 00 00 00 00 00  ..E.P.D.........
  N  00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000100  00 00 00 06 00 03 00 00  00 00 00 01 85 0e cd 30  ..............Í0
  N  00000110  00 00 00 01 84 e7 8a 10                           .....ç..
  N  Next node:
  N  00000000  04 00 32 00 30 00 30 00  35 00 30 00 38 00 30 00  ..2.0.0.5.0.8.0.
  N  00000010  35 00 30 00 39 00 32 00  32 00 00 00 00 00 00 00  5.0.9.2.2.......
  N  00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000100  00 00 00 18 00 0c 00 00  00 00 00 01 85 0e d0 b0  ..............а
  N  00000110  00 00 00 01 84 e7 95 10                           .....ç..
  N  Next node:
  N  00000000  05 00 00 00 08 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000100  00 00 00 04 00 00 00 00  00 00 00 01 85 0f 76 90  ..............v.
  N  00000110  00 00 00 01 85 0e cd 30                           ......Í0
  N  Next node:
  N  00000000  0a 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000100  00 00 00 00 00 00 00 00  00 00 00 01 84 0a a6 30  ..............¦0
  N  00000110  00 00 00 01 85 0e d0 b0                           ......а
  N  Next node:
  N  00000000  20 70 6f 72 74 61 6c 3a  41 48 41 4d 45 45 44 00   portal:AHAMEED.
  N  00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000100  00 00 00 0e 00 00 00 00  00 00 00 01 84 0b 7a 10  ..............z.
  N  00000110  00 00 00 01 85 0f 76 90                           ......v.
  N  Next node:
  N  00000000  88 62 61 73 69 63 61 75  74 68 65 6e 74 69 63 61  .basicauthentica
  N  00000010  74 69 6f 6e 00 00 00 00  00 00 00 00 00 00 00 00  tion............
  N  00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  000000F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000100  00 00 00 13 00 00 00 00  00 00 00 00 00 00 00 00  ................
  N  00000110  00 00 00 01 84 0a a6 30                           ......¦0
  N  Got content client = 000.
  N  Got content sysid = EPD     .
  N  No entry in TWPSSO2ACL for SYS EPD      and CLI 000.
  N  CheckSubject failed (rc=19). Verifying if ticket was issued by me.
  N  *** ERROR => System ID and client from ticket are not the same than mine.  (ssoxxkrn.c   798)
  N  Data from ticket: sysid=EPD     , client=000
  N  My system data: sysid=DV1     , client=110
  N  *** ERROR => Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL.  (ssoxxkrn.c   804)
  N  dy_signi_ext: issuer not trusted
  M  *** END USER TRACE NAME >SAPSYS      <  UID >915< MODE >1< STEP >1< TIME >053139< DATE >20050805< WP >0< WP_TYPE >DIA<
  Thanks
  Aneez

• Not able to activate SSO with logon tickets...

  Hi all,
  I configured SSO with logon tickets on a new installation of EP 7.0 Nw 2004s SR2.
  The target R3 server is in a different domain. But i added the certificate receiver portal server address in the UME service entries.
  But when i try  to test it, it is showing the password entry login screen.
  Is there any changes i need to make to the logon stacks?
  Given below are the major steps i completed.
  1. Created RFC destination in portal
  2. Created RFC destination for portal in R3
  3. Exported verify.der certificate to R3.
  4. Added necessary entries for R3 sever in the portal security providers list.
  5. Restarted portal j2ee instance.
  Did I miss out any required steps?
  I doubt whether logon tickets are generated from the portal , since it directly shows the normal login screen when i test.
  Can anyone help me on this?
  Thanks in advance
  Shobin

  Hi,
  Thanks alot for your reply.
  I checked sso2. The connection fails there. But long back, we had created another destination in the R3 system to use in a different portal instance. There, SSO works fine. Even this destination also fails when checked through sso2.
  I login to portal with administrator rights which has the same user id in R3 also. Please note that both these systems are in different domain. But I have added another host name in ume.service.login property which is already set up for SSO with the target R3 system.
  When i test SSO, i am not getting any error messages regarding the certificate or logon ticket. It simply ask me  for a user name and password.
  Is there any change i have to do in logon stacks to give preference to logon tickets?
  Thanks alot
  Shobin

