on 11-21-2014 11:25 AM
Hello All,
Portal version: NW CE 7.3 EHP1
I have a Web Dynpro Java application that calls RFC using Adaptive RFC model.
We are facing intermittent issue when were see below error and model execution fails: -
Caused by: RfcException: [null]
message: System received an expired SSO ticket on AB1 mshost ab1.mysystem.com
Return code: RFC_SYS_EXCEPTION(3)
error group: 103
key: RFC_ERROR_LOGON_FAILURE
I checked SAP Note 947376 and set login.ticket_lifetime and SessionExpirationPeriod both to 16hrs.
And also, in addition to this, I include below line after model execution so that it closes JCO connection: -
wdContext.currentZ_Model_InputElement().modelObject().modelInstance().disconnectIfAlive();
But still same error is occuring intermittently.
Also, looked at SAP Note 1130191, but it is not clear 'what' needs to be done as solution.
Any more ideas on this?
Thanks & Regards,
Amey Mogare
Hi Amey,
Hope you are doing good.
Nice to hear from you again.
Has the SSO ticket expired and is it loaded correctly ? Refer the SAP note:1083421 and configure the SS0 settings again. Please run the SSO2 wizard and then make the automatic connection to
the abap server. This will solve any inconsistencies on the server due to manual interventions.
More help:
http://wiki.sdn.sap.com/wiki/display/EP/Troubleshooting+SSO+between+AS-ABAP+and+AS-JAVA
and
Also the SSO enabling parameters should be set on the R/3 server.
SSO Logon Ticket-> login/accept_sso2_ticket and login/create_sso2_ticket
More info:
http://help.sap.com/saphelp_nw04/Helpdata/EN/22/41c43ac23cef2fe10000000a114084/frameset.htm
Thank you!
____________
Kind Regards,
Hemanth
SAP AGS
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Amey,
There is another workaround in such cases which I would like to point out. We have seen similar issues previously when the Authentication Ticket Type for the system connection used is SAP Logon Ticket. You need to be using SAP Assertion Ticket.
Please refer to Note 1166904 "Assertion ticket SSO for Web Dynpro Java JCO destinations" and SAP Note No. 1554000.
If you are using SSO ticket authentication, then you may need to switch to SSO with assertion ticket authentication (given you meet the prerequisites). The option "SSO ticket" can lead to problems like "SSO ticket expired" as the SSO ticket is reused for subsequent RFC calls and this can be intermittent as in your case. The new option "Assertion ticket" means that the ticket used for Single Sign On in the connection to the R/3 backend system is only used once thus avoiding problems inherent to the SSO ticket mechanism. It's thus recommended to re-configure the system connection/ Jco connection from SSO ticket to Assertion Ticket.
Regards,
Hemanth
Hi Amey,
If you wish to just to use only SSO, then you need investigate further to narrow down the issue, whether it is with the ABAP server, J2ee, tickets, etc:
1) Clear all the browser cache.
2)
Set the security trace level in the ticket accepting system (r/3 server)
======================================================
1. Call transaction SM50 (process list):
2. Process -> Trace -> Reset -> Workprocess Files
3. Key combination: F5 (select all), CTRL-Shift-F7 => Dialog box;
4. Set trace level=3 and ONLY(!) check the "Security" component;
If necessary, you must repeat these steps for each server (see
transaction SM51), unless you can use a specific server for
reproducing the error (for example, by excluding the load
distribution).
3)
Run the web diagtool as outlined in:
note 1045019 (example 1). It will be ideal to run it on the server 0 (check note 1589567 on how you can do this).
4)
While the diagtool is running, please reproduce a failed SSO to the backend.
5)
When the SSO fails, wait a minute and then press return in the diagtool console so that the resulting traces are picked up.
6)
Check the traces at the time at which you reproduced the issue (using the userID involved).
You can also use the below link to search for the specific error in the R/3 traces.
http://scn.sap.com/docs/DOC-57078
Thanks and Best regards,
Hemanth
P.S: If you wish to check if SSO between the ABAP and the J2ee server is working, test using the method mentioned in note 1903560.
Hello Hemanth,
It is made clear from customer side that we cannot modify authentication type to assertion ticket. So I am left with only option, i.e., to make sso ticket working.
So I think the steps you mentioned in your reply on Nov 21, 2014 4:21 PM, I need to follow closely, right?
I could check SSO2 wizard. And I see that it the involved ABAP system is present in Trusted systems list and also certificate validity is (green) OK.
Also, one thing I noticed, in SSO2 wizard, there is a button 'Show SSO Configuration'.
Here I saw that value of 'login.ticket_lifetime' is 8 hrs, whereas in NWA > Config > Infra > Java sys properties > Services > User Management Engine, same parameter has value 16 hrs.
Would this inconsistency matter? (btw I have modified this value and also sessionexpirationperiod to 16 hrs as per sapnote# 947376.)
Thanks & Regards,
Amey
Hi Amey,
Not really. Most likely the ticket is not being accepted by the ABAP server. Do follow the exact steps I mentioned so that we can find the root cause.
Let me also list some common issues that lead to such SSO cases:
1)
See sap note 1761987, point 7 and synchronise the ABAP and the J2ee server clocks. This will make sure that the ABAP and the J2ee server have the same time as this can lead to such issues.
2)
Set the expiration of security session and SSO ticket timeout to the same value as SAP note 842635 recommends:
"
b) Setting security session and SSO timeout Please set the timeout value for the security sessions (default 27h) and the timeout value for the SSO ticket (default 8h) to the same value. It should be a value that is higher than the maximum working time of an employee, e.g. 16 hours.
"
The parameters are : login.ticket_lifetime and SessionExpirationPeriod.
3)
Do make sure that you are on the latest SAPJVM level so that the issues as mentioned in SAP Note No. 1367871 do not occur.
4)
The client mentioned in the j2ee ume property login.ticket_client should be part of the /nSTRUSTSSO2 ACL.
There is a possibility that as login.ticket_client is set to say 000, which is already a value that is a client in the ABAP server. If so, SSO may not work cause client 000 is also available on
the ABAP server. This leads to inconsistency and we have seen similar issues in the past. The only option is to change the login.ticket_client value to a client that is not present in the ABAP server (say 005) and restart the j2ee server. Then run the SSO2 wizard (SAP note:1083421)
and this will update the strustsso2 table and you should be good to go.
5)
Do see see note 1055856 that has more on issues on the abap end.
Regards,
Hemanth
Thank You Amey .
If you face any issues, it would be better to close this thread and move it to
<http://scn.sap.com/community/netweaver-administrator>
as you will get better responses.
This is not really a WD issue
Hello Hemanth,
Thanks for reply.
We are now trying to use 'Current User (Assertion ticket)' mechanism in modeldata destination.
But getting some issues.
As suggested by you, I am posting this new question on http://scn.sap.com/community/netweaver-administrator
Thanks a lot for all your help so far.
Yes Hemanth. After breaking head for searching the root cause along with Basis colleagues (we don't have full access on NWA). I could finally convince to give a try to 'Assertion ticket' approach.
Yes, we can close this thread. Although I feel a bit sad that I could not locate root cause that could have been helpful to other people who will face same issue and look up to this thread.
Thanks a million for your help.
Thanks & Regards,
Amey
User | Count |
---|---|
85 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.