cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

CTS+ For PI Error: SoapFaultCode:5 Authentication failed

Go to solution
Former Member

on ‎11-23-2011 6:50 PM

0 Kudos

Dears,

We have configured CTS+ for our PI landscape.

All works fine from our PD1 -> PU1 but when importing into PP1 we receive next error:

rror when executing Web service CTSDEPLOY, exception is cx_ai_system_fault

SoapFaultCode:5 Authentication failed. For details see log entry logID=XYZ in security log

1) anyone faced similar problem

2) When checking SM20 on PP1 or on the Solman TDC we do not see any message

When checking the logfiles in the /nwa for PP1 or our solman TDC we do not see any message indicating a security issue. When we filter for category u201C/System/Security/WS/Authenticationu201D we don't see any message.

Any advice on where to start much appreciated!

Regards,

Geert

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

blanca_serrano
Advisor
Advisor
‎11-24-2011 7:18 AM
0 Kudos

Hello Geert,

To begin with, please, for CTSDEPLOYcheck if DeployProxy web service is available properly in Java stack.

After that, please double check if you can use user j2ee_admin to logon Java stack, if it is OK, please reenter the password for this user in rfc CTSDEPLOY. Please also check as per below SAP Library:

<Configuring the CTS Deploy Web Service>

http://help.sap.com/saphelp_nw70/helpdata/en/45/f9f02cf3e41ecce10000000a1553f7/frameset.htm

I hope this helps you.

Regards,

Blanca

Show replies
Show replies
Former Member
‎11-24-2011 9:30 AM
0 Kudos

Hi Blanca,

Thanks for your reply!

CTSDEPLOY webservice is available.

I re-entered the password but same error appears.

I have the impression it has to do with the configuration in STMS. Here we also define an "XI user/password'. Also here I re-entered a username/pwd but still same error appears. I suspect the problem to be located over there.

Could you direct me on where to look for the 'security log' as indicated in the error thrown by transport?

+Error when executing Web service CTSDEPLOY, exception is cx_ai_system_fault

SoapFaultCode:5 Authentication failed. For details see log entry logID=C0000AAA053404D20000000100006ACF in security log.

Highest return code is 12+

Many thanks,

Geert

Answers (4)

Answers (4)

blanca_serrano
Advisor
Advisor
‎11-25-2011 7:03 AM
0 Kudos

Hello Geert,

In order to be sure the problem is not in the logon module stack, please, try the following:

If you really need the EvaluateAssertionTicketLoginModule, then add the login Module EvaluateTicketLoginModule in the first

place. If you do not need the EvaluateAssertionTicketLoginModule, then please replace it with EvaluateTicketLoginModule.

Please, tell me the results.

Regards,

Blanca

Show replies
Show replies
Former Member
‎11-25-2011 12:29 PM
0 Kudos

I found the cause of the problem.

I have to share it so when other people make the same error they do not spend hours solving it.

For reasons the user used for the HTTP Destination was only created on client 000 and not client 001.

The transports delivery route points to client 001 so creating the user in client 001 with the correct permissions did solve the error.

During my analyses I did not detect this since logging on with this user to the Integration Builder, SLD, /nwa, etc... was working correct..

Many thanks Blanca and Matthias for your helps!

Geert

Former Member
‎06-13-2014 9:45 AM
0 Kudos

Hi,

I have the same problem, can you explain me what is the user I have to create in 001?

Regards,

EDIT: solved, bad password in the user...

blanca_serrano
Advisor
Advisor
‎11-24-2011 2:40 PM
0 Kudos

Hi Geert,

The webservices are normally associated to acommunication profile which defines the authentication method supported

by the webservice. For example, your webservice can accept basic and certificate authentication (policy BASICSSO2**). All of this can be configured in the Netweaver Administrator .

