SSO fails with logon ticket
Hi all ,
Could some advice on this .I have some issues with SSO with logon tickets .
My landscape consists of
- EP 6.0 SP on WAS J2EE 6.0
- ECC 5.0 SP7 on WAS ABAP 6.0
I am trying to do SSO between portal and ECC , where in portal is the ticket issuer
and my ECC accepts the ticket . Follwing are the steps I have done .
1. From keystore Administrator , I have downloaded the verity.der .
2. From my ECC system , run STRUSTSS02 transaction and done following activities
a. import the verity.der into certificate area ( selecte dfile format as binary )
b. Added certificate into PSE
c. Add to ACL ( here I have selected my portal SID , client
as 000 ( Do is need to give a different client ???...)
d. Saved everything
3. Then I have created a system object for my ECC system , given all the connector parametrs,
user management as logon ticket and created an alias too .
But when I tested is is failure
I have also created a JCO destination under the webdynpro content admin and selected the
logon ticket as the option , there also the test fails
Could any body advice what am I doing wrong ?
THanks
Aneez
Phani ,
Here is the trace .
M *** BEGIN USER TRACE UID >915< MODE >1< STEP >1< REQID >11685< TIME >053138< DATE >20050805< WP >0< WP_TYPE >DIA< CONV_ID >5028
N dy_signi_ext: SSO TICKET logon (client 110)
N mySAPUnwrapCookie: was called.
N HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.
N HmskiFindTicketInCache: Try to find ticket with cache key: 110:F8906A99658752C18D6007083CC6D4A3 .
N HmskiFindTicketInCache: Couldn't find ticket in ticket cache.
N I don't need to ask RunningCompatibly to know: I'm >= 46C.
N mySAP: Got the following SSF Params:
N DN =CN=DV1
N EncrAlg=DES-CBC
N Format =PKCS7
N Toolkit =SAPSECULIB
N HashAlg =SHA1
N Profile =/usr/sap/DV1/DVEBMGS00/sec/SAPSYS.pse
N PAB =/usr/sap/DV1/DVEBMGS00/sec/SAPSYS.pse
N Got the codepage 4102.
N Got ticket (head) AjExMDAgAA5wb3J0YWw6QUhBTUVFRIgAE2Jhc2lj. Length = 444.
N 00000000 00 41 00 6a 00 45 00 78 00 4d 00 44 00 41 00 67 .A.j.E.x.M.D.A.g
N 00000010 00 41 00 41 00 35 00 77 00 62 00 33 00 4a 00 30 .A.A.5.w.b.3.J.0
N 00000020 00 59 00 57 00 77 00 36 00 51 00 55 00 68 00 42 .Y.W.w.6.Q.U.h.B
N 00000030 00 54 00 55 00 56 00 46 00 52 00 49 00 67 00 41 .T.U.V.F.R.I.g.A
N 00000040 00 45 00 32 00 4a 00 68 00 63 00 32 00 6c 00 6a .E.2.J.h.c.2.l.j
N 00000050 00 59 00 58 00 56 00 30 00 61 00 47 00 56 00 75 .Y.X.V.0.a.G.V.u
N 00000060 00 64 00 47 00 6c 00 6a 00 59 00 58 00 52 00 70 .d.G.l.j.Y.X.R.p
N 00000070 00 62 00 32 00 34 00 42 00 41 00 41 00 41 00 43 .b.2.4.B.A.A.A.C
N 00000080 00 41 00 41 00 4d 00 77 00 4d 00 44 00 41 00 44 .A.A.M.w.M.D.A.D
N 00000090 00 41 00 41 00 4e 00 46 00 55 00 45 00 51 00 45 .A.A.N.F.U.E.Q.E
N 000000A0 00 41 00 41 00 77 00 79 00 4d 00 44 00 41 00 31 .A.A.w.y.M.D.A.1
N 000000B0 00 4d 00 44 00 67 00 77 00 4e 00 54 00 41 00 35 .M.D.g.w.N.T.A.5
N 000000C0 00 4d 00 6a 00 49 00 46 00 41 00 41 00 51 00 41 .M.j.I.F.A.A.Q.A
N 000000D0 00 41 00 41 00 41 00 49 00 43 00 67 00 41 00 41 .A.A.A.I.C.g.A.A
N 000000E0 00 2f 00 77 00 44 00 31 00 4d 00 49 00 48 00 79 ./.w.D.1.M.I.H.y
N 000000F0 00 42 00 67 00 6b 00 71 00 68 00 6b 00 69 00 47 .B.g.k.q.h.k.i.G
N 00000100 00 39 00 77 00 30 00 42 00 42 00 77 00 4b 00 67 .9.w.0.B.B.w.K.g
N 00000110 00 67 00 65 00 51 00 77 00 67 00 65 00 45 00 43 .g.e.Q.w.g.e.E.C
N 00000120 00 41 00 51 00 45 00 78 00 43 00 7a 00 41 00 4a .A.Q.E.x.C.z.A.J
N 00000130 00 42 00 67 00 55 00 72 00 44 00 67 00 4d 00 43 .B.g.U.r.D.g.M.C
N 00000140 00 47 00 67 00 55 00 41 00 4d 00 41 00 73 00 47 .G.g.U.A.M.A.s.G
N 00000150 00 43 00 53 00 71 00 47 00 53 00 49 00 62 00 33 .C.S.q.G.S.I.b.3
N 00000160 00 44 00 51 00 45 00 48 00 41 00 54 00 47 00 42 .D.Q.E.H.A.T.G.B
