Solved: SSO with ABAP in Eclipse

Former Member · ‎04-11-2014

To begin with, I'm quite new to SAP and have little to no knowledge in ABAP and the whole SAP environment. I must also say that, just from the looks, our SAP never made me want to look deeper into it - it just seems old and inconvenient. Nevertheless, I'm "testing" ABAP in Eclipse; so far I'm impressed. Compared to the rusty workbench, this finally seems like a modern IDE with many helpful features.

There is one thing that bugs me though: whenever a new SAP GUI instance is opened in Eclipse, I have to reenter username and password.

I've tried reading into possible solutions to this, but all I have found are descriptions of rather complex processes that require changes on the backend as well.

My question is actually simple: can I get around this without having to make changes to the backend?

We don't need a SSO solution for the standard SAP GUI Logon, just for ABAP in Eclipse.

Thank you for any hints, links or comments!

schneidermic0 · ‎04-11-2014

Hi Dirk,

check chapter 4 in .

These system setting should solve your issue also without SSO.

Michael

schneidermic0 · ‎04-11-2014

Hi Dirk,

check chapter 4 in .

These system setting should solve your issue also without SSO.

Michael

Former Member · ‎04-11-2014

Hi Michael,

thank you for your reply! I've set the two parameters

login/create_sso2_ticket = 3
login/accept_sso2_ticket = 1

using transaction RZ10. Unfortunatly, I couldn't notice any difference. The respective parameter values 3 and 1 also seemed to be already set standard and I still get a "Der Aussteller des SSO-Tickets konnte nicht überprüft werden"-message in Eclipse and have to enter my credentials.

Would the application server need to be restarted or did I miss any other additional steps?

schneidermic0 · ‎04-11-2014

Hi Dirk,

Unfortunately, I don't know whether this parameter can be changed dynamically and I can't check it in our system due to missing authorizations.

However, the following link describes how you can check it:

Changing and Activating Profile Parameters - Configuration in the CCMS - SAP Library

If the parameter can not be changed dynamically a system restart is required. I hope this helps

Michael

peter_langner · ‎04-11-2014

Hi Dirk,

another way could be to let KeePass help you enter your username and password:

Cheers,

Peter

Former Member · ‎04-11-2014

Hi Peter,

thank you for that tipp, I have thought about using KeePass as last possibility if there is no easy SAP-way to get it done. I have tried KeePass and it works pretty well but has the touch of a workaround. A good one, though!

Former Member · ‎04-17-2014

Hi,

i checked the settings on our server.

It´s exactly:

login/create_sso2_ticket = 3
login/accept_sso2_ticket = 1

But it doesn´t work.

In http://scn.sap.com/community/abap/eclipse/blog/2012/07/16/installing-abap-in-eclipse is mentioned:

"11) Maintain the SAP logon pad with the system you are trying to connect (Development system). And ensure the SNC is activated and No Single sign on is checked if u r not using SSO."

Is SNC a must have?? I can´t activate it in SAP logon.

schneidermic0 · ‎04-22-2014

Hi Volker,

I asked one of my colleagues, who is more expert in this area than I am.

He told me that this should work, if your system is configured as mentioned above.

To analyze the issue further we would need some trace files of your logon procedure (see note http://service.sap.com/sap/support/notes/495911).

Maybe you want to open an OSS ticket in which you can send the trace files.

Michael

Former Member · ‎04-22-2014

Hi Michael,

i run the trace.

Here is an extract of the result:

N krn_SsfV2_para_GetProfile: SsfOpenProfile failed with rc=23

N *** ERROR => <== krn_SsfV2_para_GetProfile()==208 (SSF_KRN_INPUT_DATA_ERROR) SsfOpenProfile failed [ssfxxkrn.c 1553]

N {root-id=535351FF89113C43E10000000A325054}_{conn-id=00000000000000000000000000000000}_0

N *** ERROR => <== krn_Ssf_GetOwnCertificate()==208 (SSF_KRN_INPUT_DATA_ERROR) [ssfxxkrn.c 1553]

N *** ERROR => SsfVerify failed (see note 1055856). [ssoxxsgn.c 144]

N SsfVerify returned 23 :: SSF_API_UNKNOWN_PROFILE :: Unable to find profile. Settings aren't correct.

N SsfVerify returned null for SignerList.

N *** ERROR => ValidateTicket failed with rc = 20 and ssf_rc = 23. [ssoxxapi.c 234]

N *** ERROR => Ticket validation failed with rc = 20 and ssf_rc = 23. [ssoxxkrn.c 957]

*

I read the mentioned note 1055856 and think that it´s the "Certificate is not in Cetificatelist"-Issue (number 4).

