
OSS note 701205 SSO Using sap logon tickets dual stack environment

Former Member
0 Kudos

Hi, I recently upgraded from BW 3.x to NW2004s BI 7.0 SP12. I am trying to set up BEx Web integration. I created a system in the portal that has Authentication Ticket Type = SAP Assertion Ticket, BI Master System set to true, Logon Method = SAPLOGONTICKET, and gave it a system alias of SAP_BW. Via the Visual Admin tool, I created the SAPLogonTicketKeypair and Keypair-cert using a Common Name = ABC. I understand that in a dual stack situation the Portal SID cannot be the same as the ABAP SID. I imported the portal cert into BI using STRUSTSSO2, added the cert to the certificate list and added it to the ACL. Now, when I try connection tests on my SAP_BW system in the portal, it fails. I turned on tracing in SM50 to level 3, security only. This is what I see in the logs of the dialog process:

dy_signi_ext: SSO TICKET logon (client 090)

mySAPUnwrapCookie: was called.

HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.

HmskiFindTicketInCache: Try to find ticket with cache key: 090:90BA87457002F62A1F3317888C62CDEC .

HmskiFindTicketInCache: Couldn't find ticket in ticket cache

<snip>

Got content client = 999.

N Got content sysid = BWP .

N No entry in TWPSSO2ACL for SYS BWP and CLI 999.

N CheckSubject failed (rc=19). Verifying if ticket was issued by me.

N *** ERROR => System ID and client from ticket are not the same than mine. [ssoxxkrn.c 841]

N Data from ticket: sysid=BWP , client=999

N My system data: sysid=BWP , client=090

N *** ERROR => Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL.

So why is the portal sending sysid=BWP and not the common name ABC? Or is there another parameter where I can change the portal sid?

I asked SAP via an OSS message and they said that the ABAP stack has to be one level higher than the Java stack. Unfortunately, SP13 hasn't been released yet.

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

In the settings in the configtool for configuration 'Propertysheet com.sap.security.core.ume.service', I set the parameter logon.ticket_client=J2E.

I created a new TicketKeystore -> SAPLogonTicketKeyPair.crt with the following: CN=BWP O=BWP.

I then deleted any existing certificates in transaction STRUSTSSO2 and imported the SAPLogonTicketKeyPair certificate. I added it to the Certificate List, and added it to the ACL with the following two entries:

System=BWP, Client=J2E
System=BWP, Client=000

Via OSS note 701205, I uploaded the attached SSOSupport.par and created a new iView in the portal based on this template. When I preview the iView as user J2EE_ADMIN, the MYSAPSSO2 cookie is sending R/3 User = J2EE_ADMIN, Portal User = J2EE_ADMIN, System ID = BWP, Client = J2EE.

In the Visual Administrator, I changed Security Provider -> Policy Configurations -> evaluate_assertion_ticket:
Flag 'REQUIRED'
Options trustediss1=CN=BWP, O=BWP; trusteddn1=CN=BWP, O=BWP; trustedsys1=BWP,090.

I created a new iView of type com.sap.portal.appintegrator.sap.Transaction to the system SAP_BW; SSO to ABAP works fine.

Former Member
0 Kudos

Stephen,

follow this method...

Note 937697 SAP NetWeaver BI Diagnostics & Support Desk Tool
and Note 983156 BI configuration w. Template Installer

Also check these reports:

1. RSPOR_SETUP

   a. Execute the report RSPOR_SETUP with transaction SE38 (or SA38; or you can execute the report from the SAP Reference IMG, see Documentation below)
   b. Use the value help of the entry field Program ID (or RFC Destination) to choose __ as RFC Destination (this destination is created by the Template Installer)
   c. Enter the Portal SID (required to check step 10)
   d. Press the Execute button

2. RS_TEMPLATE_MAINTAIN_70

   Run report RS_TEMPLATE_MAINTAIN_70 and enter Template ID 0ANALYSIS_PATTERN > Choose Program / Execute.
   Choose Analyse / Validate, then Analyse / Execute in Debug Mode. A web browser is opened and you have to log on to the Portal. Finally, an empty Analysis Pattern (without data) should appear. After these tests you can continue your testing by creating and using your own Queries (with BEx Query Designer), Web Templates (BEx Web Application Designer) and Reports (BEx Report Designer).

See SAP Notes 917950 and 937697 for further help...

Common troubleshooting errors:

1. The user ID should be the same in the portal and in BI 7.0.

2. Make sure Portal and BW are on the same domain.

   Also check and make sure you added the following entries in transaction STRUSTSSO2 of BW:

   a) Add to Certificate List
   b) Add to ACL. When you add to the ACL, make sure to enter the client number as 000. Enter the system name as the actual name.

3. Did you restart the BW server after setting the profile parameters (using admin rights) in RZ10?

4. To see if SSO is configured properly, in your BW server go to transaction SE80, in the dropdown select BSP Application and open the application "SYSTEM". Under Pages with Flow Logic you will find the page sso2test.htm. Test that page; after opening it you should see the message "Found SSO2 Cookie" in the iframe. This message must be displayed without any further popup boxes asking for name and password information!

   Else SSO is not enabled.

hope that helps...

daniel_davinci
Active Contributor
0 Kudos

Hi Stephen,

For a dual stack install the SIDs are the same; rather, it is the client for dual stack installs that needs to be adjusted (must not be identical).

I suggest you proceed as follows:

- In the config tool on the Java stack, set the (global) value login.ticket_client to a different number than the ABAP client. (restart)

- Import the certificate again from the Java stack (SID can/should be the same) into the ABAP and ensure you use the new client value.

Regards

Daniel

Former Member
0 Kudos

Hi Daniel, I changed the CN=BWP and regenerated the ticket, exported/imported it into the portal. My login.ticket_client=999 (non-existing client). Restarted the J2EE Engine. So now the SID is the same on the portal and ABAP stack. When I now do connection tests I see this in the dev_w0 trace file:

---------------------------------------------------
trc file: "dev_w0", trc level: 3, release: "700"
---------------------------------------------------
*
*  ACTIVE TRACE LEVEL           3
*  ACTIVE TRACE COMPONENTS      all, N
*

M Fri Sep 21 08:51:43 2007

M TRACE FILE TRUNCATED (pid = 11659 )

M kernel runs with dp version 224(ext=109) (@(#) DPLIB-INT-VERSION-224)

M length of sys_adm_ext is 360 bytes

N Fri Sep 21 08:52:16 2007

N dy_signi_ext: SSO TICKET logon (client 090)

N mySAPUnwrapCookie: was called.

N HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.

N HmskiFindTicketInCache: Try to find ticket with cache key: 090:20DB50300A1392A9E32EE33FECAFCCE9 .

N HmskiFindTicketInCache: Couldn't find ticket in ticket cache.

N I don't need to ask RunningCompatibly to know: I'm >= 46C.

N mySAP: Got the following SSF Params:

N DN =CN=BWP, OU=I0020178618, OU=SAP Web AS, O=SAP Trust Community, C=DE

N EncrAlg=DES-CBC

N Format =PKCS7

N Toolkit =SAPSECULIB

N HashAlg =SHA1

N Profile =/usr/sap/BWP/DVEBMGS00/sec/SAPSYS.pse

N PAB =/usr/sap/BWP/DVEBMGS00/sec/SAPSYS.pse

<SNIP>

Got content client = 999.

N Got content sysid = BWP .

N Got date 200709211252 from ticket.

N Cur time = 200709211252.

N Computing validity in hours.

N Computing validity in minutes.

N CurTime_t = 1190465520, CreTime_t = 1190465520

N validity: 120, difference: 0.000.

N HmskiInsertTicketInCache: Trying to insert logon ticket in ticket cache.

N HmskiInsertTicketInCache: Inserted new ticket into logon ticket cache with cache key: 090:20DB50300A1392A9E32EE33FECAFCCE9 .

N HmskiInsertTicketInCache: Inserted new ticket into logon ticket cache with cache info: <USER>= ,<CLIENT>=999 .

N DyISigni: client=090, user= , lang=E, access=R, auth=T

N nousrrec: no user record found - logon rejected

N save user time zone = > < into spa

N DyISigni: return code=1 (see note 320991)

N dy_signi_ext: SSO TICKET logon (client 090)

N mySAPUnwrapCookie: was called.

N HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.

N HmskiFindTicketInCache: Try to find ticket with cache key: 090:20DB50300A1392A9E32EE33FECAFCCE9 .

N HmskiFindTicketInCache: Logon ticket found in ticket cache.

N HmskiFindTicketInCache: Ticket information in ticket cache is: <USER>= ,<CLIENT>=999

N HmskiFindTicketInCache: no <LANGUAGE>= field found.

N HmskiFindTicketInCache: Ticket information in ticket cache read successfully.

N DyISigni: client=090, user= , lang= , access=R, auth=T

N nousrrec: no user record found - logon rejected

N save user time zone = > < into spa

N DyISigni: return code=1 (see note 320991)

I checked note 320991 and the return code is "Incorrect logon data (client, user name, password)".

As you can see a few lines above, client=090 and user=<null>. How can I fix this?

I am logged into the portal using my ABAP user ID/password (SFAEHN) when I perform the connection tests.

Also, in one section of the dev_w0 trace file I see this:

N Next node:

N 00000000 20 70 6f 72 74 61 6c 3a 53 46 41 45 48 4e 00 00 portal:SFAEHN.
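The two traces in this thread show the checks the ABAP stack applies to an incoming MYSAPSSO2 ticket in sequence: the first post fails on the issuer (no entry in TWPSSO2ACL for BWP/999, CheckSubject rc=19, ticket not "issued by myself"), the last post passes the issuer check after Daniel's dual-stack fix (same SID, separate ticket client) but is then rejected with nousrrec because the cached ticket carries an empty <USER>. The Python below is an added example, not part of this thread or of SAP's code: it parses those exact trace message formats, replays the decision, and returns the reason, so a trace excerpt can be diagnosed against a proposed ACL before touching STRUSTSSO2. The decision order (ACL first, then self-issued, then a user name must be present) is reconstructed from the trace text and is an assumption, and the three trace excerpts are constructed from the lines quoted above.

```python
"""
Replay the accept/reject decision the ABAP kernel logs for a MYSAPSSO2 logon
ticket, using the dev_w* trace messages quoted in this thread. Added example,
not SAP code: the rule is reconstructed from the trace text (TWPSSO2ACL
lookup, "issued by myself", rc=19, nousrrec) and is an assumption; the trace
excerpts below are constructed from the lines in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Message formats copied from the thread's dev_w0 excerpts.
MY_CLIENT_RE = re.compile(r"SSO TICKET logon \(client (\d{3})\)")
TICKET_CLIENT_RE = re.compile(r"Got content client = (\w+)")
TICKET_SYSID_RE = re.compile(r"Got content sysid = (\w+)")
CACHE_INFO_RE = re.compile(r"<USER>=\s*([^,]*?)\s*,<CLIENT>=(\w+)")


@dataclass
class Ticket:
    sysid: Optional[str] = None
    client: Optional[str] = None
    user: str = ""  # "" means the cache info line showed an empty <USER>=


@dataclass
class Verdict:
    accepted: bool
    reason: str


def parse_trace(lines: Iterable[str]) -> tuple[Optional[str], Ticket]:
    """Pull my own logon client and the ticket's sysid/client/user out of trace lines."""
    my_client: Optional[str] = None
    ticket = Ticket()
    for line in lines:
        if m := MY_CLIENT_RE.search(line):
            my_client = m.group(1)
        elif m := TICKET_CLIENT_RE.search(line):
            ticket.client = m.group(1)
        elif m := TICKET_SYSID_RE.search(line):
            ticket.sysid = m.group(1)
        elif m := CACHE_INFO_RE.search(line):
            ticket.user = m.group(1)
    return my_client, ticket


def check_ticket(ticket: Ticket, my_sysid: str, my_client: str,
                 acl: set[tuple[str, str]]) -> Verdict:
    """
    Assumed rule, in the order the trace prints it:
      1. issuer (sysid, client) listed in the ACL (TWPSSO2ACL) -> trusted
      2. else issuer equals my own sysid and client             -> "issued by myself"
      3. else CheckSubject rc=19                                -> rejected
      4. a trusted issuer still needs a user name in the ticket;
         an empty <USER> ends in "nousrrec: no user record found - logon rejected"
    """
    issuer = (ticket.sysid, ticket.client)
    if issuer in acl:
        how = f"issuer {ticket.sysid}/{ticket.client} found in ACL"
    elif issuer == (my_sysid, my_client):
        how = "ticket issued by myself"
    else:
        return Verdict(False, f"rc=19: issuer {ticket.sysid}/{ticket.client} is "
                              f"neither myself ({my_sysid}/{my_client}) nor in ACL")
    if not ticket.user:
        return Verdict(False, "issuer trusted, but the ticket carries no user "
                              "name: nousrrec, logon rejected")
    return Verdict(True, how)


def diagnose(lines: Iterable[str], my_sysid: str,
             acl: set[tuple[str, str]]) -> Verdict:
    """Parse a trace excerpt and return the verdict it implies."""
    my_client, ticket = parse_trace(lines)
    if my_client is None or ticket.sysid is None or ticket.client is None:
        return Verdict(False, "trace excerpt lacks logon client or ticket content")
    return check_ticket(ticket, my_sysid, my_client, acl)


# Constructed excerpt 1: the first post, before a matching ACL entry existed.
TRACE_ACL_MISS = [
    "N dy_signi_ext: SSO TICKET logon (client 090)",
    "N Got content client = 999.",
    "N Got content sysid = BWP .",
    "N No entry in TWPSSO2ACL for SYS BWP and CLI 999.",
]

# Constructed excerpt 2: the last post, issuer accepted but <USER> empty.
TRACE_NO_USER = [
    "N dy_signi_ext: SSO TICKET logon (client 090)",
    "N Got content client = 999.",
    "N Got content sysid = BWP .",
    "N HmskiInsertTicketInCache: Inserted new ticket into logon ticket cache "
    "with cache info: <USER>= ,<CLIENT>=999 .",
]

# Constructed excerpt 3: what a working ticket for user SFAEHN would look like.
TRACE_OK = [
    "N dy_signi_ext: SSO TICKET logon (client 090)",
    "N Got content client = 999.",
    "N Got content sysid = BWP .",
    "N HmskiInsertTicketInCache: Inserted new ticket into logon ticket cache "
    "with cache info: <USER>=SFAEHN ,<CLIENT>=999 .",
]

# ACL as the dual-stack fix leaves it: same SID, the Java stack's own ticket client.
DUAL_STACK_ACL = {("BWP", "999")}

if __name__ == "__main__":
    for name, trace, acl in [("acl miss", TRACE_ACL_MISS, set()),
                             ("no user", TRACE_NO_USER, DUAL_STACK_ACL),
                             ("ok", TRACE_OK, DUAL_STACK_ACL)]:
        v = diagnose(trace, "BWP", acl)
        print(f"{name:8} accepted={v.accepted}  {v.reason}")
```

Running the script prints one verdict per excerpt: the first is rejected with rc=19, the second with the nousrrec reason even though BWP/999 is now in the ACL, and only the third, which carries a user name, is accepted. Feeding the ACL-miss excerpt a set containing ("BWP", "090") instead would still reject it, which is the point of keeping the Java ticket client different from the ABAP client in a dual stack.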