N 00000170 00 77 00 54 00 43 00 42 00 76 00 67 00 49 00 42 .w.T.C.B.v.g.I.B
N 00000180 00 41 00 54 00 41 00 54 00 4d 00 41 00 34 00 78 .A.T.A.T.M.A.4.x
N 00000190 00 44 00 44 00 41 00 4b 00 42 00 67 00 4e 00 56 .D.D.A.K.B.g.N.V
N 000001A0 00 42 00 41 00 4d 00 54 00 41 00 30 00 56 00 51 .B.A.M.T.A.0.V.Q
N 000001B0 00 52 00 41 00 49 00 42 00 41 00 44 00 41 00 4a .R.A.I.B.A.D.A.J
N 000001C0 00 42 00 67 00 55 00 72 00 44 00 67 00 4d 00 43 .B.g.U.r.D.g.M.C
N 000001D0 00 47 00 67 00 55 00 41 00 6f 00 46 00 30 00 77 .G.g.U.A.o.F.0.w
N 000001E0 00 47 00 41 00 59 00 4a 00 4b 00 6f 00 5a 00 49 .G.A.Y.J.K.o.Z.I
N 000001F0 00 68 00 76 00 63 00 4e 00 41 00 51 00 6b 00 44 .h.v.c.N.A.Q.k.D
N 00000200 00 4d 00 51 00 73 00 47 00 43 00 53 00 71 00 47 .M.Q.s.G.C.S.q.G
N 00000210 00 53 00 49 00 62 00 33 00 44 00 51 00 45 00 48 .S.I.b.3.D.Q.E.H
N 00000220 00 41 00 54 00 41 00 63 00 42 00 67 00 6b 00 71 .A.T.A.c.B.g.k.q
N 00000230 00 68 00 6b 00 69 00 47 00 39 00 77 00 30 00 42 .h.k.i.G.9.w.0.B
N 00000240 00 43 00 51 00 55 00 78 00 44 00 78 00 63 00 4e .C.Q.U.x.D.x.c.N
N 00000250 00 4d 00 44 00 55 00 77 00 4f 00 44 00 41 00 31 .M.D.U.w.O.D.A.1
N 00000260 00 4d 00 44 00 6b 00 79 00 4d 00 6a 00 41 00 31 .M.D.k.y.M.j.A.1
N 00000270 00 57 00 6a 00 41 00 6a 00 42 00 67 00 6b 00 71 .W.j.A.j.B.g.k.q
N 00000280 00 68 00 6b 00 69 00 47 00 39 00 77 00 30 00 42 .h.k.i.G.9.w.0.B
N 00000290 00 43 00 51 00 51 00 78 00 46 00 67 00 51 00 55 .C.Q.Q.x.F.g.Q.U
N 000002A0 00 4e 00 78 00 47 00 53 00 38 00 70 00 65 00 6b .N.x.G.S.8.p.e.k
N 000002B0 00 68 00 62 00 5a 00 32 00 6e 00 79 00 6e 00 61 .h.b.Z.2.n.y.n.a
N 000002C0 00 46 00 4c 00 4b 00 54 00 51 00 2f 00 37 00 43 .F.L.K.T.Q./.7.C
N 000002D0 00 42 00 5a 00 6b 00 77 00 43 00 51 00 59 00 48 .B.Z.k.w.C.Q.Y.H
N 000002E0 00 4b 00 6f 00 5a 00 49 00 7a 00 6a 00 67 00 45 .K.o.Z.I.z.j.g.E
N 000002F0 00 41 00 77 00 51 00 76 00 4d 00 43 00 30 00 43 .A.w.Q.v.M.C.0.C
N 00000300 00 46 00 41 00 32 00 53 00 63 00 53 00 6f 00 71 .F.A.2.S.c.S.o.q
N 00000310 00 4d 00 53 00 51 00 41 00 2f 00 75 00 41 00 42 .M.S.Q.A./.u.A.B
N 00000320 00 70 00 43 00 69 00 61 00 6b 00 6f 00 68 00 69 .p.C.i.a.k.o.h.i
N 00000330 00 68 00 75 00 44 00 79 00 41 00 68 00 55 00 41 .h.u.D.y.A.h.U.A
N 00000340 00 36 00 4e 00 56 00 48 00 43 00 53 00 6b 00 50 .6.N.V.H.C.S.k.P
N 00000350 00 58 00 49 00 52 00 6c 00 63 00 57 00 2b 00 32 .X.I.R.l.c.W.+.2
N 00000360 00 6a 00 41 00 45 00 30 00 31 00 37 00 55 00 62 .j.A.E.0.1.7.U.b
N 00000370 00 61 00 63 00 34 00 3d .a.c.4.=
N Dump of InContext (ssoxxapi.c 155)
N 00000000 00 34 00 31 00 30 00 32 0f ff ff ff ff ff 54 e8 .4.1.0.2.ÿÿÿÿÿTè
N 00000010 00 00 00 01 83 37 73 10 0f ff ff ff ff ff 59 98 .....7s..ÿÿÿÿÿY.
N 00000020 00 00 01 bc 00 00 00 00 00 00 00 01 00 93 ee 8c ...¼..........î.
N 00000030
N Copies from InContext->Format: PKCS7 (ssoxxapi.c 162)
N Copies from InContext->pzcsProName: /usr/sap/DV1/DVEBMGS00/sec/SAPSYS.pse (ssoxxapi.c 165)
N DecodeB64Len returns 0. iDecLength=332
N Dump of Decoded ticket: (ssoxxapi.c 187)
N 00000000 02 31 31 30 30 20 00 0e 70 6f 72 74 61 6c 3a 41 .1100 ..portal:A
N 00000010 48 41 4d 45 45 44 88 00 13 62 61 73 69 63 61 75 HAMEED...basicau
N 00000020 74 68 65 6e 74 69 63 61 74 69 6f 6e 01 00 00 02 thentication....
N 00000030 00 03 30 30 30 03 00 03 45 50 44 04 00 0c 32 30 ..000...EPD...20
N 00000040 30 35 30 38 30 35 30 39 32 32 05 00 04 00 00 00 0508050922......
N 00000050 08 0a 00 00 ff 00 f5 30 81 f2 06 09 2a 86 48 86 ....ÿ.õ0.ò..*.H.
N 00000060 f7 0d 01 07 02 a0 81 e4 30 81 e1 02 01 01 31 0b ÷.... .ä0.á...1.
N 00000070 30 09 06 05 2b 0e 03 02 1a 05 00 30 0b 06 09 2a 0...+......0...*
N 00000080 86 48 86 f7 0d 01 07 01 31 81 c1 30 81 be 02 01 .H.÷....1.Á0.¾..
