05-09-2014 5:41 PM
Hello gentlemen.
I´m configuring the single sign on with X.509 certificates, to log on ABAP systems.
I´m using OpenSSL to generate the certificates (CA, Server, User), so, not using Secure Login Server.
Already have imported the certificates in strust, and the other steps described in the guide.
When i try to logon via sap logon, i´m receiving the error below.
Is any configuration to do in sap logon? Install something, like the package SAPSSO.msi, that is installed to use SSO with Kerberos?
Obs: I just configure the entry in sap logon, with the snc. In the error below, please note the bold text. In my entry there´s not the @IT... part.
SNC entry in sap logon:
p:CN=ET1, OU=IT
Tks!
SAP GUI for Windows 730
---------------------------
GSS-API(maj): Miscellaneous Failure
GSS-API(min): SSPI::IniSctx#1()==Specified target is unknown or unreac
target="p:CN=ET1, OU=IT@IT.COM.BR"
Time Thu May 08 16:46:28 2014
Component SNC (Secure Network Communication)
Release 730
Version 6
Module sncxxall.c
Line 3352
Method SncPEstablishContext
Return Code -4
System Call gss_init_sec_context
Counter 1
05-09-2014 6:18 PM
Hello Marcos,
Additionally to the documentation Samuli sent you (and these steps indeed must be done), such error means that your SNC SAPCryptolib PSE's certificate is not signed/trusted by any known CA and, therefore, by your client.
You can either use a signed certificate into your PSE or to export your PSE's certificate and import it into your client machine too.
Best Regards,
Guilherme de Oliveira
05-09-2014 6:07 PM
Updating...
I uninstall the package sapsso.msi from the client machine, and reinstall the sap secure login client.
Still receiving a error, but now is comprehensible.
Note that the @IT... is not showing anymore.
---------------------------
SAP GUI for Windows 730
---------------------------
GSS-API(maj): Miscellaneous failure
GSS-API(min): A2210223:Server does not trust my certificate path
target="p:CN=ET1, OU=IT"
05-09-2014 6:13 PM
The CN used in SAP Logon must match the instance profile parameter snc/identity/as of AS ABAP. You didn't mention anything about generating and importing the client certificates and creating mappings for users. Those steps need to be done as well, see the application help for details.
05-09-2014 6:20 PM
Hi Samuli.
Yes, the CN used in SAP Logon is the same.
The question now is setup the certificates again in strust.
But i think that the problem was the incompatible package sapsso.msi in the client machine.
05-09-2014 6:18 PM
Hello Marcos,
Additionally to the documentation Samuli sent you (and these steps indeed must be done), such error means that your SNC SAPCryptolib PSE's certificate is not signed/trusted by any known CA and, therefore, by your client.
You can either use a signed certificate into your PSE or to export your PSE's certificate and import it into your client machine too.
Best Regards,
Guilherme de Oliveira
05-12-2014 1:55 PM