Solved: MYSAPSSO2: ABAP backend shows empty SYSID and CLIE...

Former Member · ‎06-11-2014

Hi,

We are trying to generate SAP Assertion Tickets using the SSOEXT library from a java app, but our ABAP backend refuses our generated tickets.

The ABAP backend is already configured to accept Logon tickets issued by Java stacks, so the general SSO config works. The certificate to sign the ticket is uploaded to the SYSTEM.PSE and an ACL is configured with a sysid and a client for the certificate. The serial of the certificate is correct in table TWPSSO2ACL.

We have the Java app using the SOOEXT library to generate the assertion ticket and sign it from a PSE. The sample java code delivered with the SSOEXT library successfully validates the ticket for our receiving SID and client using the same certificate.

The ABAP stack refuses the ticket however.

We see errors 23 in the security audit log "Issuer of the logon ticket/authentication assertion ticket is not in the ACL table", but the certificate seems configured correctly for the ACL.

We see the following in the system traces via SM50; our ABAP backend is sysid BID, client 001. The assertion ticket is issued by OBD 001 for BID 001.


N Wed Jun 11 13:29:42 2014
N  dy_signi_ext: LOGON TICKET logon (client 001)
N  mySAPUnwrapTicket: was called.
N  HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.
N  HmskiFindTicketInCache: Try to find ticket with cache key: 001:10FF23995334D757C32FB93A25C9DD17 .
N  HmskiFindTicketInCache: Couldn't find ticket in ticket cache.
N  mySAP: Got the following SSF Params:
N         DN      =CN=BID
N         EncrAlg =DES-CBC
N         Format  =PKCS7
N         Toolkit =SAPSECULIB
N         HashAlg =SHA1
N         Profile =/usr/sap/BID/DVEBMGS02/sec/SAPSYS.pse
N         PAB     =/usr/sap/BID/DVEBMGS02/sec/SAPSYS.pse
N  Got the codepage 4102.
N  Got ticket (head) AjQxMTABAAZFWEE1MzICAAMwMDADAANPQkQEAAwy. Length = 792.
N  Convert ticket content from SAP_CODEPAGE >4110< to >4102<
N  MskiValidateTicket returns 0.
N  Got content client =    .
N  Got content sysid =         .
N  No entry in TWPSSO2ACL for SYS  and CLI .
N  CheckSubject failed (rc=19). Verifying if ticket was issued by me.
N  *** ERROR => System ID and client from ticket are not the same than mine. [ssoxxkrn.c   1065]
N  {root-id=A7DD8E28C2241ED3BCAB75CC6B095571}_{conn-id=A7DD8E28C2241ED3BCAB75CC667ED570}_1

N  Data from ticket: sysid=        , client=
N  My system data: sysid=BID     , client=001
N  *** ERROR => Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL (see note 1055856). [ssoxxkrn.c   1071]
N  {root-id=A7DD8E28C2241ED3BCAB75CC6B095571}_{conn-id=A7DD8E28C2241ED3BCAB75CC667ED570}_1

N  dy_signi_ext: ticket issuer not trusted
N  dy_signi_ext: ASSERTION TICKET logon (client 001)
N  mySAPUnwrapTicket: was called.
N  HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.
N  HmskiFindTicketInCache: Try to find ticket with cache key: 001:10FF23995334D757C32FB93A25C9DD17 .
N  HmskiFindTicketInCache: Couldn't find ticket in ticket cache.
N  mySAP: Got the following SSF Params:
N         DN      =CN=BID
N         EncrAlg =DES-CBC
N         Format  =PKCS7
N         Toolkit =SAPSECULIB
N         HashAlg =SHA1
N         Profile =/usr/sap/BID/DVEBMGS02/sec/SAPSYS.pse
N         PAB     =/usr/sap/BID/DVEBMGS02/sec/SAPSYS.pse
N  Got the codepage 4102.
N  Got ticket (head) AjQxMTABAAZFWEE1MzICAAMwMDADAANPQkQEAAwy. Length = 792.
N  Convert ticket content from SAP_CODEPAGE >4110< to >4102<
N  MskiValidateTicket returns 0.
N  Got content client =    .
N  Got content sysid =         .
N  No entry in TWPSSO2ACL for SYS  and CLI .
N  CheckSubject failed (rc=19). Verifying if ticket was issued by me.
N  *** ERROR => System ID and client from ticket are not the same than mine. [ssoxxkrn.c   1065]
N  {root-id=A7DD8E28C2241ED3BCAB75CC6B095571}_{conn-id=A7DD8E28C2241ED3BCAB75CC667ED570}_1