• Principal Propagation with SOAP sender

  Hello
  I've already read some blogs and SAP help about configuring the principal propagation (PP), those blogs explains details about the configuration with SAP (ABAP and Java) system.
  However in my case I have the third party SOAP sender application. I jsut wonder how to configure or write the soap Java program. Basically 2 things need to be done for hte soap sender:
  1) Force the soap sender to send message along with a SAP assertion ticket
  2) Sign the assertion ticket with private key (Public key/certification will be installed in PI Java AE)
  I have no idea how step 1 works (Take Java soap client program as example)
  Once a private key / public key is generated, how to use it to sign the assertion ticket?
  Basically our soap sender could be from any platform (.net, java program, oracle, etc.), I need to know how to configure the soap sender for PP generally.
  Anybody configured PP for soap sender?
  Thank you so much

  Hi Jayson,
  With the amount of questions asked in one single question , i feel things are not clear at your end.
  i suggest you going through:
  Prinicipal propogation:
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/808d3048-638c-2a10-35a6-faa48e50ad59
  Principal Propagation in SAP XI
  /people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi
  Configuring adapters for principal propogation
  http://help.sap.com/saphelp_nwpi711/helpdata/en/48/cf9e199bf23e49e10000000a421937/frameset.htm
  Regards
  joel

• Principal Propagation / SAP Assertion Ticket

  Hi Experts,
  i m planning a synchronous scenario
  3rd party (SOAP) -> PI -> SAP ECC (RFC)
  PI is on 7.1, ECC on 7.00
  I would like to run Principal Propagation. At the moment i m struggling with Assertion Ticket to be issued by the SOAP sender. From [SAP Help: Princ Prop / Configuring the Sender|http://help.sap.com/saphelp_nw04/helpdata/EN/45/3418a0eabe072fe10000000a155369/content.htm]: "The SOAP client itself must be able to issue SAP assertion tickets."
  - Does that mean: if the sender is a non SAP system Principle Propagation cannot be implemented?
  - Or is there a way to issue the SAP assertion ticket from 3rd party SOAP sender?
  - If yes, how does that work?
  I found two interesting threads:
  [Principal Propagation SOAP - XI - RFC Scenario   |Re: Principal Propagation SOAP - XI - RFC Scenario]:
  I do not understand Swarups answer 100%. He wrote: "Here you need not have to do anything on SOAP sender side to create the assertion ticket.The assertion ticket is required on SAP side which will act as Web AS ABAP Server"
  Can anybody illuminate that? Is he right?
  [Issuing SAP assertion Tickets |Issuing SAP assertion Tickets]: The last post of Anthony stayed unansered, unfortunately. "How does the sender system do that? Is it somethign embedded in the header of the SOAP message? This really is unclear to me"
  Thanks for your help,
  Udo

  Hi Udo,
  > - Does that mean: if the sender is a non SAP system Principle Propagation cannot be implemented?
  Principle propagation supports XI, SOAP and RFC adapters.
  http://help.sap.com/saphelp_nw04/helpdata/en/45/0f16bef65c7249e10000000a155369/frameset.htm
  Before using the principle propagation you have to active the configuration, but you can only activate the configuration if you have kernel patch 149 installed.
  Regards
  Ramesh

• SSO to SAP R3 thru ITS 6.20 with Logon tickets

  Hi All,
  I am trying to configure SSO to R3 thru ITS with the Logon Tickets.
  I have configured R3 to accept the tickets using STRUSTSSO2.
  Downloaded the verify.der file from Portal and imported to R3
  And tried to test the System connection.
  If I use <b>SAP GUI for Windows</b>,the logon ticket is passed and SSO happens
  with out any problem.
  But If I use <b>SAP GUI for html</b>,then ITS Logon screen appears and once I
  enter the user id and password it logs in.
  In ITS global.srvc file I have added the following parameter
  <b>~mysapcomusesso2cookie 1</b>
  I also have the following parameters in the global.srvc file
  <b>~login <space>
  ~password  <space></b>
  Do I need to configure any thing more in ITS.
  Where am I going wrong.
  I have read regarding <b>Pluggable Authentication Service(PAS)</b>.Is this mandatory for SSO thru ITS
  Please let me know
  I am working on EP6 SP14
  Any help is really appreciated
  Thanks in advance
  Regards,
  Santhosh

  Hi,
  IWithin System definition of R/3 System, you've to give the FQDN of ITS just same as Portal system. For example if your Portal system's FQDN is below:
  http://portal.hedehode.com:50000/irj
  then the ITS Server definition (parameter ITS Hostname) must be:
  itsserver.hedehode.com:port
  for portal to resolve itsserver.hedehode.com host, you may need to enter its IP address into hosts (c:\windows\system32\drivers\etc\hosts) file of portal system.
  <ip>   itsserver.hedehode.com

• Problem with logon ticket on a cluster J2EE environment.

