Former Member

SAP SSO ticket verification problem in 3rd party application

Hi All,

We are a 3rd party vendor trying to implement single sign-on with the client's SAP system. Our client has provided us with a SAPSSOEXT archive that contains the library files and a sample program to verify the ticket. The application environment is running on a 64-bit Linux OS. After installing the libraries and compiling the sample C program following the instructions, we are successfully able to decrypt/verify the sample ticket provided as part of the archive.

./ssosamp -i ticket.txt -p verify.pse

***********************************************

Output of program:

***********************************************

The ticket

AjExMDABAAdTQVBVU0VSAgADOTk5AwADRVhUBAAMMjAxMTA5MDcxMDQ2BQAEAAKsYAgAAQEgABFwb3J0YWw6UE9SVEFMVVNFUogAE2Jhc2ljYXV0aGVudGljYXRpb27/AT4wggE6BgkqhkiG9w0BBwKgggErMIIBJwIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYIBBjCCAQICAQEwVzBMMQswCQYDVQQGEwJERTEcMBoGA1UEChMTbXlTQVAuY29tIFdvcmtwbGFjZTERMA8GA1UECxMIU0FQIFRlc3QxDDAKBgNVBAMTA1NZUwIHIBEIJBVVSDAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTEwOTA3MTA0NjEzWjAjBgkqhkiG9w0BCQQxFgQU4lvc!J0ne0uWJDAlmYY2vGhfkq4wCQYHKoZIzjgEAwQvMC0CFCuCpBG10JDoxYQ/QgqlN!Zc7rxRAhUAiaj46GoR3Ayo2PgJFZlNwg2axL4=

was successfully validated.

User : SAPUSER

Ident of ticket issuing system:

Sysid : EXT

Client : 999

External ident of user:

PortalUsr: PORTALUSER

Auth : basicauthentication

Ticket validity in seconds:

Valid (s): 557661780

Certificate data of issuing system:

Subject : CN=SYS, OU=SAP Test, O=mySAP.com Workplace, C=DE

Issuer : CN=SYS, OU=SAP Test, O=mySAP.com Workplace, C=DE

However when we try a real ticket generated from client's SAP portal, I get the following error message: "The mySAP.com logon ticket couldn't be verified. The standard error code is 20. The SSF error code is 7."

I gather from the documentation that it means the private address book could not be loaded from the provided verify.pse file. The client has confirmed it is the right key.

Can you please help in troubleshooting this issue further?

Thanks,
Aravind.

1 Answer

  • Best Answer
    Posted on Jan 07, 2014 at 09:40 AM

    Hi Aravind,

    ok, in C header sapssoext.h there is the answer.

    error code 20 := MYSAP_VERIFY_FAILED

    ssf error 7 := SSF_API_UNKNOWN_PAB.

    I assume you did not add the public key from the portal into your local verify.pse, or you have not passed the full path and name of your verify.pse.

    The PSEs "system.pse" and "verify.pse" are only example keys. For your real usage you have to exchange the keys, which means you create the trust.

    The security of the SAP tickets is based on digitally signed information. This signature is a DSA signature which is based on public key infrastructure.

    Therefore you find in SAPSSOEXT package the tool sapgenpse which allows you to maintain the trusted keys.

    Your client has to log in to the SAP portal and download the specific verify.pse, and you have to use this PSE.

    regards,

    -markus

    • Hello Aravind,

      can you please add the complete trace file to this thread.

      The error says that in verify.pse there is no public key from the signer (ticket issuing system). This is the typical error if no trust is created from issuer to verifier.

      If possible you should create an OSS ticket to SAP. If you are not a customer, then you should add / upload the ticket and the verify.pse so that I can check the problem.

      My PGP key is:

      PGP Key-Id: 0x0B9EA3F1 | PGP Key-Server: https://keyserver.pgp.com

      With that you can encrypt data which should not be visible to all.

      regards,

      -markus
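
An added diagnostic example (not part of the thread and not SAP's code): since SSF error 7 means the verifier holds no key for the ticket's signer, it helps to see which system ID and client a ticket names before checking verify.pse. The field IDs are inferred from decoding the sample ticket in the question against the ssosamp output; `parse_logon_ticket` and `build_sample_ticket` are hypothetical names, and the sample ticket is constructed with a dummy signature.

```python
import base64
import struct

# Field IDs observed by decoding the sample ticket against the ssosamp output.
FIELD_NAMES = {0x01: "user", 0x02: "client", 0x03: "sysid",
               0x04: "created", 0x20: "portal_user", 0x88: "auth_scheme"}
CODEPAGES = {"1100": "latin-1", "4110": "utf-8"}  # SAP codepage -> Python codec


def parse_logon_ticket(ticket_b64):
    """Split a ticket into fields WITHOUT verifying the signature (diagnostic only)."""
    # SAP writes '!' where standard base64 uses '+'.
    raw = base64.b64decode(ticket_b64.strip().replace("!", "+"), validate=True)
    if len(raw) < 5:
        raise ValueError("ticket too short")
    codec = CODEPAGES.get(raw[1:5].decode("ascii"), "latin-1")
    info = {"version": raw[0], "codepage": raw[1:5].decode("ascii")}
    pos = 5
    while pos < len(raw):
        if pos + 3 > len(raw):
            raise ValueError("truncated field header at offset %d" % pos)
        field_id, length = struct.unpack_from(">BH", raw, pos)
        value = raw[pos + 3:pos + 3 + length]
        if len(value) != length:
            raise ValueError("field 0x%02x runs past end of ticket" % field_id)
        pos += 3 + length
        if field_id == 0xFF:  # DER-encoded PKCS#7 signature block
            info["signature"] = value
        elif field_id in FIELD_NAMES:
            info[FIELD_NAMES[field_id]] = value.decode(codec)
        else:
            info["field_0x%02x" % field_id] = value
    return info


def build_sample_ticket():
    """Constructed sample with the same field layout; the signature is a dummy."""
    fields = [(0x01, b"SAPUSER"), (0x02, b"999"), (0x03, b"EXT"),
              (0x20, b"portal:PORTALUSER"), (0x88, b"basicauthentication"),
              (0xFF, b"\x30\x03\x02\x01\x01")]
    raw = b"\x021100" + b"".join(struct.pack(">BH", i, len(v)) + v for i, v in fields)
    return base64.b64encode(raw).decode("ascii").replace("+", "!")


if __name__ == "__main__":
    for key, val in parse_logon_ticket(build_sample_ticket()).items():
        print(key, "=", val if isinstance(val, (str, int)) else val.hex())
```

Run on a portal-issued ticket, the `sysid` and `client` values show which issuing system's certificate verify.pse needs to contain.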
