
ERROR: local PSE does not match original in database

Former Member
0 Kudos

Hi Experts,

I have a problem with the SSO configuration.

The error message is :

Own System Data

SAP System ECC Client 000

Profile Parameters login/accept_sso2_ticket = 1

Logon Tickets Are Accepted

Certificate List

The Certificate List Is Used To Verify the Digital Signature for the Logon Ticket

H:\usr\sap\ECC\DVEBMGS01\sec\SAPSYS.pse

Owner CN=X85

Issuer CN=X85

Serial Number 00

Owner CN=SSO, O=sapmarkets, C=US

Issuer CN=SSO, O=sapmarkets, C=US

Serial Number 00

Owner CN=DSZ, OU=IDES, O=mySAP.com Workplace, C=DE

Issuer CN=DSZ, OU=IDES, O=mySAP.com Workplace, C=DE

Serial Number 00

Owner CN=ID3

Issuer CN=ID3

Serial Number 00

Owner CN=IDES Workplace Center, OU=IDES, OU=SAP AG, O=mySAP.com Workplace, C=DE

Issuer CN=IDES Workplace Center, OU=IDES, OU=SAP AG, O=mySAP.com Workplace, C=DE

Serial Number 00

Owner CN=JE3

Issuer CN=JE3

Serial Number 00

Owner CN=E6T

Issuer CN=E6T

Serial Number 00

Owner CN=BI7

Issuer CN=BI7

Serial Number 20090820201039

This Is the Certificate of the Issuing System for Logon Tickets

Owner OU=J2EE, CN=BI7

Issuer OU=J2EE, CN=BI7

Serial Number 00

Owner CN=US01

Issuer CN=US01

Serial Number 00

Owner CN=EP7, O=SAP Training

Issuer CN=EP7, O=SAP Training

Serial Number EBB24ECD

Owner CN=CORPORATEPORTAL

Issuer CN=CORPORATEPORTAL

Owner CN=IDES Portal 5.0

Issuer CN=IDES Portal 5.0

Serial Number 00

Owner CN=HR Vertrieb demoportal

Issuer CN=HR Vertrieb demoportal

Serial Number 00

Owner CN=SAPUK ZE6 Sales Portal Demo

Issuer CN=SAPUK ZE6 Sales Portal Demo

Serial Number 00

Owner CN=GFI Demo- & Technology-Center

Issuer CN=GFI Demo- & Technology-Center

Serial Number 00

Owner CN=HR Vertrieb demoportal productiv

Issuer CN=HR Vertrieb demoportal productiv

Serial Number 00

Owner CN=SP4C, OU=SAP Training, O=SAP

Issuer CN=SP4C, OU=SAP Training, O=SAP

Serial Number 00

Owner CN=Portal, OU=IBSDI, O=SAP-AG, C=DE

Issuer CN=Portal, OU=IBSDI, O=SAP-AG, C=DE

Serial Number 00

Owner CN=EP50, OU=Solution Centre productive, O=CRM GBU, C=DE

Issuer CN=EP50, OU=Solution Centre productive, O=CRM GBU, C=DE

Serial Number 00

Owner CN=EP6, OU=SPS, OU=SAP, O=SAP Trust Community, C=DE

Issuer CN=EP6, OU=SPS, OU=SAP, O=SAP Trust Community, C=DE

Serial Number 00

Owner CN=E6T, OU=Training, OU=SAP, O=SAP Trust Community, C=DE

Issuer CN=E6T, OU=Training, OU=SAP, O=SAP Trust Community, C=DE

Serial Number 00

Owner CN=EP6, OU=PortalPlatformTeam, OU=EnterprisePortal, O=SAP Trust Community, C=DE

Issuer CN=EP6, OU=PortalPlatformTeam, OU=EnterprisePortal, O=SAP Trust Community, C=DE

Serial Number 00

Systems for Which ECC Accepts Verified Logon Tickets

The Access Control List Defines Which Systems the Verified Logon Tickets Are Accepted From

Table TWPSSO2ACL

SAP System BI7 Client 000

Owner OU=J2EE, CN=BI7

Issuer OU=J2EE, CN=BI7

Serial Number 00

SAP System BI7 Client 001

Owner CN=BI7

Issuer CN=BI7

Serial Number 20090820201039

This Is the Certificate of the Issuing System for Logon Tickets

SAP System ECC Client 000

Owner CN=ID3

Issuer CN=ID3

Serial Number 00

SAP System ECC Client 001

Owner OU=J2EE, CN=BI7

Issuer OU=J2EE, CN=BI7

Serial Number 00

Application server PSE:

ID: CN=ID3

Namespace:

Profiles: H:\usr\sap\ECC\DVEBMGS01\sec\SAPSYS.pse

OK: file available, length: 15.455

ERROR: local PSE does not match original in database.