N 00000090 01 30 13 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 .0.0.1.0...U....
N 000000A0 45 50 44 02 01 00 30 09 06 05 2b 0e 03 02 1a 05 EPD...0...+.....
N 000000B0 00 a0 5d 30 18 06 09 2a 86 48 86 f7 0d 01 09 03 . ]0...*.H.÷....
N 000000C0 31 0b 06 09 2a 86 48 86 f7 0d 01 07 01 30 1c 06 1...*.H.÷....0..
N 000000D0 09 2a 86 48 86 f7 0d 01 09 05 31 0f 17 0d 30 35 .*.H.÷....1...05
N 000000E0 30 38 30 35 30 39 32 32 30 35 5a 30 23 06 09 2a 0805092205Z0#..*
N 000000F0 86 48 86 f7 0d 01 09 04 31 16 04 14 37 11 92 f2 .H.÷....1...7..ò
N 00000100 97 a4 85 b6 76 9f 29 da 14 b2 93 43 fe c2 05 99 .¤.¶v.)Ú.².CþÂ..
N 00000110 30 09 06 07 2a 86 48 ce 38 04 03 04 2f 30 2d 02 0...*.HÎ8.../0-.
N 00000120 14 0d 92 71 2a 2a 31 24 00 fe e0 01 a4 28 9a 92 ...q**1$.þà.¤(..
N 00000130 88 62 86 e0 f2 02 15 00 e8 d5 47 09 29 0f 5c 84 .b.àò...èÕG.)..
N 00000140 65 71 6f b6 8c 01 34 d7 b5 1b 69 ce eqo¶..4×µ.iÎ
N Read version.
N Read Codepage.
N Read InfoUnit (0x20).
N Read length (14).
N Read contents.
N Read InfoUnit (0x88).
N Read length (19).
N Read contents.
N Read InfoUnit (0x01).
N Read length (0).
N Read contents.
N Read InfoUnit (0x02).
N Read length (3).
N Read contents.
N Read InfoUnit (0x03).
N Read length (3).
N Read contents.
N Read InfoUnit (0x04).
N Read length (12).
N Read contents.
N Read InfoUnit (0x05).
N Read length (4).
N Read contents.
N Read InfoUnit (0x0A).
N Read length (0).
N Read contents.
N Read InfoUnit (0xFF).
N ParseTicket returns 0. (ssoxxapi.c 199)
N Bytes processed: 85 (ssoxxapi.c 202)
N Argument Dump for ticket verification:
N Content byte stream:
N 00000000 02 31 31 30 30 20 00 0e 70 6f 72 74 61 6c 3a 41 .1100 ..portal:A
N 00000010 48 41 4d 45 45 44 88 00 13 62 61 73 69 63 61 75 HAMEED...basicau
N 00000020 74 68 65 6e 74 69 63 61 74 69 6f 6e 01 00 00 02 thentication....
N 00000030 00 03 30 30 30 03 00 03 45 50 44 04 00 0c 32 30 ..000...EPD...20
N 00000040 30 35 30 38 30 35 30 39 32 32 05 00 04 00 00 00 0508050922......
N 00000050 08 0a 00 00 ....
N
N Signature byte stream:
N 00000000 30 81 f2 06 09 2a 86 48 86 f7 0d 01 07 02 a0 81 0.ò..*.H.÷.... .
N 00000010 e4 30 81 e1 02 01 01 31 0b 30 09 06 05 2b 0e 03 ä0.á...1.0...+..
N 00000020 02 1a 05 00 30 0b 06 09 2a 86 48 86 f7 0d 01 07 ....0...*.H.÷...
N 00000030 01 31 81 c1 30 81 be 02 01 01 30 13 30 0e 31 0c .1.Á0.¾...0.0.1.
N 00000040 30 0a 06 03 55 04 03 13 03 45 50 44 02 01 00 30 0...U....EPD...0
N 00000050 09 06 05 2b 0e 03 02 1a 05 00 a0 5d 30 18 06 09 ...+...... ]0...
N 00000060 2a 86 48 86 f7 0d 01 09 03 31 0b 06 09 2a 86 48 .H.÷....1....H
N 00000070 86 f7 0d 01 07 01 30 1c 06 09 2a 86 48 86 f7 0d .÷....0...*.H.÷.
N 00000080 01 09 05 31 0f 17 0d 30 35 30 38 30 35 30 39 32 ...1...050805092
N 00000090 32 30 35 5a 30 23 06 09 2a 86 48 86 f7 0d 01 09 205Z0#..*.H.÷...
N 000000A0 04 31 16 04 14 37 11 92 f2 97 a4 85 b6 76 9f 29 .1...7..ò.¤.¶v.)
N 000000B0 da 14 b2 93 43 fe c2 05 99 30 09 06 07 2a 86 48 Ú.².CþÂ..0...*.H
N 000000C0 ce 38 04 03 04 2f 30 2d 02 14 0d 92 71 2a 2a 31 Î8.../0-....q**1
N 000000D0 24 00 fe e0 01 a4 28 9a 92 88 62 86 e0 f2 02 15 $.þà.¤(...b.àò..
N 000000E0 00 e8 d5 47 09 29 0f 5c 84 65 71 6f b6 8c 01 34 .èÕG.)..eqo¶..4
N 000000F0 d7 b5 1b 69 ce ×µ.iÎ
N Encoded content byte stream:
N 00000000 30 63 06 09 2a 86 48 86 f7 0d 01 07 01 a0 56 04 0c..*.H.÷.... V.
N 00000010 54 02 31 31 30 30 20 00 0e 70 6f 72 74 61 6c 3a T.1100 ..portal:
N 00000020 41 48 41 4d 45 45 44 88 00 13 62 61 73 69 63 61 AHAMEED...basica
N 00000030 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 01 00 00 uthentication...
N 00000040 02 00 03 30 30 30 03 00 03 45 50 44 04 00 0c 32 ...000...EPD...2
N 00000050 30 30 35 30 38 30 35 30 39 32 32 05 00 04 00 00 00508050922.....
