
SM 7.1 SPS08: SSO-Setup does not work

Former Member
0 Kudos

Hello,

in basic configuration step 5 "configure automatically" activity SSO Setup fails with errors (see log below).

The problem is that the system was built with a system copy and the SID was renamed (before: RS1, now: RS2).

In Java Visual Admin in Services - KeyStorage - View TicketKeystore - Entries I can see that AbapTicketSMD-cert is for RS2, but SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert are for RS1.

I think this could be the problem, but I'm not sure.

What do I have to do after a system copy with a new SID to get SSO Setup working?

RS2 : Activity 'SSO Setup' ended with errors:

A failure occured while connecting to ABAP stack on localhost sys=00 client=001 user=null. Details : Parameter containing a user ID is missing: neither user nor user alias nor external ID nor SSO ticket nor X.509 certificate is specified.

Found SID for SSO ACL entry : RS1

Found login.ticket_client for SSO ACL entry : 000

The Read entry permission on TicketKeystore/SAPLogonTicketKeypair-cert was given to sap.com/tc~webadministrator~solmandiag/servlet_jsp/smd/root/WEB-INF/lib/SetupLib.jar

The TicketKeystore/SAPLogonTicketKeypair-cert was succesfully read (619 bytes)

ABAP SSO ticket certificate of RS1 was imported in ABAP PSE of localhost (client 100)

The ABAP SSO ticket certificate was successfully imported in ABAP System PSE, and the ACL updated accordingly (SID=RS1 LoginTicketClient=100)

Java SSO ticket certificate of RS1 was imported in ABAP PSE of localhost (client 100)

The Java SSO ticket certificate was successfully imported in ABAP System PSE, and the ACL updated accordingly (SID=RS1 LoginTicketClient=000)

A failure occured while connecting to ABAP stack on localhost sys=00 client=001 user=null

!! Exception : Parameter containing a user ID is missing: neither user nor user alias nor external ID nor SSO ticket nor X.509 certificate is specified

A failure occured while connecting to ABAP stack on localhost sys=00 client=001 user=null

!! Exception : Parameter containing a user ID is missing: neither user nor user alias nor external ID nor SSO ticket nor X.509 certificate is specified

The ABAP instance profile contains the parameter : login/accept_sso2_ticket=1

The SSO ticket Certificate <CN=RS2> has been successfully imported into Java Keystore

The com.sap.security.core.server.jaas.EvaluateTicketLoginModule already contained the entry : trustedsys=RS1, 100 trustediss=CN=RS2 trusteddn=CN=RS2

Regards,

Julia

Accepted Solutions (0)

Answers (3)


Former Member
0 Kudos

Hi

Check the below note for the solution.

Note 1121248 - SSO Setup for Diagnostics

Rableen

Former Member
0 Kudos

Hi,

Which client do you want to have the configuration in... 001 or 100?

Do the import in that client..

login to the url http://hostname:5XX00/sso2

and see what entry do you see in the java system.

Have you regenerated the cert in visual admin for the new system...

Then download that and keep it ready to import in strustsso2.

Before importing, regenerate the backend system cert in strustsso2 and then add it to the cert and the ACL list.

now import the cert and restart the system or icm and see if it fixes the issue.

thanks

Rishi abrol

Former Member
0 Kudos

Hello Rishi,

thank you for your help.

Configuration is in client 100.

I didn't regenerate cert in visual admin. Is it right to go to service - Key Storage - TicketKeystore - Entries and click on create? Will this change the entries SAPLogonTicketKeypair and -cert?

I had a look into http://hostname:5XX00/sso2.

Accepting system is RS2 client 000, SSO certificate is valid.

SSO-consistency check failed and following systems will be used: RS1 100.

I accepted this and now as trusted system SID RS1 client 100 is available - which is wrong.

If I try to add another trusted system via SLD, I can choose RS2, but login data is necessary. Which username do I take?

Regards,

Julia

Former Member
0 Kudos

Hi,

I didn't regenerate cert in visual admin. Is it right to go to service - Key Storage - TicketKeystore - Entries and click on create? Will this change the entries SAPLogonTicketKeypair and -cert?

Yes once you do system copy you need to go in visual admin and then rename the old one and create a new TicketKeypair.

As shown below...

In the CN name I think it is picking RS1...

Once replaced, use that cert, then do the config and do a restart...

Thanks

Rishi abrol

Former Member
0 Kudos

Hello Sunil,

thanks for your link, but I don't understand what to do.

In STRUST system pse is for system RS2. Where do I get the J2EE Engine’s public-key certificate and where do I have to import it?

And does this change the entries in the Java KeyStorage?

Regards,

Julia