I used transaction STRUST to view the certificate, but i don´t know what to do here?!

Don´t get me wrong: i DO NOT want to use SSO and we DO NOT have SNC enabled in our system.

Eclipse is working, the only problem is: every time we hit F8 to test the Program we have to reenter username and password in the appearing SAP-Interface.

Thanks for your help.

Edit: here is another extract of a new trace which says that a PSE isn´t found:

N Tue Apr 22 14:44:47 2014

N conv_lang_iso2sap : no conversion necessary

N dy_set_sso_ticket: SSO logon data stored

N syssigni: SSO logon data retrieved

N dy_signi_ext: LOGON TICKET logon (client 010)

N mySAPUnwrapTicket: was called.

N HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.

N HmskiFindTicketInCache: Try to find ticket with cache key: 010:D6504895C0B6EA979ABCC4AF6400B452 .

N HmskiFindTicketInCache: Couldn't find ticket in ticket cache.

N ==> krn_Ssf_GetOwnCertificate()

N ==> krn_SsfV2_para_GetProfile()

N krn_SsfV2_para_GetProfile: SsfOpenProfile failed with rc=23

N *** ERROR => <== krn_SsfV2_para_GetProfile()==208 (SSF_KRN_INPUT_DATA_ERROR) SsfOpenProfile failed [ssfxxkrn.c 1553]

N {root-id=5353B3D789113C4EE10000000A325054}_{conn-id=00000000000000000000000000000000}_0

N *** ERROR => <== krn_Ssf_GetOwnCertificate()==208 (SSF_KRN_INPUT_DATA_ERROR) [ssfxxkrn.c 1553]

N mySAP: Got the following SSF Params:

N DN =

N EncrAlg =DES-CBC

N Format =PKCS7

N Toolkit =SAPSECULIB

N HashAlg =SHA1

N Profile =/usr/sap/VAD/DVEBMGS09/sec/SAPSSO2000.pse

N PAB =/usr/sap/VAD/DVEBMGS09/sec/SAPSSO2000.pse

N Got the codepage 4102.

N Got ticket (head) AjQxMDIBABgARgBBAFoASQBTAE0AOQAyACAAIAAg. Length = 552.

N *** ERROR => SsfVerify failed (see note 1055856). [ssoxxsgn.c 144]

N SsfVerify returned 23 :: SSF_API_UNKNOWN_PROFILE :: Unable to find profile. Settings aren't correct.

N MYSAPSSO2 ticket last error from SSF: ERROR in af_open: (4129/0x1021) The PSE does not exist : "/usr/sap/VAD/DVEBMGS09/sec/SAPSSO

N ERROR in secsw_open: (4129/0x1021) The PSE does not exist : "/usr/sap/VAD/DVEBMGS09/sec/SAPSSO2000.pse"

N ERROR in secsw_open_pse_or_extension: (4129/0x1021) The PSE does not exist : "/usr/sap/VAD/DVEBMGS09/sec/SAPSSO2000.pse"

N ERROR in sec_get_PSEtype: (4129/0x1021) The PSE does not exist : "/usr/sap/VAD/DVEBMGS09/sec/SAPSSO2000.pse"

N .

N SsfVerify returned null for SignerList.

N *** ERROR => ValidateTicket failed with rc = 20 and ssf_rc = 23. [ssoxxapi.c 234]

N *** ERROR => Ticket validation failed with rc = 20 and ssf_rc = 23. [ssoxxkrn.c 957]

N dy_signi_ext: ticket issuer not verified

D *** ERROR => tablecontrol->invisible is TRUE [diagotab.c 2880]

Why do i need a certificate and what kind of PSE do i need?

- Message was edited -

schneidermic0 · ‎04-22-2014

Hi Volker,

my colleague would like to have a look at your system. Could you create an OSS ticket, so that he can logon to your system for further analysis?

Thanks,

Michael

Former Member · ‎04-22-2014

OSS ticket created.

Thank you very much.

Do you need the ticket-number?

schneidermic0 · ‎04-22-2014

The ticket number would be great. I guess, I can't really help, but I would like to follow it.

Former Member · ‎04-23-2014

It´s 374980 / 2014.

Former Member · ‎04-23-2014

Via the OSS the problem was solved.

There was a difference between a pse in our clients 000 and 010.

I had to use the same in 000 like in 010.

client 000 --> Transaction SSFA --> "Anmeldeticket" Detail --> here the points

private adressbook and SSF-Profilname had to be the same as on client 010.

Now the SAP-Interface didn´t popup anymore on my client.

schneidermic0 · ‎04-23-2014

Thanks for the update!