N 00000060 00 08 0a 00 00 .....
N Verify returns 0 (ssoxxsgn.c 189)
N Certificate is:
N 00000000 30 82 02 1d 30 82 02 08 02 01 00 30 09 06 07 2a 0...0......0...*
N 00000010 86 48 ce 38 04 03 30 0e 31 0c 30 0a 06 03 55 04 .HÎ8..0.1.0...U.
N 00000020 03 13 03 45 50 44 30 1e 17 0d 30 35 30 37 30 35 ...EPD0...050705
N 00000030 31 31 34 30 35 30 5a 17 0d 30 37 30 37 30 35 31 114050Z..0707051
N 00000040 31 34 30 35 30 5a 30 0e 31 0c 30 0a 06 03 55 04 14050Z0.1.0...U.
N 00000050 03 13 03 45 50 44 30 82 01 b6 30 82 01 2b 06 07 ...EPD0..¶0..+..
N 00000060 2a 86 48 ce 38 04 01 30 82 01 1e 02 81 81 00 82 *.HÎ8..0........
N 00000070 7d d4 9c a2 05 69 84 e9 83 71 b1 34 0d 5d 71 83 }Ô.¢.i.é.q±4.]q.
N 00000080 92 85 b2 5a ca a3 82 d7 ac 38 6e 94 40 84 3f 0a ..²ZÊ£.׬8n.@.?.
N 00000090 46 7a a8 75 a8 c1 ca 3b 70 ba 6a 97 07 12 f6 b1 Fz¨u¨ÁÊ;pºj...ö±
N 000000A0 99 ed 3e ec 53 13 f3 94 0a 67 bb d6 9f 38 72 29 .í>ìS.ó..g»Ö.8r)
N 000000B0 61 ab 02 3d 17 a1 33 3c 52 23 5d 9f b7 d1 0e 95 a«.=.¡3<R#].·Ñ..
N 000000C0 e3 a5 5e f9 b0 4f c7 c9 20 c5 72 da 7a c3 d5 0f ã¥^ù°OÇÉ ÅrÚzÃÕ.
N 000000D0 24 0d bb 8e 54 da 9e bb 70 21 11 c5 35 82 e5 35 $.».TÚ.»p!.Å5.å5
N 000000E0 85 2e 9f 59 39 79 b3 32 50 c8 86 83 96 19 17 02 ...Y9y³2PÈ......
N 000000F0 15 00 fa 50 79 da fa 3f 3a b1 e8 0a 6d f5 bd 16 ..úPyÚú?:±è.mõ½.
N 00000100 f2 24 d8 f8 d7 1b 02 81 80 4f bd f5 2e 33 04 f0 ò$Øø×....O½õ.3.ð
N 00000110 51 c1 7c a5 5c 93 81 b5 c1 7d 4c 20 50 76 85 34 QÁ|¥..µÁ}L Pv.4
N 00000120 50 cf d9 fc 72 b2 e1 b2 b1 6f a0 10 48 b8 ff 17 PÏÙür²á²±o .H¸ÿ.
N 00000130 e7 a9 0a e1 e0 18 05 3e 34 d9 d5 61 df 71 4c c8 ç©.áà..>4ÙÕaßqLÈ
N 00000140 dc 92 b1 51 b5 df 66 59 70 6b 5e 57 c3 19 a2 d6 Ü.±QµßfYpk^WÃ.¢Ö
N 00000150 58 3b 7d 32 d2 e9 e1 f1 66 3e aa ac 46 0d cd 4e X;}2Òéáñf>ª¬F.ÍN
N 00000160 67 70 36 f7 f9 be 0b 2e 16 a0 5d 69 5d 5b 81 13 gp6÷ù¾... ]i][..
N 00000170 a9 03 cb 38 63 56 1a bd 36 4a 5d 6c 15 66 17 fa ©.Ë8cV.½6J]l.f.ú
N 00000180 10 a3 20 99 e1 d2 34 77 13 03 81 84 00 02 81 80 .£ .áÒ4w........
N 00000190 6b a6 d4 4e e8 03 f6 f1 35 83 fb 37 01 1f 3c 5c k¦ÔNè.öñ5.û7..<
N 000001A0 8e 75 ad 1f 2d b3 9b 69 4f b3 a3 36 b6 9f 38 07 .u..-³.iO³£6¶.8.
N 000001B0 fe bf f1 0b ca 24 fe 5c a7 33 a1 55 c9 65 c5 4c þ¿ñ.Ê$þ\u00A73¡UÉeÅL
N 000001C0 97 a1 e7 58 d1 47 7f 72 36 47 bf f4 cc 6d 12 14 .¡çXÑG.r6G¿ôÌm..
N 000001D0 cc 61 be 82 b5 50 be 16 7a cc 4d 47 1e 80 2f 6d Ìa¾.µP¾.zÌMG../m
N 000001E0 2e d4 19 69 80 e6 26 13 23 4f 07 0a 9c 87 13 91 .Ô.i.æ&.#O......
N 000001F0 7b 75 57 93 e1 8d 42 5f 28 47 e2 61 27 6d 0c 4c {uW.á.B_(Gâa'm.L
N 00000200 55 99 37 33 cc 92 c0 b9 06 d1 99 68 d0 17 c1 4d U.73Ì.À¹.Ñ.hÐ.ÁM
N 00000210 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 03 01 0...*.H.÷.......
N 00000220 00 .
N ValidateTicket returns 0. (ssoxxapi.c 225)
N MskiValidateTicket returns 0.
N Next node:
N 00000000 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000100 00 00 00 00 00 00 00 00 00 00 00 01 84 e7 8a 10 .............ç..
N 00000110 00 00 00 00 00 00 00 00 ........
N Next node:
N 00000000 02 00 30 00 30 00 30 00 00 00 00 00 00 00 00 00 ..0.0.0.........
N 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000100 00 00 00 06 00 03 00 00 00 00 00 01 84 e7 95 10 .............ç..
