
SSO

Former Member
0 Kudos

Hi All,

I am stuck with the JCo connection (Application data with Logon Ticket). I have tried everything and am getting the error:

com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: Issuer of SSO ticket is not authorized

I have read all the relevant notes for it.

Can someone tell me the steps to follow, as I have done my best? I can very well open SAPGUI in the portal, but the TEST for WebDynpro for JCo is not happening.

Is there anything I am missing here?

Can someone give me the details from scratch?

Edited by: Prashant Dhas on Sep 21, 2008 11:00 AM

Accepted Solutions (1)


Former Member
0 Kudos

Appreciate Sergo for his help.

Do not know the reason, but removed everything (certificate and the systems), and the same from VA and the same from ABAP.

Created a new system with Connector and User management setting. Given the Alias.

Then mapped the portal user with the Alias or (don't know from where it picked it. I think coming VA certificate loaded). Restarted VA after loading the certificate.

Tested the connection and everything is okay now.

Former Member
0 Kudos

<removed_by_moderator>

@Prashant and Sergo... you both read the "Rules of Engagement"

Regards.

Edited by: Juan Reyes on Sep 22, 2008 12:47 PM

Former Member
0 Kudos

I appreciate your patience and your giving me some encouragement to try something different, which I had never done.

I have not given points to you, for the only reason that I do not know how the problem was resolved. It was just a coincidence... (trial and error), because whatever was suggested had been done many times...

But the last time the approach was focused..... so deleted everything and created again from scratch....

Regarding Rules of Engagement.. I always adhere to it.. Whatever I can share, I do my best.... without hoping for anything... that's my policy...

Anyways Thanks

Former Member
0 Kudos

Sorry Juan, but how can I tell other users to see the "Rules", and especially about

"SDN/BPX has a Contributor Recognition Program"? I'm not saying give me points, only giving

Prashant Dhas information about the "Contributor Recognition Program".

I apologize, but sometimes it is probably needed to remind the person of these links.

To Prashant Dhas: I don't need these points, give them to another person.

I will be given by their that who has counted that I have assisted on 100 %, I consider what better to remove this POINT system in general if so many people cannot understand that to what.

Regards.

JPReyes
Active Contributor
0 Kudos

@Prashant: Not going to land in a discussion... seems to me like Sergo spent a lot of time trying to help you... so I have given him the points... This is not about Sergo giving you the perfect answer but helping you with hints that send you in the right direction (which I think he did).

@Sergo... After taking a lot of time (at least 10 posts) it's frustrating to not be rewarded, but it's not all about points, and the rules state that you should not ask for them.

Keep up the good work

Juan

Answers (3)


Former Member
0 Kudos

Also forgot to mention that the SSO wizard gives me this error when I try to give the ABAP details and click on Next:

Error occurred: Field CERTIFICATE_B64 not a member of OUTPUT

Regarding the SSO, I can very well open SAP GUI from Portal (System adm --> Support --> transaction).

Is this something to do with SSO? How come the sapgui opens from the portal?

The System that was created in Portal (SAP_R3) had the parameter UIDPW, so the sapgui was asking for userid and passwd, I suppose.

Now I cannot see the SAP_R3 after I deleted the certificate. Need to create the system again. Can you please guide me now, starting from creating the system and the parameters for SSO with logon ticket?

Edited by: Prashant Dhas on Sep 22, 2008 9:12 AM

In some of the SAP best prac.. the following are given for creating the system:

Server Port: Port number of application server or message server. For example, 3200. The first two digits are a fixed value for SAP ECC for a dedicated system, and the second two digits represent the system number.

And for ECC Load Balancing System the server port is 3600??

I am confused ?????

Edited by: Prashant Dhas on Sep 22, 2008 9:25 AM

Former Member
0 Kudos

With SSO Wizard, if I query JAVA

SSO certificates on trusted and accepting systems are identical

But for ABAP

I get the following error.

Error occurred: Field CERTIFICATE_B64 not a member of OUTPUT

Former Member
0 Kudos

Hi,

Have you configured a backend system in the portal? If so, which client have you added?

You have to import the certificate verify.der in the backend system client which you have added as backend system in the portal.

Then do the necessary changes in the login module using Visual Admin and then try.

Also, when trying to create the JCo connectors, what client and user id are you giving?

Make sure you give the uid which has sap_all authorizations in the backend system.

Regards,

Vamshi.

Former Member
0 Kudos

Hi Vamshi,

All the configuration with ECC and Portal has been done.

The certificate verify.der is also imported in ECC client 001 (which I want to use). Also the SAP_ALL authorization is set.

JCo with userid and passwd is working fine. The only problem is with Ticket.

I think I am missing some basic things in the setup. The SSO wizard shows okay for the Java system (I mean the trust is okay). Only with ABAP, it gives the error already mentioned.

In ECC (001) when I log in to strustsso2, the default client certificate in the Certificate list does not come. Only when I click on the own certificate does it come.

Also the useradmin (map user for the system), is it necessary? Because the system which I created in Portal (SAP_R3, connector properties) was showing SAP_R3(X). Is this of any relevance?

Another main thing is that I can login to SAPGUI within Portal!!! How come this is possible??????

Former Member
0 Kudos

Hello, did you add the certificate to the ACL in the required client?

Try to read my last post in this thread -->

/message/6151219#6151219 [original link is broken]

Regards.

Former Member
0 Kudos

Hi Sergo,

I require a few clarifications.

What I have done is created a System in Portal named SAP_R3 (Content Admin > PCD > Created a folder > with Connector parameter).

1. Why is this connection required? I mean YES it needs to talk to ABAP, but where to use it? Is it in User mapping?

2. Suppose I exported the certificate from ABAP and need to import it in Portal, I normally use System Adm > system conf > Key Store....

But the problem is that if I import the ABAP certificate with the alias SAP_R3, then when I check in the SSO wizard, I get the error about the inconsistency with the certificate (duplicated certificate). Yesterday I deleted the SAP_R3 for the same reason. Now I can see that DEV_001 is present.

3. Does the User need to be mapped accordingly? I cannot see DEV_001 in the drop down now.

4. Sergo, if you don't mind, can you tell me the steps to follow so that I can start it again?

5. The JAVA client has been changed to 001 from configtool now?

Thanks

Former Member
0 Kudos

I mean YES it needs to talk to ABAP, but where to use it?

If you want, you can create this system (for example, for testing whether SSO to the required system (and client) works or not). Also you can use this system in the future to use SSO GUI login from portal to ABAP.

Try to read http://help.sap.com/saphelp_nw70/helpdata/EN/44/45a04028f40160e10000000a1550b0/content.htm

In your steps 2, 3, 4, 5 I have not understood what you did and what has happened...

Regards.

Former Member
0 Kudos

Hi,

Do you have a standalone Java installation for EP or an ABAP+Java?

For ABAP+Java the default client would always be 001 only.

What are you trying to do? Are you using the 001 client for development or test purposes? Does this client contain any data? If not, then what is the point of using the 001 client for SSO and adding this client as the backend system in the portal?

Have you tried importing the certificate in the 000 client?

You need not create a separate folder for the system. There is already a folder called systems in the system administration tab, system configuration.

Just create a system there.

Regards,

Vamshi.

Former Member
0 Kudos

I want to start over again. What should I do first?

The following is the procedure I have followed.

1. From Portal > key store > Export the verify.der file, selecting the SAPLogonTicketKeypair-cert and exporting it.

2. Log in to ABAP 001 and import the certificate --> Add to Certificate list and then ACL

3. Now my Certificate list shows 2 certificates (client 001)

CN=DEV

OU=J2EE, CN=DEV

and ACL

DEV 001 CN=DEV

(so you suggested in some of the threads to do the same in Client 000 also??)

4. Save it and then export the ABAP certificate and import the same in Portal (system adm > sys con > key store adm) with Alias SAP_R3.

5. Now when I test the JCo connection, I get

com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: Issuer of SSO ticket is not authorized

Now the following thing I think is confusing...

1. The user mapping seems to be wrong... I cannot see the newly created DEV_001 now. Earlier SAP_R3 was present but now SAP_R3(X) is visible....

The user which I am using is present in both with SAP_ALL and everything required??? I am using 001 for my test and dev...

JAVA client 001 (I have changed it from configtool)?

Can you please guide me now?

Former Member
0 Kudos

Hi,

First add the system in the portal; make sure you don't add 001 but add a different client which you are using for dev or prd.

Your Step 1 is correct (i.e. exporting the verify.der certificate).

Do the necessary steps in the Visual Admin (of your R/3 system) to adjust the login ticket. Then upload the certificate in strustsso2 and also upload the file in the 000 client.

Then set login/accept_sso2_ticket = 1 and login/create_sso2_ticket = 2,

then restart the backend system.

Now your portal system is the ticket issuing system and the R/3 system is the ticket accepting one.

Regards,

Vamshi.

Former Member
0 Kudos

First add the system in the portal make sure you dont add 001 but add a different client which you are using for dev or prd.

Do you mean that while I am importing the certificate in ABAP (ACL) it pops up for system id and client?? That time I should use a different client?

I am confused now with the system creation only??? Whether to use port 3200 or 3600 and the SAP logon method????

Former Member
0 Kudos

Try to delete the certificate from the ACL and from the Certificate list; after that go to the 000 client and add the certificate to the list; after that log in again to your required client and add the certificate to the ACL. On the question about the J2EE client: check and specify the value from login.ticket_client on your Java side. After that, try to check the "connectors" test in your created system (in the "system" settings, Authentication Ticket Type == SAP logon ticket, to check SSO) in the Portal. To check, also go to Support --> SapTransaction, specify your ABAP system "Alias" and try to execute any t-code (does this work without asking for a password?).

If this works, then after you create the JCO and specify SSO, try to check the "test" button.

Regards.

Former Member
0 Kudos

Hi Sergo,

Thanks for your patience.

The test which you suggest (System adm > Support > transaction), I use to log in to SAP. It was asking for the userid and passwd.

But now after I created the system again with Server port 3210 (10 is my instance no.) I face the problem with the transaction.

If I change the server port to 3610, will it work?

So I don't know whether I should use 3210 or 3610??????

But how will this test help me? As told, I used to open the SAP GUI from the first, but the JCo has not been working since?

Former Member
0 Kudos

Dear Prashant Dhas. How can I help you if you don't want to read my posts and help links to understand what happens?

It was asking for the userid and passwd

If it asks you, it means you have not configured SSO properly. Did you set, as I say, "Authentication Ticket Type == SAP logon ticket"? Or do you still use UIDPW? Open your "system" in the portal and check "Authentication Ticket Type". After you set all connection parameters, ITS and WAS, did you try to check at least "Connection Test for Connectors" to check your SSO? You ask too many questions; try to read through the documentation...

But what this test will help me. As told, I use to open the sap gui from first but the JCo was not working since?

If SSO works from the "system" object to the real ABAP, it means "Configuring the SAP Web AS ABAP to Accept Logon Tickets from the J2EE Engine" is correct, and you can use SSO in JCO.

Regards.

Former Member
0 Kudos

Sergo,

In user management of Property Category

"Authentication Ticket Type == SAP logon ticket"

Already mentioned to you that the Authentication ticket type is SAP logon Ticket only.

The Logon Method is UIDPW,

so do you want me to change it to SAPLOGONTICKET????????????????

Also now I could not connect through Support > transaction:

An exception occurred while processing a request for :

iView : com.sap.portal.appintegrator.sap.Transaction

Component Name : com.sap.portal.appintegrator.sap.Transaction

Exception in SAP Application Integrator occured: Missing Property 'ClassName' in property file for layer'Transaction/WinguiSSOLayer'..

Exception id: 12:30_22/09/08_0006_101711350

See the details for the exception ID in the log file

I used to get the same error when I changed something.. but afterwards it worked.. Might be after restarting the server???

I have read all the docs and links mentioned by you. But nowhere are the details of the steps for creating SSO up to date. I have read a lot now.. but am missing something somewhere which I am not able to track down.

Former Member
0 Kudos

Can you please tell me what this error means (in the SSO wizard when trying to query ABAP)?

Error occurred: Field CERTIFICATE_B64 not a member of OUTPUT

Former Member
0 Kudos

Logon Method is the same, SAPLOGONTICKET, for testing SSO.

After you set both, try to check "Connection Test for Connectors"; if it works, your SSO works; if not, it does not work. If your "System Number" is 10, the "server port" is 3210.

Regards.

Former Member
0 Kudos

I have changed the J2EE default client from 000 to 001 and gone to the SSO wizard and got the message

Failed

Description: Group(s) with at least two certificates with equal Subject DN and Issuer DN have been found. To further use the wizard you must resolve this inconsistency by leaving only one certificate for each Subject and Issuer DN. To do this you can use Visual Aministrator and Keystore Service.

List of Certificates Grouped by Subject DN and Issuer DN

Subject DN: OU=J2EE,CN=DEV; Issuer DN: OU=J2EE,CN=DEV

Ticket Key Storage Entry Name: SAPLogonTicketKeypair-cert

OK

Fingerprint: C6:D6:6F:A2:AC:A8:E5:69:77:D1:04:9F:DF:FB:96:91

Ticket Key Storage Entry Name: SAP_R3

OK

Fingerprint: C6:D6:6F:A2:AC:A8:E5:69:77:D1:04:9F:DF:FB:96:91

The SAP_R3 is what I have assigned, but how can I delete the "SAPLogonTicketKeypair-cert"? It is the default one.

Also if I delete the SAP_R3, then in user management for user ABC --> user mapping, those systems will not be visible and again I will have issues with JCo then?

Any idea ?
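
The consistency check reported by the SSO wizard in the last post, as an added example that is not part of the thread and not SAP's code: it groups keystore entries by Subject DN and Issuer DN and reports whether a group holds one certificate stored under several aliases (identical fingerprints) or different certificates sharing both DNs. The dictionary layout, the `ABAP_DEV` entry and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample: entries 1-2 use the aliases, DNs and fingerprint quoted in the
# wizard output above (spacing/case varied on purpose); entry 3 is hypothetical.
SAMPLE_ENTRIES = [
    {"alias": "SAPLogonTicketKeypair-cert", "subject": "OU=J2EE,CN=DEV",
     "issuer": "OU=J2EE,CN=DEV",
     "fingerprint": "C6:D6:6F:A2:AC:A8:E5:69:77:D1:04:9F:DF:FB:96:91"},
    {"alias": "SAP_R3", "subject": "OU=J2EE, CN=DEV",
     "issuer": "ou=j2ee, cn=dev",
     "fingerprint": "c6:d6:6f:a2:ac:a8:e5:69:77:d1:04:9f:df:fb:96:91"},
    {"alias": "ABAP_DEV", "subject": "CN=DEV", "issuer": "CN=DEV",
     "fingerprint": "AA:" * 15 + "AA"},
]

def normalize_dn(dn):
    """Canonical DN for comparison (simplified: no escaped commas in values)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().upper()}={value.strip().casefold()}")
    return ",".join(parts)

def normalize_fp(fingerprint):
    return fingerprint.replace(":", "").replace(" ", "").upper()

def find_duplicate_groups(entries):
    groups = defaultdict(list)
    for entry in entries:
        key = (normalize_dn(entry["subject"]), normalize_dn(entry["issuer"]))
        groups[key].append(entry)
    findings = []
    for (subject, issuer), members in groups.items():
        if len(members) < 2:
            continue  # a single entry per DN pair is what the wizard expects
        fingerprints = {normalize_fp(m["fingerprint"]) for m in members}
        findings.append({
            "subject": subject, "issuer": issuer,
            "aliases": sorted(m["alias"] for m in members),
            # True: one certificate under several aliases; False: distinct certs
            "same_certificate": len(fingerprints) == 1,
        })
    return findings

if __name__ == "__main__":
    for finding in find_duplicate_groups(SAMPLE_ENTRIES):
        print(finding)
```
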