N  Data from ticket: sysid=        , client=
N  My system data: sysid=BID     , client=001
N  *** ERROR => Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL (see note 1055856). [ssoxxkrn.c   1071]
N  {root-id=A7DD8E28C2241ED3BCAB75CC6B095571}_{conn-id=A7DD8E28C2241ED3BCAB75CC667ED570}_1

N  dy_signi_ext: ticket issuer not trusted

As mentionned, the assertion ticket gets validated succesfully by the sample java code with the SSOEXT for our receiving system:


PS C:\Data\software\sap\sapsso\myssosample> java SSO2Ticket -i .\test.ticket -crt .\obi_tests.cer -exsid BID -excli 001
SAPSSOEXT loaded.
static part ends.

Start SSO2TICKET main
-------------- test version --------------
Version of SAPSSOEXT: SAPSSOEXT 10
***********************************************
 Output of program:
***********************************************


The ticket

AjQxMTABAAZFWEE1MzICAAMwMDADAAN <lots more> X598NhjdkNU1c=

was successfully validated.
Type     : SAP Assertion Ticket
User     : <myuserid>

Ident of ticket issuing system:
Sysid    : OBD
Client   : 000
External ident of user:
PortalUsr: <myuserid>
Auth     : basicauthentication
Ticket validity in seconds:
Valid (s): 60
Certificate data of issuing system:
Subject  : CN=OBI Assertion Tests
Issuer   : CN=OBI Assertion Tests

Does anyone have any clue why our ABAP backend might not recognize the target sysID and client fields from the assertion ticket?

Thanks in advance!

Pieter

Former Member · ‎07-01-2014

It seems to be a kernel version problem. Kernel 720 patch level 401 gives the errors above, kernel 721 patch level 311 works fine:


N Tue Jul  1 11:31:22 2014
N  dy_signi_ext: LOGON TICKET logon (client 111)
N  mySAPUnwrapTicket: was called.
N  HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.
N  HmskiFindTicketInCache: Try to find ticket with cache key: 111:6E96C3E7BB9D965DE95F0D1F7FFFA376 .
N  HmskiFindTicketInCache: Couldn't find ticket in ticket cache.
N  mySAP: Got the following SSF Params:
N         DN      =CN=SI2, OU=***********, OU=SAP Web AS, O=SAP Trust Community, C=DE
N         EncrAlg =DES-CBC
N         Format  =PKCS7
N         Toolkit =SAPSECULIB
N         HashAlg =SHA1
N         Profile =/usr/sap/SI2/DVEBMGS32/sec/SAPSYS.pse
N         PAB     =/usr/sap/SI2/DVEBMGS32/sec/SAPSYS.pse
N  Got the codepage 4102.
N  Got ticket (head) AjQxMTABAAZFWEE1MzICAAMxMTEDAANTSTIEAAwy. Length = 604.
N  Convert ticket content from SAP_CODEPAGE >4110< to >4102<
N  MskiValidateTicket returns 0.
N  Got content client = 111.
N  Got content sysid = SI2     .
N  Got date 201407010930 from ticket.
N  Cur time = 201407010931.
N  Computing validity in hours.
N  Computing validity in minutes.
N  CurTime_t = 1404293460, CreTime_t = 1404293400
N  validity: 120, difference:     60.000.
N  Ticket contains no RFC Payload info.
N  mySAPUnwrapTicket returns 0.
N  DyISigni: client=111, user=EXA532      , lang=E, access=H, auth=T
N  usrexist: effective authentification method: SAP logon ticket
N  Get_RefUser(111,EXA532) =>
N  password logon is generally enabled (default)
N  productive password is still valid (expiration period=0 / days gone=0)
N  password change not required (expiration period=0 / days gone=896)
N  usrexist: update logon timestamp (M)
N  save user time zone = >CET   < into spa
N  DyISignR: return code=0 (see note 320991)
N  ==> krn_Base64_Encode()
N  <== krn_Base64_Encode()==0 (SSF_KRN_OK)

Former Member · ‎06-11-2014

Some more info on the same certificate being used in the system.pse, the ACL on client 001 and the java app.

output of the sample SSOEXT ticket verification code shows the same certificate subject.

MYSAPSSO2: ABAP backend shows empty SYSID and CLIENT

Accepted Solutions (1)

Accepted Solutions (1)

Answers (1)

Answers (1)

Re: HTTP Receiver adapter with Dynamic value in UR...

How to create a rolling forecast in SAC? I have an...

In SAP Hana Cloud, do packages exist as database o...

Re: Mass Update a Zfield in Std Table with Split &...

Re: Change BW Query Initial Variable Input at runt...