N 00000110 00 00 00 01 84 e4 37 b0 .....ä7°
N Next node:
N 00000000 03 00 45 00 50 00 44 00 00 00 00 00 00 00 00 00 ..E.P.D.........
N 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000100 00 00 00 06 00 03 00 00 00 00 00 01 85 0e cd 30 ..............Í0
N 00000110 00 00 00 01 84 e7 8a 10 .....ç..
N Next node:
N 00000000 04 00 32 00 30 00 30 00 35 00 30 00 38 00 30 00 ..2.0.0.5.0.8.0.
N 00000010 35 00 30 00 39 00 32 00 32 00 00 00 00 00 00 00 5.0.9.2.2.......
N 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000100 00 00 00 18 00 0c 00 00 00 00 00 01 85 0e d0 b0 ..............а
N 00000110 00 00 00 01 84 e7 95 10 .....ç..
N Next node:
N 00000000 05 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000100 00 00 00 04 00 00 00 00 00 00 00 01 85 0f 76 90 ..............v.
N 00000110 00 00 00 01 85 0e cd 30 ......Í0
N Next node:
N 00000000 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000100 00 00 00 00 00 00 00 00 00 00 00 01 84 0a a6 30 ..............¦0
N 00000110 00 00 00 01 85 0e d0 b0 ......а
N Next node:
N 00000000 20 70 6f 72 74 61 6c 3a 41 48 41 4d 45 45 44 00 portal:AHAMEED.
N 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000100 00 00 00 0e 00 00 00 00 00 00 00 01 84 0b 7a 10 ..............z.
N 00000110 00 00 00 01 85 0f 76 90 ......v.
N Next node:
N 00000000 88 62 61 73 69 63 61 75 74 68 65 6e 74 69 63 61 .basicauthentica
N 00000010 74 69 6f 6e 00 00 00 00 00 00 00 00 00 00 00 00 tion............
N 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000100 00 00 00 13 00 00 00 00 00 00 00 00 00 00 00 00 ................
N 00000110 00 00 00 01 84 0a a6 30 ......¦0
N Got content client = 000.
N Got content sysid = EPD .
N No entry in TWPSSO2ACL for SYS EPD and CLI 000.
N CheckSubject failed (rc=19). Verifying if ticket was issued by me.
N *** ERROR => System ID and client from ticket are not the same than mine. (ssoxxkrn.c 798)
N Data from ticket: sysid=EPD , client=000
N My system data: sysid=DV1 , client=110
N *** ERROR => Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL. (ssoxxkrn.c 804)
N dy_signi_ext: issuer not trusted
M *** END USER TRACE NAME >SAPSYS < UID >915< MODE >1< STEP >1< TIME >053139< DATE >20050805< WP >0< WP_TYPE >DIA<
Thanks
Aneez
Similar Messages
-
Not able to activate SSO with logon tickets...
Hi all,
I configured SSO with logon tickets on a new installation of EP 7.0 Nw 2004s SR2.
The target R3 server is in a different domain. But i added the certificate receiver portal server address in the UME service entries.
But when i try to test it, it is showing the password entry login screen.
Is there any changes i need to make to the logon stacks?
Given below are the major steps i completed.
1. Created RFC destination in portal
2. Created RFC destination for portal in R3
3. Exported verify.der certificate to R3.
4. Added necessary entries for R3 sever in the portal security providers list.
5. Restarted portal j2ee instance.
Did I miss out any required steps?
I doubt whether logon tickets are generated from the portal , since it directly shows the normal login screen when i test.
Can anyone help me on this?
Thanks in advance
ShobinHi,
Thanks alot for your reply.
I checked sso2. The connection fails there. But long back, we had created another destination in the R3 system to use in a different portal instance. There, SSO works fine. Even this destination also fails when checked through sso2.
I login to portal with administrator rights which has the same user id in R3 also. Please note that both these systems are in different domain. But I have added another host name in ume.service.login property which is already set up for SSO with the target R3 system.
When i test SSO, i am not getting any error messages regarding the certificate or logon ticket. It simply ask me for a user name and password.
Is there any change i have to do in logon stacks to give preference to logon tickets?
Thanks alot
Shobin -
SSO with Logon Ticket to non-SAP Unix based application
Hi all,
Anyone has implemented SSO with Logon Ticket to a Unix box ?
We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
-> Are there any Java libraries that are available to both:
. verify the logon ticket with the deployed Portal public key
. decrypt/extract the authenticated username from this ticket ??
I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000 !! Anyone has more information about this ?
Any hint is very much appreciated.
Thanks a lot
OlivierCheck these links for reference regarding AIX and Apache using X.509 certificates:
http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
And just using cookies -
http://forums.devshed.com/archive/t-105611 (perl based)
You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
Nick
Nick -
SSO to SAP R3 thru ITS 6.20 with Logon tickets
Hi All,
I am trying to configure SSO to R3 thru ITS with the Logon Tickets.
I have configured R3 to accept the tickets using STRUSTSSO2.
Downloaded the verify.der file from Portal and imported to R3
And tried to test the System connection.
If I use <b>SAP GUI for Windows</b>,the logon ticket is passed and SSO happens
with out any problem.
But If I use <b>SAP GUI for html</b>,then ITS Logon screen appears and once I
enter the user id and password it logs in.
In ITS global.srvc file I have added the following parameter
<b>~mysapcomusesso2cookie 1</b>
I also have the following parameters in the global.srvc file
<b>~login <space>
~password <space></b>
Do I need to configure any thing more in ITS.
Where am I going wrong.
I have read regarding <b>Pluggable Authentication Service(PAS)</b>.Is this mandatory for SSO thru ITS
Please let me know
I am working on EP6 SP14
Any help is really appreciated
Thanks in advance
Regards,
SanthoshHi,
IWithin System definition of R/3 System, you've to give the FQDN of ITS just same as Portal system. For example if your Portal system's FQDN is below:
http://portal.hedehode.com:50000/irj
then the ITS Server definition (parameter ITS Hostname) must be:
itsserver.hedehode.com:port
for portal to resolve itsserver.hedehode.com host, you may need to enter its IP address into hosts (c:\windows\system32\drivers\etc\hosts) file of portal system.