  Hi Experts,
  We have a Portal system with one J2EE node running which issues logon ticket to do SSO into our R/3 4.6 system.
  After we added another node into the J2EE cluster on another machine, we have problem SSO into our R/3 system if you login to that new node, but everything works fine if user login into the original node directly.
  I checked the keystore in EP on both nodes and they look exactly the same.
  do we need to do anything for this to work? any help much appreciated!
  Thanks
  Jerry.

  Interesting, can you see the system landscape def from both nodes?  If so, are the connection test results the same from both nodes?
  Regards,
  Patrick

• Principal Propagation SOAP - XI - RFC Scenario

  Hi,
  I am developing a synchronous scenario whereby a SOAP request posted by a non SAP system should be forwarded to an ECC system using RFC. Challenge I am facing is that I want to use the user, which was used for basic user authentification to post to XI, dynamically in the RFC call. I have been reading about Principal Propagation using assertion tickets, however only SOAP receiver adapter is spoken about. I am trying to configure this using SOAP Sender adapter.
  As far as my understanding goes the sending system should be able to create these assertion tickets ?
  Has anyone developed a similar interface ?
  Scenario is: Non SAP SOAP Sending system = Client, Adapter engine = Server & Client, Integration Server = Server & client and Receiving ABAP system (ECC6.0) is Server.
  Any help would be appreciated and awarded if helpfull.
  Kind Regards, Jelmer Keuken
  Ps. XI is version 7.0 SP18, Alreay read the Blogs of Alexander Bundschuh
  Edited by: J. Keuken on Sep 9, 2009 4:04 PM

  Hi,
  This scenario is definately possible to implement with principal propagation.
  1. Enable the PP on Integration server
  2. Here you need not have to do anything on SOAP sender side to create the assertion ticket..
  The assertion ticket is required on SAP side which will act as Web AS ABAP Server.
  refer the settings --http://help.sap.com/saphelp_nw04/helpdata/en/61/42897de269cf44b35f9395978cc9cb/frameset.htm
  3. And then follow further steps as it mentioned the blogs...
  Thanks
  Swarup

• SSO-Logon from mobile device - create logon ticket from WebDynpro for Java

  Hi Experts,
  I'm developing WebDynpro-JAVA application for some warehouse stuff  (runs on a portal system, clients are mobile barcode-scanners with Windows mobile 5.0). JCOs from the portal system to the R/3-backend are confirgured for SSO with Logon-tickets and portal uses LDAP for authentication against a Windows-ADS.
  This works so far ... but my problem is the standard Logon-screen, which is nearly unusable on the mobile device (screen size, layout, etc.). Is there any solution to create logon-tickets directly from the WebDynpro application (using something from com.sap.engine.interfaces.security.auth or similar ?) or any chance to have a special logon screen for mobile devices (parameter sap-wd-client=Pie03Client is ignored for the logon screen).
  Thanks in advance.
  regards,
  Hendrik

  Hi Henrik,
  Did you find the solution to your problem ?
  I'm facing the same issue, so I'd be pleased to know the solution!
  Regards
  Stekam

• Problem about  logon ticket cookie

  Hi all,
      We have just set up  trust between two portals.And we want to archive this:
      One user log on a portal(consumer) and he can logon another(producer) with logon ticket.
      But one problem is:
      One user log on consumer and access the producer.Then he log off consumer without closing the browser.another user log on consumer,and when he enter the producer.The cookie in producer is the former user's information.
      When somebody logoff the portal. The logon ticket doesn't expire.Then another user log on. The cookie never updates?
      OK..One can close the browser to kill the cookie.But this is such a potential security problem.
      Is there something to explain this?
      Is there any idea to solve this?
      best regards,
  delma
  Message was edited by:
          delma ma

  Producer portal always knows the consumer as trusted one. 
  Well the SLT is actually a HTTP Cookie issued by the portal system to client browser after a successful logon. It contains portal user name, expiry time and target system identification signed by portal secure certificate.
  The logon procedure looks like so:
  User (XXX) calls the portal1(Consumer)
  Portal1 responds with logon page
  User sends the creditentials to the portal1
  Portal sends back some cookies to the user in 3-4 HTTP roundtrips.
  One of this cookies is the SAP Logon Ticket.
  User (XXX) contacting portal2 (Producer) sends the SAP Logon Ticket along the HTTP to that system.
  This cookie is then send by the browser in all subsequent HTTP calls done by the browser in this session.
  Here it explains the SLT is on the client's browser.
  The recievier system (portal2) - called on the HTTP port, when properly configured  checks the portal certificate with the one stored and then authorizes the user.
  The SLT does not verify the user machine, only it's name anyone fetching the SLT can use it to access other systems in landscape.
  Means of protection
  1.Using HTTPS so the SLT is not available to third party
  2.Additional authorization - for example NTLM
  Cheers
  biroj...........

