SRM and MYSAPSSO2 cookie
Hello,
we are using SRM 4.0 (standalone scenario) with integrated ITS 6.40. The SRM application is accessed directly through browser (without any SAP portal encapsulation). We would like to customize the lifetime of cookie MYSAPSSO2 which is set after user authentication. I have noticed that this cookie is still located at browser level as long as this browser is open: there is no time validity for this cookie. As the user's session, at application server level, is subject to timeout, we would like to be able to set such a timeout for the MYSAPSSO2 cookie too.
Do you know a way to achieve this?
Thank you for your help.
Regards.
Fabrice
Hi Fabrice.
I am using Single Sign On for SRM Add on ERP without portal.
I have set up the following tickets with value 1, but after 8 hours these tickets reset to 0 and I have to set the value to 1 again via RZ11 so that users can sign on properly in SRM with SSO.
login/create_sso2_ticket and login/accept_sso2_ticket
In our system, the default value for login/ticket_expiration_time is 8 hrs.
Please advise what I should do so that the single sign on works properly and the value of parameters does reset to 0.
Thanks,
Sagar
Similar Messages
-
MYSAPSSO2 cookie format in J2ee and ABAP - NW7
Hello
I installed NW7 with ABAP + Java with system id DV1. I was able to configure the java and abap to issue ticket and to be accepted by other systems (DV2).
If I login to the DV1 abap host using webgui url(integrated ITS), I am getting the MYSAPSSO2 cookie in the browser IE. With this I am able to login to DV2 j2ee and also to ABAP.
If I login to DV1 j2ee engine using the portal link, I am not seeing the MYSAPSSO2 cookie in the browser, but seeing JSESSIONID and with it still I am able to login to DV2.
My question : Is the JSESSIONID exactly equal to MYSAPSSO2 ? If not how can I make the DV1 J2ee to issue MYSAPSSO2 cookie ? Thanks.
SAPLearner
Hi
I am able to test and able to login to the other j2ee or abap system. But still not able to see the MYSAPSSO2 cookie issued by EP j2ee.
DV1 - NW7 SP12 system ABAP + J2ee(with portal on it)
DV2 - NW7 SP12 system ABAP + J2ee(with BI java)
I have exported DV1's java and abap certificate to DV2, made it trusted and the connection is working.
When I login to DV1 j2ee using the url http://<DV1fullhostname>.com:52200/irj/portal
and getting the below in my browser
SignOnDefault=<windows id>; JSESSIONID=(DV1host_DV1_22)ID2068173650DB0050916542928689590End; SAPPORTALSDB0=urn%253Acom.sapportals.appdesigner%253Aframework%2526isPersonalizeMode%3Dfalse; GWS_AUTO_LOGIN=FALSE; AbxUserLocale=en_US_STAFF; PortalAlias=portal; saplb_*=(DV1host_DV1_22)613943650
With this above cookie I am able to login to DV2 j2ee http://<DV2fullhostname>.com:52500/nwa
or abap http://<DV2fullhostname>.com:8025/sap/bc/gui/sap/its/webgui
without any issue. In my browser I do not see MYSAPSSO2 cookie. Why is that?
My login stack in j2ee is defined as below.
1. Evaluate ticket
2. Basic login module
3. Create ticket
At the same time if I login to DV1 abap http://<DV1fullhostname>.com:8022/sap/bc/gui/sap/its/webgui I can see the cookie MYSAPSSO2 in the browser and still able to login to DV2.
Don't understand why my DV1 j2ee is not issuing MYSAPSSO2 cookie and issuing JSESSIONID?
Appreciate your reply
SAPLearner -
Issue while parsing the MYSAPSSO2 Cookie
Hi All,
We are trying to establish SSO with a non SAP web application using MYSAPSSO2 cookie.
Plan is to write a java class which can parse out the MYSAPSSO2 cookie, extract the user Id and use it for single sign on.
Following Libraries are used:
logging.jar
i18n_cp.jar
iaik_jce.jar
com.sap.security.api.jar
com.sap.security.core.jar
rscp4j.dll(this is downloaded from a SAP EP 7.0 instance running in windows 2003 server in our landscape).
Our Source SAP EP 7.0 instance which will be issuing the cookie is running in Solaris.
The target application in which the cookie is parsed is running on a Windows 2003 64 bit server.
Following is the code which we are using.
    // Instantiate the provider
    IAIK provider = new IAIK();
    Security.addProvider(provider);
    // Instantiate the ticket
    tv = new com.sap.security.core.ticket.imp.Ticket();
    // Set the certificates
    tv.setCertificates(certificates);
    // Set the MYSAPSSO2 cookie
    tv.setTicket(strCookie);
    if (!tv.isValid()) {
        System.out.println("Ticket is not valid");
    }
    // Verify the ticket
    tv.verify();
isValid method is working fine - it is returning true or false exactly based on the validity.
ISSUE:
tv.verify();--->Raises the following exception:
java.security.SignatureException-Certificate (Issuer="CN=SID,OU=XX,O=XYZ,L=LO,ST=ST,C=CO", S/N=1234567890) not found.
When analyzed, it looks like the verify method is trying to compare the issuer's serial number in integer format
but the portal is providing the serial number in hexadecimal format.
So the keystore has the certificate with the same issuer and serial number but the serial number is in hexadecimal format.
The certificate from SAP Enterprise Portal was imported to the local keystore using the keytool -import option.
Could anyone help resolve this issue?
Thanks in advance.
Hi,
I'm facing the exact same problem, and I think I found the reason for the behavior described above.
The Problem seems to be located at
[http://help.sap.com/javadocs/NW73/SPS01/CE/se/com.sap.se/com/sap/security/api/ticket/TicketVerifier.html#verify()]
from com.sap.security.api.jar, just like mentioned.
But the Problem seems to be the issuer, not the serial number.
When decompiling com.sap.security.api.jar with JD-GUI ([http://java.decompiler.free.fr/?q=jdgui]),
you can see the following:
    public static java.security.cert.X509Certificate[] findCertificates(
            java.security.cert.X509Certificate[] certificates, String issuer, BigInteger serial) {
        if ((certificates == null) || (certificates.length == 0)) {
            return null;
        }
        ArrayList certificateList = new ArrayList();
        for (int i = 0; i < certificates.length; i++) {
            java.security.cert.X509Certificate certificate = certificates[i];
            // The issuer name is compared as a plain string
            if ((certificate.getIssuerDN().getName().equals(issuer)) && (certificate.getSerialNumber().equals(serial))) {
                certificateList.add(certificate);
            }
        }
        if (certificateList.size() == 0) {
            return null;
        }
        java.security.cert.X509Certificate[] matchedCertificates = new java.security.cert.X509Certificate[certificateList
                .size()];
        certificateList.toArray(matchedCertificates);
        return matchedCertificates;
    }
As you can see, the issuer-parameter is being compared with the issuer from the certificate. And here comes the weird stuff: While the issuer-parameter contains an issuer like
"OU=J2EE,CN=EXAMPLE"
the issuer retrieved from the certificate is
"OU=J2EE, CN=EXAMPLE"
(see toString() of the java.security.cert.X509Certificate)
You see the missing whitespace after the comma? This is the reason why the if-condition fails and you get something like
java.security.SignatureException: Certificate (Issuer="OU=J2EE,CN=EXAMPLE", S/N=1234) not found.
A workaround (a really UGLY one, I admit), is the following:
1. Open com.sap.security.api.jar with a ZIP-tool and delete
/com/sap/security/api/ticket/TicketVerifier.class
2. Copy the decompiled Version of TicketVerifier to Java-Class /com/sap/security/api/ticket/TicketVerifier.java
3. Change
    for (int i = 0; i < certificates.length; i++) {
        java.security.cert.X509Certificate certificate = certificates[i];
        if ((certificate.getIssuerDN().getName().equals(issuer)) && (certificate.getSerialNumber().equals(serial))) {
            certificateList.add(certificate);
        }
    }
to
    for (int i = 0; i < certificates.length; i++) {
        X509Certificate certificate = certificates[i];
        // Strip the blank after each comma before comparing issuer names
        String dnNameFromCert = certificate.getIssuerDN().getName().replaceAll(", ", ",");
        BigInteger serialNumberFromCert = certificate.getSerialNumber();
        if ((dnNameFromCert.equals(issuer)) && (serialNumberFromCert.equals(serial))) {
            certificateList.add(certificate);
        }
    }
4. Package this class into a jar and make it available in your classpath.
5. Enjoy
To me, this is a huge bug in the SAP-Library and has to be fixed.
Regards
Matthias
Edited by: Matthias82 on Sep 29, 2011 12:47 PM -
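The issuer and serial-number comparison discussed in the two posts above, as an added example that is not part of the original thread and is not SAP code: it matches certificates on parsed X.500 names instead of raw strings and shows that a hexadecimal and a decimal serial number are the same value. The class and method names (IssuerMatch, sameIssuer, sameSerial, findCertificates) are hypothetical, the sample strings are constructed from the ones quoted in the thread, and it assumes the issuer string taken from the ticket is a parseable RFC 2253 name.

```java
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;

// Added illustration; IssuerMatch and its methods are hypothetical names,
// not part of com.sap.security.api.
public class IssuerMatch {

    // X500Principal.equals() compares the canonical forms of both names, so
    // spacing after the commas does not affect the result.
    static boolean sameIssuer(String a, String b) {
        return new X500Principal(a).equals(new X500Principal(b));
    }

    // keytool lists serial numbers in hexadecimal, while the exception text
    // shows decimal; both are renderings of one BigInteger.
    static boolean sameSerial(String hexFromKeytool, BigInteger serial) {
        return new BigInteger(hexFromKeytool, 16).equals(serial);
    }

    // Takes the same inputs as the decompiled findCertificates, but compares
    // parsed names and returns an empty list instead of null.
    static List<X509Certificate> findCertificates(
            X509Certificate[] certificates, String issuer, BigInteger serial) {
        List<X509Certificate> matches = new ArrayList<>();
        if (certificates == null) {
            return matches;
        }
        X500Principal wanted = new X500Principal(issuer);
        for (X509Certificate certificate : certificates) {
            if (certificate.getIssuerX500Principal().equals(wanted)
                    && certificate.getSerialNumber().equals(serial)) {
                matches.add(certificate);
            }
        }
        return matches;
    }

    public static void main(String[] args) {
        // Constructed sample values, taken from the strings quoted in the thread.
        String fromTicket = "OU=J2EE,CN=EXAMPLE";
        String fromCert = "OU=J2EE, CN=EXAMPLE";
        System.out.println("String.equals:       " + fromTicket.equals(fromCert));
        System.out.println("X500Principal match: " + sameIssuer(fromTicket, fromCert));

        // 0x499602D2 and 1234567890 are the same number.
        System.out.println("Serial match:        "
                + sameSerial("499602d2", new BigInteger("1234567890")));
    }
}
```

Comparing parsed names also avoids a side effect of replaceAll(", ", ","), which rewrites a comma followed by a blank inside an attribute value as well as between attributes.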
Issue in parsing MYSAPSSO2 Cookie -Certificate Serial no is in Hexadecimal
Hi All,
We are trying to establish SSO with a non SAP web application using MYSAPSSO2 cookie.
Plan is to write a java class which can parse out the MYSAPSSO2 cookie, extract the user Id and use it for single sign on.
Following Libraries are used:
logging.jar
i18n_cp.jar
iaik_jce.jar
com.sap.security.api.jar
com.sap.security.core.jar
rscp4j.dll(this is downloaded from a SAP EP 7.0 instance running in windows 2003 server in our landscape).
Our Source SAP EP 7.0 instance which will be issuing the cookie is running in Solaris.
The target application in which the cookie is parsed is running on a Windows 2003 64 bit server.
Following is the code which we are using.
    // Instantiate the provider
    IAIK provider = new IAIK();
    Security.addProvider(provider);
    // Instantiate the ticket
    tv = new com.sap.security.core.ticket.imp.Ticket();
    // Set the certificates
    tv.setCertificates(certificates);
    // Set the MYSAPSSO2 cookie
    tv.setTicket(strCookie);
    if (!tv.isValid()) {
        System.out.println("Ticket is not valid");
    }
    // Verify the ticket
    tv.verify();
isValid method is working fine - it is returning true or false exactly based on the validity.
ISSUE:
tv.verify();--->Raises the following exception:
java.security.SignatureException-Certificate (Issuer="CN=SID,OU=XX,O=XYZ,L=LO,ST=ST,C=CO", S/N=1234567890) not found.
When analyzed, it looks like the verify method is trying to compare the issuer's serial number in integer format
but the portal is providing the serial number in hexadecimal format.
So the keystore has the certificate with the same issuer and serial number but the serial number is in hexadecimal format.
If I print the certificates available in the keystore it is printing that certificate with serial number in hexadecimal format. if I convert that hexadecimal to decimal - I get the same number which is part of the error message raised by the code.
The certificate from SAP Enterprise Portal was imported to the local keystore using the keytool -import option.
Could anyone help resolve this issue?
Thanks in advance.
Any advice please?
Do I need to post it in a different forum? -
MYSAPSSO2 Cookie not found in IE
Hi Everyone,
I am trying to implement SSO between a third party Java application and the SAP EP 7.0. As a test procedure, I log in to my portal and then run my code to see if I can retrieve and decrypt the MYSAPSSO2 cookie.
My code works perfectly when I log in to the portal using Mozilla Firefox (2.0.0.1); I can see the MYSAPSSO2 cookie and decrypt it (Log file output below). However, when I use IE (6.0.3790.1830) to log in to the portal, I can not retrieve the MYSAPSSO2 cookie. It seems as if this cookie does not even exists. I am thinking the cookie is somehow hidden and therefore my code can't see it.
Has anyone faced this issue before? I have tried to decrease the security settings on IE but that doesn't help things. Any help on this issue would be really appreciated!
Pasted below is a snippet of my code.
//request is a HttpServletRequest object
    Cookie[] allCookies = request.getCookies();
    // getCookies() returns null when the request carries no cookies
    int allCookiesLength = (allCookies == null) ? 0 : allCookies.length;
    cookieFound = false;
    for (int i = 0; i < allCookiesLength; i++) {
        Log.debug("Cookie Name at " + i + " = " + allCookies[i].getName());
        if (allCookies[i].getName().compareToIgnoreCase("MYSAPSSO2") == 0) {
            SAP_SSO_COOKIE = allCookies[i];
            Log.debug("Cookie Found!");
            cookieFound = true;
            break;
        }
    }
    if (!cookieFound) {
        Log.debug("Cookie NOT Found!");
    }
Log file Output with IE
2007.02.07 13:05:31 Cookie Name at 1 = saplb_*
2007.02.07 13:05:31 Cookie Name at 2 = JSESSIONID
2007.02.07 13:05:31 Cookie NOT Found!
Log file Output with Firefox
2007.02.07 13:54:15 Cookie Name at 0 = saplb_*
2007.02.07 13:54:15 Cookie Name at 1 = PortalAlias
2007.02.07 13:54:15 Cookie Name at 2 = JSESSIONID
2007.02.07 13:54:15 Cookie Name at 3 = MYSAPSSO2
2007.02.07 13:54:15 Cookie Found!
Thanks
MOY
Michael,
I changed the parameter "httponlycookie" to FALSE and this works. My issue was that when I set the parameter to FALSE, I restarted my J2EE engine. For some odd reason, after the restart this parameter was set back to TRUE. What's even worse, or maybe even cool, depending on how you look at it, is that this parameter is set back to TRUE even if I close down Visual Admin and fire it up again (without restarting the server). However, in this case SSO still works because the J2EE settings are not updated with this TRUE value. Is there a security setting which sets back this parameter to TRUE every time the server is restarted or when Visual Admin is fired up?
Thanks
MOY -
Terminate Portal User Login with JSessionID or MYSAPSSO2 Cookie
Dear All,
I know using Visual Administrator , we can terminate the session.
Is it possible for the administrator to terminate a logged in portal user with his/her JsessionID or MYSAPSSO2 cookie value or User Id programmatically?
Is it possible for portal admin to forcibly exit (logout) an active user login without logging onto visual administrator?
Regards,
Eben Joyson
The only complete mitigation for session hijacking is to run the entire site as SSL. This is Oracle's recommendation if you need a complete mitigation solution. An example of an ATG site running in full SSL is Dennis Kirk (denniskirk.com).
The problem with doing so is that SSL (a) takes more processing power in the system running the client's browser and (b) incurs latency that degrades the perceived page performance. This is particularly true for consumers running Internet Explorer, where speed-up measures like SPDY are either incomplete or don't work. And for a hard core eCommerce site, slower page performance means that you make less money.
Most sites, including those that you mention, use a mixture of SSL and non-SSL pages to overcome this. They use non-SSL for those areas of the site where penetration does not have a material negative impact. Browsing catalog pages as an anonymous user, for example. If someone hijacks my session and I'm browsing the catalog anonymously, they're welcome to it. There's nothing private in my session. Even robots can access that content.
Once I login or go to pages where private information is being exchanged, then you have to secure the session. That's where the protocol switcher servlet comes in. As you authenticate, you switch the user to SSL.
I've tried a number of additional mitigation steps. Unfortunately I can't discuss them here at this time.
And none of the servlets that you mention have any benefit with mitigating session hijacking. -
Calling an Abap Web Service from IBM WebSphere with a MYSAPSSO2 Cookie
Hello,
I have the following problem :
I have to develop a proof of concept between IBM Web Sphere 5.1 and SAP AS JAVA 7.0.
I have created an IBM servlet in Web Sphere, I use a specific redirect from an SAP AS Java to call it, this way I can have a SAP Logon Ticket, and I manage to call an ABAP module function with JCO with SSO.
Scenario 1 : browser + authentication --> AS Java redirect servlet MYSAPSSO2 cookie -> IBM WebSphere servlet JCO -> Abap module function (ECC5)
This scenario works fine.
I have to do the same scenario with a Web Service and I don't know what to do.
I try to use jax-rpc handlers but I don't know how to pass my cookie from my servlet to my handler.
Scenario 2 : browser + authentication --> AS Java redirect servlet MYSAPSSO2 cookie -> IBM WebSphere servlet JCO -> Abap Web Service (ECC5)
Has someone already done that ?
Regards, Julien.
Julien,
Why are you using 5.1... go for 6.0 and it's a cakewalk, I have integrated WebSphere 6.0 with R/3 using XI... in a week.
Scenario changed to:--
Browser+ authentication --> WebSphere AS servlet request --> XI --> RFC/bapi --> abap webService
Hope that helps
Regards
Ravi -
MYSAPSSO2 cookie - difference user versus portaluser
Hi all,
I recognized that the MYSAPSSO2 cookie contains 2 fields for a user id.
1) the user
2) the portalUser
does anybody know the difference / use cases for those fields?
any help is appreciated
regards Karin
Hi Paul,
thanks for your answer.
We use a abap mandant as user store for sap ep.
if the user is stored in the abap mandant (which is almost for all users the case,
except of some special users)
portaluser and user field are used.
if the user is just stored in the local user database of the portal (this is only for some admin users the case) then the user field is empty, only the portaluser field is used.
If I would like to use the MYSAPSSO2 cookie to propagate the user to NON
SAP systems. According to your answer, it would make sense, to use the user field (and not the portaluser field).
Regards
Karin -
Can someone tell me why I log into our portal (where SSO works fine) and execute the javascript "document.cookie.indexOf("MYSAPSSO2") > -1", and it cannot find the MYSAPSSO2 cookie? If I look at my cookies (via Firefox add-on), I see the cookie fine. The cookie is also not displayed if I execute javascript:document.cookie.
Thanks.
It is simpler to do from server side as follows. Place below line
inside Page_Load event of any portal component:
Write(this.Request.Cookies.Get("MYSAPSSO2").Value); -
Error when trying to retrieve UserName from MySAPSSO2 cookie
Hi,
I tried to retrieve the UserName from MySAPSSO2 cookie using the dotnet toolkit, but I keep getting the error "User Not Aunthenticated". I have placed the verify.pse files in a folder called psefiles in the same location as the bin folder of my application.
I then also tried to directly use Convert.FromBase64String() to read the username from the cookie, but during conversion I get the error "Invalid character in a Base- 64 string"
Any help is highly appreciated.
Thanks,
Kantishree D.
From the menu bar, select
▹ System Preferences ▹ Energy Saver ▹ Power Adapter
and uncheck the box labeled Put the hard disk(s) to sleep when possible, if it's checked.
If the drive has more than one interface (USB, FireWire, Thunderbolt, eSATA), try one of the other interfaces.
Check that the data cable is securely inserted at both ends.
Try a different cable.
If you're connecting the drive through a hub, connect it directly to a built-in port on the Mac.
If you're connecting it directly, try a different port.
Disconnect all other devices on the bus, or as many as possible.
Test the drive with another Mac. Test another drive with this Mac.
If the drive is bus-powered, but has an AC adapter, connect the adapter.
Start up in Safe Mode and test.
If the drive doesn't work under any of the above conditions, and if another drive does work with the same Mac, then the drive has failed. You may be able to salvage the mechanism by removing it from the enclosure and installing it in another one, or in a drive dock. -
Getting the MYSAPSSO2 cookie in the application running in tomcat server
Hi All
I am trying to integrate the java application running in tomcat into the portal... for this I have developed a servlet and am trying to get the MYSAPSSO2 cookie in it so that I can validate this ticket...
can any one plz help in solving this issue
Thanks & Regards
Ajay
Hi Ajay,
Did you solve this problem? how? I need to do this too.
thanks,
Daniel Arakawa -
Information of the MYSAPSSO2 Cookie
Hello everybody,
I am working with SSO and I've installed the analyzer tool to look at how the cookies are, on "Information of the MYSAPSSO2 Cookie". The other day it worked but now it seems like it doesn't work because all parameters show as null.
How can I know if my portal sends cookies or not?
Thanks
Guillermo
Hi,
Michael, my portal certificate has not expired the date shows from Mon Mar 06 20:30:28 CET 2006 to Thu Mar 06 20:30:28 CET 2008 (i didnt want to be rude, but the button was obvious one for me, thank you)
I suspect my portal doesn't generates that cookie and probably I have anything wrong in the UM configuration...i've read that the parameter ume.usermapping.unsecure=FALSE has to be TRUE but this parameter is to do with the user mapping method isn't it?
Maybe another thing in UM configuration that i dont realize?
Thanks again. -
Decrypt MYSAPSSO2 cookie.
Hi friends,
I have written a custom java application running on a "non sap j2ee server". In that application, i want to accept and decrypt MYSAPSSO2 cookie and get the userid. Is this possible? I did not find any relevant documents for this. Could anyone provide the same?
Regards,
Nilz
Hi Nilz,
Is your problem solved, even I need the solution for the same. I need to decrypt MYSAPSSO2 cookie to get user id from it. I need some java code for it.
I tried to open service.sap.com/swdc, but it asks user id and password to connect to it ...what to do
regards,
bhawna -
Reading MYSAPSSO2 Cookie using HttpGetterCallback
Hi,
I've custom login module where I'm trying to read the existing SSO ticket and re authenticate and validate it if for returning users. For some reason I was not able to get the Cookie value using HttpGetterCallback. Here is the code I'm calling with my Code.
HttpGetterCallback getterCallback = new HttpGetterCallback();
getterCallback.setType(HttpCallback.COOKIE);
getterCallback.setName("MYSAPSSO2");
String token = (String)getterCallback.getValue();
This always returns null I see in the browser there do exists a cookie. Am I doing something wrong here. Any help is really appreciated.
Thanks,
Joe.P
You may need to implement a call back handler. Please refer section [2.8 Remote authentication|https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b00a87e5-0601-0010-87a7-9c0456cf8436]
Other ways to do it: [MYSAPSSO2 cookie|Re: MYSAPSSO2 cookie] and [Zope|http://www.zope.org/Members/Dirk.Datzert/MySapSsoSupport/] -
Hi,
I would like to write to the user's current browser session a MYSAPSSO2 cookie such as "MYSAPSSO2=AjExMDAgABBwb3". Is there any API I can use to do this?
Thanks in advance
Hi,
hmm... so you already have a valid cookie and simply want to recreate it from inside the portal. I could think of the following if your system constantly kills the cookie:
Store the cookie's value somewhere in the user's session and re-generate it with
IPortalComponentResponse.addCookie()
(see: https://media.sdn.sap.com/javadocs/preNW04/SP2/60_sp2_javadocs/runtime/com/sapportals/portal/prt/component/IPortalComponentResponse.html#addCookie(javax.servlet.http.Cookie))
or similar.
Alternatively, create an additional cookie with identical value but different name (hoping that only the cookie named "MYSAPSSO2" get killed).
btw: Have you already found out why the cookie gets killed? This can usually only happen if you application generates a new cookie
- that is also named MYSAPSSO2
and
- that shall be returned to the very same systems (check cookie's path attribute)
Some HTTP tracing might make sense here.
Regards,
Dominik