<ip> itsserver.hedehode.com -
Problem with logon ticket on a cluster J2EE environment.
Hi Experts,
We have a Portal system with one J2EE node running which issues logon ticket to do SSO into our R/3 4.6 system.
After we added another node into the J2EE cluster on another machine, we have problem SSO into our R/3 system if you login to that new node, but everything works fine if user login into the original node directly.
I checked the keystore in EP on both nodes and they look exactly the same.
do we need to do anything for this to work? any help much appreciated!
Thanks
Jerry.Interesting, can you see the system landscape def from both nodes? If so, are the connection test results the same from both nodes?
Regards,
Patrick -
SOAP to SOAP principal propagation with logon tickets
I have configured a scenario using soap sender to soap receiver with an integrated configuration on PI 7.1. It is synchronous CE 7.11<->PI 7.10<->ECC 6.0. The scenario works with basic authentication. If I enable principal propagation on the sender side it still works fine. Now I have activated principal propagation on the receiver side and I get the following error in the message audit log:
<p/>
<pre>
2010-05-07 09:01:50 Information MP: entering1
2010-05-07 09:01:50 Information MP: processing local module localejbs/sap.com/com.sap.aii.af.soapadapter/XISOAPAdapterBean
2010-05-07 09:01:50 <b>Information SOAP: request message entering the adapter with user DAMZOG.JOCHE </b>
2010-05-07 09:01:50 Information SOAP: request message leaving the adapter (call)
2010-05-07 09:01:50 Information The application tries to send an XI message synchronously using connection SOAP_http://sap.com/xi/XI/System.
2010-05-07 09:01:50 Information Trying to put the message into the call queue.
2010-05-07 09:01:50 Information Message successfully put into the queue.
2010-05-07 09:01:50 Information The message was successfully retrieved from the call queue.
2010-05-07 09:01:50 Information The message status was set to DLNG.
2010-05-07 09:01:50 Information Delivering to channel: SOAP_MRByID_In5_R
2010-05-07 09:01:50 <b>Information SOAP: request message entering the adapter with user J2EE_GUEST</b>
2010-05-07 09:01:50 Fehler SOAP: call failed: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found.
2010-05-07 09:01:50 Fehler SOAP: error occured: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found.
2010-05-07 09:01:50 Fehler Adapter Framework caught exception: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found.
2010-05-07 09:01:50 Fehler The message was successfully transmitted to endpoint com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found. using connection SOAP_http://sap.com/xi/XI/System.
2010-05-07 09:01:50 Fehler The message status was set to FAIL.
</pre>
<p/>
Any ideas what could be wrong?
Edited by: Jochen Damzog on May 7, 2010 9:02 AM
Edited by: Jochen Damzog on May 7, 2010 9:06 AM
Edited by: Jochen Damzog on May 7, 2010 9:22 AMThe problem was due to the channels being not in the most recent state. A simple restart of the soap sender channel did the job.
-
SSO to non SAP Application using SAP Logon Ticket
Hi Experts,
I Have EP 7 SP 15 using SPNego Wizard to SSO with Active Directory and SSO between EP and ECC using SAP Certificates.
Now I have a demand to SSO some JAVA based applications (non SAP) to my portal using the SAP Logon Ticket.
I Have followed some blogs that directed me to use SAPSSOEXT (some libs) to read the MYSAPSSO2 cookie. The problem is that I didn't found this cookie, I even executed the command javascript:document to look for this cookie but the browser just show me the JSESSIONID info.
Does anybody knows where I can find this cookie or if there's a better way to set up this SSO? It´s necessary to say that I cannot SSO these application to the kerberos protocol because some security reasons on my company.
Thanks
ArmandoHi,
I dont have much info related but i can giv u hint
refer OSS Notes 442401 and 723896.
When using SAP logon tickets for non-SAP applications, two different implementation options are available. The difference lies in where the ticket verification takes place.
In the first case, the SAP logon ticket is submitted to the web server filter located on the web server. The web server filter verifies the portal serveru2019s public key
certificate using its local Personal Security Environment (PSE) and then populates the HTTP header field with the user ID for SSO to the non-sap web application.
In the second case, the SAP logon ticket is sent to the non-SAP application, which then verifies it using the ticket verification DLL and submits the user ID to the application for SSO.
You can refer following link :-
http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm
user authentication and SSO
http://help.sap.com/saphelp_nw70/helpdata/EN/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
Authentication Using a Directory with SSO Integration Using Logon Tickets
http://help.sap.com/saphelp_nw70/helpdata/EN/f8/3b514ca29011d5bdeb006094191908/frameset.htm
SSO
SAP Logon Ticket-based Single Sign-On
http://help.sap.com/saphelp_nwce10/helpdata/en/45/b6af743753003ae10000000a11466f/frameset.htm -
SSO-Logon from mobile device - create logon ticket from WebDynpro for Java
Hi Experts,
I'm developing WebDynpro-JAVA application for some warehouse stuff (runs on a portal system, clients are mobile barcode-scanners with Windows mobile 5.0). JCOs from the portal system to the R/3-backend are confirgured for SSO with Logon-tickets and portal uses LDAP for authentication against a Windows-ADS.
This works so far ... but my problem is the standard Logon-screen, which is nearly unusable on the mobile device (screen size, layout, etc.). Is there any solution to create logon-tickets directly from the WebDynpro application (using something from com.sap.engine.interfaces.security.auth or similar ?) or any chance to have a special logon screen for mobile devices (parameter sap-wd-client=Pie03Client is ignored for the logon screen).
Thanks in advance.
regards,
HendrikHi Henrik,
Did you find the solution to your problem ?
I'm facing the same issue, so I'd be pleased to know the solution!
Regards
Stekam -
SSO to Web Service using SAP Logon Ticket
Hi,
I have to do SSO using SAP Logon Ticket between my portal and a Java Web Service that is accessible over internet. I do have the WSDL file of this Web Service.