Can you please check your configuration? Please, see thif the following online documentation is usefull for you:

http://help.sap.com/saphelp_banking50/helpdata/EN/45/b5e9e831312e78e10000000a155369/frameset.htm

Regards,

Blanca

Show replies
Show replies
Former Member
‎11-24-2011 3:33 PM
0 Kudos

The webservice DeployProxyVi has a connectivity of type: WS

When verifying the communication Profile we see that for connectivity type WS all authentication methods are selected.

When activating a loglevel ALL I receive next in the security.log file:

#2.0 #2011 11 24 14:52:04:031#+0100#Info#/System/Security/Authentication#

#BC-JAS-SEC#security#C0000AAA053404F40000000000006ACF#4204050000000005#sap.com/tcctsappl#com.sap.engine.services.security.authentication.logincontext.table#J2EE_GUEST#0##0050569E00341EE185D46FB136B89A96#4ECE5A022F967EB8E10000000AAA0534#0AAA05347EB84ECE4C04000400000000#1#Thread[HTTP Worker [@2064305958],5,Dedicated_Application_Thread]#Plain##

LOGIN.FAILED

User: N/A

Authentication Stack: BASICSSO2__ws

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule SUFFICIENT ok exception true Received no SAP Authentication Assertion Ticket.

2. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

3. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule SUFFICIENT ok exception true Authentication did not succeed.#

#2.0 #2011 11 24 14:52:04:033#+0100#Warning#/System/Security/WS#

com.sap.ASJ.wssec.020142#BC-ESI-WS-JAV-RT#tcsecwssecservice#C0000AAA053404F40000000100006ACF#4204050000000005#sap.com/tccts~appl#com.sap.engine.services.wssec.authentication#J2EE_GUEST#0##0050569E00341EE185D46FB136B89A96#4ECE5A022F967EB8E10000000AAA0534#0AAA05347EB84ECE4C04000400000000#1#Thread[HTTP Worker [@2064305958],5,Dedicated_Application_Thread]#Plain##

Read data of type username and value CTS_USER from HTTP header and set on module javax.security.auth.callback.NameCallback

Read data of type password and value xxx from HTTP header and set on module javax.security.auth.callback.PasswordCallback

From:[DeployProxy, default]

JAAS stack configuration: Module 0 Name EvaluateAssertionTicketLoginModule Flag LoginModuleControlFlag: sufficient Options {}

JAAS stack configuration: Module 1 Name EvaluateTicketLoginModule Flag LoginModuleControlFlag: sufficient Options {}

JAAS stack configuration: Module 2 Name BasicPasswordLoginModule Flag LoginModuleControlFlag: sufficient Options {}

Authentication for web service DeployProxy, configuration default using security policy BASICSSO2__ws failed: Cannot authenticate the user.. (See SAP Note 880896 for further info).

#

#2.0 #2011 11 24 14:52:04:110#+0100#Info#/System/Security/Authentication#

#BC-JAS-SEC#security#C0000AAA053404F50000000000006ACF#4204050000000005#sap.com/tcctsappl#com.sap.engine.services.security.authentication.logincontext.table#J2EE_GUEST#0##0050569E00341EE185D46FB136B89A96#4ECE5A022F967EB8E10000000AAA0534#0AAA05347EB84ECE4C04000500000000#1#Thread[HTTP Worker [@119517920],5,Dedicated_Application_Thread]#Plain##

LOGIN.FAILED

User: N/A

Authentication Stack: BASICSSO2__ws

Login Module Flag Initialize Login Commit Abort Details

1. com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule SUFFICIENT ok exception true Received no SAP Authentication Assertion Ticket.

2. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true

3. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule SUFFICIENT ok exception true Authentication did not succeed.#

#2.0 #2011 11 24 14:52:04:111#+0100#Warning#/System/Security/WS#

com.sap.ASJ.wssec.020142#BC-ESI-WS-JAV-RT#tcsecwssecservice#C0000AAA053404F50000000100006ACF#4204050000000005#sap.com/tccts~appl#com.sap.engine.services.wssec.authentication#J2EE_GUEST#0##0050569E00341EE185D46FB136B89A96#4ECE5A022F967EB8E10000000AAA0534#0AAA05347EB84ECE4C04000500000000#1#Thread[HTTP Worker [@119517920],5,Dedicated_Application_Thread]#Plain##

Read data of type username and value CTS_USER from HTTP header and set on module javax.security.auth.callback.NameCallback

Read data of type password and value xxx from HTTP header and set on module javax.security.auth.callback.PasswordCallback

From:[DeployProxy, default]

JAAS stack configuration: Module 0 Name EvaluateAssertionTicketLoginModule Flag LoginModuleControlFlag: sufficient Options {}

JAAS stack configuration: Module 1 Name EvaluateTicketLoginModule Flag LoginModuleControlFlag: sufficient Options {}

JAAS stack configuration: Module 2 Name BasicPasswordLoginModule Flag LoginModuleControlFlag: sufficient Options {}

Authentication for web service DeployProxy, configuration default using security policy BASICSSO2__ws failed: Cannot authenticate the user.. (See SAP Note 880896 for further info).

#

mathias_essenpreis
Employee
Employee
‎11-24-2011 12:26 PM
0 Kudos

Hi,

SoapFaultCode:5 Authentication failed sounds to me like an ABAP message. Is there an AS ABAP involved in your communication. That would also explain why you don't get good error tracing in the Java stack.

In The ABAP server goto either transaction SRT_UTIL->error_log (if available in your system) or use the SOAMANAGER transaction to review the traces.

But normally SoapFaultCode:5 Authentication failed means that there's a misconfiguration in the trust setup. If you use Assertion /Logon Tickets or SAML Assertions to call the ABAP from the Java you maybe forgot to exchange the trust certificates or the certificates are invalid (expired).

Regards,

Mathias

Show replies
Show replies
Former Member
‎11-24-2011 2:12 PM
0 Kudos

Hi Matthias,

Thanks for your advices.

I found the details of the error message in the security log on J2EE level - not via abap.

We use basic authentication for the deployments so I don't think it is related to the certificates. (I checked certificates and here all seems ok)

Regs,

Geert

blanca_serrano
Advisor
Advisor
‎11-24-2011 11:08 AM
0 Kudos

Hello Geert,

You can find the secruity log under following path:

\usr\sap\<SID>\<instance_number>\j2ee\cluster\server<n>\log\system\security.<n>.log

Apart from that, I would also check that the URL of deploy tools are correct and also that the logon data set for them by STMS > system overview > tab transport tool > menu Goto > SDM or SLD user/password are correct.

I hope this helps you.

Blanca

Show replies
Show replies
Former Member
‎11-24-2011 12:34 PM
0 Kudos

On the filesystem I did find the secrity log. Unclear to me why it does not appear in /nwa.

When checking the security log I found the below message:

The error message shows:

com.sap.ASJ.wssec.020142#BC-ESI-WS-JAV-RT#tcsecwssecservice#C0000AAA053404D60000000100006ACF#4204050000000005#sap.com/tccts~appl#com.sap.engine.services.wssec.authentication#J2EE_GUEST#0##0050569E00341EE185D1DF0931DA8E2F#4ECC6133DDD25FEAE10000000AAA0534#0AAA05345FEA4ECE2996000300000000#1#Thread[HTTP Worker [@1923950032],5,Dedicated_Application_Thread]#Plain##

Read data of type username and value CTS_USER from HTTP header and set on module javax.security.auth.callback.NameCallback

Read data of type password and value xxx from HTTP header and set on module javax.security.auth.callback.PasswordCallback

Authentication for web service DeployProxy, configuration default using security policy BASICSSO2__ws failed: Cannot authenticate the user.. (See SAP Note 880896 for further info).

SAP Note 880869 tells to set the loglevel to INFO - which is already the case

I'll look further in it

Ask a Question