Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSO issue after kernel upgrade from 7.00 to 7.21 EXT

Go to solution
Former Member

‎11-27-2013 8:58 AM

0 Kudos

Hi All,

I have recently upgraded the SAP Kernel for our Portal system from 7.00 to 7.21 EXT. The system landscape scenario runs like this:

- SAP Servers are installed on HP-UX 11.31

- Oracle DB is 11.2.0.3

- Clients are Windows 7

- SAPGui versions being used are 7.20 & 7.30

- Kernel upgraded from 7.00 to 7.21 EXT following Note 1713896

- SAP host agent installed following Note 1031096

- SAPCRYPTOLIB (720_EXT version) re-installed following Notes 397175 & 1375378

After upgrading the kernel, I came across a host of new entities e.g. user sapadm, usage of SAP host agent etc but was able to start up our SAP Portal system smoothly. However, the problem is that the Employee Self Service (ESS) tab which we were using successfully via SSO Windows authentication prior to the upgrade, has now started throwing an exception. When I click on the ESS tab, I get the following error.

**************************************************************************************************************

Caused by: com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to SAP gateway failed

Connect_PM  TYPE=B MSHOST=nakeqas1 GROUP=DEFAULT R3NAME=EQA MSSERV=sapmsEQA SNC_MODE=1 SNC_QOP=3 SNC_MYNAME="p:CN=PQA, OU=I002xxxxxxx, OU=SAP Web AS, O=SAP Trust Community, C=DE" SNC_PARTNERNAME="p:CN=EQA, OU=I002xxxxxxx, OU=SAP Web AS, O=SAP Trust Community, C=DE" PCS=1

LOCATION    CPIC (TCP/IP) on local host with Unicode

ERROR       GSS-API(maj): No credentials were supplied

            GSS-API(min): No credentials found for this name (not logged

            on) (USER

            name="p:CN=PQA, OU=I002xxxxxxx, OU=SAP Web AS, O=SAP Trust

            Community, C=DE"

TIME        Wed Nov 27 11:05:23 2013

RELEASE     721

COMPONENT   SNC (Secure Network Communication)

VERSION     6

RC          -4

MODULE      sncxxall_mt.c

LINE        1445

DETAIL      SncPAcquireCred

SYSTEM CALL gss_acquire_cred

COUNTER     1

**************************************************************************************************************

I came across Note 1525059 (Analysis of Problems Accessing a PSE via Credentials) but am unable to analyze what and where to look for.

All certificates, ticket, cred_v2 files etc. reside in their original location. None of the settings have been changed during the upgrade process. The one thing I figure is that SAPCRYPTOLIB was reinstalled during the kernel upgrade. Can this be what is causing the issue? And in case it is, do we have to follow the entire process of importing the certificates again? Because it seems illogical that SSO would start failing just because the kernel was upgraded.

Please help!

Kind regards,

Amer.

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎11-27-2013 9:26 AM

0 Kudos

Hi Amer,

just to get it right, the user is using a browser to connect to a dual stack system. He authenticates at the JAVA part of the dual stack system (Portal) using SPNEGO to a MS AD. You have configured SNC between the JAVA and ABAP parts and you use certificate based authentication for the SNC connection from the JAVA part to the ABAP part?

Based on the error however I would guess you have to systems, a java based system called PQA and an R3 based system called EQA.

Regards,

Patrick

8 REPLIES 8

Go to solution
Former Member

‎11-27-2013 9:26 AM

0 Kudos

Hi Amer,

just to get it right, the user is using a browser to connect to a dual stack system. He authenticates at the JAVA part of the dual stack system (Portal) using SPNEGO to a MS AD. You have configured SNC between the JAVA and ABAP parts and you use certificate based authentication for the SNC connection from the JAVA part to the ABAP part?

Based on the error however I would guess you have to systems, a java based system called PQA and an R3 based system called EQA.

Regards,

Patrick

Go to solution
Former Member
In response to Former Member

‎11-27-2013 12:27 PM

0 Kudos

Hi Patrick,

You got it right! Our ABAP system is EQA and JAVA system is PQA.

I look forward to your reply.

Kind regards,

Amer.

Go to solution
Former Member
In response to Former Member

‎11-27-2013 12:50 PM

0 Kudos

Hi Amer,

to me it sound like you have swapped some certificates or some user names in either the connection from the portal to the backend or the backend user mappings. Based on your description, I would guess you have configured some ivew to use stored credentials in the portal to connect to the backend and retrieve the info for the ess. Please check that the information in the definition on the portal matches the user intended to be used on the ABAP side.

Regards,

Patrick

Go to solution
Former Member
In response to Former Member

‎11-27-2013 2:17 PM

0 Kudos

Hi Patrick,

Just a short correction to your earlier reply which I missed during my reply.. Our Portal system PQA is a standalone JAVA system and our ABAP system EQA is the dual stack system. We have maintained our certificates using STRUST on the ABAP side and imported the corresponding certificates and files (ticket, cred_v2 etc.) into the Java side.

Prior to the kernel upgrade, we maintained JCo destinations in Content Administration -> Web Dynpro and all was working fine. I have not made any changes to these destinations or any other settings. I did not have any reason to touch anything else because my work started and finished with the kernel upgrade. However, like I've written before, this stopped working after the kernel upgrade. I followed the directions in the notes mentioned earlier right down to the wire. Since SAPCRYPTOLIB is a file primarily used for SSO, I feel the error may be because of it being re-installed but I'm not sure. This is why I'm unable to reason forward in any direction.

Please advise. Greatly appreciate your taking the time to help me out.

Kind regards,

Amer.

Go to solution
Former Member
In response to Former Member

‎11-27-2013 2:52 PM

0 Kudos

Hi Amer,

based on your initial answer, I already guessed, that you do have two different systems. This is the reason, why I did point you to the JCo destinations. Something is wrong with the destination config. I would suggest you check the ABAP system log for authentication attempts to the user in question. this is most likely a certificate authentication issue. Either you did create new certificates in the process of setting up the new systems, for which reason you also have to remap them or something else is wrong there.

Regards,

Patrick

Go to solution
Former Member
In response to Former Member

‎12-03-2013 11:28 AM

0 Kudos

Hi Patrick,

The issue has been resolved. There was a mismatch between the versions of libsapcrypto.so files. Everything is now working successfully. Many thanks for your inputs... greatly appreciate it!

Have a great day!

Kind regards,

Amer.

Go to solution
Former Member
In response to Former Member

‎05-30-2015 7:46 PM

0 Kudos

Hi Amer,

How did you resolved the issue, i am also facing the same issue after kernel upgrade from 700 to 721.

Can you please share how you updated the libsapcrypto.so files.

Did you copied from the old backup kernel or you downloaded the new from SMP and replaced ?

Thanks

Ahmed Shafir

Go to solution
Former Member
In response to Former Member

‎06-03-2015 10:09 AM

0 Kudos

Hi Ahmed,

I just copied the upgraded libsapcrypto.so file from /sapmnt/SID/exe to /usr/sap/SID/exe and ESS started working!

Kind regards,

Amer.