I want to know:
1. What changes are required in Web Service to configure it to read and accept Logon Ticket?
2. What am I supposed to do at portal end to enable this process?
Thanks,
VivekHi Vivek & Raja,
> is it that if the WS is a third party WS and running on a Non-SAP J2EE Server,
> we can't implement SSO from Portal to it using SAP Logon Ticket?
Right, if you cannot extend it's functionality, how should it do the ticket verification...
@Raja:
> SAP Logon Ticket is for authenticating to a SAP system, since yours in a
> thirdparty ws, there is not need of SAP logonticket.
On the other hand, that's not true. It is possible as well as often done to verify the SSO ticket on some third party system. This is also supported, for Java as well as for other systems, different articles about such scenarios have been published, also here on SDN.
Hope it helps
Detlev
PS: Vivek, please consider rewarding points for helpful answers on SDN. Thanks in advance! -
Error in the configuration for sap logon tickets
Hi Forum,
I use Tcode crmd_order_bp to see the BP cockpit and the error message displays as
<b>Error in the configuration for SAP logon tickets</b>
But if I click "Yes", system displays cockpit.
How can I avoid this error.
Thanks in advance
Regards
ShridharYou will still need to configure SSO (either by logon ticket or username/password). The data source access is done using the username/password configured in the UM Config dialog box.
I can see where you're coming from with your thinking, however logon-ticket-based SSO is probably the best approach.
Cheers,
Darren. -
Hi all,
I am using EP6 here and ECC5. I am using SSO with logon tickets.
My logon ticket has expired. So i have to make a new one in visual administrator.
But it is not letting me delete that or not even rename that.
It gives an error message. I cant copy the error mesage that comes. And I cant find the same error in any file. may be i missed some file. Tell me where can i find that error so that i can paste the error message here.
Please tell me how too delete the logon ticket
Thanks
Tajinderhi tajiinder,
Configuring the J2EE Engine to Accept Logon Tickets
Use
The J2EE Engine uses EvaluateTicketLoginModule to accept logon tickets for SSO. After receiving the logon ticket from the users Web browser, the J2EE Engine verifies the ticket signature based on the established trust relationship with the issuing system. Based on the ticket validity, the J2EE Engine authenticates the user.
For the case when you use authentication assertion tickets for SSO between the AS ABAP and the J2EE Engine, the corresponding module is EvaluateAssertionTicketLoginModule.
Prerequisites
To check the validity of a users logon ticket, the J2EE Engine must be able to verify the issuing servers digital signature.
● If the J2EE Engine is both the ticket-issuing server as well as the accepting server, then it can automatically verify its own digital signature.
● If the ticket-issuing server is a different one, then this servers public-key certificate must be available in the keystore view that the J2EE Engine uses for verifying logon tickets.
Procedure
The Trusted Systems ® SSO Wizard configuration functions of the SAP NetWeaver Administrator enable you to use wizard-based management of trust relationships for SSO with logon and assertion tickets. The configuration changes made with the wizard have a global effect for ticket-based SSO to the J2EE Engine.
1. Open the SSO Wizard.
Note the following:
○ If the ticket-accepting system is SAP NetWeaver 7.0 SP14 or higher, you can access the SSO Wizard by following the path System Management ® Configuration ® Trusted Systems.
○ If the ticket-accepting system is SAP NetWeaver 7.0 SP 13 or lower, first you must deploy the SSO Wizard. More information: SAP note 1083421.
The system which you configure is displayed in the Selected Accepting System section.
There are two ways to add a trusted system:
○ By connecting to the system and requesting its certificate.
If the ticket-issuing system is SAP NetWeaver 2004 SP20 or lower, or SAP NetWeaver 7.0 SP13 or lower, you must configure it so it can send a response to the certificate request. More information: SAP note 1083421.
○ By manually uploading the certificate of the system.
Adding a Trusted System by Connecting to It
a. In the Trusted Systems section, choose Add Trusted System ® By Querying Trusted System.
b. The System Landscape Directory (SLD) opens automatically and lets you select the system you want to add. Select the system and choose OK. The connection details for the selected system are displayed automatically.
If you cannot find the system you want to add, choose Cancel and provide the connection details:
i. Select the type of the system from the System Type dropdown list.
ii. Enter the necessary connection details.
If you want to add an AS ABAP system, the field System Number appears. You can get the system number of an ABAP system by its license key which you received from SAP.
c. Enter your user name and password in the provided fields and choose Next.
d. The details about the selected systems certificate appear. To add the system, choose Finish. If you want to make changes, choose Back.
Adding a Trusted System by Manually Uploading its Certificate
Before you start the following procedure, you must export the trusted systems certificate. More information: Exporting the Ticket-Issuing Server's Public-key Certificate.
a. In the Trusted Systems section choose Add Trusted System ® By Uploading Certificate Manually.
b. Enter the System ID and Client in the provided fields.
c. Browse to the location of the systems certificate. Select the certificate and choose Open.
d. Choose Next. The information about the system and the certificate is displayed. To add the system as trusted, choose Finish. If you want to make changes, choose Back.
2. Add the login module EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) to the login module stacks for the J2EE Engine policy configurations of the application components that accept login tickets for SSO. To do this, use the Security Provider Service of the Visual Administrator.
a. In the Security Provider Service choose Runtime ® Policy Configurations ® Authentication tab.
b. Select the policy configuration for the application component to accept logon tickets from the Components list.
c. Choose the Switch to edit mode button.
d. Choose Add New. The list of available login modules for the component appears.
e. Choose the EvaluateTicketLoginModule (or EvaluateAssertionTicketLoginModule) from the list and choose OK.
If you change the options of a login module in the user store, the changes will be inherited by all policy configurations that use this login module.
If you change the options of a login module in a single policy configuration, the change applies only to that policy configuration. In this case the login module will no longer inherit its options from the user store. To restore the inheritance change the options in the policy configuration or in the user store so that they are identical.
