on 07-20-2009 3:45 AM
Hi,
I cannot log in to NWA, User Management and SLD through the web though the login details are correct. We can access only System Information. No error information is displayed; the site is just redirected to the main login screen where the input fields are blank. I have checked the user: the SAP_J2EE_ADMIN role is assigned and the settings of the role are correct. We're using NetWeaver 7.0 SPS 15.
From security log, we have the following entry for each login attempt:
**********************************************************************************************************************************************************
LOGIN.OK
User: ***********
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true false
Central Checks
**********************************************************************************************************************************************************
Please help advise if I missed out anything.
Thanks,
Jen
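The login-module table in the security log entry above can be read mechanically. This is an added example, not part of any post in the thread: it parses the rows and applies the standard JAAS control-flag rules. It assumes the values after the flag fill the Initialize, Login, Commit and Abort columns from left to right, with missing trailing columns blank.

```python
import re

# Constructed sample: the login-module rows from the security log entry in this thread.
SAMPLE = """\
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true false
"""

ROW = re.compile(r"^\s*\d+\.\s+(\S+)\s+(REQUIRED|REQUISITE|SUFFICIENT|OPTIONAL)\b(.*)$")
COLUMNS = ("initialize", "login", "commit", "abort")  # assumed left-to-right fill


def parse_stack(text):
    """Return one dict per login-module row; columns with no value become ''."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or unrelated log line
        values = m.group(3).split()
        values += [""] * (len(COLUMNS) - len(values))
        row = {"module": m.group(1).rsplit(".", 1)[-1], "flag": m.group(2)}
        row.update(zip(COLUMNS, values))
        rows.append(row)
    return rows


def jaas_outcome(rows):
    """Apply standard JAAS control-flag semantics to the login() column."""
    ok = True            # no REQUIRED/REQUISITE module has failed so far
    mandatory = False    # at least one REQUIRED/REQUISITE module was seen
    any_success = False
    for r in rows:
        passed = r["login"] == "true"
        any_success |= passed
        if r["flag"] in ("REQUIRED", "REQUISITE"):
            mandatory = True
            ok = ok and passed
            if r["flag"] == "REQUISITE" and not passed:
                return False   # a REQUISITE failure stops the stack
        elif r["flag"] == "SUFFICIENT" and passed and ok:
            return True        # a SUFFICIENT success stops the stack
    return ok if mandatory else any_success


def uncommitted(rows):
    """Modules whose login() succeeded but whose commit() is not 'true'."""
    return [r["module"] for r in rows if r["login"] == "true" and r["commit"] != "true"]
```

Under that column reading, `jaas_outcome` reports an overall successful authentication for the sample, while `uncommitted` lists the modules whose commit step is worth a closer look in the trace.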
Logs look ok...
http://help.sap.com/saphelp_nw70/helpdata/en/cb/ac3d41a5a9ef23e10000000a155106/content.htm
Try restarting the engine, check user belongs to the SAP_J2EE_ADMIN groups,
http://help.sap.com/saphelp_nw70/helpdata/en/38/116e424925c253e10000000a1550b0/content.htm
Regards
Juan
Dear All,
Thank you.
Is there a need to restart the Key Storage service after the changes or does the change automatically take effect?
Thanks.
Best Regards,
Jen
Hi,
As you have abap+java stack and you are trying to login to the same systems NWA then you need not do any sso configuration or something else. By default you will be able to use the users of the abap system in your java stack as this will be pointing to the abap db.
1. Which client is your java stack pointing to?
2. In which client does the j2ee_admin user exist, and what roles are assigned to it?
Just enable the following parameters:
login/accept_sso2_ticket to 1
login/create_sso2_ticket to 2.
Configure your SLD datasuppliers using RZ70.
Go to visual admin, then go to service>slddataprovider>cim client test.
Make sure your slddsuser is not locked and the pwd for this user is not expired. Maintain the user and pwd in the CIM client details and test this.
Regards,
Vamshi.
Hi Vamshi,
Thank you.
Yes, we have both ABAP and Java stack on the same host.
In answer to your questions, we have the following maintained for the second instance of our Solman system:
1. Java stack is pointing to our working client which is 080 through the ume.r3.connection.master.client parameter. Does it cause any problem if we have login.ticket_client set to 000? If yes and I change it, does this parameter have any other use/purpose aside from in logon tickets?
2. J2EE_ADMIN user exists in client 080 and is assigned with SAP_J2EE_ADMIN role
The following parameters are already maintained in our system as indicated.
login/accept_sso2_ticket to 1
login/create_sso2_ticket to 2
In the first instance of our Solman system, these sites are working from J2EE engine start page. However, the SAPLogonTicketKeyPair was deleted and only the certificate remained. Now, the sites are no longer accessible and only the System Information site is working. The same J2EE_ADMIN user exists and assigned with the SAP_J2EE_ADMIN role and above parameters are maintained.
I have already generated a new entry for both SAPLogonTicketKeyPair and SAPLogonTicketKeyPair-cert for the second instance of our Solman system, but it still is not working.
Kindly advise if I missed out any other settings.
Thanks and Best Regards,
Jen
Edited by: Joel P. Salazar on Jul 27, 2009 5:40 AM
Hi,
The problem in our first instance is now resolved by recreating the Key Storage entries. Still, for our second instance, the same problem.
Kindly advise how to edit com.sap.security.core.ume.service global parameters.
I have tried to change the parameter through Config Tool --> Cluster data --> Instance_***** --> server_ID**** --> services --> com.sap.security.core.ume.service. I wanted to change the login.ticket_client parameter from 000 to our working client, the same as in our first instance.
The change is reflected in Local Properties only, though I made the entries under Global Properties, chose the Set button and the Apply Changes button, and afterwards restarted the system.
I have also deleted the SAPLogonTicketKeyPair and -cert entries under Key Storage and generated new ones for our second instance. I have checked security trace logs and I found that it is somehow reading from our first instance system for CN, OU etc.
I am looking at document for SSO config for dual stack.
Hope you can help me with this.
Thanks.
Best Regards,
Jen
Hi,
Thanks. Still the same issue after import of certificates.
Can you advise of any trace logs I can look at further regarding this issue, where I can see the point of termination or which applications are being accessed? I am already looking at the default trace log, security log and Diag tool.
Moreover, kindly provide your inputs on the following points:
- How can I know or check which application deployed in java is behind /NWA, /useradmin etc from web to ensure that no other component is missing?
Any input is highly appreciated.
Thanks a lot,
Jen
Dear All,
Thanks a lot for the response.
May I know I can reimport the certificates? We only encountered this issue in the second instance of our Solman and all the sites were accessible before. Just today, the sites are not accessible for both instances. The last change done for the first instance is on the Key Storage Service under the TicketKeyStore component, for both entries SAPLogonTicketKeyPair and SAPLogonTicketKeyPair-cert, which were deleted.
Is there a way to retrieve the deleted certificates? Or do we need to generate a new one? Kindly provide steps if possible.
Thanks,
Jen
I don't think there is a way to retrieve deleted tickets.
For creating new ones, refer to these links.
/people/karsten.geiseler/blog/2007/04/11/seamless-sso-in-spite-of-certificate-expiration
http://saplab.org/2009/03/single-sign-on-portal-and-erp/
Regards,
Ravi
Check this,
http://help.sap.com/saphelp_nw2004s/helpdata/en/32/1c1041a0f6f16fe10000000a1550b0/content.htm
Refer to Enable Single Sign-On to a Remote J2EE Engine in the above link