
Self Signed certificate for SSO22KerbMap Module

rainer_joseph

Hi,

We use the SAP EP 6.0 on Web AS 6.40. We have installed the SSO22KerbMap Module on an Exchange Server 2003. We have installed the standard portal certificate, which is available in the Web AS 6.40 ticket keystore, in the SSO22KerbMap Module. With this certificate the SSO to Exchange works fine.

To increase the valid date of the portal certificate, we created a new self-signed certificate with the Visual Administrator in the Web AS 6.40 ticket keystore.

We have downloaded the public certificate and put it in a PSE file. We have installed this PSE file in the SSO22KerbMap Module.

Unfortunately the SSO doesn't work with this new self-signed ticket. The log file of the SSO22KerbMap Module contains the following information:

Signature byte stream:

Encoded content byte stream:

      • ERROR => Verify failed with rc = 5. [ssoxxsgn.c 142]

uResult=27.

Signature invalid.

      • ERROR => MskiDefaultVerify failed with rc = 1769477. [ssoxxsgn.c 216]

      • ERROR => Validate ticket failed with rc = 1769477 [wpsso_v3.c 468]

Ticket is AjExMDAgAA9wb3J0YWw6UkFKT1NFUE...

Argument Dump for ticket verification:

Content byte stream:

Signature byte stream:

Encoded content byte stream:

      • ERROR => Verify failed with rc = 5. [ssoxxsgn.c 142]

uResult=27.

Signature invalid.

      • ERROR => MskiDefaultVerify failed with rc = 1769477. [ssoxxsgn.c 216]

      • ERROR => Validate ticket failed with rc = 1769477 [wpsso_v3.c 468]

Fri Feb 24 08:14:12 2006

Ticket is AjExMDAgAA9wb3J0YWw6UkFKT1NFUE...

Argument Dump for ticket verification:

Content byte stream:

Why doesn't the new self-signed certificate work?

What must we do?

Regards,

Rainer

Accepted Solutions (0)

Answers (1)


Former Member

"Verify failed with rc = 5. [ssoxxsgn.c 142]": the SSO signature has been discussed in the following thread; it may be useful.

/message/345046#345046 [original link is broken]

rainer_joseph

Hi KSK,

Before I wrote this message, I read the thread.

But I cannot transfer it to our problem.

In Visual Administrator, the following public certificate is given by default (alias name in ticket keystore = SAPLogonTicketKeypair):

CERTIFICATE

[ creationDate ]: Tue Jan 03 17:20:22 MET 2006

[ DN ]: CN=SPP

[ issuerDN ]: CN=SPP

[ validNotBefore ]: Tue Jan 03 17:20:21 MET 2006

[ validNotAfter ]: Thu Jan 03 17:20:21 MET 2008

[ signAlgorithm ]: dsaWithSHA (1.2.840.10040.4.3)

[ fingerprint ]: 65:5F:31:E3:E4:0E:6E:3F:6D:8F:24:D1:95:F7:7F:2C

[ subjectKeyIdentifier ]: <none>

[ publicKey ]:

[ algorithm ]: DSA

[ format ]: X.509

I create the following new certificate:

CERTIFICATE

[ creationDate ]: Fri Feb 03 15:10:48 MET 2006

[ DN ]: CN=SPP

[ issuerDN ]: CN=SPP

[ validNotBefore ]: Fri Feb 03 15:10:00 MET 2006

[ validNotAfter ]: Sat Feb 03 15:10:00 MET 2057

[ signAlgorithm ]: dsaWithSHA (1.2.840.10040.4.3)

[ fingerprint ]: 92:C4:16:FA:66:4B:B3:0F:06:AA:6C:B7:EE:8C:BF:1C

[ subjectKeyIdentifier ]: 4C:8C:F9:FA:DE:FD:A6:7D:74:E3:E2:AF:C2:A0:EA:5E:6F:B8:CF:6E

[ publicKey ]:

[ algorithm ]: DSA

[ format ]: X.509

I want to increase the valid date. To activate the new certificate I put the new Aliasname SPPLogonTicketKeypair to ume.properties with configtool.

The behaviour is now:

With the default certificate the SSO to Exchange Server 2003 (SSO22KerbMap Module) works fine.

With the new one it doesn't work.

INFO: The SSO to SAP R/3 Systems works fine with both certificates.

Best regards,

Rainer
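
Added example, not part of the thread and not SAP code: a small Python script that parses the Visual Administrator certificate dumps posted above, lists the fields that differ between the working and the failing certificate, and notes two properties that change how the new certificate is encoded. The function names are hypothetical, the input is the two dumps from the post trimmed to comparable fields, and the script does not establish which difference causes the verification failure.

```python
import re
# Constructed input: the two dumps from the post, trimmed to the comparable fields.
OLD = """\
[ DN ]: CN=SPP
[ issuerDN ]: CN=SPP
[ validNotBefore ]: Tue Jan 03 17:20:21 MET 2006
[ validNotAfter ]: Thu Jan 03 17:20:21 MET 2008
[ signAlgorithm ]: dsaWithSHA (1.2.840.10040.4.3)
[ fingerprint ]: 65:5F:31:E3:E4:0E:6E:3F:6D:8F:24:D1:95:F7:7F:2C
[ subjectKeyIdentifier ]: <none>
"""
NEW = """\
[ DN ]: CN=SPP
[ issuerDN ]: CN=SPP
[ validNotBefore ]: Fri Feb 03 15:10:00 MET 2006
[ validNotAfter ]: Sat Feb 03 15:10:00 MET 2057
[ signAlgorithm ]: dsaWithSHA (1.2.840.10040.4.3)
[ fingerprint ]: 92:C4:16:FA:66:4B:B3:0F:06:AA:6C:B7:EE:8C:BF:1C
[ subjectKeyIdentifier ]: 4C:8C:F9:FA:DE:FD:A6:7D:74:E3:E2:AF:C2:A0:EA:5E:6F:B8:CF:6E
"""

FIELD = re.compile(r"^\[\s*(\w+)\s*\]:\s*(.*)$")

def parse_dump(text):
    """Turn '[ name ]: value' lines into a dict; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def diff_fields(old, new):
    """Return {field: (old_value, new_value)} for every field that differs."""
    keys = sorted(set(old) | set(new))
    return {k: (old.get(k), new.get(k)) for k in keys if old.get(k) != new.get(k)}

def encoding_notes(cert):
    """Properties visible in the dump that affect the certificate's DER encoding."""
    notes = []
    for key in ("validNotBefore", "validNotAfter"):
        year = int(cert[key].split()[-1])
        if year >= 2050:  # RFC 5280: UTCTime through 2049, GeneralizedTime after
            notes.append(f"{key} {year}: encoded as GeneralizedTime, not UTCTime")
    if cert.get("subjectKeyIdentifier", "<none>") != "<none>":
        notes.append("subjectKeyIdentifier present: X.509 v3 extension")
    return notes

if __name__ == "__main__":
    print(diff_fields(parse_dump(OLD), parse_dump(NEW)), encoding_notes(parse_dump(NEW)))
```

Subject, issuer and signature algorithm are identical in both dumps, so the comparison narrows the differences to the validity dates, the key material behind the fingerprint, and the added extension.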