Result
After you complete the wizard, the ticket-issuing system is shown in the Trusted Systems list. The J2EE Engine accepts logon tickets that have been issued by the corresponding server.
if you have douts pls go thru the following urls
help.sap.com/saphelp_nw04/helpdata/en/71/c3d53a60ad204ce10000000a114084/content.htm - 30k
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/69d95112-0d01-0010-8297-fa31feea26e0
thanks karthikeya
dont forget to reawrd me if it helps you -
Problem about logon ticket cookie
Hi all,
We have just set up trust between two portals.And we want to archive this:
One user log on a portal(consumer) and he can logon another(producer) with logon ticket.
But one problem is:
One user log on consumer and access the producer.Then he log off consumer without closing the browser.another user log on consumer,and when he enter the producer.The cookie in producer is the former user's information.
When somebody logoff the portal. The logon ticket doesn't expire.Then another user log on. The cookie never updates?
OK..One can close the browser to kill the cookie.But this is such a potential security problem.
Is there something to explain this?
Is there any idea to solve this?
best regards,
delma
Message was edited by:
delma maProducer portal always knows the consumer as trusted one.
Well the SLT is actually a HTTP Cookie issued by the portal system to client browser after a successful logon. It contains portal user name, expiry time and target system identification signed by portal secure certificate.
The logon procedure looks like so:
User (XXX) calls the portal1(Consumer)
Portal1 responds with logon page
User sends the creditentials to the portal1
Portal sends back some cookies to the user in 3-4 HTTP roundtrips.
One of this cookies is the SAP Logon Ticket.
User (XXX) contacting portal2 (Producer) sends the SAP Logon Ticket along the HTTP to that system.
This cookie is then send by the browser in all subsequent HTTP calls done by the browser in this session.
Here it explains the SLT is on the client's browser.
The recievier system (portal2) - called on the HTTP port, when properly configured checks the portal certificate with the one stored and then authorizes the user.
The SLT does not verify the user machine, only it's name anyone fetching the SLT can use it to access other systems in landscape.
Means of protection
1.Using HTTPS so the SLT is not available to third party
2.Additional authorization - for example NTLM
Cheers
biroj........... -
SSO using Kerberos with SAP Logon Tickets
Hi,
I am creating a Repository Manager for the Portal Knowledge Management System and I want to use SSO to a backend IIS application and I have a few questions here.
I have a three tiered architecture.
A. The presentation tier (SAP Portal which has my Repository Manager implementation)
B. ASP.NET web service data layer.
C. Backend document management system which runs on IIS.
I have installed the ISAPI filter on my ASP.NET application server and have enabled this HOST account for delegation in MSAD 2003. Server B will use Kerberos constrained delegation to access Server C, which is an IIS backend server.
My question is how do I pass an SAP Logon Ticket to an ASP.NET web service request from my Repository Manager implementation? Basically how do I just make an HTTP request to an ASP.NET application from some portal iView or WebDynPro code and pass along the SAP Logon Ticket in the request so it can be interpreted by the ISAPI filter on the IIS server. Does anyone have any sample code or an application here that does this?
Thanks,
ScottHi Scott
Did you managed to find out anything regarding how to pass SAP Logon ticket to ASP.NET Webservice. Can you share it with me?
regards
ram -
SSO with SAP logon tickets to non-SAP web app
I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work. I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal. Anyone tried similar?
CindyHi Cindy,
If it is EP6 SP2 probably you can checkout the following document.
http://service.sap.com/ep60
Go to Documentation Help>How-To-Guides>Current How To Guides section.
checkout the following how to guide.
Perform Cross Domain SSO with SAP Logon tickets zip file.
If you want the zip file please send an e-mail to
[email protected]
Regards
-Venkat Malempati -
Problem about SSO using logon ticket with user mapping
Hi everyone ,
I had done SSO with Portal , BW and R/3 system.
I use logon ticket with user mapping .
When user name is same in Portal as in R/3 system, or user name is same in Portal as in BW , user can access R/3 transactions and BW report without logon.
There are some Portal users name which are different with R/3 user and BW user. And I done the user mapping for these user.
But some user mapping works fine,but most of them can't work,means that most of them need to enter mapped user ID and password.
What's the reason?
When SSO using logon ticket with user mapping, the Portal user which is different with R/3 user and BW user, can they access R/3 transaction iview and BW report iview without logon?Hi Chen,
What you have done is correct. But the problem lies here.
Since you are using the same system object for accessing the iview, where the ticket method is set to SAPLOGONTICKET in the user Management property of the system object.
To avoid this create another system object like the previous one but set the logon method to UIDPW and select admin, user from the drop down box. Also create a system alias for this system.
Now create another iview like the previous one but link this iview to the new system. Now do the user mapping for the users which are different in portal compared with R/3. Now you should be able to login without any problems.
Another important point is login to portal with Fully qualified domain name. In the ITS property of the system object also give the FQDN.
Hope this helps
Regards
Arun
Maybe you are looking for
-
Trouble with Creative Cloud and After Effects
Hello, I'm having a lot of trouble lately with the Creative Cloud desktop application. I've uninstalled and reinstalled it several times and it keeps getting stuck here: And nothing loads! I was also having a problem with After Effects. Every time I'
-
How do I fix the error message that a USB is taking up too much energy on my Macbook Pro?
Whenever I plug in my iPhone5 to my Macbook Pro, an error message comes up saying that "the USB is taking too much power and will be automatically disconnected".
-
SEM BSC - Exception while mapping value fiels to datasource
Hi All, I am facing an Exception error while trying to get the value field mapped with Datasource by clicking the "Refresh Data Sources" in Value field tab of Measure definition of the Balance scorecard. The Exception is : An exception with the type
-
Change Android Device Name Using RD client - Is it possible?
Hello guys, i am having a problem. I configured my RDC on windows server just fine, i can acess it through ddns.net without any problems. However, i have some software installed on my windows server that only works with pre-authorized PC-NAME ... so
-
Audio output problem in Mountain Lion
I just downloaded and installed Mountain Lion on my late 2008 MacBook Pro 15 inch. And I ran into a problem with the audio output of my computer. The first thing I noticed when I logged in after I installed OS X Mountain Lion was that the speaker ico