SPNEGO Login module Stack issue: Could not validate SPNEGO token

Hello to all,
We are deploying a SAP NetWeaver 7.3 Enterprise Portal with the SPNego login module activated.
We are performing some tests (performance and concurrent access).
During the tests we have several times found the following issue linked to SPNego:
Could not validate SPNEGO token.
[EXCEPTION]
java.lang.NumberFormatException: multiple points
at sun.misc.FloatingDecimal.readJavaFormatString(FloatingDecimal.java:1082)
at java.lang.Double.parseDouble(Double.java:510)
at java.text.DigitList.getDouble(DigitList.java:151)
at java.text.DecimalFormat.parse(DecimalFormat.java:1303)
at java.text.SimpleDateFormat.subParse(SimpleDateFormat.java:1934)
at java.text.SimpleDateFormat.parse(SimpleDateFormat.java:1312)
at java.text.DateFormat.parse(DateFormat.java:335)
at com.sap.security.core.server.jaas.spnego.util.Utils.generalizedTimeStringToData(Utils.java:167)
at com.sap.security.core.server.jaas.spnego.krb5.KrbTicketEncryptedData.parseDecryptedData(KrbTicketEncryptedData.java:67)
at com.sap.security.core.server.jaas.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:94)
at com.sap.security.core.server.jaas.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:68)
at com.sap.security.core.server.jaas.SPNegoLoginModule.parseAndValidateSPNEGOToken(SPNegoLoginModule.java:315)
at com.sap.security.core.server.jaas.SPNegoLoginModule.processAuthorizationHeader(SPNegoLoginModule.java:474)
at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:160)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:254)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:65)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:254)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:352)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.loginWithRequestCredentials(AuthenticationService.java:337)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:321)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:60)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:163)
at com.sap.portal.prt.dispatcher.DispatcherServlet.service(DispatcherServlet.java:132)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:152)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doCached(RequestDispatcherImpl.java:655)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:488)
at com.sap.portal.navigation.Gateway.service(Gateway.java:147)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:202)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:103)
at com.sap.portal.http.EnrichNavRequestFilter.doFilter(EnrichNavRequestFilter.java:49)
at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:432)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:210)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:441)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:430)
at com.sap.engine.services.servlets_jsp.filters.DSRWebContainerFilter.process(DSRWebContainerFilter.java:38)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:81)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:276)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:81)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.SessionSizeFilter.process(SessionSizeFilter.java:26)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.MemoryStatisticFilter.process(MemoryStatisticFilter.java:57)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)
at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:475)
at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:269)
at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
The user linked to this user is Guest.
Could you please advise us how to solve this recurring issue?
Kind regards
Julien LEFEVRE

Hello Cathal,
Thank you for your answer.
In fact, the new SPNego wizard of the SAP Enterprise Portal 7.3 is used to get the two key files. The SAP JVM is in fact used, with version 1.6.1.
And in fact it functions perfectly sometimes, but during the massive access test (more than 30 concurrent users) I get this error frequently.
Best regards
Julien LEFEVRE
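
The top frames of the trace above (`NumberFormatException: multiple points` raised inside `SimpleDateFormat.parse`) match the well-known failure of a `SimpleDateFormat` instance used by several threads at once, which would fit an error that only shows up under concurrent load. The following is an added example, not SAP code and not part of the original posts: it contrasts a shared formatter with a per-thread one when parsing Kerberos GeneralizedTime strings. Assumptions: whether the login module really shares a formatter is not known from the page, the class and method names are hypothetical, the timestamps are constructed, and the code targets Java 8 or later.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class GeneralizedTimeParseDemo {
    // Kerberos timestamps are ASN.1 GeneralizedTime values in UTC, e.g. 20110117223730Z.
    private static final String PATTERN = "yyyyMMddHHmmss'Z'";

    static SimpleDateFormat newFormat() {
        SimpleDateFormat f = new SimpleDateFormat(PATTERN);
        f.setTimeZone(TimeZone.getTimeZone("UTC"));
        f.setLenient(false); // reject out-of-range fields instead of rolling them over
        return f;
    }

    // Unsafe: one mutable formatter shared by every request thread (assumed failure mode).
    private static final SimpleDateFormat SHARED = newFormat();

    // Safe: each thread gets its own formatter, so no internal state is shared.
    private static final ThreadLocal<SimpleDateFormat> PER_THREAD =
            ThreadLocal.withInitial(GeneralizedTimeParseDemo::newFormat);

    interface Parser {
        long parse(String generalizedTime) throws ParseException;
    }

    /** Parses known timestamps from many threads and counts wrong results and exceptions. */
    static int countFailures(Parser parser, int threads, int iterations)
            throws InterruptedException {
        final long base = 1295303850000L; // constructed sample instant (whole seconds)
        final long[] expected = new long[64];
        final String[] inputs = new String[64];
        SimpleDateFormat generator = newFormat(); // used by this thread only
        for (int i = 0; i < inputs.length; i++) {
            expected[i] = base + i * 86_401_000L; // vary date and time fields
            inputs[i] = generator.format(new Date(expected[i]));
        }

        AtomicInteger failures = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        for (int t = 0; t < threads; t++) {
            pool.execute(() -> {
                for (int n = 0; n < iterations; n++) {
                    int i = n % inputs.length;
                    try {
                        // A silently wrong timestamp is as bad as an exception:
                        // ticket start and end times are security decisions.
                        if (parser.parse(inputs[i]) != expected[i]) {
                            failures.incrementAndGet();
                        }
                    } catch (ParseException | RuntimeException e) {
                        // NumberFormatException, ArrayIndexOutOfBoundsException and
                        // similar symptoms of corrupted formatter state land here.
                        failures.incrementAndGet();
                    }
                }
            });
        }
        pool.shutdown();
        if (!pool.awaitTermination(1, TimeUnit.MINUTES)) {
            throw new IllegalStateException("worker threads did not finish");
        }
        return failures.get();
    }

    public static void main(String[] args) throws Exception {
        int shared = countFailures(s -> SHARED.parse(s).getTime(), 32, 20_000);
        int perThread = countFailures(s -> PER_THREAD.get().parse(s).getTime(), 32, 20_000);
        System.out.println("shared formatter failures:     " + shared);
        System.out.println("per-thread formatter failures: " + perThread);
    }
}
```

The shared-formatter count varies from run to run and is typically non-zero on a multi-core machine, while the per-thread count stays at zero.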

Similar Messages

  • Could not validate SPNEGO token. java.lang.Exception: Checksum error.

    Hello consultant:
    We are trying to configure SSO using the SPNEGO module.
    We have a portal 7.0 EHP1 and Microsoft Active Directory version 2003 native.
    We have followed the steps described in SAP Note 1457499, "Note 1457499 - SPNego add-on".
    When we log on with an Active Directory user and try to access the portal, we get the following error:
    Authorization check user error
    We have deployed the Web diagtool from SAP Note 1045019 on the J2EE server, run it and performed the
    following steps:
    1. Select "Component" = "security" and "Activity" = "all"
    2. Click the "Go" button, followed by the "Add All" button
    3. Select "Component" = "All" and in the "Search pattern" field write "com.sap.security.spnego"
    4. Click the "Go" button, followed by the "Add All" button
    5. Start the tool
    Then we reproduced the problem and stopped the tool. The generated zip file contains the following error:
    15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~p.security.spnego.krb5.crypto.DesCrypto Checksum error! checksum: 0xc46bfed8d0dbc54221ee75405c8cd5ac; calculated checksum: 0x6ead7e801608b729a6957597327f2ba5
    15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~m.sap.security.spnego.SPNEGOLoginModule Could not validate SPNEGO token.
    java.lang.Exception: Checksum error.
    at com.sap.security.spnego.krb5.crypto.DesCrypto.decrypt(DesCrypto.java:43)
    at com.sap.security.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:81)
    at com.sap.security.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:67)
    at com.sap.security.spnego.SPNEGOLoginModule.parseAndValidateSPNEGOToken(SPNEGOLoginModule.java:234)
    at com.sap.security.spnego.SPNEGOLoginModule.processAuthorizationHeader(SPNEGOLoginModule.java:385)
    at com.sap.security.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:102)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:61)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
    at java.lang.reflect.Method.invoke(Method.java:391)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:912)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:367)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:181)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:541)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:430)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:219)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Could you help us?
    Many thanks for your collaboration

    << Do not post the same question across a number of forums >>

  • Supplied credentials not accepted by the server and Could not validate SPNEGO token

    Hi,
    We have installed and configured SSO 2.0 SP02 on an HP-UX system. We have exported the client policy files and root certificate from SLS and imported them on the client PC. Then we installed the SLC on the client PC with the logging option enabled. Now when we try to log in manually using SLC we get the error below.
    In SLC - "Supplied credentials not accepted by the server"
    In Diagtool - "Could not validate SPNEGO token"
    Attached are the trace file from SLC and the logs from diagtool. Can anyone suggest how to rectify this error?
    The trace file from SLC
    [2014.03.28 12:08:50.434][TRACE][sbus.exe            ][sbus.dll    ][  4856] CToken:: Secure Login token [toksw:mem://securelogin/Windows Authentication (SPNEGO) :: login
    [2014.03.28 12:08:50.452][TRACE][sbus.exe            ][sbusresloade][  4856] { GetLocale
    [2014.03.28 12:08:50.453][TRACE][sbus.exe            ][sbusresloade][  4856] }        0
    [2014.03.28 12:08:50.453][TRACE][sbus.exe            ][sbusslogin.d][  4856] { CSecureLogin_Protocol_2_0::Send_Init
    [2014.03.28 12:08:50.453][TRACE][sbus.exe            ][sbusslogin.d][  4856] { CSecureLogin::Send_Any
    [2014.03.28 12:08:50.515][ERROR][sbus.exe            ][BASE        ][  2800] ERROR(0xA0100017) in CRYPT->sec_crypt_cipher_get_cipher_len(): An attribute is missing
    [2014.03.28 12:08:50.563][TRACE][sbus.exe            ][sbusslogin.d][  4856] }        0
    [2014.03.28 12:08:50.563][TRACE][sbus.exe            ][sbusslogin.d][  4856] }        0
    [2014.03.28 12:08:50.566][TRACE][sbus.exe            ][sbusresloade][  4856] { CResourceManager::New
    [2014.03.28 12:08:50.566][TRACE][sbus.exe            ][sbusresloade][  4856] { GetLocale
    [2014.03.28 12:08:50.566][TRACE][sbus.exe            ][sbusresloade][  4856] }        0
    [2014.03.28 12:08:50.566][TRACE][sbus.exe            ][sbusresloade][  4856] { CResourceManager::Init
    [2014.03.28 12:08:50.568][TRACE][sbus.exe            ][sbusresloade][  4856] }        0
    [2014.03.28 12:08:50.568][TRACE][sbus.exe            ][sbusresloade][  4856] }        0
    [2014.03.28 12:09:00.979][ERROR][sbus.exe            ][sbus.dll    ][  4856] LogonUser failed with error 0x0000052e
    [2014.03.28 12:09:12.628][TRACE][sbus.exe            ][Kerberos    ][  4856] Got kerberos ticket for 'HTTP/ssodev' with server key type 23 and session key type 23
    [2014.03.28 12:09:12.628][TRACE][sbus.exe            ][BASE/RANDOM ][  4856] Get 8 bytes random data
    [2014.03.28 12:09:12.628][TRACE][sbus.exe            ][sbusslogin.d][  4856] { CSecureLogin_Protocol_2_0::Send_Auth_SPNEGO
    [2014.03.28 12:09:12.628][TRACE][sbus.exe            ][sbusslogin.d][  4856] { CSecureLogin::Send_Any
    [2014.03.28 12:09:12.727][TRACE][sbus.exe            ][sbusslogin.d][  4856] }        0
    [2014.03.28 12:09:12.727][TRACE][sbus.exe            ][sbusslogin.d][  4856] { CSecureLogin_Protocol_2_0::Handle_Auth_Response
    [2014.03.28 12:09:12.727][TRACE][sbus.exe            ][sbusslogin.d][  4856] }        0
    [2014.03.28 12:09:12.727][TRACE][sbus.exe            ][sbusslogin.d][  4856] } 80070005
    Regards,
    Yogesh Kumar D

    Hello Yogesh,
    With regards to the 2nd error "Could not validate SPNEGO Token"
    Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
    1. com.sap.security.core.server.jaas.SPNegoLoginModule                     SUFFICIENT  ok          exception             true       Could not validate SPNEGO token. Reason: No user with account attributes [[namespace=com.sap.security.core.authentication, name=principal, value=sap.helpdesk1, isCaseSensitive=false], [namespace=com.sap.security.core.authentication, name=realm, value=HZL01.VEDANTARESOURCE.LOCAL, isCaseSensitive=false]] found
    No logon policy was applied
    It means that the user "sap.helpdesk1" was decrypted from the kerberos
    token but there is no user with this name in the AS Java. The reason for that is a misconfiguration in the SPNEGO user mapping.
    Therefore, please open the SPNEGO wizard in the NWA and configure
    how AS Java should choose a user from the UME based on the received
    SPNEGO token. Here is some documentation about configuring the user
    mapping:
    http://help.sap.com/saphelp_nw73/helpdata/en/f4/1978c3a37a441b87a89d61c1a08689/frameset.htm
    Regards,
    David

  • SPNEGO -Could not validate SPNEGO token.

    Hi All,
    We have configured the SPNEGO wizard. We have followed the steps provided in SAP Note #1457499, deployed the files in SPNego_AddOn_700.zip and followed all the steps in the PDF.
    We are getting the error below:
    Could not validate SPNEGO token.
    [EXCEPTION]
    java.lang.Exception: Invalid ticket endtime: 20110117223730Z
    at com.sap.security.spnego.krb5.KrbApReq.throwValidationException(KrbApReq.java:112)
    at com.sap.security.spnego.krb5.KrbApReq.validate(KrbApReq.java:100)
    at com.sap.security.spnego.SPNEGOLoginModule.parseAndValidateSPNEGOToken(SPNEGOLoginModule.java:240)
    at com.sap.security.spnego.SPNEGOLoginModule.processAuthorizationHeader(SPNEGOLoginModule.java:385)
    at com.sap.security.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:102)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Please suggest what could be the issue.
    Regards
    Amit

    Hi
    The web diagtool also shows the same error:
    Could not validate SPNEGO token.
    [EXCEPTION]
    java.lang.Exception: Invalid ticket endtime: 20110118140218Z
    at com.sap.security.spnego.krb5.KrbApReq.throwValidationException(KrbApReq.java:112)
    at com.sap.security.spnego.krb5.KrbApReq.validate(KrbApReq.java:100)
    at com.sap.security.spnego.SPNEGOLoginModule.parseAndValidateSPNEGOToken(SPNEGOLoginModule.java:240)
    at com.sap.security.spnego.SPNEGOLoginModule.processAuthorizationHeader(SPNEGOLoginModule.java:385)
    at com.sap.security.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:102)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
    at java.lang.reflect.Method.invoke(Method.java:391)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:149)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:523)
    at java.security.AccessController.doPrivileged(AccessController.java:246)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:412)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:219)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Regards
    Amit

  • Exception: "Could not validate SAML Token"

    We have an evaluation system setup that we are using to generate PDF from PS. We're connecting via the EJB client, and typically have had no problems. Until today. At some point today we began seeing exceptions being thrown on the client:
    Caused by: com.adobe.idp.um.api.UMException | [com.adobe.idp.um.api.impl.AuthenticationManagerImpl] errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML Token --- Assertion has expired and hence not valid for user [administrator@DefaultDom]. Its valid till time [Tue Feb 04 10:58:45 MST 2014] was found to be before the current time [Tue Feb 04 16:04:41 MST 2014]
    Simply bouncing the app server where the client code is running solved the problem, however we'd like to better understand what is going on and why. Nothing that I can find in the docs seems to indicate the cause/solution, and possible solutions have links that appear to no longer function: http://cookbooks.adobe.com/post_Renewing_the_context_to_handle_session_expiry-16410.html
    Any suggestions and/or insight would be greatly appreciated. Thanks!

    PROBLEM
    Using the same instance of ServiceClientFactory to remotely invoke the services exposed by the LiveCycle container can lead to
    an exception related to assertion expiry.
    Solution
    To handle the timeout, use the ThrowHandler mechanism provided by the ServiceClientFactory framework.
    Detailed explanation
    LiveCycle provides a client SDK for Java-based clients to invoke its services remotely.
    An invocation involves:
    1. Creation of a ServiceClientFactory instance
    2. Setting the user credential in the factory instance
    3. Passing that factory to a service client, or using it to create an InvocationRequest directly
    4. Using the client to make the actual request
    For more details refer to Invoking LiveCycle ES Using the Java API.
    A ServiceClientFactory instance, once created, is valid for a certain period of time, which is by default 120 min. If the same instance is used to invoke beyond this period, it leads to an exception stating that the session has expired:
    [com.adobe.idp.um.api.impl.AuthenticationManagerImpl] errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML Token --- Assertion has expired and hence not valid for user [administrator@DefaultDom]. Its valid till time [Thu Oct 22 17:07:53 IST 2009] was found to be before the current time [Thu Oct 22 17:58:18 IST 2009]
    This is not an issue if the ServiceClientFactory instance is used for a short duration. However, if you are going to perform a long-running task like converting a large number of documents to PDF, applying policies to them, etc., then it would be an issue.
    Session Expiry
    Before fixing the issue, some info on what session expiry is.
    When you use a ServiceClientFactory instance to invoke the service, the following flow happens:
    1. You set the credentials in the properties and invoke the service.
    2. LiveCycle on the server side validates the credentials and issues a Context. It is a sort of ticket which can be reused later instead of the actual credentials.
    3. Upon receiving the response from the server, the ServiceClientFactory instance deletes its own copy of the credentials and instead stores the Context.
    4. For later invocations this Context instance is passed instead of the user credentials.
    This whole flow is done to ensure that the user's credentials are not sent for each remote call, thus improving the security.
    For more information on Context refer to User Identity in LiveCycle.
    Solution
    To fix this issue you would have to re-authenticate to LiveCycle and get the Context reissued. The best way to do that is to make use of the ThrowHandler provided by the ServiceClientFactory framework.
    STEP1 -  Create a Throwhandler
    /**
     * This ThrowHandler caches the user credentials and uses them
     * to refresh the Context in the ServiceClientFactory upon expiry.
     */
    private static class SimpleTimeoutThrowHandler implements ThrowHandler {
        private String username;
        private String password;

        public SimpleTimeoutThrowHandler(String username, String password) {
            this.username = username;
            this.password = password;
        }

        public boolean handleThrowable(Throwable t, ServiceClient sc,
                ServiceClientFactory scf, MessageDispatcher md,
                InvocationRequest ir, int numTries) throws DSCException {
            if (timeoutError(t)) {
                // The call to AuthenticationManager does not require authentication,
                // so the default properties are sufficient
                AuthenticationManager am = new AuthenticationManagerServiceClient(
                        ServiceClientFactory.createInstance(getDefaultProperties()));
                AuthResult ar = null;
                try {
                    ar = am.authenticate(username, password.getBytes());
                } catch (UMException e) {
                    throw new IllegalStateException(e);
                }
                Context ctx = new Context();
                ctx.initPrincipal(ar);
                // Refresh the ServiceClientFactory instance with the new context
                scf.setContext(ctx);
                logger.info("Refreshed the context associated with ServiceCLientFactory");
                // Now tell SCF to try the invocation again
                return true;
            }
            // Check so that we do not wrap the exception again
            if (t instanceof DSCException)
                throw (DSCException) t;
            if (t instanceof RuntimeException)
                throw (RuntimeException) t;
            // how is it possible to get this far?
            throw new IllegalStateException(t);
        }

        private boolean timeoutError(Throwable t) {
            if (!(t.getCause() instanceof UMException)) {
                return false;
            }
            UMException ue = (UMException) t.getCause();
            // Check that UMException is due to the assertion/context expiry
            if (UMConstants.ErrorCodes.E_TOKEN_INVALID == ue.getErrCode()) {
                return true;
            }
            return false;
        }
    }
    This ThrowHandler would be invoked by the ServiceClientFactory upon receiving any exception. The handler would then determine if it is a timeout-related exception, refresh the Context associated with the factory instance and tell it to retry the invocation.
    STEP 2 - Register the handler
    ServiceClientFactory.installThrowHandler(new SimpleTimeoutThrowHandler(username, password));
    Note: The handler should be registered only once in the application.
    STEP 3 - Perform your invocation
    The following sample would try to apply policies on all the files present in a directory:
    Properties p = getDefaultProperties();
    p.setProperty(DSC_CREDENTIAL_USERNAME, username);
    p.setProperty(DSC_CREDENTIAL_PASSWORD, password);
    ServiceClientFactory scf = ServiceClientFactory.createInstance(p);
    // Now do some long running operation
    String inputDirName = "path-to-input-dir";
    String outDirName = "path-to-out-dir";
    String policyName = "the-policy-name";
    File inDir = new File(inputDirName);
    File outDir = new File(outDirName);
    RightsManagementClient rmClient = new RightsManagementClient(scf);
    DocumentManager docManager = rmClient.getDocumentManager();
    // Iterate over all the pdf in the inDir and apply the policies. If this takes a
    for (File pdfFile : inDir.listFiles()) {
        Document inDoc = new Document(pdfFile, false);
        Document securedDoc = docManager.applyPolicy(inDoc,
                pdfFile.getName(), null, policyName, null, null);
        securedDoc.copyToFile(new File(outDir, pdfFile.getName()));
    }
    Now the invocation would complete even if it takes a long time. If any session expiry occurs, our ThrowHandler would take care of that.
    Here's a sample:
    TimeOutSample.zip

  • Error while invoking a process (could not validate SAML)

    Hi,
    I am getting the following error while invoking a process from WebLogic Portal Server. The invocation always happens properly, but at frequent intervals (approx. 1-1.5 hrs) this error comes. Then, if the Portal Server (the client which is invoking the process) is restarted, it works properly again.
    This is very urgent to resolve. Any pointers on this will be very helpful.
    Thanks in advance,
    Leena Jain
    Stack Trace of the error:
    ALC-DSC-215-000: com.adobe.idp.dsc.DSCAuthenticationException: None of the Auth Provider could authenticate the user. Authentication Failed
            at com.adobe.idp.dsc.provider.impl.base.AbstractMessageReceiver.authenticate(AbstractMessageReceiver.java:157)
            at com.adobe.idp.dsc.provider.impl.base.AbstractMessageReceiver.invoke(AbstractMessageReceiver.java:312)
            at com.adobe.idp.dsc.provider.impl.soap.axis.sdk.SoapSdkEndpoint.invokeCall(SoapSdkEndpoint.java:138)
            at com.adobe.idp.dsc.provider.impl.soap.axis.sdk.SoapSdkEndpoint.invoke(SoapSdkEndpoint.java:81)
            at sun.reflect.GeneratedMethodAccessor377.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:585)
            at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:397)
            at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:186)
            at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
            at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
            at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
            at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
            at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:454)
            at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
            at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
            at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
            at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226)
            at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124)
            at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
            at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
            at com.adobe.idp.dsc.provider.impl.soap.axis.InvocationFilter.doFilter(InvocationFilter.java:43)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
            at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3393)
            at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
            at weblogic.security.service.SecurityManager.runAs(Unknown Source)
            at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2140)
            at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2046)
            at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
            at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
            at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
    Caused by: | [com.adobe.idp.um.api.impl.AuthenticationManagerImpl] errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML Token --- Assertion is not valid. Current time is greater than NOTonOrAfter time specified in the Assertion| [IDPLoggedException] errorCode:12804 errorCodeHEX:0x3204 message:Could not validate SAML Token --- Assertion is not valid. Current time is greater than NOTonOrAfter time specified in the Assertion
            at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.java:246)
            at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.java:192)
            at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.validateAssertionCheck(AuthenticationManagerImpl.java:587)
            at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.validateAssertion(AuthenticationManagerImpl.java:552)
            at com.adobe.idp.dsc.provider.impl.base.AbstractMessageReceiver.authenticate(AbstractMessageReceiver.java:132)
            ... 33 more

    This happens due to expiry of the SAML assertion that the client has. Have a look at the Renew Assertion Recipe at the cookbook site
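
    A client that holds an assertion can read its validity window and renew before NotOnOrAfter passes, instead of finding out from the server-side exception. The following is an added example, not code from this thread or from the LiveCycle SDK; the class name, the sample assertion and the 10-minute margin are constructed, and the renewal call itself is left to whatever the SDK provides.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class AssertionWindow {
    enum State { NOT_YET_VALID, VALID, RENEW_SOON, EXPIRED }

    // Constructed SAML 1.1 assertion, trimmed to the element this check reads.
    static final String SAMPLE =
        "<Assertion xmlns=\"urn:oasis:names:tc:SAML:1.0:assertion\""
      + " MajorVersion=\"1\" MinorVersion=\"1\" AssertionID=\"_constructed\""
      + " Issuer=\"example-idp\" IssueInstant=\"2010-03-01T10:00:00Z\">"
      + "<Conditions NotBefore=\"2010-03-01T10:00:00Z\""
      + " NotOnOrAfter=\"2010-03-01T12:00:00Z\"/>"
      + "</Assertion>";

    /** Returns the single Conditions element of the assertion. */
    static Element conditions(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // An assertion never needs a DOCTYPE; refusing it rules out XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList found = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagNameNS("*", "Conditions");
        if (found.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one Conditions element");
        }
        return (Element) found.item(0);
    }

    /** Parses one bound of the validity window; a missing bound is an error here. */
    static Instant bound(Element conditions, String attribute) {
        String value = conditions.getAttribute(attribute);
        if (value.isEmpty()) {
            throw new IllegalArgumentException("Conditions has no " + attribute);
        }
        return Instant.parse(value);
    }

    /**
     * Client-side scheduling check only: it does not verify the signature, and the
     * server stays the authority. renewMargin should cover clock skew between
     * client and server plus the longest call made with the assertion.
     */
    static State classify(String xml, Instant now, Duration renewMargin) throws Exception {
        Element c = conditions(xml);
        Instant notBefore = bound(c, "NotBefore");
        Instant notOnOrAfter = bound(c, "NotOnOrAfter");
        if (now.isBefore(notBefore)) {
            return State.NOT_YET_VALID;
        }
        // NotOnOrAfter is exclusive: at that instant the assertion is already invalid.
        if (!now.isBefore(notOnOrAfter)) {
            return State.EXPIRED;
        }
        if (!now.plus(renewMargin).isBefore(notOnOrAfter)) {
            return State.RENEW_SOON;
        }
        return State.VALID;
    }

    public static void main(String[] args) throws Exception {
        Duration margin = Duration.ofMinutes(10);
        String[] times = {
            "2010-03-01T10:30:00Z", // well inside the window
            "2010-03-01T11:55:00Z", // inside the window, within the margin
            "2010-03-01T12:00:00Z", // exactly NotOnOrAfter
        };
        for (String t : times) {
            System.out.println(t + " -> " + classify(SAMPLE, Instant.parse(t), margin));
        }
    }
}
```

    A long-running client would run this check before each invocation and renew on RENEW_SOON, which removes the need to restart the client when the window closes.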

  • Configure JAAS login module stack to support x.509 certificates without SSL

    I want to use x.509 certificates for authentication against an EP 7.0 but I don’t want to have SSL traffic on the network segment where the portal resides. Obviously the SSL must be terminated in an application gateway that sends the certificate to the portal in the header.
    I know that AcceptClientCertWithoutSSL must be set to true in the http provider and that ClientCertificateHeaderName is the name of the header variable that contains the user’s certificate, default is SSL_CLIENT_CERT.
    What I don’t know is how to configure my JAAS login module stack, my suggestion would be this:
    EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    BasicPasswordLoginModule REQUISITE {}
    CertPersisterLoginModule OPTIONAL {Rule1.getUserFrom=SSL_CLIENT_CERT}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    My concern is: do the ClientCertLoginModule and the CertPersisterLoginModule read from the header variable? If they don’t, is there another login module that should be used in this case?

    Hi Claus,
    you got the flags right but the options of the login modules (LM) are wrong, so the certificate authentication won't work.
    There's two problems I see: (1) Rule1.getUserFrom is not a valid option for the LM CertPersisterLoginModule, and (2) SSL_CLIENT_CERT is not a valid value for the option Rule1.getUserFrom of the ClientCertLoginModule.
    Looking at this topic:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/ea/301e3e6217b40be10000000a114084/content.htm
    the header variable used to pass the certificate is maintained in the HTTP provider service properties but since you use the default you don't need to maintain that part of the config. You also don't need the CertPersisterLoginModule in the config because it is used for automatic certificate mapping, which doesn't work when you don't have SSL to the portal.
    So with the above said your LM stack config should look like this:
    EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    ClientCertLoginModule OPTIONAL {Rule1.getUserFrom=wholeCert}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    BasicPasswordLoginModule REQUISITE {}
    CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
    If this doesn't work I'd suggest opening a support ticket.
    Regards,
    Yonko

  • Portal authentication using two login module stacks?

    G'day,
    I am noticing something odd when I authenticate to the portal: there are two login module stacks used.
    Background: I have created a custom logon page, which is basically a form with username/password input as per this guide (Changing the logon screen: http://help.sap.com/saphelp_nw04/helpdata/en/62/601e1eebf54ca6a97e2873c8c63517/content.htm). I then modified the authschemes.xml file by defining a new authscheme "mylogon" that uses my own login module stack ("mystack") and uses the new logon page ("mylogonform"). This new authscheme is then made the default reference:
    <authscheme name="mylogon">
      <authentication-template>mystack</authentication-template>
      <priority>21</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.foo.bar.mylogonpage</frontendtarget>
    </authscheme>
    <authscheme-refs>
      <authscheme-ref name="default"><authscheme>mylogon</authscheme></authscheme-ref>
      <authscheme-ref name="UserAdminScheme"><authscheme>mylogon</authscheme></authscheme-ref>
    </authscheme-refs>
    When I want to access the portal, up pops the "mylogonform" page, and on clicking the "submit" button the portal page for the user is shown.
    Now here is the interesting thing: when the "ticket" login module stack is unchanged (i.e. it uses the BasicPasswordLoginModule), then the log shows that authentication to the portal uses just my login module.
    This can be seen as follows, where I navigate to the portal, logon as one user, then logoff and logon as another user:
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGOUT.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGIN.OK
    User: Administrator
    Authentication Stack: mystack
    The "mylogonform" page is shown when logon is required in both cases.
    However, if I modify the "ticket" login module stack by replacing the BasicPasswordLoginModule with a custom logon module that does automatic authentication, then the following is observed when the "mylogonform" page is displayed:
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: ticket
    For some reason, the modified "ticket" login module stack is now being executed, which was not the case when this login module stack was unmodified.
    This stack automatically authenticates the current user (the initial failure is because the new login module asks the browser to send authentication data), and this "failure" causes the logon form to be displayed.
    I can logon to the portal as the same user, and the logs show that "mystack" login module stack is used:
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: mystack
    Logoff shows that "mystack" is used for the actual logoff, but "ticket" is called again automatically and succeeds:
    Message : LOGOUT.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: ticket
    (Again, the initial logon failure is the new login module requesting that the browser send authentication data in the next request).
    This brings up the "mylogonform" page, even though it appears that a user has already been authenticated. If I try to logon as another user, the following is shown:
    Message : LOGIN.FAILED
    User: Administrator
    Authentication Stack: mystack
    Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
    com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          exception  false      true       authscheme not sufficient: basicauthentication<mylogonform
    Central Checks                                                                                exception             Call logout before login.
    I guess one cannot authenticate as a new user until the current user has been logged out.
    So ... why does the "ticket" login module get called in the second case, but not in the first case (or only shows logging in the second case) ?
    What is the logic behind portal authentication and showing a logon page?
    If I want to use custom authentication and a custom logon page, why is the "ticket" stack called at all?

    Jayesh,
    there is no such thing as "login module stacks". There do exist, on the other hand:
    - login module
    - logon stacks
    Login module and logon stacks are part of the JAAS concept for defining a complex pluggable authentication scheme, originally by SUN (see: java.sun.com/products/jaas).
    A logon process is defined by a logon stack which itself consists of several login modules. Each login module performs an authentication step. Example:
    login module 1: check if valid sap logon ticket provided
    if module 1 fails: then login module 2: request user id/password
    if module 2 succeeds: then login module 3: create new sap logon ticket for user
    You can define multiple logon stacks and configure individual applications to use the one stack or the other.
    The logon stack configuration is done using visual administrator. Here select the security provider service for configuring logon stacks.
    btw: As logon stacks are "java-only", there are no transaction names (which only exist on Web AS ABAP).
    Regards,
    Dominik
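
    The flag-driven flow described in the reply above can be watched by running the stack suggested in the x.509 thread through the standard JAAS LoginContext. This is an added example, not SAP code: StubModule is a hypothetical stand-in that reuses the SAP module names only as labels, the user id is constructed, and the rule that a ticket-creating module succeeds only after an earlier module has authenticated a user is an assumption.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class LoginStackDemo {
    // Modules whose login() ran during the last call to run(), with each result.
    static final List<String> TRACE = new ArrayList<>();
    static final String USER_KEY = "javax.security.auth.login.name";

    /** Hypothetical stand-in for the SAP modules; its behaviour comes from its options. */
    public static class StubModule implements LoginModule {
        private Map<String, Object> shared;
        private Map<String, ?> options;
        private boolean succeeded;

        @Override
        @SuppressWarnings("unchecked")
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.shared = (Map<String, Object>) sharedState;
            this.options = options;
        }

        @Override
        public boolean login() throws LoginException {
            String name = (String) options.get("name");
            boolean issuesTicket = "true".equals(options.get("issuesTicket"));
            // Assumption: a ticket-creating module succeeds only once an earlier
            // module has put an authenticated user into the shared state.
            succeeded = issuesTicket ? shared.containsKey(USER_KEY)
                                     : "true".equals(options.get("credentialOk"));
            TRACE.add(name + (succeeded ? ":ok" : ":fail"));
            if (!succeeded) {
                throw new FailedLoginException(name);
            }
            if (!issuesTicket) {
                shared.put(USER_KEY, "tu-1"); // constructed user id
            }
            return true;
        }

        @Override public boolean commit() { return succeeded; }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() { return true; }
    }

    static AppConfigurationEntry entry(String name, LoginModuleControlFlag flag,
                                       boolean issuesTicket, boolean credentialOk) {
        Map<String, String> o = new HashMap<>();
        o.put("name", name);
        o.put("issuesTicket", String.valueOf(issuesTicket));
        o.put("credentialOk", String.valueOf(credentialOk));
        return new AppConfigurationEntry(StubModule.class.getName(), flag, o);
    }

    /** Runs the five-entry stack for one combination of presented credentials. */
    static String run(boolean ticket, boolean cert, boolean password) {
        TRACE.clear();
        final AppConfigurationEntry[] stack = {
            entry("EvaluateTicketLoginModule", LoginModuleControlFlag.SUFFICIENT, false, ticket),
            entry("ClientCertLoginModule", LoginModuleControlFlag.OPTIONAL, false, cert),
            entry("CreateTicketLoginModule", LoginModuleControlFlag.SUFFICIENT, true, false),
            entry("BasicPasswordLoginModule", LoginModuleControlFlag.REQUISITE, false, password),
            entry("CreateTicketLoginModule", LoginModuleControlFlag.SUFFICIENT, true, false),
        };
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String stackName) {
                return stack;
            }
        };
        String outcome;
        try {
            new LoginContext("ticket", new Subject(), null, config).login();
            outcome = "LOGIN.OK";
        } catch (LoginException e) {
            outcome = "LOGIN.FAILED";
        }
        return outcome + " " + TRACE;
    }

    public static void main(String[] args) {
        System.out.println("valid ticket  : " + run(true, false, false));
        System.out.println("certificate   : " + run(false, true, false));
        System.out.println("password only : " + run(false, false, true));
        System.out.println("nothing       : " + run(false, false, false));
    }
}
```

    The trace makes the control flow visible: a SUFFICIENT success ends the stack at once, an OPTIONAL result never stops it, and a REQUISITE failure aborts it, so the password module is only reached when neither a ticket nor a certificate was accepted.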

  • Custom Login Module, SSO Ticket validity & Login Module Stack

    Hi everybody,
    we have a portal (running on jboss) which links to a J2EE web application (running on SAP WAS 6.40) which itself is protected by a custom login module and redirects to different WebDynpro applications (running on same WAS as the J2EE app) depending on some parameters.
    So when we go from the portal to the J2EE web application, the custom login module authenticates the user, creates a MYSAPSSO2 Cookie and then redirects to a webdynpro app.
    What happens is that the webdynpro app doesn't accept the cookie and redirects to the login mask.
    Looking at the request header parameter HOST we have the request coming from sub1.sub2.mycompany.com, which is the portal.
    The WAS is located on sub3.mycompany.com.
    If we manipulate the HOST parameter to sub2.mycompany.com everything works fine and the webdynpro app successfully authenticates the user.
    This does sound either like a domain relaxing issue or a multi domain issue, which we added as parameters to the CreateTicketLoginModule in the Login Module Stack for the J2EE web app.
    Unfortunately without result.
    Did anybody have a similar problem and can give some hints on how to solve this?
    Any help is appreciated
    Regards,
    md
    Edited by: Minh-Duc Truong on Jul 17, 2008 7:18 PM
    Edited by: Minh-Duc Truong on Jul 17, 2008 7:19 PM
    Edited by: Julius Bussche on Jul 18, 2008 7:25 PM

    Hi md,
    I have split your 2nd question into a separate thread => That would make them easier to answer as well, which will help.
    You can find it here: Custom Login Module, LM Stack ignored
    Cheers,
    Julius
    Edited by: Julius Bussche on Jul 18, 2008 7:26 PM

  • What is so special about the "ticket" login module stack?

    G'day,
    I am observing some odd behaviour with login module stacks.
    I have a custom login module that performs authentication using information in the HTTP servlet request. This custom login module does not require any interaction from the user. I want to use this custom login module when I authenticate to the portal.
    By default, the portal uses an authentication scheme known as "uidpwdlogon", which uses the "ticket" login module stack, which is configured to perform basic password login. When I attempt to access the portal I am presented with a username/password page and I need to enter a username and password, hit the "submit" button, and access to the portal is granted.
    So I replaced the BasicPasswordLoginModule entry in the "ticket" login module stack with my custom login module, and now access to the portal is granted automatically, as expected. There is no username/password page displayed.
    But if I create a new login module stack that contains exactly the same modules as "ticket" login module stack, and modify the "uidpwdlogon" authentication scheme to use my new login module stack instead of the "ticket" login module stack, then something odd occurs: I am now presented with a username/password page again. I need to hit the "submit" button to navigate away from this page before the custom login module stack will process, which will then grant access to the portal.
    If I change the "uidpwdlogon" authentication scheme back to use the "ticket" login module stack (which is exactly the same as the previous login module stack), then access to the portal is granted automatically without showing a username/password page.
    So: if the (modified) "ticket" login module stack is used, there's no username/password page shown. If a copy of that login module stack is used, then a username/password page is shown.
    What's going on here?

    G'day,
    Thanks for the reply.
    The relevant parts of the authschemes.xml file are as follows:
            <authscheme name="uidpwdlogon">
                <authentication-template>myloginstack</authentication-template>
                <priority>21</priority>
                <frontendtype>2</frontendtype>
                <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
            </authscheme>
            <authscheme-ref name="default">
                <authscheme>uidpwdlogon</authscheme>
            </authscheme-ref>
            <authscheme-ref name="UserAdminScheme">
                <authscheme>uidpwdlogon</authscheme>
            </authscheme-ref>
    Note that I have changed the uidpwdlogon element to use "myloginstack" instead of "ticket", and changed the priority from 20 to 21, as suggested (but it should be noted that the outcome is the same regardless of priority).
    The "ticket" login module stack is defined as follows:
      EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
      MyLoginModule REQUISITE {...}
      CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
    and the "myloginstack" is defined identically as follows:
      EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
      MyLoginModule REQUISITE {...}
      CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
    When the "uidpwdlogon" authentication scheme is configured to use the "myloginstack" login module stack, the browser immediately opens up the normal username/password page. I wait for a few minutes (for logging reasons), then hit submit, and access to the portal is granted.
    The log output for this is as follows:
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: myloginstack
    Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
    com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
    MyLoginModule                                                           REQUISITE   ok          exception             true       Further authentication required from client
    com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true      
    Message : LOGIN.OK
    User: testuser
    Authentication Stack: myloginstack
    Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
    com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false                
    MyLoginModule                                                           REQUISITE   ok          true       true                 
    com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true                 
    Central Checks                                                                                true                 
    There are two login stack events because the first login stack event asks the browser to pass along authentication data, which is processed in the second login stack event.
    Also note that the time of the first login module event is a few minutes after the username/password page appears, suggesting that the portal is attempting to obtain information before it processes the login module stack.
    If I change the "uidpwdlogon" authentication scheme to use the "ticket" login module stack, then no username/password page appears and the security log is essentially identical to that of "myloginstack":
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
    com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
    MyLoginModule                                                           REQUISITE   ok          exception             true       Further authentication required from client
    com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true      
    Message : LOGIN.OK
    User: testuser
    Authentication Stack: ticket
    Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
    com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false      false                
    MyLoginModule                                                           REQUISITE   ok          true       true                 
    com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          true       true                 
    Central Checks                                                                                true                 
    I am creating the "myloginstack" login module stack using the Visual Administrator tool, by clicking the "Add" button for the "Policy Configurations" tab of the SecurityProvider service. Note that when I do this the entry for "myloginstack" gets a diamond icon, while the entry for "ticket" has a different icon (resembling a graph). I do not know what these different icons beside each policy configuration imply (is "ticket" different to "myloginstack" somehow?) nor how to create a new policy configuration that will have a different icon.
    I assume the username/password page is shown because the <frontendtarget> element in the "uidpwdlogon" authentication scheme is defined to use "com.sap.portal.runtime.logon.certlogon". Perhaps there is another value I can use here that displays nothing and redirects the browser directly to the portal?

  • Has anyone had this problem with VPN iPad vpn connection could not validate the server certificate

    Has anyone had this problem with iPad 3 after upgrade to iOS 7?
    I am trying to connect to VPN, but I get this message: "could not validate the server certificate".
    I am trying to connect to Oracle VPN.

    Has anyone found a solution for this yet? I am still getting the could not validate server certificate error. I have tried importing the entire certificate chain as well as importing each individual cert in the chain. My certificate works perfectly with the cisco vpn on my pc.
    This is my first experience owning an apple product, and I am very disappointed with the customer support that I have received. I tried calling the help line and no one would even attempt to answer my question. I was then told that the Mac "geniuses" wouldn't know either and that I may be able to find an answer on the message boards. So I am reaching out to the community...Has anyone been able to figure out how to resolve this issue or even the specific cause? Any help is appreciated.

  • Login Module Stack of EP

    Hi guys,
    I am in the process of setting up HeaderVariable Authentication for access to EP and have some questions.
    1) What Login Module Stack needs to be adjusted to use the HeaderVariableLoginModule? SAP J2EE Root or Ticket or ....
    2) Are changes in the policy configurations (adding logon module) applied immediately or is a J2EE restart required?
    Thanks,
    Mario.

    Thank you Paul.
    I've also found the answer to question 1 on my own. I have to modify the Login Module stack of template "ticket" as follows:
      1) EvaluateTicketLoginModule SUFFICIENT
      2) HeaderVariableLoginModule OPTIONAL     Header=REMOTE_USER
      3) CreateTicketLoginModule   SUFFICIENT
      4) BasicPasswordLoginModule  REQUISITE
      5) CreateTicketLoginModule   OPTIONAL
    Now I'd like to know if it is possible to test the header variable login configuration without using any external web server but connecting directly to Enterprise Portal.
    When I try to connect directly to the Enterprise Portal using the URL
       http://<server>:<port>/irj/portal?REMOTE_USER=<userID>
    I'm not able to log into the system, but I'm redirected to the login page.
    If I type in userID and password, portal doesn't authenticate the user.
    Is the External Web Server mandatory for the Header Variable Login Module configuration?
    Thanks in advance,
    Mario.

  • Dependent module os4apilib.so could not be loaded

    Hi ALL
    I'm now installing PI 7.1 on AS/400. When proceeding to the import ABAP step, an error about "Dependent module os4apilib.so could not be loaded" occurs. According to note 978127 and 1017181, it looks like a similar case to this one but it's for kernel 700. After I tried to replace os4apilib.so in directory /usr/sap/XD2/SYS/exe/uc/as400_pase_64/ with a new one extracted from SCSCLIENT_3-20001357.SAR, the issue still persists.
    Please refer to below for error details:
    WARNING    2009-01-30 17:32:06.065
               CJSlibModule::writeWarning_impl()
    Execution of the command "/usr/sap/XD2/SYS/exe/uc/as400_pase_64/R3load -testconnect" finished with return code 255. Output:exec(): 0509-036 Cannot load program /usr/sap/XD2/SYS/exe/uc/as400_pase_64/R3load because of the following errors:
            0509-150   Dependent module os4apilib.so could not be loaded.
            0509-022 Cannot load module os4apilib.so.
            0509-026 System error: A file or directory in the path name does not exist.
            0509-021 Additional errors occurred but are not reported.
    ERROR      2009-01-30 17:32:06.068
               CJSlibModule::writeError_impl()
    CJS-30023  Process call '/usr/sap/XD2/SYS/exe/uc/as400_pase_64/R3load -testconnect' exits with error code 255. For details see log file(s) R3load.exe.log.
    ERROR      2009-01-30 17:32:07.61 [sixxcstepexecute.cpp:940]
    FCO-00011  The step testDatabaseConnection with step key |NW_Onehost|ind|ind|ind|ind|0|0|NW_Onehost_System|ind|ind|ind|ind|1|0|NW_CreateDBandLoad|ind|ind|ind|ind|10|0|NW_ABAP_Import_Dialog|ind|ind|ind|ind|6|0|NW_ABAP_Import|ind|ind|ind|ind|0|0|testDatabaseConnection was executed with status ERROR (Last error reported by the step :Process call '/usr/sap/XD2/SYS/exe/uc/as400_pase_64/R3load -testconnect' exits with error code 255. For details see log file(s) R3load.exe.log.).
    Thanks very much for any kinds of help provided here.
    Best regards,
    Effan

    I hardly remember how I resolved it, my friend. But start trying with latest installation master and kernel if that's a choice for you, maybe I loaded the latest ILE introduced by some notes. If it doesn't help, retry it and sort the installation directory by time sequence and then find all related logs. Please open a new thread for open discussion.
    BTW, why not to install 7.11 if this is a new instance? I just finished one, it's still warm to support you.
    Regards,

  • Changing login module stack for Netweaver Portal?

    G'day,
    I want to change the login stack for Netweaver Portal (at http://<host>:50100/irj).
    Currently portal is configured in Visual Administrator to use the "ticket" authentication template. I can change this authentication template and change how I authenticate to portal.
    But changing "ticket" authentication template also changes how other applications perform authentication. So I changed the login module stack for the "com.sap/irj*irj" component to not use an authentication template, and added my own login modules.
    But when I access portal again, the "ticket" authentication is still used. I restarted the cluster to be sure but no matter what login modules I configure for "com.sap/irj*irj", only changes to "ticket" have any effect.
    So: how do I modify the login module stack for portal, without modifying the "ticket" authentication template?
    --Geoff

    Hi,
    If you'd like to change the authentication stack only for the EP but not for all applications that use UME authentication, then you have to modify the descriptor authschemes.xml. You have to change the scheme "default" to point to another LM stack instead of "ticket" as it is shipped.
    Kind regards,
    Tsvetomir

  • Unable to complete 10.1.2 update - "Could not validate CoreFP"

    The new iTunes update just won't finish. I'm getting the following error
    "The update 'iTunes' can't be installed.
    The Installer could not validate the contents of the 'CoreFP' Package. Contact the software manufacturer for assistance"
    Also, after 2 failed attempts to install the update (one via software update and one via the .dmg) I've experienced Kernel panics. Not sure if it's related or not, but it's worth mentioning

    I was having this same issue today. The CoreFP.pkg file was also causing my Time Machine backups to fail since last Sunday.
    I ran 'Verify Disk Permissions', 'Repair Disk Permissions', and 'Verify Disk' in Disk Utility ('Repair Disk' was greyed out, otherwise I would have tried that too). The details window didn't show any errors, but when I tried installing the iTunes update again it worked without issue, and now Time Machine is able to back up successfully.
