Cannot login to NWA, User Management and SLD

Former Member
0 Kudos

Hi,

I cannot log in to NWA, User Management and SLD through the web though the login details are correct. We can access only System Information. No error information is displayed; the site is just redirected to the main login screen where the input fields are blank. I have checked the user: the SAP_J2EE_ADMIN role is assigned and the settings of the role are correct. We're using NetWeaver 7.0 SPS 15.

From security log, we have the following entry for each login attempt:

**********************************************************************************************************************************************************

LOGIN.OK

User: ***********

Authentication Stack: ticket

Login Module Flag Initialize Login Commit Abort

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false

2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true

3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true false

Central Checks

**********************************************************************************************************************************************************

Please help advise if I missed out anything.

Thanks,

Jen
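
Added example (not part of the original post and not an SAP tool): a small Python parser for the login-module rows quoted in the security log above, listing any module whose login step returned true but whose commit step returned false. It assumes the values after the flag map to Initialize, Login, Commit and Abort in that order; the sample text is constructed from the rows in the post.

```python
import re

# Constructed sample: the login-module rows quoted in the post above.
SAMPLE_LOG = """\
LOGIN.OK
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false false
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok true true
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true false
"""

# Assumption: values after the flag are Initialize, Login, Commit, Abort in
# that order, and trailing columns may be empty.
ROW = re.compile(
    r"^\s*(?P<pos>\d+)\.\s+(?P<module>[\w.$]+)\s+"
    r"(?P<flag>REQUIRED|REQUISITE|SUFFICIENT|OPTIONAL)\s+(?P<init>\S+)"
    r"(?:\s+(?P<login>true|false))?(?:\s+(?P<commit>true|false))?"
    r"(?:\s+(?P<abort>true|false))?\s*$"
)

def parse_stack(text):
    """Return one dict per login-module row; booleans are None when absent."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["pos"] = int(row["pos"])
        for col in ("login", "commit", "abort"):
            row[col] = None if row[col] is None else row[col] == "true"
        rows.append(row)
    return rows

def uncommitted_modules(rows):
    """Short names of modules whose login succeeded but commit did not."""
    return [r["module"].rsplit(".", 1)[-1]
            for r in rows if r["login"] is True and r["commit"] is False]

if __name__ == "__main__":
    stack = parse_stack(SAMPLE_LOG)
    for r in stack:
        print(r["pos"], r["flag"], r["module"], r["login"], r["commit"])
    print("login ok but not committed:", uncommitted_modules(stack))
```
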

Accepted Solutions (1)

JPReyes
Active Contributor
0 Kudos
Former Member
0 Kudos

Dear Juan,

Thanks a lot for the quick response.

Our admin user is already assigned to the following groups: SAP_J2EE_ADMIN, EVERYONE and Authenticated Users and we have a regular restart of the engine.

Still, I am redirected to the main login screen.

Thanks and Best regards,

Jen

JPReyes
Active Contributor
0 Kudos

Are you using the fully qualified domain name? The FQDN is required, and when using the hostname or IP this is usually the behaviour.

Regards

Juan

Former Member
0 Kudos

Hi Joel,

If you enabled SSO configuration, check the tickets; I am sure something is wrong with your SSO tickets.

Try re-importing the SSO tickets, it might resolve your issue.

Answers (3)

Former Member
0 Kudos

Dear All,

Thank you.

Is there a need to restart the Key Storage service after the changes or does the change automatically take effect?

Thanks.

Best Regards,

Jen

Former Member
0 Kudos

Dear All,

Further to this, I can see the following entries from the trace log:

Cannot provide the current ABAP master system because the responsible system landscape is currently not available.

Thanks,

Jen

Former Member
0 Kudos

Hi,

As you have an ABAP+Java stack and you are trying to log in to the same system's NWA, you need not do any SSO configuration or anything else. By default you will be able to use the users of the ABAP system in your Java stack, as this will be pointing to the ABAP DB.

1. Which client is your java stack pointing?

2. In which client the j2ee_admin user exists and also what are the roles assigned to it.

Just enable the following parameters:

login/accept_sso2_ticket to 1

login/create_sso2_ticket to 2.

Configure your SLD datasuppliers using RZ70.

Go to visual admin, then go to service>slddataprovider>cim client test.

Make sure your slddsuser is not locked and the pwd for this user is not expired. Maintain the user and pwd in the CIM client details and test this.

Regards,

Vamshi.

Former Member
0 Kudos

Hi Vamshi,

Thank you.

Yes, we have both ABAP and Java stack on the same host.

In answer to your questions, we have the following maintained for the second instance of our Solman system:

1. Java stack is pointing to our working client which is 080 through the ume.r3.connection.master.client parameter. Does it cause any problem if we have login.ticket_client set to 000? If yes and I change it, does this parameter have any other use/purpose aside from in logon tickets?

2. J2EE_ADMIN user exists in client 080 and is assigned with SAP_J2EE_ADMIN role

The following parameters are already maintained in our system as indicated.

login/accept_sso2_ticket to 1

login/create_sso2_ticket to 2

In the first instance of our Solman system, these sites were working from the J2EE engine start page. However, the SAPLogonTicketKeyPair was deleted and only the certificate remained. Now, the sites are no longer accessible and only the System Information site is working. The same J2EE_ADMIN user exists and is assigned the SAP_J2EE_ADMIN role, and the above parameters are maintained.

I have already generated a new entry for both SAPLogonTicketKeyPair and SAPLogonTicketKeyPair-cert for the second instance of our Solman system, but it still is not working.

Kindly advise if I missed out any other settings.

Thanks and Best Regards,

Jen

Edited by: Joel P. Salazar on Jul 27, 2009 5:40 AM

Former Member
0 Kudos

Hi,

The problem in our first instance is now resolved by recreating the Key Storage entries. Still, for our second instance, the same problem.

Kindly advise how to edit com.sap.security.core.ume.service global parameters.

I have tried to change the parameter through Config Tool --> Cluster data --> Instance_***** --> server_ID**** --> services --> com.sap.security.core.ume.service. I would have wanted to change the logon.ticket_client parameter from 000 to our working client, same as in our first instance.

The change is reflected in Local Properties only, though I have made the entries under Global Properties, chose the Set button and the Apply Changes button, and afterwards restarted the system.

I have also deleted the SAPLogonTicketKeyPair and -cert entries under Key Storage and generated new ones for our second instance. I have checked security trace logs and I found that it is somehow reading from our first instance system for CN, OU etc.

I am looking at document for SSO config for dual stack.

Hope you can help me with this.

Thanks.

Best Regards,

Jen

Former Member
0 Kudos

Hi,

Don't change that parameter, just import the certificate of your Java stack to the 000 client as well as the working client.

When you import the certificate in your working client, just add it to the ACL; while doing this, add it twice, one for 000 and the other for 080.

Regards,

Vamshi.

Former Member
0 Kudos

Hi,

Thanks. Still the same issue after import of certificates.

Can you advise of any trace logs I can look further regarding this issue where I can see the point of termination or which applications are being accessed? I am already looking at default trace log, security log and Diag tool?

Moreover, kindly provide your inputs on the following points:

- How can I know or check which application deployed in java is behind /NWA, /useradmin etc from web to ensure that no other component is missing?

Any input is highly appreciated.

Thanks a lot,

Jen

Former Member
0 Kudos

Can you paste the defaulttrace file here?

Former Member
0 Kudos

Hi,

Issue is now resolved. This was caused by incorrect configuration of one UME property.

Thanks a lot.

Best Regards,

Jen

Former Member
0 Kudos

What was the setting in UME that caused this?? I'm currently struggling with similar problem...

Former Member
0 Kudos

Dear All,

Thanks a lot for the response.

May I know I can reimport the certificates? We only encountered this issue in the second instance of our solman and all the sites were accessible before. Just today, the sites are not accessible for both instances. Last change done for the first instance is on the Key Storage Service under TicketKeyStore component for both entries SAPLogonTicketKeyPair and SAPLogonTicketKeyPair - cert which were deleted.

Is there a way to retrieve the deleted certificates? Or do we need to generate a new one? Kindly provide steps if possible.

Thanks ,

Jen

Former Member
0 Kudos

I don't think there is a way to retrieve deleted tickets.

For creating new ones, refer to these links.

/people/karsten.geiseler/blog/2007/04/11/seamless-sso-in-spite-of-certificate-expiration

http://saplab.org/2009/03/single-sign-on-portal-and-erp/

Regards,

Ravi

JPReyes
Active Contributor
0 Kudos

No way to recover them, you'll have to recreate the SAPLogonTicketKeyPair.

Regards

Juan

Former Member
0 Kudos

Check this,

http://help.sap.com/saphelp_nw2004s/helpdata/en/32/1c1041a0f6f16fe10000000a1550b0/content.htm

Refer to Enable Single Sign-On to a Remote J2EE Engine in the above link