09-03-2009 10:15 AM
Hi Experts,
I have a problem with the SSO configuration.
The error message is:
Own System Data
SAP System ECC Client 000
Profile Parameters login/accept_sso2_ticket = 1
Logon Tickets Are Accepted
Certificate List
The Certificate List Is Used To Verify the Digital Signature for the Logon Ticket
H:\usr\sap\ECC\DVEBMGS01\sec\SAPSYS.pse
Owner CN=X85
Issuer CN=X85
Serial Number 00
Owner CN=SSO, O=sapmarkets, C=US
Issuer CN=SSO, O=sapmarkets, C=US
Serial Number 00
Owner CN=DSZ, OU=IDES, O=mySAP.com Workplace, C=DE
Issuer CN=DSZ, OU=IDES, O=mySAP.com Workplace, C=DE
Serial Number 00
Owner CN=ID3
Issuer CN=ID3
Serial Number 00
Owner CN=IDES Workplace Center, OU=IDES, OU=SAP AG, O=mySAP.com Workplace, C=DE
Issuer CN=IDES Workplace Center, OU=IDES, OU=SAP AG, O=mySAP.com Workplace, C=DE
Serial Number 00
Owner CN=JE3
Issuer CN=JE3
Serial Number 00
Owner CN=E6T
Issuer CN=E6T
Serial Number 00
Owner CN=BI7
Issuer CN=BI7
Serial Number 20090820201039
This Is the Certificate of the Issuing System for Logon Tickets
Owner OU=J2EE, CN=BI7
Issuer OU=J2EE, CN=BI7
Serial Number 00
Owner CN=US01
Issuer CN=US01
Serial Number 00
Owner CN=EP7, O=SAP Training
Issuer CN=EP7, O=SAP Training
Serial Number EBB24ECD
Owner CN=CORPORATEPORTAL
Issuer CN=CORPORATEPORTAL
Owner CN=IDES Portal 5.0
Issuer CN=IDES Portal 5.0
Serial Number 00
Owner CN=HR Vertrieb demoportal
Issuer CN=HR Vertrieb demoportal
Serial Number 00
Owner CN=SAPUK ZE6 Sales Portal Demo
Issuer CN=SAPUK ZE6 Sales Portal Demo
Serial Number 00
Owner CN=GFI Demo- & Technology-Center
Issuer CN=GFI Demo- & Technology-Center
Serial Number 00
Owner CN=HR Vertrieb demoportal productiv
Issuer CN=HR Vertrieb demoportal productiv
Serial Number 00
Owner CN=SP4C, OU=SAP Training, O=SAP
Issuer CN=SP4C, OU=SAP Training, O=SAP
Serial Number 00
Owner CN=Portal, OU=IBSDI, O=SAP-AG, C=DE
Issuer CN=Portal, OU=IBSDI, O=SAP-AG, C=DE
Serial Number 00
Owner CN=EP50, OU=Solution Centre productive, O=CRM GBU, C=DE
Issuer CN=EP50, OU=Solution Centre productive, O=CRM GBU, C=DE
Serial Number 00
Owner CN=EP6, OU=SPS, OU=SAP, O=SAP Trust Community, C=DE
Issuer CN=EP6, OU=SPS, OU=SAP, O=SAP Trust Community, C=DE
Serial Number 00
Owner CN=E6T, OU=Training, OU=SAP, O=SAP Trust Community, C=DE
Issuer CN=E6T, OU=Training, OU=SAP, O=SAP Trust Community, C=DE
Serial Number 00
Owner CN=EP6, OU=PortalPlatformTeam, OU=EnterprisePortal, O=SAP Trust Community, C=DE
Issuer CN=EP6, OU=PortalPlatformTeam, OU=EnterprisePortal, O=SAP Trust Community, C=DE
Serial Number 00
Systems for Which ECC Accepts Verified Logon Tickets
The Access Control List Defines Which Systems the Verified Logon Tickets Are Accepted From
Table TWPSSO2ACL
SAP System BI7 Client 000
Owner OU=J2EE, CN=BI7
Issuer OU=J2EE, CN=BI7
Serial Number 00
SAP System BI7 Client 001
Owner CN=BI7
Issuer CN=BI7
Serial Number 20090820201039
This Is the Certificate of the Issuing System for Logon Tickets
SAP System ECC Client 000
Owner CN=ID3
Issuer CN=ID3
Serial Number 00
SAP System ECC Client 001
Owner OU=J2EE, CN=BI7
Issuer OU=J2EE, CN=BI7
Serial Number 00
Application server PSE:
ID: CN=ID3
Namespace:
Profiles: H:\usr\sap\ECC\DVEBMGS01\sec\SAPSYS.pse
OK: file available, length: 15.455
ERROR: local PSE does not match original in database.