Kindly help me to solve this problem.

Thanks

Jibin.

1 ACCEPTED SOLUTION

0 Kudos

Hello,

I would recommend checking the status of the PSE (green or red) using transaction STRUST or STRUSTSSO2.

You might have to recreate your PSE in the Trust Manager.

8 REPLIES 8

0 Kudos

Hi Edward,

It is showing RED only.

Can you help me to recreate the PSE in this system?

Give me the steps to create it manually.

Kindly help me to solve this problem.

Thanks

Jibin.

0 Kudos

Hello,

Delete PSE

1) Within the Trust Manager screen, first select the folder called System PSE. This folder will contain all of the PSEs that give the error "local PSE does not match original in database" (Red Status).

2) Next select menu path >> Edit >> Delete Certificate

3) You will receive a pop-up window that says "Do you really want to delete existing PSE's?" Select Yes.

4) This will change the System PSE icon from a folder icon to a Red X

Create PSE

1) Select the System PSE icon (Red X)

2) Next right click on the System PSE icon and select Create

3) A pop-up window should be auto-populated with correct PSE information.

4) Select the green check mark.

Now all of your PSEs should be green.

0 Kudos

Stop - please do not delete the PSE.

If the system reports some inconsistencies (between database and file copy) you should try to repair them by using the "distribute" function provided by STRUST: this will overwrite the file copy with the PSE content stored in the database (where the "original" is stored).

0 Kudos

And the other way round?

I wonder how to overwrite the System PSE held on database level with the SAPSYS.PSE from $INSTANCEDIR/sec

AFAIK sapgenpse does enhance/add the SAPSYS.PSE with extra certificates using the import_own_cert option, but is there an option to use sapgenpse to import SAPSYS.PSE as the database held System-PSE without changing anything, just to replace the copy residing in the DB?

If that's not the tool - anything simple like deleting the system PSE using STRUST and firing up SAP with the SAPSYS.PSE residing on the file system will do?

Not many experiments on this yet, so has anybody got a more profound knowledge of the mechanics used?

I know that if there is no SAPSYS.PSE on file, it will be created automatically when firing up SAP, or when using STRUST from an already running installation.

0 Kudos

Have you checked the PSE Import function in STRUST?

Regards,

Patrick

0 Kudos

Sure. Tried two ways:

a)

1. Delete existing System-PSE

2. Import SAPSYS.PSE

3. System-PSE remains empty (red x)

Leaving STRUST and calling it again: No System-PSE

b)

1. Create new System-PSE ok - everything is in place

2. Import needed SAPSYS.PSE

3. Certificate field is populated with that data

Leaving STRUST and calling it again: The imported SAPSYS.PSE data is gone and System-PSE is coming up with newly created certificate data

Example:

1. Create New

Inhaber        CN=SID

Aussteller     CN=SID

Seriennummer   20131211053554

Gültig von     11.12.2013 05:35:54 bis    01.01.2038 00:00:01

Prüfsumme      BE:7D:67:FE:7F:F6:8B:85:C5:63:BF:BC:74:BE:7D:4D:67:FE

2. After Import

Inhaber        CN=SID

Aussteller     CN=SID

Seriennummer   00

Gültig von     01.10.1997 00:00:00 bis    01.01.2038 00:00:00

Prüfsumme      8E:0F:BC:54:98:5D:02:84:CB:F0:BE:7D:4D:67:32:80:62:CD

3. Leaving STRUST and re-entering

Inhaber        CN=SID

Aussteller     CN=SID

Seriennummer   20131211053554

Gültig von     11.12.2013 05:35:54 bis    01.01.2038 00:00:01

Prüfsumme      BE:7D:67:FE:7F:F6:8B:85:C5:63:BF:BC:74:BE:7D:4D:67:FE

Saving the PSE leads to an export to file dialog...

Distributing doesn't help either

0 Kudos

OK - saving is possible using the text menu using save as dialog.

Thanks for your clue; I wasn't sure, so I kept on searching.

Import Personal Security Environment Certificate in question

Choose "Save as..." from the menu

Select Database entry destination