on 01-14-2014 11:08 AM
Hello,
In basic configuration step 5 "configure automatically", the activity SSO Setup fails with errors (see log below).
The problem is that the system was built with a system copy and the SID was renamed (before: RS1, now: RS2).
In Java Visual Admin in Services - KeyStorage - View TicketKeystore - Entries I can see that AbapTicketSMD-cert is for RS2, but SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert are for RS1.
I think this could be the problem, but I'm not sure.
What do I have to do after a system copy with a new SID to get SSO Setup working?
RS2 : Activity 'SSO Setup' ended with errors:
A failure occured while connecting to ABAP stack on localhost sys=00 client=001 user=null. Details : Parameter containing a user ID is missing: neither user nor user alias nor external ID nor SSO ticket nor X.509 certificate is specified.
Found SID for SSO ACL entry : RS1
Found login.ticket_client for SSO ACL entry : 000
The Read entry permission on TicketKeystore/SAPLogonTicketKeypair-cert was given to sap.com/tc~webadministrator~solmandiag/servlet_jsp/smd/root/WEB-INF/lib/SetupLib.jar
The TicketKeystore/SAPLogonTicketKeypair-cert was succesfully read (619 bytes)
ABAP SSO ticket certificate of RS1 was imported in ABAP PSE of localhost (client 100)
The ABAP SSO ticket certificate was successfully imported in ABAP System PSE, and the ACL updated accordingly (SID=RS1 LoginTicketClient=100)
Java SSO ticket certificate of RS1 was imported in ABAP PSE of localhost (client 100)
The Java SSO ticket certificate was successfully imported in ABAP System PSE, and the ACL updated accordingly (SID=RS1 LoginTicketClient=000)
A failure occured while connecting to ABAP stack on localhost sys=00 client=001 user=null
!! Exception : Parameter containing a user ID is missing: neither user nor user alias nor external ID nor SSO ticket nor X.509 certificate is specified
A failure occured while connecting to ABAP stack on localhost sys=00 client=001 user=null
!! Exception : Parameter containing a user ID is missing: neither user nor user alias nor external ID nor SSO ticket nor X.509 certificate is specified
The ABAP instance profile contains the parameter : login/accept_sso2_ticket=1
The SSO ticket Certificate <CN=RS2> has been successfully imported into Java Keystore
The com.sap.security.core.server.jaas.EvaluateTicketLoginModule already contained the entry : trustedsys=RS1, 100 trustediss=CN=RS2 trusteddn=CN=RS2
Regards,
Julia
Hi
Check the below note for the solution.
Note 1121248 - SSO Setup for Diagnostics
Rableen
Hi,
Which client do you want to have the configuration in... 001 or 100?
Do the import in that client.
Log in to the URL http://hostname:5XX00/sso2
and see what entry you see in the Java system.
Have you regenerated the cert in Visual Admin for the new system?
Then download that and keep it ready to import in strustsso2.
Before importing, regenerate the backend system cert in strustsso2 and then add it to the cert and the ACL list.
Now import the cert and restart the system or ICM and see if it fixes the issue.
thanks
Rishi abrol
Hello Rishi,
thank you for your help.
Configuration is in client 100.
I didn't regenerate cert in visual admin. Is it right to go to service - Key Storage - TicketKeystore - Entries and click on create? Will this change the entries SAPLogonTicketKeypair and -cert?
I had a look into http://hostname:5XX00/sso2.
Accepting system is RS2 client 000, SSO certificate is valid.
SSO-consistency check failed and following systems will be used: RS1 100.
I accepted this and now as trusted system SID RS1 client 100 is available - which is wrong.
If I try to add another trusted system via SLD, I can choose RS2, but login data is necessary. Which username do I take?
Regards,
Julia
Hi,
I didn't regenerate cert in visual admin. Is it right to go to service - Key Storage - TicketKeystore - Entries and click on create? Will this change the entries SAPLogonTicketKeypair and -cert?
Yes, once you do a system copy you need to go into Visual Admin, rename the old one and create a new TicketKeypair.
As shown below...
In the CN name I think it is picking RS1...
Once replaced, use that cert, then do the config and do a restart...
Thanks
Rishi abrol
You need to import the new certificate for RS2 in ABAP. See below:
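
An added example, not part of the original thread or of SAP's tooling: a small Python check that scans an SSO Setup log like the one in the first post and lists every entry that still names the pre-copy SID. The sample log lines are copied from that post; the function names and regular expressions are assumptions made for this illustration.

```python
import re

# Constructed sample: lines copied from the SSO Setup log quoted in the first post.
SAMPLE_LOG = """\
Found SID for SSO ACL entry : RS1
Found login.ticket_client for SSO ACL entry : 000
ABAP SSO ticket certificate of RS1 was imported in ABAP PSE of localhost (client 100)
The ABAP SSO ticket certificate was successfully imported in ABAP System PSE, and the ACL updated accordingly (SID=RS1 LoginTicketClient=100)
Java SSO ticket certificate of RS1 was imported in ABAP PSE of localhost (client 100)
The Java SSO ticket certificate was successfully imported in ABAP System PSE, and the ACL updated accordingly (SID=RS1 LoginTicketClient=000)
The SSO ticket Certificate <CN=RS2> has been successfully imported into Java Keystore
The com.sap.security.core.server.jaas.EvaluateTicketLoginModule already contained the entry : trustedsys=RS1, 100 trustediss=CN=RS2 trusteddn=CN=RS2
"""

# Each pattern captures the SID a log line refers to, labelled by where it appears.
PATTERNS = [
    ("ACL entry SID", re.compile(r"Found SID for SSO ACL entry : (\w{3})\b")),
    ("imported ticket certificate", re.compile(r"SSO ticket certificate of (\w{3}) was imported")),
    ("ACL update", re.compile(r"\(SID=(\w{3}) LoginTicketClient=\d{3}\)")),
    ("certificate CN", re.compile(r"<CN=(\w{3})>")),
    ("trustedsys", re.compile(r"trustedsys=(\w{3}),")),
    ("trustediss", re.compile(r"trustediss=CN=(\w{3})\b")),
]

def find_sid_references(log_text):
    """Return (line_no, label, sid) for every SID reference found in the log."""
    refs = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for label, pattern in PATTERNS:
            for match in pattern.finditer(line):
                refs.append((line_no, label, match.group(1)))
    return refs

def stale_references(log_text, current_sid):
    """Keep only the references that name a SID other than the current one."""
    return [r for r in find_sid_references(log_text) if r[2] != current_sid]

if __name__ == "__main__":
    for line_no, label, sid in stale_references(SAMPLE_LOG, "RS2"):
        print(f"line {line_no}: {label} still refers to {sid}")
```

Run against the quoted log with RS2 as the current SID, it reports the ACL entries, both imported ticket certificates and the `trustedsys` value as still pointing at RS1, while the certificate CN and `trustediss` already name RS2.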