Former Member

MYSAPSSO2: ABAP backend shows empty SYSID and CLIENT

Hi,

We are trying to generate SAP Assertion Tickets using the SSOEXT library from a Java app, but our ABAP backend refuses our generated tickets.

The ABAP backend is already configured to accept Logon tickets issued by Java stacks, so the general SSO config works. The certificate to sign the ticket is uploaded to the SYSTEM.PSE and an ACL is configured with a sysid and a client for the certificate. The serial of the certificate is correct in table TWPSSO2ACL.

We have the Java app using the SSOEXT library to generate the assertion ticket and sign it from a PSE. The sample Java code delivered with the SSOEXT library successfully validates the ticket for our receiving SID and client using the same certificate.

The ABAP stack refuses the ticket, however.

We see errors 23 in the security audit log "Issuer of the logon ticket/authentication assertion ticket is not in the ACL table", but the certificate seems configured correctly for the ACL.

We see the following in the system traces via SM50; our ABAP backend is sysid BID, client 001. The assertion ticket is issued by OBD 001 for BID 001.

N Wed Jun 11 13:29:42 2014
N  dy_signi_ext: LOGON TICKET logon (client 001)
N  mySAPUnwrapTicket: was called.
N  HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.
N  HmskiFindTicketInCache: Try to find ticket with cache key: 001:10FF23995334D757C32FB93A25C9DD17 .
N  HmskiFindTicketInCache: Couldn't find ticket in ticket cache.
N  mySAP: Got the following SSF Params:
N         DN      =CN=BID
N         EncrAlg =DES-CBC
N         Format  =PKCS7
N         Toolkit =SAPSECULIB
N         HashAlg =SHA1
N         Profile =/usr/sap/BID/DVEBMGS02/sec/SAPSYS.pse
N         PAB     =/usr/sap/BID/DVEBMGS02/sec/SAPSYS.pse
N  Got the codepage 4102.
N  Got ticket (head) AjQxMTABAAZFWEE1MzICAAMwMDADAANPQkQEAAwy. Length = 792.
N  Convert ticket content from SAP_CODEPAGE >4110< to >4102<
N  MskiValidateTicket returns 0.
N  Got content client =    .
N  Got content sysid =         .
N  No entry in TWPSSO2ACL for SYS  and CLI .
N  CheckSubject failed (rc=19). Verifying if ticket was issued by me.
N  *** ERROR => System ID and client from ticket are not the same than mine. [ssoxxkrn.c   1065]
N  {root-id=A7DD8E28C2241ED3BCAB75CC6B095571}_{conn-id=A7DD8E28C2241ED3BCAB75CC667ED570}_1
N  Data from ticket: sysid=        , client=
N  My system data: sysid=BID     , client=001
N  *** ERROR => Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL (see note 1055856). [ssoxxkrn.c   1071]
N  {root-id=A7DD8E28C2241ED3BCAB75CC6B095571}_{conn-id=A7DD8E28C2241ED3BCAB75CC667ED570}_1
N  dy_signi_ext: ticket issuer not trusted

N  dy_signi_ext: ASSERTION TICKET logon (client 001)
N  mySAPUnwrapTicket: was called.
N  HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.
N  HmskiFindTicketInCache: Try to find ticket with cache key: 001:10FF23995334D757C32FB93A25C9DD17 .
N  HmskiFindTicketInCache: Couldn't find ticket in ticket cache.
N  mySAP: Got the following SSF Params:
N         DN      =CN=BID
N         EncrAlg =DES-CBC
N         Format  =PKCS7
N         Toolkit =SAPSECULIB
N         HashAlg =SHA1
N         Profile =/usr/sap/BID/DVEBMGS02/sec/SAPSYS.pse
N         PAB     =/usr/sap/BID/DVEBMGS02/sec/SAPSYS.pse
N  Got the codepage 4102.
N  Got ticket (head) AjQxMTABAAZFWEE1MzICAAMwMDADAANPQkQEAAwy. Length = 792.
N  Convert ticket content from SAP_CODEPAGE >4110< to >4102<
N  MskiValidateTicket returns 0.
N  Got content client =    .
N  Got content sysid =         .
N  No entry in TWPSSO2ACL for SYS  and CLI .
N  CheckSubject failed (rc=19). Verifying if ticket was issued by me.
N  *** ERROR => System ID and client from ticket are not the same than mine. [ssoxxkrn.c   1065]
N  {root-id=A7DD8E28C2241ED3BCAB75CC6B095571}_{conn-id=A7DD8E28C2241ED3BCAB75CC667ED570}_1
N  Data from ticket: sysid=        , client=
N  My system data: sysid=BID     , client=001
N  *** ERROR => Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL (see note 1055856). [ssoxxkrn.c   1071]
N  {root-id=A7DD8E28C2241ED3BCAB75CC6B095571}_{conn-id=A7DD8E28C2241ED3BCAB75CC667ED570}_1
N  dy_signi_ext: ticket issuer not trusted

As mentioned, the assertion ticket gets validated successfully by the sample Java code with the SSOEXT for our receiving system:

PS C:\Data\software\sap\sapsso\myssosample> java SSO2Ticket -i .\test.ticket -crt .\obi_tests.cer -exsid BID -excli 001
SAPSSOEXT loaded.
static part ends.
Start SSO2TICKET main
-------------- test version --------------
Version of SAPSSOEXT: SAPSSOEXT 10
***********************************************
Output of program:
***********************************************
The ticket
AjQxMTABAAZFWEE1MzICAAMwMDADAAN <lots more> X598NhjdkNU1c=
was successfully validated.
Type     : SAP Assertion Ticket
User     : <myuserid>
Ident of ticket issuing system:
Sysid    : OBD
Client   : 000
External ident of user:
PortalUsr: <myuserid>
Auth     : basicauthentication
Ticket validity in seconds:
Valid (s): 60
Certificate data of issuing system:
Subject  : CN=OBI Assertion Tests
Issuer   : CN=OBI Assertion Tests

Does anyone have any clue why our ABAP backend might not recognize the target sysID and client fields from the assertion ticket?

Thanks in advance!

Pieter

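The SM50 trace prints only the first 40 base64 characters of the ticket ("Got ticket (head) ..."), but those bytes already carry the issuing system and client that the kernel later reports as blank. The following parser is an added example written for this thread; it is not code from the original poster, from SAP or from the SSOEXT library. It decodes the ticket head as it appears in the trace: one version byte, four ASCII bytes naming the ticket codepage, then a sequence of info units, each a 1-byte ID, a 2-byte big-endian length and the content. The names for unit IDs 1 to 4 are an assumption derived by matching the decoded values against what the traces on this page print themselves (user EXA532, the issuing client and sysid, and "Got date ... from ticket"); any other unit ID is reported only as a hex dump. Because the trace cuts the ticket off, the parser stops cleanly at the first unit whose declared length runs past the available bytes.

```python
import base64
import struct

# Constructed input: the two ticket heads exactly as logged in the traces
# quoted in this thread (question: kernel 720; answer: kernel 721).
TRACE_HEAD_BID = "AjQxMTABAAZFWEE1MzICAAMwMDADAANPQkQEAAwy"   # from the question
TRACE_HEAD_SI2 = "AjQxMTABAAZFWEE1MzICAAMxMTEDAANTSTIEAAwy"   # from the answer

# Assumed names for the first four info-unit IDs, derived by matching the
# decoded values against what the traces on this page print.  Anything else
# is reported as unknown rather than guessed.
UNIT_NAMES = {
    0x01: "user",
    0x02: "issuing_client",
    0x03: "issuing_sysid",
    0x04: "creation_time",
}


def decode_ticket_head(head_b64: str) -> dict:
    """Parse the leading bytes of a MYSAPSSO2 ticket as printed in a trace.

    Returns the version byte, the ticket codepage, the fully contained info
    units (name, value), any units with an ID this parser does not name, and
    whether the head ended inside a unit (always true for a trace prefix).
    """
    # Trace output may drop base64 padding; restore it before decoding.
    raw = base64.b64decode(head_b64 + "=" * (-len(head_b64) % 4))
    if len(raw) < 5:
        raise ValueError("head too short to contain version and codepage")
    result = {
        "version": raw[0],
        "codepage": raw[1:5].decode("ascii"),
        "units": [],
        "unknown_units": [],
        "truncated": False,
    }
    pos = 5
    while pos + 3 <= len(raw):
        unit_id = raw[pos]
        (length,) = struct.unpack(">H", raw[pos + 1:pos + 3])
        start, end = pos + 3, pos + 3 + length
        if end > len(raw):
            # The trace cut the ticket off inside this unit; do not guess.
            result["truncated"] = True
            break
        content = raw[start:end]
        name = UNIT_NAMES.get(unit_id)
        if name is None:
            result["unknown_units"].append((unit_id, content.hex()))
        else:
            result["units"].append((name, content.decode("latin-1")))
        pos = end
    if pos != len(raw):
        result["truncated"] = True
    return result


def issuer_identity(head_b64: str) -> tuple:
    """Return (issuing_sysid, issuing_client) from the ticket head, i.e. the
    values the ABAP trace reports as "Got content sysid" / "Got content client"."""
    units = dict(decode_ticket_head(head_b64)["units"])
    return units.get("issuing_sysid", ""), units.get("issuing_client", "")


if __name__ == "__main__":
    for label, head in (("BID (question)", TRACE_HEAD_BID), ("SI2 (answer)", TRACE_HEAD_SI2)):
        parsed = decode_ticket_head(head)
        print(label, "issuer:", issuer_identity(head))
        print("   ", parsed)
```

Running it against the question's head yields issuer sysid OBD and client 000, the same values the SSO2Ticket sample prints, so the issuer units are present in the bytes the kernel 720 trace then reports as empty; the answer's head decodes to SI2 / 111, matching what kernel 721 prints. Two caveats for anyone reading such traces: the parser only reads the head and verifies nothing (the signature and the recipient fields live in the part of the ticket the trace does not show), and the head contains the user name in clear, so trace files with ticket heads should be treated as sensitive rather than pasted freely.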

2 Answers

  • Best Answer
    Former Member
    Jul 01, 2014 at 09:59 AM

    It seems to be a kernel version problem. Kernel 720 patch level 401 gives the errors above, kernel 721 patch level 311 works fine:

    N Tue Jul  1 11:31:22 2014
    N  dy_signi_ext: LOGON TICKET logon (client 111)
    N  mySAPUnwrapTicket: was called.
    N  HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.
    N  HmskiFindTicketInCache: Try to find ticket with cache key: 111:6E96C3E7BB9D965DE95F0D1F7FFFA376 .
    N  HmskiFindTicketInCache: Couldn't find ticket in ticket cache.
    N  mySAP: Got the following SSF Params:
    N         DN      =CN=SI2, OU=***********, OU=SAP Web AS, O=SAP Trust Community, C=DE
    N         EncrAlg =DES-CBC
    N         Format  =PKCS7
    N         Toolkit =SAPSECULIB
    N         HashAlg =SHA1
    N         Profile =/usr/sap/SI2/DVEBMGS32/sec/SAPSYS.pse
    N         PAB     =/usr/sap/SI2/DVEBMGS32/sec/SAPSYS.pse
    N  Got the codepage 4102.
    N  Got ticket (head) AjQxMTABAAZFWEE1MzICAAMxMTEDAANTSTIEAAwy. Length = 604.
    N  Convert ticket content from SAP_CODEPAGE >4110< to >4102<
    N  MskiValidateTicket returns 0.
    N  Got content client = 111.
    N  Got content sysid = SI2    .
    N  Got date 201407010930 from ticket.
    N  Cur time = 201407010931.
    N  Computing validity in hours.
    N  Computing validity in minutes.
    N  CurTime_t = 1404293460, CreTime_t = 1404293400
    N  validity: 120, difference:     60.000.
    N  Ticket contains no RFC Payload info.
    N  mySAPUnwrapTicket returns 0.
    N  DyISigni: client=111, user=EXA532      , lang=E, access=H, auth=T
    N  usrexist: effective authentification method: SAP logon ticket
    N  Get_RefUser(111,EXA532) =>
    N  password logon is generally enabled (default)
    N  productive password is still valid (expiration period=0 / days gone=0)
    N  password change not required (expiration period=0 / days gone=896)
    N  usrexist: update logon timestamp (M)
    N  save user time zone = >CET   < into spa
    N  DyISignR: return code=0 (see note 320991)
    N  ==> krn_Base64_Encode()
    N  <== krn_Base64_Encode()==0 (SSF_KRN_OK)


    • Former Member Samuli Kaski

      That is indeed very plausible as it impacts one of the ACL line fields, but I still don't see why the sysID or the client came through empty...

      Pity the trace doesn't display which serial it finds in the ticket.

  • Former Member
    Jun 11, 2014 at 02:16 PM

    Some more info on the same certificate being used in the system.pse, the ACL on client 001 and the Java app.

    Output of the sample SSOEXT ticket verification code shows the same certificate subject.