• Principal propagation

  hi, all.
  i have scenario:
  HTTP <-> XI <-> SAP.
  between HTTP and XI i use http adapter. between XI and SAP i use proxy. i have to propagate useres from HTTP system to SAP system.
  Can I create all needed users in XI, and connect from HTTP to XI using any of this user, but for connecting from XI to SAP can I use principal propagation?

  Hi Mikhail
  <b>refre this Blog for to get details about principal propagation</b>
  <b>Principal Propagation with SAP NetWeaver Process Integration 7.1</b>
  /people/alexander.bundschuh/blog/2007/08/06/principal-propagation-with-sap-netweaver-process-integration-71
  <b>Principal Propagation in SAP XI</b>
  /people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi
  Thanks!!
  Regards
  Abhishek Agrahari

• Deleting Logon Ticket

  Hi all,
  I am using EP6 here and ECC5. I am using SSO with logon tickets.
  My logon ticket has expired. So i have to make a new one in visual administrator.
  But it is not letting me delete that or not even rename that.
  It gives an error message. I cant copy the error mesage that comes. And I cant find the same error in any file. may be i missed some file. Tell me where can i find that error so that i can paste the error message here.
  Please tell me how too delete the logon ticket
  Thanks
  Tajinder

  hi tajiinder,
  Configuring the J2EE Engine to Accept Logon Tickets
  Use
  The J2EE Engine uses EvaluateTicketLoginModule to accept logon tickets for SSO. After receiving the logon ticket from the user’s Web browser, the J2EE Engine verifies the ticket signature based on the established trust relationship with the issuing system. Based on the ticket validity, the J2EE Engine authenticates the user.
  For the case when you use authentication assertion tickets for SSO between the AS ABAP and the J2EE Engine, the corresponding module is EvaluateAssertionTicketLoginModule.
  Prerequisites
  To check the validity of a user’s logon ticket, the J2EE Engine must be able to verify the issuing server’s digital signature.
  &#9679;      If the J2EE Engine is both the ticket-issuing server as well as the accepting server, then it can automatically verify its own digital signature.
  &#9679;      If the ticket-issuing server is a different one, then this server’s public-key certificate must be available in the keystore view that the J2EE Engine uses for verifying logon tickets.
  Procedure
  The Trusted Systems ® SSO Wizard configuration functions of the SAP NetWeaver Administrator enable you to use wizard-based management of trust relationships for SSO with logon and assertion tickets. The configuration changes made with the wizard have a global effect for ticket-based SSO to the J2EE Engine.
         1.      Open the SSO Wizard.
  Note the following:
  &#9675;       If the ticket-accepting system is SAP NetWeaver 7.0 SP14 or higher, you can access the SSO Wizard by following the path System Management ® Configuration ® Trusted Systems.
  &#9675;       If the ticket-accepting system is SAP NetWeaver 7.0 SP 13 or lower, first you must deploy the SSO Wizard. More information: SAP note 1083421.
  The system which you configure is displayed in the Selected Accepting System section.
  There are two ways to add a trusted system:
  &#9675;       By connecting to the system and requesting its certificate.
  If the ticket-issuing system is SAP NetWeaver 2004 SP20 or lower, or SAP NetWeaver 7.0 SP13 or lower, you must configure it so it can send a response to the certificate request. More information: SAP note 1083421.
  &#9675;       By manually uploading the certificate of the system.
  Adding a Trusted System by Connecting to It
                              a.      In the Trusted Systems section, choose Add Trusted System ® By Querying Trusted System.
                              b.      The System Landscape Directory (SLD) opens automatically and lets you select the system you want to add. Select the system and choose OK. The connection details for the selected system are displayed automatically.
  If you cannot find the system you want to add, choose Cancel and provide the connection details:
                                                    i.       Select the type of the system from the System Type dropdown list.
                                                  ii.       Enter the necessary connection details.
  If you want to add an AS ABAP system, the field System Number appears. You can get the system number of an ABAP system by its license key which you received from SAP.
                              c.      Enter your user name and password in the provided fields and choose Next.
                              d.      The details about the selected system’s certificate appear. To add the system, choose Finish. If you want to make changes, choose Back.
  Adding a Trusted System by Manually Uploading its Certificate
  Before you start the following procedure, you must export the trusted system’s certificate. More information: Exporting the Ticket-Issuing Server's Public-key Certificate.
                              a.      In the Trusted Systems section choose Add Trusted System ® By Uploading Certificate Manually.
                              b.      Enter the System ID and Client in the provided fields.
                              c.      Browse to the location of the system’s certificate. Select the certificate and choose Open.
                              d.      Choose Next. The information about the system and the certificate is displayed. To add the system as trusted, choose Finish. If you want to make changes, choose Back.
         2.      Add the login module EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) to the login module stacks for the J2EE Engine policy configurations of the application components that accept login tickets for SSO. To do this, use the Security Provider Service of the Visual Administrator.
                              a.      In the Security Provider Service choose Runtime ® Policy Configurations ® Authentication tab.
                              b.      Select the policy configuration for the application component to accept logon tickets from the Components list.
                              c.      Choose the Switch to edit mode button.
                              d.      Choose Add New. The list of available login modules for the component appears.
                              e.      Choose the EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) from the list and choose OK.
  If you change the options of a login module in the user store, the changes will be inherited by all policy configurations that use this login module.
  If you change the options of a login module in a single policy configuration, the change applies only to that policy configuration. In this case the login module will no longer inherit its options from the user store. To restore the inheritance change the options in the policy configuration or in the user store so that they are identical.
  Result
  After you complete the wizard, the ticket-issuing system is shown in the Trusted Systems list. The J2EE Engine accepts logon tickets that have been issued by the corresponding server.
  if you have douts pls go thru the following urls
  help.sap.com/saphelp_nw04/helpdata/en/71/c3d53a60ad204ce10000000a114084/content.htm - 30k
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/69d95112-0d01-0010-8297-fa31feea26e0
  thanks karthikeya
  dont forget to reawrd me if it helps you