Kindly help me to solve this problem.
Thanks
Jibin.
09-04-2009 7:13 PM
Hello,
I would recommend checking the status of the PSE (green or red) using transaction STRUST or STRUSTSSO2.
You might have to recreate your PSE in the Trust Manager.
09-07-2009 7:38 PM
Hi Edward,
It is showing RED only.
Can you help me to recreate the PSE in this system?
Give me the steps to create it manually.
Kindly help me to solve this problem.
Thanks
Jibin.
09-09-2009 7:54 PM
Hello,
Delete PSE
1) Within the Trust Manager screen first select the folder called System PSE. This folder will contain all of the PSEs that give the error local PSE does not match original in database. (Red Status)
2) Next select menu path >> Edit >> Delete Certificate
3) You will receive a pop-up window that says Do you really want to delete existing PSE's? Select Yes
4) This will change the System PSE icon from a folder icon to a Red X
Create PSE
1) Select the System PSE icon (Red X)
2) Next right click on the System PSE icon and select Create
3) A pop-up window should be auto-populated with correct PSE information.
4) Select the green check mark.
Now all of your PSEs should be green.
09-13-2009 2:08 PM
Stop - please do not delete the PSE.
If the system reports some inconsistencies (between database and file copy) you should try to repair them by using the "distribute" function provided by STRUST: this will overwrite the file copy with the PSE content stored in the database (where the "original" is stored).
12-11-2013 7:09 PM
And the other way round?
I wonder how to overwrite the System PSE held on database level with the SAPSYS.PSE from $INSTANCEDIR/sec.
AFAIK sapgenpse does enhance/add the SAPSYS.PSE with extra certificates using the import_own_cert option, but is there an option to use sapgenpse to import SAPSYS.PSE as the database held System-PSE without changing anything, just to replace the copy residing in the DB?
If that's not the tool - anything simple like deleting the system PSE using STRUST and firing up SAP with the SAPSYS.PSE residing on the file system will do?
Not many experiments on this yet, so has anybody got a more profound knowledge of the mechanics used?
I know if there is no SAPSYS.PSE on file it will be created automatically when firing up SAP, or when using STRUST from an already running installation.
12-12-2013 6:29 AM
12-12-2013 8:08 AM
Sure. Tried two ways:
a)
1. Delete existing System-PSE
2. Import SAPSYS.PSE
3. System-PSE remains empty (red x)
Leaving STRUST and calling it again: No System-PSE
b)
1. Create new System-PSE ok - everything is in place
2. Import needed SAPSYS.PSE
3. Certificate field is populated with that data
Leaving STRUST and calling it again: The imported SAPSYS.PSE data is gone and System-PSE is coming up with newly created certificate data
Example:
1. Create New
Inhaber CN=SID
Aussteller CN=SID
Seriennummer 20131211053554
Gültig von 11.12.2013 05:35:54 bis 01.01.2038 00:00:01
Prüfsumme BE:7D:67:FE:7F:F6:8B:85:C5:63:BF:BC:74:BE:7D:4D:67:FE
2. After Import
Inhaber CN=SID
Aussteller CN=SID
Seriennummer 00
Gültig von 01.10.1997 00:00:00 bis 01.01.2038 00:00:00
Prüfsumme 8E:0F:BC:54:98:5D:02:84:CB:F0:BE:7D:4D:67:32:80:62:CD
3. Leaving STRUST and re-entering
Inhaber CN=SID
Aussteller CN=SID
Seriennummer 20131211053554
Gültig von 11.12.2013 05:35:54 bis 01.01.2038 00:00:01
Prüfsumme BE:7D:67:FE:7F:F6:8B:85:C5:63:BF:BC:74:BE:7D:4D:67:FE
Saving the PSE leads to an export to file dialog...
Distributing doesn't help either
12-12-2013 8:35 AM
OK - saving is possible via the text menu, using the "Save as..." dialog.
Thanks for your clue, I wasn't sure, so I kept on searching.
Import Personal Security Environment Certificate in question
Choose "Save as..." from the menu
Select Database entry destination