SRM and MYSAPSSO2 cookie

Hello,
We are using SRM 4.0 (standalone scenario) with integrated ITS 6.40. The SRM application is accessed directly through a browser (without any SAP portal encapsulation). We would like to customize the lifetime of the MYSAPSSO2 cookie, which is set after user authentication. I have noticed that this cookie stays in the browser for as long as the browser is open: it has no validity period. As the user's session at application server level is subject to a timeout, we would like to be able to set such a timeout for the MYSAPSSO2 cookie too.
Do you know a way to achieve this?
Thank you for your help.
Regards.
Fabrice

Hi Fabrice.
I am using Single Sign On for SRM Add on ERP without portal.
I have set up the following tickets with value 1, but after 8 hours these tickets reset to 0 and I have to set the value to 1 again via RZ11 so that users can sign on properly in SRM with SSO:
login/create_sso2_ticket and login/accept_sso2_ticket
In our system, the default value for login/ticket_expiration_time is 8 hrs.
Please advise what I should do so that the single sign on works properly and the value of parameters does reset to 0.
Thanks,
Sagar

Similar Messages

  • MYSAPSSO2 cookie format in J2ee and ABAP - NW7

    Hello
    I installed NW7 with ABAP + Java with system id DV1. I was able to configure the java and abap to issue ticket and to be accepted by other systems (DV2).
    If I login to the DV1 abap host using webgui url(integrated ITS), I am getting the MYSAPSSO2 cookie in the browser IE.  With this I am able to login to DV2 j2ee and also to ABAP.
    If I login to DV1 j2ee engine using the portal link, I am not seeing the MYSAPSSO2 cookie in the browser, but seeing JSESSIONID and with it still I am able to login to DV2.
    My question : Is the JSESSIONID exactly equal to MYSAPSSO2 ? If not how can I make the DV1 J2ee to issue MYSAPSSO2 cookie ? Thanks.
    SAPLearner

    Hi
    I am able to test and able to login to the other j2ee or abap system. But still not able to see the MYSAPSSO2 cookie issued by EP j2ee.
    DV1 - NW7 SP12 system ABAP + J2ee(with portal on it)
    DV2 - NW7 SP12 system ABAP + J2ee(with BI java)
    I have exported DV1's java and abap certificate to DV2, made it trusted and the connection is working.
    When I login to DV1 j2ee using the url  http://<DV1fullhostname>.com:52200/irj/portal
    and getting the below in my browser
    SignOnDefault=<windows id>; JSESSIONID=(DV1host_DV1_22)ID2068173650DB0050916542928689590End; SAPPORTALSDB0=urn%253Acom.sapportals.appdesigner%253Aframework%2526isPersonalizeMode%3Dfalse; GWS_AUTO_LOGIN=FALSE; AbxUserLocale=en_US_STAFF; PortalAlias=portal; saplb_*=(DV1host_DV1_22)613943650
    With this above cookie I am able to login to DV2 j2ee http://<DV2fullhostname>.com:52500/nwa
    or abap http://<DV2fullhostname>.com:8025/sap/bc/gui/sap/its/webgui
    without any issue. In my browser I do not see MYSAPSSO2 cookie. Why is that?
    My login stack in j2ee is defined as below.
               1. Evaluate ticket
               2. Basic login module
               3. Create ticket
    At the same time if I login to DV1 abap http://<DV1fullhostname>.com:8022/sap/bc/gui/sap/its/webgui  I can see the cookie MYSAPSSO2 in the browser and still able to login to DV2.
    I don't understand why my DV1 j2ee is not issuing the MYSAPSSO2 cookie and is issuing JSESSIONID instead.
    Appreciate your reply
    SAPLearner

  • Issue while parsing the MYSAPSSO2 Cookie

    Hi All,
    We are trying to establish SSO with a non SAP web application using MYSAPSSO2 cookie.
    Plan is to write a java class which can parse out the MYSAPSSO2 cookie, extract the user Id and use it for single sign on.
    Following Libraries are used:
    logging.jar
    i18n_cp.jar
    iaik_jce.jar
    com.sap.security.api.jar
    com.sap.security.core.jar
    rscp4j.dll(this is downloaded from a SAP EP 7.0 instance running in windows 2003 server in our landscape).
    Our Source SAP EP 7.0 instance which will be issuing the cookie is running in Solaris.
    The target application in which the cookie is parsed is running on a Windows 2003 64 bit server.
    Following is the code which we are using.
        import java.security.Security;
        import iaik.security.provider.IAIK;

        //Instantiate the provider
        IAIK provider = new IAIK();
        Security.addProvider(provider);
        //Instantiate the ticket
        tv = new com.sap.security.core.ticket.imp.Ticket();
        //Set the certificates
        tv.setCertificates(certificates);
        //Set the MYSAPSSO2 cookie
        tv.setTicket(strCookie);
        if (!tv.isValid()) {
            System.out.println("Ticket is not valid");
        }
        //Verify the ticket
        tv.verify();
    isValid method is working fine - it is returning true or false exactly based on the validity.
    ISSUE:
    tv.verify();--->Raises the following exception:
    java.security.SignatureException-Certificate (Issuer="CN=SID,OU=XX,O=XYZ,L=LO,ST=ST,C=CO", S/N=1234567890) not found.
    When analyzed, it looks like the verify method is trying to compare the issuer's serial number in integer format
    but the portal is providing the serial number in hexadecimal format.
    So the keystore has the certificate with the same issuer and serial number but the serial number is in hexadecimal format.
    The certificate from SAP Enterprise Portal was imported to the local keystore using the keytool -import option.
    Could anyone help resolve this issue?
    Thanks in advance.

    Hi,
    I'm facing the exact same problem, and I think I found the reason for the behavior described above.
    The problem seems to be located at
    http://help.sap.com/javadocs/NW73/SPS01/CE/se/com.sap.se/com/sap/security/api/ticket/TicketVerifier.html#verify()
    from com.sap.security.api.jar, just like mentioned.
    But the problem seems to be the issuer, not the serial number.
    When decompiling com.sap.security.api.jar with JD-GUI (http://java.decompiler.free.fr/?q=jdgui),
    you can see the following:
        public static java.security.cert.X509Certificate[] findCertificates(
                java.security.cert.X509Certificate[] certificates, String issuer, BigInteger serial) {
            if ((certificates == null) || (certificates.length == 0)) {
                return null;
            }
            ArrayList certificateList = new ArrayList();
            for (int i = 0; i < certificates.length; i++) {
                java.security.cert.X509Certificate certificate = certificates[i];
                if ((certificate.getIssuerDN().getName().equals(issuer)) && (certificate.getSerialNumber().equals(serial))) {
                    certificateList.add(certificate);
                }
            }
            if (certificateList.size() == 0) {
                return null;
            }
            java.security.cert.X509Certificate[] matchedCertificates = new java.security.cert.X509Certificate[certificateList
                    .size()];
            certificateList.toArray(matchedCertificates);
            return matchedCertificates;
        }
    As you can see, the issuer parameter is being compared with the issuer from the certificate. And here comes the weird stuff: While the issuer parameter contains an issuer like
    "OU=J2EE,CN=EXAMPLE"
    the issuer retrieved from the certificate is
    "OU=J2EE, CN=EXAMPLE"
    (see toString() of the java.security.cert.X509Certificate)
    You see the missing whitespace after the comma? This is the reason why the if-condition fails and you get something like
    java.security.SignatureException: Certificate (Issuer="OU=J2EE,CN=EXAMPLE", S/N=1234) not found.
    A workaround (a really UGLY one, I admit), is the following:
    1. Open  com.sap.security.api.jar with a ZIP-tool and delete
    /com/sap/security/api/ticket/TicketVerifier.class
    2. Copy the decompiled version of TicketVerifier to Java class /com/sap/security/api/ticket/TicketVerifier.java
    3. Change
        for (int i = 0; i < certificates.length; i++) {
            java.security.cert.X509Certificate certificate = certificates[i];
            if ((certificate.getIssuerDN().getName().equals(issuer)) && (certificate.getSerialNumber().equals(serial))) {
                certificateList.add(certificate);
            }
        }
    to
        for (int i = 0; i < certificates.length; i++) {
            X509Certificate certificate = certificates[i];
            String dnNameFromCert = certificate.getIssuerDN().getName().replaceAll(", ", ",");
            BigInteger serialNumberFromCert = certificate.getSerialNumber();
            if ((dnNameFromCert.equals(issuer)) && (serialNumberFromCert.equals(serial))) {
                certificateList.add(certificate);
            }
        }
    4. Package this class into a jar and make it available in your classpath.
    5. Enjoy
    To me, this is a huge bug in the SAP-Library and has to be fixed.
    Regards
    Matthias
    Edited by: Matthias82 on Sep 29, 2011 12:47 PM
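
The two mismatches discussed in this thread (issuer strings that differ only in the whitespace after a comma, and a serial number shown in hexadecimal in one place and decimal in another) both go away when the issuer is compared as a parsed X.500 name and the serial as a number. The following is an added example, not part of the original posts and not SAP library code; the class name IssuerSerialMatch and its methods are hypothetical, and the DN and serial values are the ones quoted above plus one constructed DN.

```java
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;

// Added example: hypothetical helper, not part of com.sap.security.api.
public class IssuerSerialMatch {

    // Select certificates by issuer and serial number. The issuer is parsed
    // into an X500Principal, whose equals() compares the canonical form of
    // the name, so spacing after commas and letter case do not matter.
    static List<X509Certificate> findCertificates(
            X509Certificate[] certificates, String issuer, BigInteger serial) {
        List<X509Certificate> matches = new ArrayList<>();
        if (certificates == null) {
            return matches;
        }
        X500Principal wanted = new X500Principal(issuer);
        for (X509Certificate certificate : certificates) {
            if (certificate.getIssuerX500Principal().equals(wanted)
                    && certificate.getSerialNumber().equals(serial)) {
                matches.add(certificate);
            }
        }
        return matches;
    }

    // Compare two distinguished names as names, not as strings.
    static boolean sameDn(String a, String b) {
        return new X500Principal(a).equals(new X500Principal(b));
    }

    // Compare a serial printed in hex (keystore listing) with one printed in
    // decimal (exception message). Colons and spaces in the hex form are dropped.
    static boolean sameSerial(String hexSerial, String decimalSerial) {
        String hex = hexSerial.replaceAll("[:\\s]", "");
        return new BigInteger(hex, 16).equals(new BigInteger(decimalSerial));
    }

    public static void main(String[] args) {
        String fromTicket = "OU=J2EE,CN=EXAMPLE";  // issuer parameter quoted in the thread
        String fromCert = "OU=J2EE, CN=EXAMPLE";   // issuer string from the certificate

        System.out.println("String.equals:        " + fromTicket.equals(fromCert));
        System.out.println("X500Principal.equals: " + sameDn(fromTicket, fromCert));

        // Constructed DN: a quoted value that itself contains ", ". Stripping
        // ", " from the whole string would also rewrite this value, which is
        // why parsing the name is preferable to editing the string.
        String quoted = "O=\"Example, Inc.\",CN=EXAMPLE";
        String stripped = quoted.replaceAll(", ", ",");
        System.out.println("Quoted value survives stripping: " + sameDn(quoted, stripped));

        // Serial from the exception message (decimal) against its hex form.
        System.out.println("Serial hex == decimal: " + sameSerial("49:96:02:D2", "1234567890"));
    }
}
```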

  • Issue in parsing MYSAPSSO2 Cookie -Certificate Serial no is in Hexadecimal

    Hi All,
    We are trying to establish SSO with a non SAP web application using MYSAPSSO2 cookie.
    Plan is to write a java class which can parse out the MYSAPSSO2 cookie, extract the user Id and use it for single sign on.
    Following Libraries are used:
    logging.jar
    i18n_cp.jar
    iaik_jce.jar
    com.sap.security.api.jar
    com.sap.security.core.jar
    rscp4j.dll(this is downloaded from a SAP EP 7.0 instance running in windows 2003 server in our landscape).
    Our Source SAP EP 7.0 instance which will be issuing the cookie is running in Solaris.
    The target application in which the cookie is parsed is running on a Windows 2003 64 bit server.
    Following is the code which we are using.
        import java.security.Security;
        import iaik.security.provider.IAIK;

        //Instantiate the provider
        IAIK provider = new IAIK();
        Security.addProvider(provider);
        //Instantiate the ticket
        tv = new com.sap.security.core.ticket.imp.Ticket();
        //Set the certificates
        tv.setCertificates(certificates);
        //Set the MYSAPSSO2 cookie
        tv.setTicket(strCookie);
        if (!tv.isValid()) {
            System.out.println("Ticket is not valid");
        }
        //Verify the ticket
        tv.verify();
    isValid method is working fine - it is returning true or false exactly based on the validity.
    ISSUE:
    tv.verify();--->Raises the following exception:
    java.security.SignatureException-Certificate (Issuer="CN=SID,OU=XX,O=XYZ,L=LO,ST=ST,C=CO", S/N=1234567890) not found.
    When analyzed, it looks like the verify method is trying to compare the issuer's serial number in integer format
    but the portal is providing the serial number in hexadecimal format.
    So the keystore has the certificate with the same issuer and serial number but the serial number is in hexadecimal format.
    If I print the certificates available in the keystore, it prints that certificate with the serial number in hexadecimal format. If I convert that hexadecimal to decimal, I get the same number which is part of the error message raised by the code.
    The certificate from SAP Enterprise Portal was imported to the local keystore using the keytool -import option.
    Could anyone help resolve this issue?
    Thanks in advance.

    Any advice please?
    Do I need to post it in a different forum?

  • MYSAPSSO2 Cookie not found in IE

    Hi Everyone,
    I am trying to implement SSO between a third party Java application and the SAP EP 7.0. As a test procedure, I log in to my portal and then run my code to see if I can retrieve and decrypt the MYSAPSSO2 cookie.
    My code works perfectly when I log in to the portal using Mozilla Firefox (2.0.0.1); I can see the MYSAPSSO2 cookie and decrypt it (Log file output below). However, when I use IE (6.0.3790.1830) to log in to the portal, I cannot retrieve the MYSAPSSO2 cookie. It seems as if this cookie does not even exist. I am thinking the cookie is somehow hidden and therefore my code can't see it.
    Has anyone faced this issue before? I have tried to decrease the security settings on IE but that doesn't help things. Any help on this issue would be really appreciated!
    Pasted below is a snippet of my code.
        //request is a HttpServletRequest object
        Cookie[] allCookies = request.getCookies();
        cookieFound = false;
        //getCookies() returns null when the request carries no cookies
        int allCookiesLength = (allCookies == null) ? 0 : allCookies.length;
        for (int i = 0; i < allCookiesLength; i++) {
            Log.debug("Cookie Name at " + i + " = " + allCookies[i].getName());
            if (allCookies[i].getName().compareToIgnoreCase("MYSAPSSO2") == 0) {
                SAP_SSO_COOKIE = allCookies[i];
                Log.debug("Cookie Found!");
                cookieFound = true;
                break;
            }
        }
        if (!cookieFound) {
            Log.debug("Cookie NOT Found!");
        }
    Log file output with IE:
    2007.02.07 13:05:31 Cookie Name at 1 = saplb_*
    2007.02.07 13:05:31 Cookie Name at 2 = JSESSIONID
    2007.02.07 13:05:31 Cookie NOT Found!
    Log file output with Firefox:
    2007.02.07 13:54:15 Cookie Name at 0 = saplb_*
    2007.02.07 13:54:15 Cookie Name at 1 = PortalAlias
    2007.02.07 13:54:15 Cookie Name at 2 = JSESSIONID
    2007.02.07 13:54:15 Cookie Name at 3 = MYSAPSSO2
    2007.02.07 13:54:15 Cookie Found!
    Thanks
    MOY

    Michael,
    I changed the parameter "httponlycookie" to FALSE and this works. My issue was that when I set the parameter to FALSE, I restarted my J2EE engine. For some odd reason, after the restart this parameter was set back to TRUE. What's even worse, or maybe even cool, depending on how you look at it, is that this parameter is set back to TRUE even if I close down Visual Admin and fire it up again (without restarting the server). However, in this case SSO still works because the J2EE settings are not updated with this TRUE value. Is there a security setting which sets this parameter back to TRUE every time the server is restarted or when Visual Admin is fired up?
    Thanks
    MOY

  • Terminate Portal User Login with JSessionID or MYSAPSSO2 Cookie

    Dear All,
    I know that we can terminate the session using Visual Administrator.
    Is it possible for the administrator to terminate a logged in portal user programmatically by his/her JSESSIONID or MYSAPSSO2 cookie value or user ID?
    Is it possible for the portal admin to forcibly log out an active user login without logging on to Visual Administrator?
    Regards,
    Eben Joyson

    The only complete mitigation for session hijacking is to run the entire site as SSL. This is Oracle's recommendation if you need a complete mitigation solution. An example of an ATG site running in full SSL is Dennis Kirk (denniskirk.com).
    The problem with doing so is that SSL (a) takes more processing power in the system running the client's browser and (b) incurs latency that degrades the perceived page performance. This is particularly true for consumers running Internet Explorer, where speed-up measures like SPDY are either incomplete or don't work. And for a hard core eCommerce site, slower page performance means that you make less money.
    Most sites, including those that you mention, use a mixture of SSL and non-SSL pages to overcome this. They use non-SSL for those areas of the site where penetration does not have a material negative impact. Browsing catalog pages as an anonymous user, for example. If someone hijacks my session and I'm browsing the catalog anonymously, they're welcome to it. There's nothing private in my session. Even robots can access that content.
    Once I login or go to pages where private information is being exchanged, then you have to secure the session. That's where the protocol switcher servlet comes in. As you authenticate, you switch the user to SSL.
    I've tried a number of additional mitigation steps. Unfortunately I can't discuss them here at this time.
    And none of the servlets that you mention have any benefit with mitigating session hijacking.

  • Calling an Abap Web Service from IBM WebSphere with a MYSAPSSO2 Cookie

    Hello,
    I have the following problem :
    I have to develop a proof of concept between IBM Web Sphere 5.1 and SAP AS JAVA 7.0.
    I have created an IBM servlet in Web Sphere. I use a specific redirect from an SAP AS Java to call it; this way I can have a SAP Logon Ticket, and I manage to call an ABAP module function with JCO with SSO.
    Scenario 1 : browser  + authentication --> AS Java redirect servlet MYSAPSSO2 cookie -> IBM WebSphere servlet JCO -> Abap module function (ECC5)
    This scenario works fine.
    I have to do the same scenario with a Web Service and I don't know what to do.
    I try to use jax-rpc handlers but I don't know how to pass my cookie from my servlet to my handler.
    Scenario 2 : browser + authentication --> AS Java redirect servlet MYSAPSSO2 cookie -> IBM WebSphere servlet JCO -> Abap Web Service (ECC5)
    Has someone already done that?
    Regards,  Julien.

    Julien,
    Why are you using 5.1? Go for 6.0 and it's a cake walk. I have integrated WebSphere 6.0 with R/3 using XI in a week.
    Scenario changed to:--
    Browser+ authentication --> WebSphere AS servlet request --> XI --> RFC/bapi --> abap webService
    Hope that helps
    Regards
    Ravi

  • MYSAPSSO2 cookie - difference user versus portaluser

    Hi all,
    I recognized that the MYSAPSSO2 cookie contains 2 fields for a user id.
    1) the user
    2) the portalUser
    Does anybody know the difference / use cases for those fields?
    Any help is appreciated.
    regards Karin

    Hi Paul,
    thanks for your answer.
    We use an ABAP mandant as user store for SAP EP.
    If the user is stored in the ABAP mandant (which is the case for almost all users, except for some special users), the portaluser and user fields are used.
    If the user is just stored in the local user database of the portal (this is only the case for some admin users), then the user field is empty and only the portaluser field is used.
    I would like to use the MYSAPSSO2 cookie to propagate the user to non-SAP systems. According to your answer, it would make sense to use the user field (and not the portaluser field).
    Regards
    Karin

  • MYSAPSSO2 Cookie

    Can someone tell me why I log into our portal (where SSO works fine) and execute the javascript "document.cookie.indexOf("MYSAPSSO2") > -1", and it cannot find the MYSAPSSO2 cookie? If I look at my cookies (via Firefox add-on), I see the cookie fine. The cookie is also not displayed if I execute javascript:document.cookie.
    Thanks.

    It is simpler to do from server side as follows. Place below line
    inside Page_Load event of any portal component:
       Write(this.Request.Cookies.Get("MYSAPSSO2").Value);

  • Error when trying to retrieve UserName from MySAPSSO2 cookie

    Hi,
    I tried to retrieve the UserName from MySAPSSO2 cookie using the dotnet toolkit, but I keep getting the error "User Not Aunthenticated". I have placed the verify.pse files in a folder called psefiles in the same location as the bin folder of my application.
    I then also tried to directly use Convert.FromBase64String() to read the username from the cookie, but during conversion I get the error "Invalid character in a Base- 64 string"
    Any help is highly appreciated.
    Thanks,
    Kantishree D.

    From the menu bar, select
     ▹ System Preferences ▹ Energy Saver ▹ Power Adapter
    and uncheck the box labeled Put the hard disk(s) to sleep when possible, if it's checked.
    If the drive has more than one interface (USB, FireWire, Thunderbolt, eSATA), try one of the other interfaces.
    Check that the data cable is securely inserted at both ends.
    Try a different cable.
    If you're connecting the drive through a hub, connect it directly to a built-in port on the Mac.
    If you're connecting it directly, try a different port.
    Disconnect all other devices on the bus, or as many as possible.
    Test the drive with another Mac. Test another drive with this Mac.
    If the drive is bus-powered, but has an AC adapter, connect the adapter.
    Start up in Safe Mode and test.
    If the drive doesn't work under any of the above conditions, and if another drive does work with the same Mac, then the drive has failed. You may be able to salvage the mechanism by removing it from the enclosure and installing it in another one, or in a drive dock.

  • Getting the MYSAPSSO2 cookie in the application running in tomcat server

    Hi All
    I am trying to integrate the java application running in tomcat into the portal. For this I have developed a servlet and am trying to get the MYSAPSSO2 cookie in it so that I can validate this ticket.
    Can anyone please help in solving this issue?
    Thanks & Regards
    Ajay

    Hi Ajay,
    Did you solve this problem? how? I need to do this too.
    thanks,
    Daniel Arakawa

  • Information of the MYSAPSSO2 Cookie

    Hello everybody,
    I am working with SSO and I've installed an analyzer tool to look at how the cookies are, under "Information of the MYSAPSSO2 Cookie". The other day it worked, but now it seems that it doesn't work because all parameters show as null.
    How can I know if my portal sends cookies or not?
    Thanks
    Guillermo

    Hi,
    Michael, my portal certificate has not expired; the date shows from Mon Mar 06 20:30:28 CET 2006 to Thu Mar 06 20:30:28 CET 2008 (I didn't want to be rude, but the button was an obvious one for me, thank you).
    I suspect my portal doesn't generate that cookie and I probably have something wrong in the UM configuration. I've read that the parameter ume.usermapping.unsecure=FALSE has to be TRUE, but this parameter is to do with the user mapping method, isn't it?
    Maybe there is another thing in the UM configuration that I don't realize?
    Thanks again.

  • Decrypt MYSAPSSO2 cookie.

    Hi friends,
    I have written a custom java application running on a "non sap j2ee server". In that application, I want to accept and decrypt the MYSAPSSO2 cookie and get the user ID. Is this possible? I did not find any relevant documents for this. Could anyone provide the same?
    Regards,
    Nilz

    Hi Nilz,
    Is your problem solved? I need the solution for the same thing: I need to decrypt the MYSAPSSO2 cookie to get the user ID from it. I need some java code for it.
    I tried to open service.sap.com/swdc, but it asks for a user ID and password to connect to it. What should I do?
    regards,
    bhawna

  • Reading MYSAPSSO2 Cookie using HttpGetterCallback

    Hi,
    I have a custom login module where I'm trying to read the existing SSO ticket and re-authenticate and validate it for returning users. For some reason I was not able to get the cookie value using HttpGetterCallback. Here is the code I'm calling within my code.
    HttpGetterCallback getterCallback = new HttpGetterCallback();
    getterCallback.setType(HttpCallback.COOKIE);
    getterCallback.setName("MYSAPSSO2");
    String token = (String)getterCallback.getValue();
    This always returns null, although I can see in the browser that the cookie does exist. Am I doing something wrong here? Any help is really appreciated.
    Thanks,
    Joe.P

    You may need to implement a callback handler. Please refer to section 2.8 Remote authentication (https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b00a87e5-0601-0010-87a7-9c0456cf8436).
    Other ways to do it: the thread "MYSAPSSO2 cookie" and Zope (http://www.zope.org/Members/Dirk.Datzert/MySapSsoSupport/).

  • Write MYSAPSSO2 cookie

    Hi,
    I would like to write to the user's current browser session a MYSAPSSO2 cookie such as "MYSAPSSO2=AjExMDAgABBwb3". Is there any API I can use to do this?
    Thanks in advance

    Hi,
    Hmm... so you already have a valid cookie and simply want to recreate it from inside the portal. I could think of the following if your system constantly kills the cookie:
    Store the cookie's value somewhere in the user's session and re-generate it with
    IPortalComponentResponse.addCookie()
    (see: https://media.sdn.sap.com/javadocs/preNW04/SP2/60_sp2_javadocs/runtime/com/sapportals/portal/prt/component/IPortalComponentResponse.html#addCookie(javax.servlet.http.Cookie))
    or similar.
    Alternatively, create an additional cookie with identical value but different name (hoping that only the cookie named "MYSAPSSO2" gets killed).
    btw: Have you already found out why the cookie gets killed? This can usually only happen if your application generates a new cookie
    - that is also named MYSAPSSO2
    and
    - that shall be returned to the very same systems (check the cookie's path attribute).
    Some HTTP tracing might make sense here.
    Regards,
    Dominik