• Principal Propagation Using Sender SOAP adapter in PI7.1

  Hi,
  I am trying to configure principal propagation using SOAP sender adapter. In that, I am trying to generate the assertion ticket in SAP only but it is using PIAFUSER as the user that is being passed and not the user which we are using to logon.
  Please tell me how an assertion ticket can be generated in this case , and the User that is being used for logging on is propagated. Is there any other way in which SOAP adapter can be used to propagate principally.

  Hi,
    Have you come across this link?
  http://help.sap.com/saphelp_nwpi711/helpdata/en/48/ce95b718d3424be10000000a421937/content.htm
  Regards,
  Ravi

• Principal Propagation SOAP-PI-RFC not working

  Hi experts,
  I have designed on PI 7.0 SP16 a SOAP->PI->RFC scenario enabling the call of
  RFC_READ_TABLE (from ECC) through a webservice. For tests purpose, I have deployed WSDL file on IIS server and I call it from SAP Web Services Navigator. Tests are OK if we do not activate principal propagation on sender and receiver agreements.
  But we need to activate it in order to manage authorizations for people calling the webservice.
  So, I have followed all the required steps described in OSS note 974873.
  In addition, on PI Java Visual Administrator, I added CreateAssertionTicketLoginModule to com.sap.aii.af.soapadapter*XISOAPAdapter (Service u2018Security Provideru2019 -> runtime -> policy configurations ) in order to create an assertion ticket when SOAP adapter is called.
  When calling the webservice, the response contains : "Received HTTP response code 401 : Unauthorized".  In RWB I can see that the communication channel is in error, not even displaying the content of the message.
  The security.log file contains : u201CAttempting to create outgoing ssl connection without trusted certificatesu201D
  My test user (and PIAFUSER) has SAP_XI_APPL_SERV_USER role, are not locked and PI Caches have been cleared.
  In addition, I have not set SSO in PI, thinking it is not a prerequisite to principal propagation.
  Does anyone could help me ?
  Thanks for your help,
  Philippe
  Edited by: IBM France CONSEIL on Feb 19, 2010 9:48 AM

  Stefan,
  what I understand from the comments is that I have to use SAML, but this is coming with PI 7.1 and I am working on PI 7.0.
  However, when I read the beginning of this thread [Principal Propagation - PIAFUSER in Assertion Ticket] it proves it can work without SAML, isn't it ?